[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

inbound policy verification



[I just joined the ipsec list. I've skimmed the minutes from the August IETF
and the last month's archives. I'm reading the July '98 security
architecture draft. I understand this draft was just approved by the IESG.
I'm working on an implementation: http://research.microsoft.com/msripv6. My
questions stem from a recent group discussion with Aaron Griggs, Maryann
Maher, Allison Mankin, and Brian Zill.]


I don't understand an aspect of the inbound processing specified in section
5.2.1 of the security architecture spec. As specified, the processing would
seem to create a security problem.

As I understand it, the basic idea is that a) the headers are processed and
list of SAs used are collected, then b) the selectors from the packet are
used to locate a security policy in the inbound SPD/SAD, then c) check that
the SAs that were used match the SAs that are specified by the policy.

The part I don't understand is the provision that if the SAs don't match,
then the implementation should continue searching the inbound SPD until it
either finds a policy that accepts the packet, or it's checked all the
policies in the inbound SPD.

This would seem to make it impossible to enforce a more-restrictive policy
in the inbound SPD when there is also a more general policy.

For example, suppose I'm a host H1 and I expect to receive packets from a
network N2, but there's a particular host H2 in N2 for which I have
different security requirements. So I create two policies in my inbound SPD
- first one with source address selector H2, and the second one with source
address selector N2 (an address prefix or range). The first policy results
in a SAD entry with security association SA1, and the second results in a
SAD entry with security association SA2.

Now suppose I receive a packet from H2 with the "wrong" security headers. I
process the packet and discover SA2 from the destination
address/SPI/protocol triple and do the required authentication/decryption.
Now I search the SPD. The packet's selectors match the first policy but the
wrong SA was used to receive the packet. I want to reject this packet.

However this provision says I should continue searching the inbound SPD. I
find the second policy; the packet's selectors match it also. SA2 is the
right SA for this policy, so I accept the packet.

Surely this can't be right? What am I missing?

Thanks,
Rich


Follow-Ups: