[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: opportunistic encryption deployment problems

To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Subject: Re: opportunistic encryption deployment problems
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
Date: Mon, 20 Aug 2001 17:00:06 -0400
cc: ipsec@lists.tislabs.com, design@lists.freeswan.org, Wes Hardaker <wes@hardakers.net>, Hugh Daniel <hugh@road.xisp.net>
In-reply-to: Your message of "Sun, 19 Aug 2001 13:19:59 EDT." <200108191720.f7JHKoE07868@marajade.sandelman.ottawa.on.ca>
Reply-to: sommerfeld@East.Sun.COM
Sender: owner-ipsec@lists.tislabs.com

I very much like the concept of opportunistic use of IPsec, but I'm
deeply concerned about several aspects of the FreeS/WAN approach.

There is (at least) one significant additional opportunity for
mischief in the absence of DNSSEC: because the DNSSEC record contains
not only IPsec parameters, but also a "tunnel to" address, it provides
an additional mechanism to subvert the routing of IP datagrams.

While an attacker capable of spoofing DNS might also be able to spoof
the A record, a spoofed "A" record:
 - will be visible to applications and in logs
 - will be trivially visible in traditional system status tools (e.g.,
netstat output).

If we assume spotty DNSSEC deployment (almost a certainty), the
combination of a secured forward zone and an unsecured inverse zone is
extremely likely, and in this case, an unauthenticated tunnel-to
address is particularly problematic.

I'd like to suggest two changes to the proposal:

 1) in the absence of a secured inverse zone, disallow use of a
tunnel-to address different from the end system's address.
Alternatively, just use transport mode..

 2) Add a (necessarily unauthenticated) request-response protocol
(perhaps using IKE NOTIFY messages?) to attempt to determine whether a
destination is OE-capable, to be used if the appropriate reverse DNS
zone is insecure or does not contain OE info.  This also quite
effectively deals with the very common case where the host's
administrator has no control of the contents of the inverse zone.

While it's outside the scope of a protocol specification, the spec
should recommend that, in the absence of some form of certification,
implementations should make {dnsname,address}->key mappings "sticky"
using techniques similar to those currently used by ssh.

I also think that some more thought should be given to ways to use
opportunistic encryption in conjunction with the NAT traversal drafts;
the current draft encourages using cleartext communications on the
"inside" of the NAT, which is clearly the wrong answer when there's
802.11 on the "inside" of the NAT..

					- Bill

Follow-Ups:

Re: opportunistic encryption deployment problems

From: "Jari Arkko" <jari.arkko@kolumbus.fi>

References:

Re: opportunistic encryption deployment problems

From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

Prev by Date: RE: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits of , i-cookie=0
Next by Date: Re: Bakeoff summary
Prev by thread: Re: opportunistic encryption deployment problems
Next by thread: Re: opportunistic encryption deployment problems
Index(es):
- Main
- Thread