
Re: security policy discovery
> I've a question about IPsec and I'm not sure IPSP
> is the answer, therefore I'm asking it in this list.
>
> I assume Alice and Bob don't know each other, so
> they have no security association. Alice doesn't care
> about security, but Bob cares.
>
I don't believe IPsec explicitly addresses this case,
in the sense of saying what endpoints MUST do in some
interoperable sense. Many people have asked for
"opportunistic encryption" where sessions are encrypted
if the endpoints discover they are capable of doing so,
but I don't believe that is specified anywhere either.

Both of these things *could* be done in a way that
follows the spec; it's just that the spec doesn't say
how.

> Alice sends a packet to Bob for the first time. It is not
> an IKE, JFK packet. It is the actual packet of a session
> (e.g. TCP SYN).
>
> Bob doesn't want to communicate unless a security
> association is established.
>
I believe that the IPsec architecture does not
envision this configuration. I believe it assumes
that the initiator decides whether a protected
channel should be established. In this case, Bob
would drop the packet. If Alice is capable of speaking
ESP should Bob want it, Alice should attempt it
before sending the first packet.

One could imagine, however, Bob seeing the unprotected
packet and letting that trigger an IKE SA setup. The
initial TCP SYN would be dropped, but if it was still
being retried when the ESP SA comes up, Alice would send
one of the retried packets inside the ESP SA and the
conversation would ensue. Alternately, one could
imagine Bob passing on a limited class of packets (like
TCP SYN) and letting the response packet trigger the
setup of the ESP SA.

> What happens in this case? Bob replies with IKE/JFK?
> Or Alice detects Bob's security policy before attempting
> to communicate?

I believe there is no defined security policy
discovery protocol. There may be a defined ICMP response
to the dropped packet indicating that IPsec was
needed (which could trigger Alice's initiating an
SA).


          --Charlie Kaufman

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
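The timing argument in the reply above (Bob drops the bare SYN, uses it to start IKE, and one of Alice's retransmissions later goes out inside the ESP SA) only works if the IKE exchange finishes inside TCP's SYN retry window. The following simulation is an added example and is not code from the message, from RFC 4301, or from any IPsec implementation. It models Bob's inbound SPD lookup with the three RFC 4301 actions (BYPASS, DISCARD, PROTECT) plus the two extensions the reply sketches ("trigger": drop and start IKE; "pass_syn": admit the bare SYN and let Bob's own SYN-ACK trigger the SA). The SPD contents, the SYN retransmission schedule, and the `ike_latency` parameter are constructed assumptions, and the SA is assumed to become usable on both ends at the same instant.

```python
"""Added illustration of the responder-side options discussed in the reply.
Not code from the IPsec list, RFC 4301 or any IPsec stack; the SPD, the TCP
retransmission schedule and the IKE latency are constructed values."""

from dataclasses import dataclass
from typing import List, Optional

# Cumulative send times (seconds) of a TCP SYN and its retransmissions for a
# 1 s initial RTO with exponential backoff (constructed; real stacks differ).
SYN_SCHEDULE = [0.0, 1.0, 3.0, 7.0, 15.0, 31.0]


@dataclass
class Packet:
    t: float            # arrival time at Bob
    dport: int
    syn_only: bool      # TCP SYN without ACK, i.e. a new connection attempt
    protected: bool     # arrived inside an ESP SA


@dataclass
class Outcome:
    mode: str
    sa_ready_at: Optional[float]    # when the ESP SA exists on both ends
    connected_at: Optional[float]   # first session packet Bob accepts
    plaintext_dropped: int          # unprotected packets Bob discarded
    in_clear: bool                  # connection went through unprotected


class Responder:
    """Bob.  spd maps destination port -> BYPASS / PROTECT (anything else is
    DISCARD).  RFC 4301 gives a responder no way to *start* an SA on receipt
    of an unprotected packet, so everything beyond PROTECT => drop is an
    extension selected by `mode` ('drop', 'trigger' or 'pass_syn')."""

    def __init__(self, mode: str, ike_latency: float):
        self.mode = mode
        self.ike_latency = ike_latency
        self.spd = {22: 'PROTECT', 80: 'BYPASS'}   # constructed policy table
        self.sa_ready_at: Optional[float] = None
        self.dropped = 0

    def start_ike(self, t: float) -> None:
        if self.sa_ready_at is None:              # one IKE run at a time
            self.sa_ready_at = t + self.ike_latency

    def sa_up(self, t: float) -> bool:
        return self.sa_ready_at is not None and t >= self.sa_ready_at

    def inbound(self, pkt: Packet) -> str:
        """Returns 'accept' (under ESP), 'bypass' (in the clear) or 'drop'."""
        if pkt.protected:
            return 'accept' if self.sa_up(pkt.t) else 'drop'
        action = self.spd.get(pkt.dport, 'DISCARD')
        if action == 'BYPASS':
            return 'bypass'
        if action == 'PROTECT':
            if self.mode == 'trigger':
                self.start_ike(pkt.t)             # packet is only a trigger
            elif self.mode == 'pass_syn' and pkt.syn_only:
                # Admit the bare SYN; Bob's SYN-ACK then hits his own
                # outbound PROTECT policy with no SA and starts IKE.
                self.start_ike(pkt.t)
                return 'bypass'
        self.dropped += 1
        return 'drop'


def simulate(mode: str, ike_latency: float, dport: int = 22,
             schedule: List[float] = SYN_SCHEDULE) -> Outcome:
    """Alice opens a TCP connection to Bob:dport with no SA in place.  She
    sends plaintext until her side of the SA is up, then wraps every
    retransmission in ESP."""
    bob = Responder(mode, ike_latency)
    for t in schedule:
        verdict = bob.inbound(Packet(t, dport, True, bob.sa_up(t)))
        if verdict == 'accept':
            return Outcome(mode, bob.sa_ready_at, t, bob.dropped, False)
        if verdict == 'bypass':
            if bob.sa_ready_at is None:           # plain BYPASS policy
                return Outcome(mode, None, t, bob.dropped, True)
            # pass_syn: the handshake completes with Bob's first SYN-ACK
            # retransmission (same backoff schedule) sent after SA readiness.
            for r in schedule:
                if bob.sa_up(t + r):
                    return Outcome(mode, bob.sa_ready_at, t + r, bob.dropped, False)
            break
    return Outcome(mode, bob.sa_ready_at, None, bob.dropped, False)


if __name__ == "__main__":
    for mode in ('drop', 'trigger', 'pass_syn'):
        for latency in (2.5, 40.0):
            print(simulate(mode, latency))
```

With a 2.5 s IKE latency both extensions connect on the retransmission at t=3; with the pure RFC 4301 responder behaviour the connection never comes up, and with an IKE run longer than the last retransmission (31 s here) neither extension helps either, because nothing is left to retry. The `pass_syn` mode also makes the cost of the second alternative visible: the SYN itself crosses the network in the clear, which is exactly the information an opportunistic scheme leaks before protection starts.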