ipsec error protocol

["sankar ramamoorthi" <sankar@nexsi.com>]

There has been a lot of discussion in the past about state-synchronization
issues in ipsec, packets vanishing into blackhole because of ipsec peers
getting out-of-step, potential DOS problems in suggested solutions,
need for secure in-band error communication etc.

As for as I know, there was no clear resolution on this issue and it
still remains unsolved. The closest working solution was using keep-alives,
which many (including me) opposed as too heavyweight to solve a basic
protocol problem.

Using inband-pings would be nice way to check if the peer's state is in
sync.
This in conjunction with a suitable icmp error from the peer, would allow
one
to detect quickly if the ipsec SA state is in sync between both the
communicating parties.

One of the opposition to using inband-ping was that it was difficult to
distinguish from customer traffic.

Here is a suggestion for adding control messages to ipsec

spi values 1-255 are reserved by IANA for future use. I was wondering
if a reserved spi, could be used for ipsec control communication.
This could allow control messages including secure echo-replies to be
implemented. The control messages of the form

  ip packet
  esp header with special spi indicating payload is ipsec-control
  ipsec control payload (yet to be defined)

The receiving entity MUST handle the control packets when it receives
a ah/esp packet with the special spi value. The control message can be
of the type encrypted echo/echo-reply for a specific tunnel, authenticated
or encrypted error notification etc.

Welcome your feedback on this idea.

Thanks,

-- sankar ramamoothi --

---

Follow-Ups:

• Re: ipsec error protocol
• From: Frédéric Detienne <fd@cisco.com>

---

• Prev by Date: Re: Protection of port 500
• Next by Date: Re: Manual SA SPI range
• Prev by thread: RE: Manual SA SPI range
• Next by thread: Re: ipsec error protocol
• Index(es):
  • Main
  • Thread