
Re: Tunnel Mode and Auditable Events



Hi

>  In your previous mail you wrote:
> 
>    I have two questions:
>    1) Why is it necessary for an SA involving a Security Gateway to be in
>    Tunnel Mode?
>    
> => because SAs in transport mode are end-to-end and the term Security
> Gateway includes the gateway notion, i.e. the opposite of end-to-end.
> This is only a question of terminology, you can have a transport mode SA
> between two nodes which are security gateways too, but RFC 2401 section
> 4.3 way to describe things, they are hosts which are also security
> gateways.

I don't know if "a question of terminology" is the right term here, though it may be sufficient for the end user. I'll try to give some extra info here.
Let's take two hosts, A and B:

Scenario 1: A may communicate directly with B, with end-to-end security; this is transport mode. There are no intermediates.

Scenario 2: A is behind a security gateway GA, B is behind a security gateway GB. E.g., A would send in-clear packets to B, but it is not in the company policy: for B's network, GA's policy database states that encryption should be used. GA encrypts A's packets and sends them to GB, which decrypts them and forwards them to B. This is a tunnel mode operation.

Note that a gateway may use transport mode if it acts as a host: GA may be configured securely from a host in GA's network using transport mode.

>    2) What are auditable events (how are they defined?)?
>    
> => look at RFC 2401 section 7.

Good catch. RFCs 2401 and 2411 are good entrances and references for IPsec standards.

> 
> Regards
> 
> Francis.Dupont@enst-bretagne.fr
> 
> PS: IMHO everything is already in RFCs 240x but they are not the best
> written documents so you can have some difficulties to understand some
> small but so important details...

I wanted to have a closer (though not exhaustive) look:
~/documents/ietf/rfc/ipsec$ grep -B 1 -A 1 -n "auditable" * | more
(I cleaned the output and joined it below for people interested)

It appears that:

* An auditable event *usually* occurs when it should not; the audit function keeps track of such a problem: sequence number overflow, wrong combination of two null algorithms, wrong processing required, validation failed, misconfigured option...

* Some auditable events are given in the 240xs; if these events are taken into account by an implementation, some information SHOULD be included (SPI, date, time, source...) and some additional information MAY be included.

* Which events to audit, and with which granularity, is above all a local matter.

Hope it helps.

--
Jean-Jacques Puig



rfc2401.txt-1199-	"Sequence Counter Overflow: a flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent transmission of additional packets..."

rfc2401.txt-1650-	"...determine what processing is required for the packet.  If the packet is to be discarded, this is an auditable event.  If the traffic is allowed to bypass IPsec processing, the packet continues through..."

rfc2401.txt-1688-	"...ESP SA that employs both a NULL encryption and a NULL authentication algorithm.  An attempt to negotiate such an SA is an auditable event..."

rfc2401.txt-2138-	"...the most part, the granularity of auditing is a local matter. However, several auditable events are identified in the AH and ESP specifications and for each of these events a minimum set..."

rfc2401.txt-2145-	"...no requirement for the receiver to transmit any message to the purported transmitter in response to the detection of an auditable event, because of the potential to induce denial of service..."

rfc2402.txt-437-	"An attempt to transmit a packet that would result in Sequence Number overflow is an auditable event.  (Note that this approach to Sequence Number management does not require use of modular arithmetic.)."

rfc2402.txt-689-	"...i.e., the OFFSET field is non-zero or the MORE FRAGMENTS flag is set, the receiver MUST discard the packet; this is an auditable event. The audit log entry for this event SHOULD include the SPI value..."

rfc2402.txt-712-	"...receiver has no key), the receiver MUST discard the packet; this is an auditable event.  The audit log entry for this event SHOULD include the SPI value, date/time, Source Address, Destination..."

rfc2402.txt-772-	"...If the ICV validation fails, the receiver MUST discard the received IP datagram as invalid; this is an auditable event.  The audit log entry for this event SHOULD include the SPI..."

rfc2402.txt-806-	"...If the test fails, then the receiver MUST discard the received IP datagram as invalid; this is an auditable event.  The audit log entry SHOULD include the SPI value, date/time..."

rfc2402.txt-833-	"...part, the granularity of auditing is a local matter.  However, several auditable events are identified in this specification and for each of these events a minimum set of information that SHOULD be..."

rfc2402.txt-848-	"...receiver to transmit any message to the purported sender in response to the detection of an auditable event, because of the potential to induce denial of service via such action."

rfc2406.txt-634-	"...An attempt to transmit a packet that would result in Sequence Number overflow is an auditable event. (Note that this approach to Sequence Number management does not require use of modular arithmetic.)..."

rfc2406.txt-708-	"...i.e., the OFFSET field is non-zero or the MORE FRAGMENTS flag is set, the receiver MUST discard the packet; this is an auditable event. The audit log entry for this event SHOULD include the SPI value..."

rfc2406.txt-740-	"...example, the receiver has no key), the receiver MUST discard the packet; this is an auditable event.  The audit log entry for this event SHOULD include the SPI value, date/time received, Source..."

rfc2406.txt-805-	"...ICV verification.  If the ICV validation fails, the receiver MUST discard the received IP datagram as invalid; this is an auditable event.  The audit log entry for this event SHOULD include the SPI..."

rfc2406.txt-828-	"...and it is accepted.  If the test fails, then the receiver MUST discard the received IP datagram as invalid; this is an auditable event.  The log data SHOULD include the SPI value, date/time..."

rfc2406.txt-946-	"...part, the granularity of auditing is a local matter.  However, several auditable events are identified in this specification and for each of these events a minimum set of information that SHOULD be..."

rfc2406.txt-961-	"...receiver to transmit any message to the purported sender in response to the detection of an auditable event, because of the potential to induce denial of service via such action."

rfc2407.txt-1033-	"...other values, this MUST be treated as an error and the security association setup MUST be aborted.  This event SHOULD be auditable."
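The two scenarios from the mail (transport mode end-to-end between A and B, tunnel mode between the gateways GA and GB, plus the gateway acting as a host), as an added example that is not from the original post or from the RFCs. Hosts, gateways, addresses, SPD entries and the ESP wrapper are all constructed; there is no real cryptography, the point is only where the headers end up. The refusal of transport mode in `outbound` when the node is not the packet's own source is my reading of RFC 2401 section 4.3, not text quoted on the page.

```python
"""Transport mode versus tunnel mode: a toy model of the mail's two scenarios."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: str          # "tcp" for cleartext traffic, "esp" once protected

@dataclass(frozen=True)
class ESP:
    spi: int
    next_header: str    # "tcp" in transport mode, "ipv4" in tunnel mode
    inner: object       # transport: the transport payload; tunnel: the whole inner packet

@dataclass(frozen=True)
class Packet:
    hdr: IPHeader
    payload: object

@dataclass(frozen=True)
class SPDEntry:
    dst_net: str        # selector: destination network
    action: str         # "protect", "bypass" or "discard"
    mode: str = ""      # "transport" or "tunnel" when action == "protect"
    peer: str = ""      # tunnel endpoint: the remote security gateway
    spi: int = 0

def spd_lookup(spd, pkt):
    """First match on destination address; no matching entry means discard (RFC 2401 sec. 4.4.1)."""
    for entry in spd:
        if ip_address(pkt.hdr.dst) in ip_network(entry.dst_net):
            return entry
    return SPDEntry(dst_net="0.0.0.0/0", action="discard")

def protect_transport(pkt, spi):
    """Scenario 1: the original IP header is kept; ESP sits between it and the payload."""
    return Packet(IPHeader(pkt.hdr.src, pkt.hdr.dst, "esp"),
                  ESP(spi, next_header=pkt.hdr.proto, inner=pkt.payload))

def protect_tunnel(pkt, spi, local_gw, peer_gw):
    """Scenario 2: the whole original packet becomes the ESP payload under a new outer header GA -> GB."""
    return Packet(IPHeader(local_gw, peer_gw, "esp"),
                  ESP(spi, next_header="ipv4", inner=pkt))

def outbound(node_addr, spd, pkt):
    """Outbound processing at node_addr: consult the SPD, then bypass, discard or protect."""
    entry = spd_lookup(spd, pkt)
    if entry.action == "discard":
        return None
    if entry.action == "bypass":
        return pkt
    if entry.mode == "transport":
        if pkt.hdr.src != node_addr:
            # Transport mode is end-to-end; a gateway forwarding for another host is not an endpoint.
            raise ValueError("a gateway forwarding another host's traffic must use tunnel mode")
        return protect_transport(pkt, entry.spi)
    return protect_tunnel(pkt, entry.spi, node_addr, entry.peer)

# Constructed addresses: A and B are hosts, GA and GB their security gateways.
A, B, GA, GB = "10.1.0.10", "10.2.0.20", "192.0.2.1", "198.51.100.1"

def scenario_1():
    """A protects its own traffic to B end-to-end (transport mode)."""
    spd_a = [SPDEntry("10.2.0.0/16", "protect", mode="transport", spi=0x100)]
    return outbound(A, spd_a, Packet(IPHeader(A, B, "tcp"), b"hello"))

def scenario_2():
    """A sends in the clear; GA's policy for B's network requires a tunnel to GB."""
    spd_ga = [SPDEntry("10.2.0.0/16", "protect", mode="tunnel", peer=GB, spi=0x200)]
    return outbound(GA, spd_ga, Packet(IPHeader(A, B, "tcp"), b"hello"))

def gateway_as_host():
    """GA configured from an admin host in its own network: GA is the endpoint, so transport mode fits."""
    admin = "10.1.0.99"
    spd_admin = [SPDEntry("192.0.2.1/32", "protect", mode="transport", spi=0x300)]
    return outbound(admin, spd_admin, Packet(IPHeader(admin, GA, "tcp"), b"ssh"))

if __name__ == "__main__":
    print(scenario_1())
    print(scenario_2())
    print(gateway_as_host())
```

In scenario 2 the outer header carries GA and GB, and A's original packet, header included, is the inner object; in scenario 1 and in the gateway-as-host case the original addresses stay in the only IP header. Asking GA to apply transport mode to A's packet raises, which is the "why must it be tunnel mode" point from the first question.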
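The auditable events collected in the grep output above (fragment received, no SA for the SPI, sequence number test failed, ICV validation failed, sequence counter overflow on transmit), as an added example that is not from the original mail or from any RFC implementation. It is a toy receiver that performs the inbound steps in the order RFC 2402/2406 give them, discards on each failure, records the fields the quoted text says the audit entry SHOULD include (SPI, date/time, source, destination), and never sends anything back to the purported sender. The truncated HMAC-SHA256 stands in for the SA's real algorithm; the SA table, key and packets are constructed sample data.

```python
"""Toy IPsec receiver and sender-side counter that log the RFC 240x auditable events."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac

SEQ_OVERFLOW = "sequence number overflow on transmit"
FRAGMENT = "fragment received for AH/ESP SA"
NO_SA = "no SA for SPI/destination (receiver has no key)"
REPLAY = "sequence number outside window or already seen"
BAD_ICV = "ICV validation failed"
MAX_SEQ = 0xFFFFFFFF

@dataclass(frozen=True)
class SA:
    spi: int
    key: bytes
    overflow_is_auditable: bool = True   # the "Sequence Counter Overflow" SA attribute of RFC 2401

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    spi: int
    seq: int
    payload: bytes
    icv: bytes
    frag_offset: int = 0
    more_fragments: bool = False

@dataclass(frozen=True)
class AuditEvent:
    """Minimum set the RFCs say SHOULD be logged: SPI, date/time, source, destination."""
    reason: str
    spi: int
    src: str
    dst: str
    seq: int
    time: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

def icv(key, seq, payload):
    """Stand-in integrity check value: truncated HMAC-SHA256 over sequence number and payload."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:12]

class ReplayWindow:
    """Sliding window as in RFC 2401 Appendix C: bit i set means sequence number last-i was accepted."""
    def __init__(self, size=64):
        self.size, self.last, self.bitmap = size, 0, 0
    def check(self, seq):
        if seq == 0:                       # the first packet on an SA carries sequence number 1
            return False
        if seq > self.last:
            return True
        diff = self.last - seq
        return diff < self.size and not (self.bitmap >> diff) & 1
    def update(self, seq):
        """Called only after the ICV verified, so a forged packet cannot advance the window."""
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

class Receiver:
    def __init__(self, sad):
        self.sad = sad                     # (spi, destination address) -> SA
        self.windows = {}
        self.audit_log = []
    def _audit(self, pkt, reason):
        self.audit_log.append(AuditEvent(reason, pkt.spi, pkt.src, pkt.dst, pkt.seq))
        return None                        # discard; no message goes back to the purported sender
    def process(self, pkt):
        if pkt.frag_offset != 0 or pkt.more_fragments:
            return self._audit(pkt, FRAGMENT)
        sa = self.sad.get((pkt.spi, pkt.dst))
        if sa is None:
            return self._audit(pkt, NO_SA)
        win = self.windows.setdefault(pkt.spi, ReplayWindow())
        if not win.check(pkt.seq):
            return self._audit(pkt, REPLAY)
        if not hmac.compare_digest(icv(sa.key, pkt.seq, pkt.payload), pkt.icv):
            return self._audit(pkt, BAD_ICV)
        win.update(pkt.seq)
        return pkt.payload

def next_seq(sa, counter, audit_log, src, dst):
    """Sender side: refuse to wrap the 32-bit counter; the attempt itself is the auditable event."""
    if counter >= MAX_SEQ:
        if sa.overflow_is_auditable:
            audit_log.append(AuditEvent(SEQ_OVERFLOW, sa.spi, src, dst, counter))
        return None
    return counter + 1

def run_demo():
    """Feed constructed packets through the receiver; returns (accepted payloads, audit reasons)."""
    sa = SA(spi=0x1001, key=b"constructed-sa-key")
    rx = Receiver({(sa.spi, "10.2.0.20"): sa})
    def pkt(seq, payload=b"data", key=sa.key, spi=sa.spi, **kw):
        return Packet("10.1.0.10", "10.2.0.20", spi, seq, payload, icv(key, seq, payload), **kw)
    results = [
        rx.process(pkt(1)),                        # accepted
        rx.process(pkt(1)),                        # replay of sequence number 1
        rx.process(pkt(2, more_fragments=True)),   # fragment
        rx.process(pkt(2, spi=0x9999)),            # unknown SPI: receiver has no key
        rx.process(pkt(2, key=b"wrong-key")),      # ICV failure; window must not advance
        rx.process(pkt(3)),                        # accepted
    ]
    tx_log = []
    next_seq(sa, MAX_SEQ, tx_log, "10.2.0.20", "10.1.0.10")   # would overflow
    return results, [e.reason for e in rx.audit_log + tx_log]

if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The two design points worth noticing are that the replay window is updated only after the ICV check passes, so an attacker cannot push the window forward with forged sequence numbers, and that every failure returns silently after logging, which is the "no requirement to transmit any message ... because of the potential to induce denial of service" clause quoted from RFC 2401 and 2402.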