
Re: inbound policy verification



On 29 Sep 98 at 15:21, Lewis McCarthy wrote:

Hi Lewis,

> > So, if I have a policy with some SPD entries that demand secure
> > communication with some number of specific hosts/networks and with a
> > last entry that allows insecure communication with the rest of the
> > Internet, does this mean that such a policy will allow *any* host,
> > including those specific ones, to communicate with me insecurely?
> 
> If the matching entry specifying strong security parameters for particular  
> hosts/nets precedes the wildcard bypass-IPsec entry, then the SPD lookup 
> settles on that matching entry (strong security with specific hosts).

Yes, this is true for outgoing packet processing, but for incoming
packet processing the security architecture draft says (section 5.2.1)
that we must verify that the applied SAs match the "kind and order
of SAs required by the policy found" (this check fails in my
example) and, if it "failed, continue searching SPD until all policy
entries have been checked or until the check succeeds" (in my example
this check succeeds with the last entry, which permits insecure
communication).

> In Rich's example the incoming packet's selector did not match the selector for 
> the host-specific SPD entry. So the lookup dropped through to the later entry 
> (for a whole network) in the SPD.

As far as I understand Rich's example, they match. He described an SPD
with two entries - host-specific and network-specific (the network
includes the host) with different security requirements for each, and
the situation when an incoming packet from that host is
encrypted/authenticated according to the network-specific policy, not
the host-specific one. As far as I understand, this packet matches both
entries, and even if the host-specific entry precedes the network-specific
one, the latter will be selected instead of discarding that packet (if we
follow the architecture draft). That was his problem, in my understanding.
Maybe I missed something and Richard himself will clarify what he
means?

> IMHO having a very permissive wildcarded entry at the end of the SPD can be 
> slightly risky, from a s/w engineering perspective. A small error in a 
> host/net-specific entry might cause that specific entry not to match in some
> situation when it should have. So instead the wildcarded bypass entry matches, 
> and traffic on that connection transparently bypasses IPsec processing. 
> (Packets are sent in the clear and no alarm bells ring....)
> If there had been no wildcarded bypass entry at the end of the SPD, then the 
> connection would have failed and (presumably) someone would notice the 
> communication failure relatively quickly.

I agree, but it is very useful (not to say inescapable) until most
of the Internet becomes secure.

[...]
> You need to keep looking until you find one that matches (or you run out of
> entries to examine). More than one entry might have a selector that matches 
> the packet -- the first matching entry (if any) in the SPD is used.

Yes, but it's again true for outgoing packets. For incoming packets the
architecture draft explicitly states (5.2.1):

    NOTE: The correct "matching" policy will not necessarily be
          the first inbound policy found.  If the check in (4)
          fails, steps (3) and (4) are repeated until all policy
          entries have been checked or until the check succeeds.

From my own point of view, the problem resides in this note. As far
as I understand the security architecture, every SPD entry points to
zero or more SA bundles associated with it (let's call it the list of
bundles). Every outgoing packet that matches this SPD entry will be
processed by one of these bundles, or a new one will be created and
added to this list. The decision which bundle to use (or whether to
create a new one) is made by comparing the packet with the bundle
selectors. For incoming packets we apply all IPsec processing,
collecting the SAs used, and then check whether we did it right. From
my point of view, we must find the first matching entry in the SPD (as
with an outgoing packet) and check if the applied SAs match one of the
bundles in this entry's list of bundles. If we find a matching bundle,
it's OK; if not, the packet must be discarded. If that note means this
behaviour, it is slightly misleading, because it requires looking for
another matching entry in the SPD, not for another matching bundle in
this entry's list.

Please, correct me if I missed something.

> -Lewis

Regards,
Valery Smyslov.
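The following Python model is an added illustration of the two readings of inbound SPD verification argued over in this message; it is not code from the thread or from any IPsec implementation. It assumes a simplified SPD whose selectors are source address/prefix only, represents an SA bundle as the ordered tuple of protocols actually applied (so "kind and order" are both checked), and models a BYPASS entry as satisfied only by a packet that arrived with no IPsec processing at all. The SPD contents (host entry, covering network entry, trailing wildcard bypass) are constructed to mirror the scenario discussed above; the names `inbound_check_draft`, `inbound_check_first_match` and `compare` are this example's own.

```python
# Added example (not part of the original thread): a small model of the two
# readings of inbound SPD verification discussed above. Assumptions: selectors
# are source address/prefix only, an SA bundle is the ordered tuple of
# protocols applied, and a BYPASS entry is satisfied only by a packet that
# arrived without any IPsec processing.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

Bundle = Tuple[str, ...]          # e.g. ("AH", "ESP"): kind *and* order of SAs


@dataclass
class SPDEntry:
    name: str
    src: ipaddress.IPv4Network    # selector: packet source must fall in this prefix
    action: str                   # "PROTECT" or "BYPASS"
    bundles: List[Bundle] = field(default_factory=list)  # acceptable bundles for PROTECT

    def matches(self, src_ip) -> bool:
        return src_ip in self.src

    def satisfied_by(self, applied: Sequence[str]) -> bool:
        """Do the SAs actually applied (kind and order) meet this entry's requirement?"""
        if self.action == "BYPASS":
            return len(applied) == 0           # modelling assumption, see above
        return tuple(applied) in self.bundles


def inbound_check_draft(spd, src_ip, applied):
    """Reading of the section 5.2.1 NOTE: if the SA check fails for a matching
    entry, keep searching the SPD until some later matching entry passes."""
    for entry in spd:
        if entry.matches(src_ip) and entry.satisfied_by(applied):
            return ("ACCEPT", entry.name)
    return ("DISCARD", None)


def inbound_check_first_match(spd, src_ip, applied):
    """Alternative reading proposed in the message: the first matching entry
    decides, and only its own list of bundles is consulted."""
    for entry in spd:
        if entry.matches(src_ip):
            if entry.satisfied_by(applied):
                return ("ACCEPT", entry.name)
            return ("DISCARD", entry.name)   # matched, but SAs do not fit: drop
    return ("DISCARD", None)


# Constructed SPD mirroring the scenario in the thread: a host-specific entry,
# a network entry covering that host, and a trailing wildcard bypass.
EXAMPLE_SPD = [
    SPDEntry("host-10.0.0.5", ipaddress.ip_network("10.0.0.5/32"), "PROTECT", [("AH", "ESP")]),
    SPDEntry("net-10.0.0.0/24", ipaddress.ip_network("10.0.0.0/24"), "PROTECT", [("ESP",)]),
    SPDEntry("wildcard-bypass", ipaddress.ip_network("0.0.0.0/0"), "BYPASS"),
]


def compare(src: str, applied: Sequence[str], spd=EXAMPLE_SPD):
    """Return (draft_result, first_match_result) for one inbound packet."""
    ip = ipaddress.ip_address(src)
    return inbound_check_draft(spd, ip, applied), inbound_check_first_match(spd, ip, applied)


if __name__ == "__main__":
    cases = [
        ("10.0.0.5", ("AH", "ESP")),   # host protected exactly as its entry demands
        ("10.0.0.5", ("ESP",)),        # host protected only per the network entry
        ("10.0.0.5", ()),              # host sends in the clear
        ("10.0.0.7", ("ESP",)),        # other host on the network
        ("192.0.2.9", ()),             # unrelated host, in the clear
    ]
    for src, applied in cases:
        draft, first = compare(src, applied)
        print(f"{src:10} applied={applied!s:14} draft={draft}  first-match={first}")
```

Running it shows the disagreement concretely: a packet from 10.0.0.5 carrying only ESP is accepted under the NOTE's reading via the network entry, and a packet from the same host in the clear is accepted via the wildcard bypass, whereas the first-match reading discards both because the host entry's bundle list is the only one consulted. The trailing bypass is what turns a configuration slip into silently unprotected traffic, which is the engineering risk raised earlier in the thread.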

