[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: inbound policy verification

To: Richard Draves <richdr@microsoft.com>
Subject: Re: inbound policy verification
From: Charles Lynn <clynn@bbn.com>
Date: Fri, 9 Oct 98 18:35:50 EDT
cc: "'IPsec'" <ipsec@tis.com>
Sender: owner-ipsec@ex.tis.com

Rich, et.al.,

Your question about why one should continue to search beyond the first
matching SPD entry for an incoming packet, and other's comments,
indicates that more explanation is needed.  My understanding of the
requirement is given below (maybe in too much detail :-).  Maybe we
can find a better solution to the problems, or legislate them away.

First, in the common cases, I do not think one should get into the
state described in the example you presented.  What has never been
mentioned in any of the discussion on this topic that I've seen, was
how the lower precedence "net" policy SA for the host specified in the
higher precedence "host" policy was created.  It seems to me that the
policy module should have told ISAKMP, or whatever KMP was used, to
reject the net policy setup, since the ordered search of the inbound
SPD (at SA setup time) would have first found the matching host entry
and never proceeded to find the net one.

Do you agree that it net SA should never have been created?  If not,
what scenario occurred to create it?

On the other hand, if the policy module did (correctly) permit the net
SA for the host to be created (for whatever reason), then looking
beyond the host entry in the SPD during input packet processing would
be necessary to allow that SA to be used.  Do you agree?

The architecture document described inbound and outbound SPDs
(although some may implement a single one with a "direction" selector,
or boxes with more than two interfaces might need a pair of SPDs per
interface).  However, there are no required ordering requirements
between the policies expressed in the two (or more) SPDs.

  (Since it is "policy configuration", I doubt that we can legislate
  it.  Doing so would require some module to compare the SPD entries
  for consistency.  I suspect that would be A Good Thing, and some
  vendors may provide it, but I do not think that it should be a MUST.
  What do others think?)

The next piece of the problem involves KMPs, such as ISAKMP, that
negotiate a pair of SAs.  If the order of the two policies at the
initiator is different, then the KMP would setup both the outbound and
inbound SAs based on the order in the outbound SPD.  Does the KMP even
check the inbound SPD to verify that the first matching selectors gave
the same result?  (What have implementors implemented?)

We are now in the problem situation.  When a reply packet arrives
through the return SA the inbound SPD is searched during input
processing, the different policy order might result in finding some
other inbound SPD entry before the one that corresponds to the one
used to setup the (outgoing) SA.  In order for the packet to be
accepted, one would have to continue searching the inbound SPD for the
"proper" entry.

The basic problem, in my opinion, is that the architecture describes a
unidirectional model, but the KMP uses a bidirectional one.  Where are
the mechanisms needed to reconcile these perspectives defined?

A third piece of the problem is the desire for "protocol, not
implementation" that we all desire.  At one point, there was a SAM and
backpointers to the SPD entries.  I think that was removed as being
"implementation", not "protocol".  Given that an SA may be shared
between bundles, and a bundle may be used by multiple policies (or SPD
entries), there may well be lists of lists that would need to be
searched (at least if we want to allow sharing either now or in the
future).  I guess there is an engineering tradeoff between searching
the SPD until one finds something acceptable and maintaining the
backpointer lists and searching them.  Maybe the architecture document
made the wrong choice.

Assuming that the security implications are the same, what do you
think we should do?  The architecture document could specify the
backpointers (whether or not that is how an vendor chose to implement
the functionality they describe).

However, are the security implications the same?  Your point is that
it might be possible to exploit the "keep searching" rule.  Would
that, or related, vulnerabilities be reduced by using backpointers?
We'll have to think a bit about that, I suspect.  The answer may
depend, in your example, on whether the KMP could have correctly setup
that net SA.

Note that if the order of the two SPDs is consistent, the situation
you describe should not occur.  If the communication used, e.g., well
known ports, the situation would be less likely to occur.  I do not
think that we should rule out (not be able to protect) protocols that
do not use well known (direction indicating) ports, or no ports at all.

An additional point that we must not forget is that manually
configured SAs must be supported.  How they interact with the SPD(s),
in particular with respect to ordering, needs to be considered.

Charlie

Prev by Date: RE: comments on VPN framework document
Next by Date: RE: comments on VPN framework document
Prev by thread: RE: inbound policy verification
Next by thread: RE: inbound policy verification
Index(es):
- Main
- Thread