[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
IPsec, IKE, IPv6
Hi,
The upcoming IETF meeting reminds me that we had a discussion in
the last meeting about certain IPv6 related issues in IPsec, and that
we were supposed to get back to the discussion on the mailing list.
Specifically, our drafts addressed two issues related to IPv6, namely
(a) circular IKE/ICMPv6 traffic in normal IPsec use, and (2) if, and how,
IPsec can be used to protect IPv6 control signalling. My interpretation
of the discussion in the meeting regarding the first issue was that there
was a recognition of the problem from the some of the implementors
far enough to run into this. But there were question marks regarding
how to document this, if a change in RFC 2401 etc is needed.
The draft for the second issue mainly describes the problem,
and documents some of the security implications. It also briefly
mentioned possible ways to reduce configuration effort. My interpretation
of the discussions was that some previous work had existed on
this space, but people were not sure if any new solutions were
needed for the ICMPv6 protection. The main discussion was
on the solutions, not the problem.
Now, what should we do then? The first issue looks like an
existing problem in typical IPsec situations when IPv6 is
used. It has an easy solution which most vendors with IPv6 IKE
have adopted. I think we should document the issue and
the solution, to ensure that future implementors don't have to
reinvent the wheel, and more importantly, to ensure interoperability.
I happen to believe in small RFCs and quick progress, so
I'd rather see this documentation as a separate RFC rather
than updated RFC 2401, which might take ages. Therefore,
I'm proposing that the WG adopts the first draft as
an official work item. (Also, I'd be very interested in
testing this against other folks in the Espoo bakeoff
the week after next week.)
Regarding the second issue, I'm even myself unsure if
we need any new solutions, hence any development of
possible configuration effort reductions is propably not
warranted. However, here too we should perhaps document
the issue. Shouldn't we then adopt also the second
draft as a work item as well, but not add any more detail
on possible solutions?
Jari
-----
Last meetings's minutes:
> IPSEC and IPV6
>
> 1. Jari Arkko presented the draft on Effects on ICMPv6 on IKE and
> IPsec Policies. This draft covers a problem with circular icmp
> traffic.
>
> 2. Jari Arkko also presented the draft on Manual SA Configuration for IPv6
> Link Local Messages. Analyzed of icmpv6 security implications. Table
> presented that showed control functions against weak and strong attackers
> at low and high levels. DoS for weak attackers under higher layer security;
> man in the middle, spying, and impersonation for all attackers under no
> higher layer security; identity selection in all situations, if stateful...
> He presented possible ways to reduce the configuration effort which was
> about twice the SAs as the number of nodes.
>
> Comments: Dan McDonald draft on link shared secret, presented in
> Adelaide to the v6 group and it could be dragged back up to help with
> the manual configuration.
>
> Steve Kent suggested that we need a more complete story in order to
> motivate people.
>
> We'll need more discussion on the mailing list to see how to proceed
> with both of these.
The drafts:
>Effects of ICMPv6 on IKE and IPsec Policies
>http://search.ietf.org/internet-drafts/draft-arkko-icmpv6-ike-effects-00.txt
>
>Manual SA Configuration for IPv6 Link Local Messages
>http://search.ietf.org/internet-drafts/draft-arkko-manual-icmpv6-sas-00.txt