[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Is TS agreement necessary?

To: "Scott G. Kelly" <skelly@SonicWALL.com>, "Mike Ditto" <ford@incog.com>
Subject: RE: Is TS agreement necessary?
From: "Rajesh Mohan" <Rajesh.Mohan@nexsi.com>
Date: Wed, 3 Apr 2002 11:35:16 -0800
Cc: <ipsec@lists.tislabs.com>
Sender: owner-ipsec@lists.tislabs.com
Thread-Index: AcHbPxeXaRShNzziTfq1lhtLtKd92wABnttg
Thread-Topic: Is TS agreement necessary?



> -----Original Message-----
> From: Scott G. Kelly [mailto:skelly@SonicWALL.com]
> Sent: Wednesday, April 03, 2002 9:33 AM
> To: Mike Ditto
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Is TS agreement necessary?
> 
> 
> Hi Mike,
> 
> Suppose, as you suggest, that we allowed negotiation of multiple SAs
> between two peers without specifying TS values. Ultimately, there must
> be *some* policy rule associated with each of these SAs since, as you
> suggest, the point is to somehow segregate traffic between them. That
> is, for a given SA, some traffic is allowed, and some is not. Please
> elaborate upon how we determine which traffic is appropriate 
> for each SA
> once they are established.

In my case, on the sender side, I would decide on a tunnel based on VLAN ID or the port from which the packet was received. The selectors in IPSec makes it less flexible for applications like these.

> 
> As an aside, can you tell us why wildcard TS values do not 
> satisfy your
> requirements in the same way that omitting TS values would?
> 

0.0.0.0/0 is used to mean "allow tunnel traffic only". Something like "allow all traffic from tunnel" will be useful. A tunnel without selectors can be used for that.


> Thanks,
> 
> Scott
> 
> Mike Ditto wrote:
> > 
> > Hypothesis:  If we were satisfied to let all traffic of equivalent
> > security characteristics (identities, transforms, etc.) 
> share a single
> > SA (or to be distributed arbitrarily among multiple 
> equivalent SAs), we
> > wouldn't need any traffic selector agreement (or 
> negotiation, whatever)
> > protocol.  TS payloads tell the other end how you want your traffic
> > segregated between multiple equivalent SAs, and when it 
> must negotiate a
> > new SA even though there already exists one with the right 
> parameters.
> > 
> > In case I'm not being clear with terminology, by "traffic 
> segregation" I
> > mean segregation of traffic from multiple sources (i.e. users) but
> > equivalent IPsec security parameters into different SAs to protect
> > mutually distrusting users against known-plaintext or DoS 
> attacks from
> > other users of the same secure tunnel.
> > 
> > Eliminating TS agreement would solve the dynamic ports problem and
> > eliminate my other complaint about IKE, already much too verbosely
> > discussed recently here.  But then, how to solve the 
> traffic segregation
> > problem?
> > 
> > What if this kind of traffic segregation was performed at 
> the sender's
> > discretion?  I.e. each end independently decides how to 
> segregate the
> > traffic it sends, and accepts the other end's choice as 
> long as it meets
> > the general security parameters required by the policy.  During SA
> > establishment, the initiator specifies in an abstract way 
> the degree of
> > sharing to apply to each proposed SA (pair).  I see three levels of
> > sharing being important: completely shared, unique address, 
> and unique
> > session.  Unique address means that once the SA (pair) has 
> been used to
> > talk to a particular remote address, it can't be used for 
> sending to any
> > other remote address.  Unique session means the analogous thing with
> > session, where "session" is defined by the implementation.  A
> > recommended model for defining "session" would be based on 
> the TCP/UDP
> > 5-tuple, but implementations would be allowed to vary to 
> some degree.
> > 
> > This way, if my implementation considers the control 
> connection and the
> > data connections of an FTP session to be one "session", and 
> the other
> > end considers those to be multiple distinct "sessions", 
> there is still
> > interoperability.
> > 
> > It might be a good idea even to allow simple IPsec implementations
> > (e.g. for embedded use) not to implement traffic 
> segregation, falling
> > back to "completely shared" SAs, in a transparently 
> interoperable way.
> > 
> > Two questions:
> > 
> > Does this meet the requirements of those who strongly believe in the
> > importance of this kind of traffic segregation?  I'm not 
> such a strong
> > believer; most of the scenarios I've heard where it's 
> relevant seem to
> > have nearly identical weaknesses with and without traffic 
> segregation,
> > or are better handled by assigning unique identities to the unique
> > users.  But I'll take others' word that it's an important 
> capability,
> > and ask such people whether this proposal is sufficient.
> > 
> > Is this idea actually simpler than the workable 
> alternatives?  I haven't
> > seen a concrete proposal for extending TS to handle dynamic 
> ports, so I
> > can't offer an opinion on that alternative yet.
> > 
> >                                         -=] Mike [=-
>

Follow-Ups:
- Re: Is TS agreement necessary?
  - From: "Scott G. Kelly" <skelly@SonicWALL.com>
- Re: Is TS agreement necessary?
  - From: Bill Sommerfeld <sommerfeld@east.sun.com>

Prev by Date: Re: [mobile-ip] Re: replacing IPsec's replay protection?
Next by Date: Re: Is TS agreement necessary?
Prev by thread: Re: Is TS agreement necessary?
Next by thread: Re: Is TS agreement necessary?
Index(es):
- Date
- Thread