
RE: locating a Security Gateway




In response to Alexei Vopilov, this is our security gateway location
protocol. It is currently included in a product we are building. The
basic concept came from SDNS KMP, which we used in an earlier product.
This particular feature was in the narrative part of the KMP spec but,
for some reason - maybe funds ran out - was garbled in the accompanying
state machine. We pieced it together from the narrative description and
it work{s,ed} fine. Since we were going to SAMP and ISAKMP, neither of
which had this facility, we broke it out into RECIP. I have included it
whole since it is not that big and I have had trouble including it as an
attachment before.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Remote Encryptor Configuration Information Protocol (RECIPe)
January 26, 1997
J. Freedman, J. Evans, N. ONeil, C. Limoges


1  Introduction

The Remote Encryptor Configuration Information Protocol (RECIPe)
provides a simple, low bandwidth mechanism for conveying configuration
information between Inline Network Encryptors (INEs) on Internet
Protocol (IP) networks.  The information exchanged via RECIPe is used to
establish and maintain IP-based Security Associations (SAs) between
INEs.

RECIPe allows an SA initiator INE to determine the IP address of an
intended SA responder INE when the SA initiator INE only knows the IP
address of the intended INE-protected host.  This feature is referred to
as Probe/Tryme.  The RECIPe message sent by the SA initiator is called a
Probe and the message returned by the SA responder in reply is called a
Tryme, since Tryme is the historical term used for the feature by the
Secure Data Network System (SDNS) Key Management Protocol (KMP).

RECIPe also allows an SA responder INE to let an SA initiator INE know
when an SA does not exist.  This feature is referred to as Nokey, since
that is the historical term used for the feature by the SDNS KMP.  Nokey
messages are generated by the SA responder without any previous RECIPe
message being received from an initiator.

2  Protocol Message Formats

RECIPe uses a single message format for all messages.  This format is
illustrated below.  Note that all fields are aligned on 32-bit
boundaries.  All unused fields in any RECIPe message are always set to
zero.

Table 2-1.  RECIPe Message Format

Field                             Octet Number (Size)
Version                           1-4   (4 octets)
Length                            5-8   (4 octets)
Security Parameters Index (SPI)   9-12  (4 octets)
Status                            13-16 (4 octets)
Source INE IP Address             17-20 (4 octets)
Source INE Identifier             21-24 (4 octets)
Target Host IP Address            25-28 (4 octets)
Target INE IP Address             29-32 (4 octets)
Target INE Identifier             33-36 (4 octets)

Each field of the RECIPe message format is described below:

a)  Version:  RECIPe version number, currently always defined as 1.
b)  Length:  Length of the RECIPe message, in 32-bit words.
c)  SPI:  Security Parameters Index identifies the SA.  Set by SA
    responder for Tryme.
d)  Status:  0 indicates no special status, 1 indicates Nokey, and 2
    indicates that traffic cannot be delivered to the Target Host.  Set
    to 0 by SA initiator or responder for Probe.  Set to 1 or 2 by SA
    responder for Nokey.
e)  Source INE IP Address:  IP address of the INE establishing the SA.
    Set by SA initiator for Probe.  Set by SA responder for Nokey.
f)  Source INE Identifier:  Additional 32 bits of information to
    identify the source INE (Optional).  Set by SA initiator for Probe.
g)  Target Host IP Address:  IP address of the intended INE-protected
    host.  Set by SA initiator for Probe.
h)  Target INE IP Address:  IP address of the INE fronting the Target
    Host.  Set by SA responder for Tryme and Nokey.
i)  Target INE Identifier:  Additional 32 bits of information used to
    identify the target INE (Optional).  Set by SA responder for Tryme
    and Nokey.
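As an added example (not code from the RECIPe authors or their product), the following Python encodes and decodes the 36-octet message of Table 2-1 and enforces the invariants Section 2 states: nine big-endian 32-bit fields, Version 1, Length counted in 32-bit words (so 9), Status in {0, 1, 2}, and unused fields zero.  It assumes IPv4 (the spec allots 4 octets per address); the function names and the `kind()` classifier, which is derived from how Sections 2 and 3 say each message type is populated, are this example's own.  A receiver that checks these before acting has a first, cheap filter against malformed or truncated datagrams; the spec itself carries no authentication, so this is format validation only.

```python
import struct
import ipaddress

# RECIPe message layout from Table 2-1: nine 4-octet fields, 36 octets total.
# '!' selects network byte order; 'I' is an unsigned 32-bit integer.
FIELDS = (
    "version", "length", "spi", "status",
    "src_ine_ip", "src_ine_id",
    "target_host_ip", "target_ine_ip", "target_ine_id",
)
FMT = "!9I"
MSG_LEN_WORDS = 9          # Length field is in 32-bit words (Section 2, item b)
MSG_LEN_OCTETS = struct.calcsize(FMT)   # 36
IP_FIELDS = {"src_ine_ip", "target_host_ip", "target_ine_ip"}   # IPv4 assumed


def encode(**fields) -> bytes:
    """Serialize a RECIPe message.  Fields not supplied are zero, as the spec
    requires for unused fields; Version and Length are always fixed."""
    unknown = set(fields) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    values = []
    for name in FIELDS:
        v = fields.get(name, 0)
        if name == "version":
            v = 1
        elif name == "length":
            v = MSG_LEN_WORDS
        elif name in IP_FIELDS and isinstance(v, str):
            v = int(ipaddress.IPv4Address(v))      # dotted quad -> 32-bit
        if not 0 <= int(v) <= 0xFFFFFFFF:
            raise ValueError(f"{name} out of 32-bit range")
        values.append(int(v))
    return struct.pack(FMT, *values)


def decode(data: bytes) -> dict:
    """Parse a datagram and reject anything that violates Section 2."""
    if len(data) != MSG_LEN_OCTETS:
        raise ValueError(f"expected {MSG_LEN_OCTETS} octets, got {len(data)}")
    msg = dict(zip(FIELDS, struct.unpack(FMT, data)))
    if msg["version"] != 1:
        raise ValueError(f"unsupported version {msg['version']}")
    if msg["length"] != MSG_LEN_WORDS:
        raise ValueError(f"bad length {msg['length']} words")
    if msg["status"] not in (0, 1, 2):
        raise ValueError(f"undefined status {msg['status']}")
    for name in IP_FIELDS:
        msg[name] = str(ipaddress.IPv4Address(msg[name]))   # back to dotted quad
    return msg


def kind(msg: dict) -> str:
    """Classify a decoded message.  Derived from the spec's population rules:
    Nokey carries Status 1 or 2; Probe and Tryme carry Status 0, and a Tryme
    is the Probe echoed back with the Target INE IP Address filled in."""
    if msg["status"] in (1, 2):
        return "Nokey"
    return "Tryme" if msg["target_ine_ip"] != "0.0.0.0" else "Probe"


if __name__ == "__main__":
    # Constructed sample: an initiator at 192.0.2.1 probing for host 198.51.100.10.
    probe = encode(src_ine_ip="192.0.2.1", src_ine_id=7,
                   target_host_ip="198.51.100.10")
    print(probe.hex(), kind(decode(probe)))
```

`decode()` deliberately refuses messages whose Length field disagrees with the fixed size rather than trusting it, since the spec defines exactly one format and a Length that does not say 9 words can only be an error or a malformed packet.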

3  Protocol Processing

Below is a description of the processing involved for both the
Probe/Tryme and Nokey functions of RECIPe.

3.1  SA Initiator

An SA initiator preparing to establish an SA performs the following
processing:

1.  SA initiator sends a RECIPe Probe message to the Target Host IP
Address, populating the fields of the message as follows:

    a)  Version = 1.
    b)  SPI = 0.
    c)  Status = 0.
    d)  Source INE IP Address = IP address of the INE establishing the
        SA (the SA initiator).
    e)  Source INE Identifier = 32 bits of additional information (if
        used).
    f)  Target Host IP Address = IP address of the intended
        INE-protected host.

2.  If no Tryme message is received, the RECIPe Probe message may be
repeated based on locally-defined criteria (e.g., if Plaintext (PT)
traffic is still being received for the Target Host IP Address).

3.  If a Tryme message is received, the SA initiator matches up the
Target Host IP Address with the previously sent RECIPe Probe message(s)
based on locally-defined criteria (e.g., a queue of outstanding Probe
requests).  If multiple Tryme messages are received, the first Tryme
message received should be acted upon for SA establishment.

4.  If a Nokey message is received, then the SA initiator should
perform the following processing:

    a)  If the Status = 1, then the SA initiator should delete the SA
        identified in the Nokey message.
    b)  If the Status = 2, then the Target Host IP Address identified in
        the Nokey message should be dis-associated from the SA
        identified in the Nokey message based on locally-defined
        criteria.

3.2  SA Responder

An SA responder performs the following processing upon receipt of a
Probe message (Note that the SA responder is assumed to be the intended
INE since it received the RECIPe Probe message):

1.  The SA responder sends a Tryme message to the SA initiator with
all fields the same as the Probe except for the Target INE IP Address
and Target INE Identifier (if used), which are set to the SA responder
IP address and identifier, respectively.

An SA responder performs the following processing when IP traffic
associated with a specific SA is received that cannot be decrypted by
the SA responder:

1.  If the SA does not exist, then the SA responder sends a Nokey
message to the SA initiator, populating the message with the following
fields:

    a)  Version = 1.
    b)  SPI = SPI associated with the SA the traffic was received for.
    c)  Status = 1.
    d)  Source INE IP Address = IP address of the INE establishing the
        SA (the SA initiator).
    e)  Target INE IP Address = SA responder IP address.
    f)  Target INE Identifier = 32 bits of additional information (if
        used).

An SA responder performs the following processing when decrypted IP
traffic cannot be delivered to an intended Target Host IP Address:

2.  If the SPI exists, but decrypted traffic cannot be delivered to the
Target Host IP Address associated with the SA, then the SA responder
sends a Nokey message to the SA initiator, populating the message with
the following fields:

    a)  Version = 1.
    b)  SPI = SPI associated with the SA the traffic was received for.
    c)  Status = 2.
    d)  Source INE IP Address = IP address of the INE establishing the
        SA (the SA initiator).
    e)  Target Host IP Address = Destination IP address of decrypted
        traffic.
    f)  Target INE IP Address = SA responder IP address.
    g)  Target INE Identifier = 32 bits of additional information (if
        used).
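The processing in Sections 3.1 and 3.2, as an added worked example (not the RECIPe authors' code): a responder that answers a Probe with a Tryme and emits the two Nokey variants, and an initiator that keeps the "queue of outstanding Probe requests" the spec suggests, acts only on the first Tryme that matches a pending Probe, deletes an SA on Status 1 and dis-associates one host on Status 2.  Messages are plain dicts keyed by the Table 2-1 field names with IPv4 addresses as dotted strings; the class and function names are this example's own, and the check that a Nokey names the SA's known peer INE is one of the "locally-defined criteria" the spec leaves open, not a requirement of the spec.

```python
from collections import deque

# Zero-valued message per Table 2-1; unused fields stay zero as Section 2 requires.
EMPTY = {
    "version": 1, "length": 9, "spi": 0, "status": 0,
    "src_ine_ip": "0.0.0.0", "src_ine_id": 0,
    "target_host_ip": "0.0.0.0", "target_ine_ip": "0.0.0.0", "target_ine_id": 0,
}


def make_probe(initiator_ip, target_host_ip, initiator_id=0):
    """Section 3.1 step 1: Probe addressed to the Target Host IP Address."""
    return {**EMPTY, "src_ine_ip": initiator_ip, "src_ine_id": initiator_id,
            "target_host_ip": target_host_ip}


def responder_tryme(probe, responder_ip, responder_id=0):
    """Section 3.2 step 1: the Probe echoed back with the Target INE fields set."""
    if probe["status"] != 0 or probe["target_ine_ip"] != "0.0.0.0":
        raise ValueError("not a Probe")
    return {**probe, "target_ine_ip": responder_ip, "target_ine_id": responder_id}


def responder_nokey(spi, initiator_ip, responder_ip, status,
                    target_host_ip="0.0.0.0", responder_id=0):
    """Section 3.2 Nokey: Status 1 = SA unknown, Status 2 = host unreachable
    (Status 2 must name the undeliverable destination)."""
    if status not in (1, 2):
        raise ValueError("Nokey status must be 1 or 2")
    if status == 2 and target_host_ip == "0.0.0.0":
        raise ValueError("Status 2 requires a Target Host IP Address")
    return {**EMPTY, "spi": spi, "status": status, "src_ine_ip": initiator_ip,
            "target_host_ip": target_host_ip,
            "target_ine_ip": responder_ip, "target_ine_id": responder_id}


class Initiator:
    """SA initiator side of Section 3.1."""

    def __init__(self, ip):
        self.ip = ip
        self.pending = deque()   # outstanding Probes, oldest first
        self.sas = {}            # spi -> {"peer": target INE IP, "hosts": set()}

    def send_probe(self, target_host_ip):
        probe = make_probe(self.ip, target_host_ip)
        self.pending.append(probe)
        return probe

    def on_tryme(self, msg):
        """Step 3: match on Target Host IP Address against pending Probes.
        The first matching Tryme wins; once the Probe is retired, later
        Trymes for the same host (duplicates or unsolicited) return None."""
        host = msg["target_host_ip"]
        if not any(p["target_host_ip"] == host for p in self.pending):
            return None
        self.pending = deque(p for p in self.pending if p["target_host_ip"] != host)
        return msg["target_ine_ip"]     # address to establish the SA with

    def register_sa(self, spi, peer_ip, hosts):
        self.sas[spi] = {"peer": peer_ip, "hosts": set(hosts)}

    def on_nokey(self, msg):
        """Step 4: Status 1 deletes the SA; Status 2 drops one host from it."""
        sa = self.sas.get(msg["spi"])
        # Local criterion (assumption, not in the spec): the Nokey must come
        # from the INE this SA was established with.
        if sa is None or sa["peer"] != msg["target_ine_ip"]:
            return "ignored"
        if msg["status"] == 1:
            del self.sas[msg["spi"]]
            return "sa-deleted"
        if msg["status"] == 2:
            sa["hosts"].discard(msg["target_host_ip"])
            return "host-dropped"
        return "ignored"


if __name__ == "__main__":
    # Constructed exchange: initiator 192.0.2.1, responder INE 203.0.113.5
    # fronting hosts 198.51.100.10 and .11.
    ini = Initiator("192.0.2.1")
    probe = ini.send_probe("198.51.100.10")
    print("peer INE:", ini.on_tryme(responder_tryme(probe, "203.0.113.5", 42)))
```

Keeping the pending-Probe queue is what lets the initiator ignore a Tryme it never asked for, and retiring the Probe on the first match is what implements "the first Tryme message received should be acted upon"; step 2's retransmission would simply call `send_probe()` again while plaintext for that host keeps arriving.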