
RE: phase 2 and ports



Hi Jan,

> > In mind, this is still the theoretically "correct" way of solving the
> > problem. The way to avoid black holes is to use a firewall policy sharing
> > protocol.
> >
> Well.. No. It's not 'correct'. It may be 'A' way of solving this problem, if
> we all agree that selectors be negotiated outside of phase II, which I'm not
> sure I would agree to. After all, isn't that one of the functions of phase II?

Well, obviously there's no single literally *correct* way to do anything. (I
did say "in my mind" and put "correct" in quotes...)

What we have now is based on engineering decisions -- some modularity
violations to avoid overdesign and some arbitrary decisions to resolve
deadlock. (As Steve K said, the reason we negotiate ports in phase 2 is to
avoid the need for a communications protocol between the IKE daemon and the
firewall if they are not co-located.)

However, if you accept the model where we draw an abstract line between the
authentication and authorization packages (I'm lumping firewalling in with
authorization here), then an external (to IKE) exchange of policy
information is the most desirable.

The use of a policy payload isn't such a bad idea, since it appears that
ISAKMP would be merely functioning as transport (opening up giant can of
worms based on same argument re. XAuth). Negotiation isn't really the best
word though (as one of the presenters at the last IPSP meeting pointed out,
it is better to simply take the union of the two security policies instead
of attempting to negotiate a common ground).

What concerns me is that if we created a policy payload, we would also have
to define an encoding scheme, and to make the payload meaningful we would
have to create such a behemoth that we would be duplicating a large
percentage of the work that IPSP is already doing.

Of course, if you already have something written up, then publish it and
feel free to prove me wrong (at which point we can dispense with firewalls
altogether).

Andrew
--------------------------------------
Beauty without truth is insubstantial.
Truth without beauty is unbearable.


> -----Original Message-----
> From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> Sent: Monday, June 26, 2000 3:45 PM
> To: Andrew Krywaniuk
> Cc: ipsec@lists.tislabs.com
> Subject: RE: phase 2 and ports
>
>
> On Mon, 26 Jun 2000, Andrew Krywaniuk wrote:
> > > P.S. I know of at least one vendor that solves this problem by using port=0
> > > (i.e. 'all ports') and filtering traffic behind ipsec. I don't consider that
> > > a good solution, since the peer may not know of this filtering and needlessly
> > > encrypts and sends stuff that the other side is just going to toss anyway. It
> > > wastes CPU on both sides and wastes bandwidth. It's also a bit hard to debug
> > > ("We negotiated all ports... I wonder why none of my traffic is getting
> > > through...")
> >
> > In mind, this is still the theoretically "correct" way of solving the
> > problem. The way to avoid black holes is to use a firewall policy sharing
> > protocol.
> >
> Well.. No. It's not 'correct'. It may be 'A' way of solving this problem, if
> we all agree that selectors be negotiated outside of phase II, which I'm not
> sure I would agree to. After all, isn't that one of the functions of phase II?
>
> It certainly works, and if you can somehow communicate your firewall policy
> to your peer, then you solve the black-hole problem, but then we should
> consider removing the ID payloads from phase II altogether, to simplify it,
> and require that an external protocol be used to negotiate the selectors...
>
> I'd much rather define a payload in IKE phase II which gives us a richer way
> to specify our selectors. I have something written up, which needs a bit more
> polishing, which I'd be happy to throw out as a strawman. That way, the
> 'firewall policy sharing' could be done IN phase II.
>
> jan
>
>
>
> > Andrew
> > --------------------------------------
> > Beauty without truth is insubstantial.
> > Truth without beauty is unbearable.
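Added example (not from either author's mail): a small Python model of the "port=0 and filter behind IPsec" situation from the P.S. quoted above, assuming a simplified selector of protocol number and port with 0 as the wildcard. It lists the flows one side would encrypt that the other side's firewall then silently drops, and shows that deriving the phase 2 selectors from the firewall policy leaves no such black holes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """Simplified phase 2 traffic selector (hypothetical model): 0 means 'any'."""
    proto: int
    port: int

    def matches(self, proto: int, port: int) -> bool:
        return self.proto in (0, proto) and self.port in (0, port)


@dataclass(frozen=True)
class Flow:
    proto: int   # 6 = TCP, 17 = UDP
    dport: int


def black_holed(flows, sa_selectors, firewall_allow):
    """Flows the initiator encrypts under the SA (some negotiated selector matches)
    that the responder's firewall, applied behind IPsec, then drops (no allow rule
    matches). These are the wasted-CPU, wasted-bandwidth, hard-to-debug cases."""
    admitted = [f for f in flows if any(s.matches(f.proto, f.dport) for s in sa_selectors)]
    return [f for f in admitted if not any(r.matches(f.proto, f.dport) for r in firewall_allow)]


def selectors_from_policy(firewall_allow):
    """Use the firewall allow rules themselves as the phase 2 selectors, i.e. what the
    peer would learn if the firewall policy were shared instead of negotiating port=0."""
    return list(firewall_allow)


# Constructed sample: responder negotiated 'all TCP ports' but only permits web
# traffic behind IPsec; the initiator sends a mix of flows into the tunnel.
NEGOTIATED = [Selector(6, 0)]
FIREWALL = [Selector(6, 80), Selector(6, 443)]
TRAFFIC = [Flow(6, 80), Flow(6, 443), Flow(6, 25), Flow(6, 22), Flow(17, 53)]

if __name__ == "__main__":
    for f in black_holed(TRAFFIC, NEGOTIATED, FIREWALL):
        print(f"encrypted but dropped by peer: proto={f.proto} dport={f.dport}")
    narrowed = selectors_from_policy(FIREWALL)
    print("black holes with policy-derived selectors:", black_holed(TRAFFIC, narrowed, FIREWALL))
```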
