
Re: Protection of port 500



On Mon, 15 Jan 2001, Stephen Kent wrote:
> A UDP/500 SPD entry applies to subscriber traffic, and thus 
> determines whether a subscriber behind the IPsec implementation 
> (especially appropriate in an SG). However, an IPsec implementation 
> can send and receive traffic for ITSELF independent of SPD/SAD entries.

I'm curious:  where, exactly, does the published spec say that?  I can't
find any such statement.  Quoth the RFC (2401):

   "The SPD must be consulted during the processing of all traffic
   (INBOUND and OUTBOUND), including non-IPsec traffic."

   "The SPD is used to control the flow of ALL traffic through an IPsec
   system, including security and key management traffic (e.g., ISAKMP)
   from/to entities behind a security gateway.  This means that ISAKMP
   traffic must be explicitly accounted for in the SPD, else it will be
   discarded..."

   "As mentioned in Section 4.4.1 "The Security Policy Database (SPD)",
   the SPD must be consulted during the processing of all traffic
   (INBOUND and OUTBOUND), including non-IPsec traffic.  If no policy is
   found in the SPD that matches the packet (for either inbound or
   outbound traffic), the packet MUST be discarded."

These flatly-stated requirements do not seem to leave any loopholes for
local management traffic; the word "all" is not usually interpreted to
mean "most". 

(The second quoted statement explicitly mentions ISAKMP traffic from
behind a gateway, which might make one wonder whether ISAKMP traffic from
the gateway itself was a different case... but the RFC does not actually
say anything about that case.)

To me, this means that the exemption for local management traffic must be
part of the explicit policy, as embodied in both the SPD and whatever
higher-level representation of it the administrator deals with.  (And it
would obviously be desirable for any policy lacking such an exemption to
draw at least a warning message.)  Doing otherwise is non-compliant.

I would further observe that making the administrator explicitly aware
of the management traffic is probably a good idea.

                                                          Henry Spencer
                                                       henry@spsystems.net
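As an added illustration of the point argued above (this is constructed example code, not from the thread, from RFC 2401, or from any IPsec implementation), the following toy Python model applies the quoted rules literally: the SPD is consulted for every packet, first match wins, and a packet matching no entry is discarded. With a policy that only describes subscriber traffic, the gateway's own UDP/500 (IKE/ISAKMP) packets fall through and are dropped; the same policy with an explicit BYPASS entry lets them through, and the check_policy() routine is the kind of administrative warning suggested above. The entry layout, selector fields, the check routine and the addresses are all assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

UDP = 17        # IP protocol number for UDP
IKE_PORT = 500  # ISAKMP/IKE


class Action(Enum):
    DISCARD = "discard"   # drop the packet
    BYPASS = "bypass"     # forward without applying IPsec
    PROTECT = "protect"   # apply IPsec (needs an SA from the SAD)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class SPDEntry:
    """One SPD entry (assumed layout).  A None selector means 'any'."""
    action: Action
    src: Optional[str] = None     # CIDR prefix, or None for any
    dst: Optional[str] = None
    proto: Optional[int] = None
    port: Optional[int] = None    # matches source OR destination port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        return True


def lookup(spd: List[SPDEntry], pkt: Packet) -> Action:
    """First-match SPD lookup, applied to ALL traffic as RFC 2401 requires.
    A packet matching no entry MUST be discarded; nothing here exempts the
    gateway's own traffic, so any exemption has to be an explicit entry."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return Action.DISCARD


def ike_probe(local: str, peer: str) -> Packet:
    """The IKE/ISAKMP packet a gateway itself sends to a peer (constructed)."""
    return Packet(src=local, dst=peer, proto=UDP, sport=IKE_PORT, dport=IKE_PORT)


def check_policy(spd: List[SPDEntry], local_addrs: List[str],
                 peers: List[str]) -> List[str]:
    """Assumed administrative check: warn for every local/peer pair whose IKE
    traffic (either direction) would not be BYPASSed.  PROTECT is also wrong
    for IKE itself, since the SA it would need is the one IKE negotiates."""
    warnings = []
    for local in local_addrs:
        for peer in peers:
            for pkt in (ike_probe(local, peer), ike_probe(peer, local)):
                action = lookup(spd, pkt)
                if action is not Action.BYPASS:
                    warnings.append(
                        f"UDP/{IKE_PORT} {pkt.src}->{pkt.dst} would be "
                        f"{action.value.upper()}; add an explicit BYPASS entry")
    return warnings


# Constructed topology: SG_A fronts 10.1.0.0/16, SG_B fronts 10.2.0.0/16.
SG_A, SG_B = "192.0.2.1", "198.51.100.1"

# Policy written only in terms of subscriber traffic (no management exemption).
POLICY_NO_EXEMPTION = [
    SPDEntry(Action.PROTECT, src="10.1.0.0/16", dst="10.2.0.0/16"),
    SPDEntry(Action.PROTECT, src="10.2.0.0/16", dst="10.1.0.0/16"),
]

# Same policy with the gateway's own IKE traffic explicitly accounted for.
POLICY_WITH_EXEMPTION = [
    SPDEntry(Action.BYPASS, src=SG_A + "/32", dst=SG_B + "/32", proto=UDP, port=IKE_PORT),
    SPDEntry(Action.BYPASS, src=SG_B + "/32", dst=SG_A + "/32", proto=UDP, port=IKE_PORT),
] + POLICY_NO_EXEMPTION

if __name__ == "__main__":
    for name, spd in (("no exemption", POLICY_NO_EXEMPTION),
                      ("with exemption", POLICY_WITH_EXEMPTION)):
        print(f"{name}: outbound IKE -> {lookup(spd, ike_probe(SG_A, SG_B)).value}")
        for w in check_policy(spd, [SG_A], [SG_B]):
            print("  WARNING:", w)
```

Run as a script, the first policy reports the gateway's own IKE packet as DISCARD and emits one warning per direction; the second reports BYPASS and no warnings, while subscriber traffic between the two subnets still gets PROTECT and anything else still falls through to DISCARD.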


