
RE: INITIAL-CONTACT issues



Greetings,

I have been lurking and learning on here for a while.  This was written a
couple of days ago, but I did not send it as I thought the UDP debate would
have died as it did in the Intrusion Detection Work Group (IDWG).
Personally, I am wary of allowing any UDP through a firewall.

A couple of thoughts come to mind.  With UDP, the application (layer) must
keep session information (or not), do error checking, and ensure security.
In addition, UDP requires some mechanism to prevent IP spoofing.  This is
all done at layer 7.  The application (and the implementation) must be
trusted, and you could potentially lose your defense in depth with the
firewall.

I would agree that a DoS attack is easily mounted against TCP, but it would
be easier to defend than UDP.  

The IETF's IDWG discussed using UDP for transport.  Below is a URL to the
archives. 
Jim

http://www.semper.org/idwg-public/0191.html:

From: Chad Schieken <chad@Op.Net>
Message-Id: <199903101910.OAA02823@monet.op.net>
Subject: Re: SNMP satisfies most requirements
To: cuber@omaha.com
Date: Wed, 10 Mar 1999 14:10:33 -0500 (EST)
In-Reply-To: <36E6BDB8.1517BF7D@omaha.com> from "Uber, Chet" at Mar 10, 99
12:45:12 pm

That's a good point, my answer to the question is that it is up to the
transport method used. Most transports, TCP/IP, UDP don't have much,
but it's still possible to create secure services using them, look at
ssh as an example. 


I think I should point out that I personally don't think that a
stateless protocol (UDP) is appropriate to use if we're going to want
secure channels of communication built on top of it. 


However obviously it's a tradeoff. UDP simply has a lot less overhead,
which makes it attractive in some situations.


Too bad ttcp didn't really take off
(http://www.cis.udel.edu/~sezen/ttcp.html); that would be my suggestion
for the transport mechanism, if it were more widely adopted.


> -----Original Message-----
> From: Scott G. Kelly [mailto:skelly@redcreek.com]
> Sent: Tuesday, May 04, 1999 8:59 AM
> To: Sankar Ramamoorthi
> Cc: 'Stephen Kent'; ipsec@lists.tislabs.com
> Subject: Re: INITIAL-CONTACT issues
> 
> 
> Hi Sankar,
> 
> I'm really swamped, so I don't have time to research all the 
> reasons for
> the decision to use UDP instead of TCP. I joined the working 
> group after
> that discussion occurred, but a little thought reveals a number of
> problems with your proposal.
> 
> Sankar Ramamoorthi wrote:
> > 
> > If the same TCP stream is used across rekeying,
> > then TCP connection overhead is not an issue - right?
> > 
> 
> 1) In this case the overhead is reduced, but not eliminated entirely.
> 
> 2) This effectively removes identity PFS capability - a Very Bad Thing
> (tm).
> 
> 3) One of the design requirements for ISAKMP, and hence IKE, was
> transport protocol independence. Requiring the use of TCP in order to
> provide keepalive capability is contrary to this design requirement.
> 
> 4) A DoS attack is more easily mounted if the transport is TCP.
> 
> I will add that the spec does not preclude the use of TCP, and you are
> welcome to implement ISAKMP over whatever transport you 
> choose. However,
> the minimum interoperability requirement is for UDP port 500 support.
> 
> Scott
> 
> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: Friday, May 07, 1999 2:46 PM
> To: Alex Alten
> Cc: ipsec@lists.tislabs.com
> Subject: Re: INITIAL-CONTACT issues
> 
> 
> Alex,
> 
> >Has anyone had deployment experience with IKE?
> >Do actual customers like it running over UDP?
> >Is there any resistance with opening an IKE UDP
> >port in firewalls?
> 
> Folks at several companies have cited problems getting IPsec traffic
> through in general, whether UDP for IKE or AH or ESP.
> 
> Steve
> 
James L. Burden, Security Engineer and Architect
California Independent System Operator
Phone: 916.351.2243 http://www.caiso.com
41DF 0E4C 26E0 2FD3 8C81  A260 5C40 280E B4AE 7420
____________________________________________
  Know yourself, Know your enemy
     in a hundred battles you will never be in danger,
  Know the ground, Know the weather,
     and your victory will be total.    - Sun Tzu "The Art of War"
____________________________________________               
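The point Jim makes above (that over UDP the application itself has to do the anti-spoofing and state management that TCP's handshake would otherwise provide) is what the ISAKMP/IKE cookie exchange is for. Below is an added illustration of that mechanism, written for this page rather than taken from any IKE implementation: the responder derives its cookie as a keyed hash over the apparent source address, port and the initiator's cookie, allocates no state until the peer echoes that cookie back, and so spends nothing on a flood of spoofed first-contact packets. The secret, the addresses, the message format and the `Responder` class are all constructed for the example.

```python
import hmac
import hashlib
import os

# Constructed responder secret (a real responder rotates this periodically
# and keeps the previous value briefly so in-flight cookies still verify).
SECRET = b"constructed-responder-secret"


def make_cookie(secret: bytes, src_ip: str, src_port: int,
                initiator_cookie: bytes) -> bytes:
    """Stateless responder cookie in the style ISAKMP (RFC 2408) suggests:
    a keyed hash over the apparent source address/port and the initiator's
    cookie. Only a peer that can actually receive at src_ip:src_port
    learns the value, so echoing it back proves the address is not spoofed
    without the responder storing anything in the meantime."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    mac.update(src_ip.encode())
    mac.update(src_port.to_bytes(2, "big"))
    mac.update(initiator_cookie)
    return mac.digest()[:8]


class Responder:
    """Toy UDP responder: per-session state is created only after a
    successful cookie round trip (constructed for this example)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions = {}  # populated only after cookie verification

    def handle(self, src_ip: str, src_port: int, msg: dict):
        """msg: {'icookie': bytes, 'rcookie': bytes|None, 'payload': bytes}.
        Returns (reply_or_None, state_created)."""
        icookie = msg["icookie"]
        expected = make_cookie(self.secret, src_ip, src_port, icookie)
        if msg.get("rcookie") is None:
            # First contact: answer with a cookie, allocate nothing.
            return {"icookie": icookie, "rcookie": expected, "payload": b""}, False
        if not hmac.compare_digest(msg["rcookie"], expected):
            # Cookie does not match this source: spoofed or replayed; drop.
            return None, False
        # Cookie valid: the peer is reachable at src_ip:src_port; keep state.
        self.sessions[(icookie, expected)] = {
            "peer": (src_ip, src_port), "payload": msg["payload"]}
        return {"icookie": icookie, "rcookie": expected, "payload": b"ok"}, True


def demo() -> dict:
    """Honest initiator, a spoofed flood, and a cross-address replay."""
    r = Responder(SECRET)
    ic = bytes.fromhex("0102030405060708")  # constructed initiator cookie
    # Honest initiator at 192.0.2.10:500 (documentation address).
    reply1, created1 = r.handle("192.0.2.10", 500,
                                {"icookie": ic, "rcookie": None,
                                 "payload": b"SA proposal"})
    # It owns that address, so it receives reply1 and echoes the cookie.
    reply2, created2 = r.handle("192.0.2.10", 500,
                                {"icookie": ic, "rcookie": reply1["rcookie"],
                                 "payload": b"SA proposal"})
    # Attacker floods first-contact packets with a forged source address.
    for _ in range(1000):
        r.handle("198.51.100.7", 500,
                 {"icookie": os.urandom(8), "rcookie": None, "payload": b"junk"})
    # Attacker replays the honest peer's cookie from its own address.
    reply3, created3 = r.handle("198.51.100.7", 500,
                                {"icookie": ic, "rcookie": reply1["rcookie"],
                                 "payload": b"hijack"})
    return {
        "first_reply_has_cookie": reply1["rcookie"] is not None and not created1,
        "honest_session_created": created2 and reply2["payload"] == b"ok",
        "sessions_after_flood": len(r.sessions),
        "replay_rejected": reply3 is None and not created3,
    }


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy: it stops a responder from being exhausted by spoofed-source UDP packets, but it is not a security boundary for the firewall in front of it. As Jim's message points out, the firewall sees only stateless datagrams to one port and has to trust that the application behind it gets this exchange right.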

