
Re: security policy discovery



On Thu, 12 Sep 2002 Charlie_Kaufman@notesdev.ibm.com wrote:

>
> > I've a question about IPsec and I'm not sure IPSP
> > is the answer, therefore I'm asking it in this list.
> >
> > I assume Alice and Bob don't know each other, so
> > they have no security association. Alice doesn't care
> > about security, but Bob cares..
> >
> I don't believe IPsec explicitly addresses this case,
> in the sense of saying what endpoints MUST do in some
> interoperable sense. Many people have asked for
> "opportunistic encryption" where sessions are encrypted
> if the endpoints discover they are capable of doing so,
> but I don't believe that is specified anywhere either.
>

http://www.ietf.org/internet-drafts/draft-richardson-ipsec-opportunistic-10.txt



> Both of these things *could* be done in a way that
> follows the spec; it's just that the spec doesn't say
> how.
>
> > Alice sends a packet to Bob for the first time. It is not
> > an IKE, JKF packet. It is the actual packet of a session
> > (e.g. TCP SYN).
> >
> > Bob doesn't want to communicate unless a security
> > association is established.
> >
> I believe that the IPsec architecture does not
> envision this configuration. I believe it assumes
> that the initiator decides whether a protected
> channel should be established. In this case, Bob
> would drop the packet. If Alice is capable of speaking
> ESP if Bob wants to do so, Alice should attempt it
> before sending the first packet.
>
> One could imagine, however, Bob seeing the unprotected
> packet and letting that trigger an IKE SA setup. The
> initial TCP SYN would be dropped, but if it was still
> being retried when the ESP SA comes up, Alice would send
> one of the retried packets inside the ESP SA and the
> conversation would ensue. Alternately, one could
> imagine Bob passing on a limited class of packets (like
> TCP SYN) and letting the response packet trigger the
> setup of the ESP SA.
>
> > What happens in this case? Bob replies with IKE/JFK?
> > Or Alice detects Bob's security policy before attempting
> > to communicate?
>
> I believe there is no defined security policy
> discovery protocol.

Ages ago, IPSP defined SPP (which I've yet to read):
http://www.ietf.org/internet-drafts/draft-ietf-ipsp-spp-01.txt

Scott Fluhrer recently (salt lake city? minneapolis?) presented TED
(Tunnel Endpoint Discovery). Sadly, that draft is now expired. I've
been thinking of adding some stuff and resubmitting this, if there's
sufficient interest. When we presented this, quite a few people seemed
interested. But, as seems normal for IPSP, things petered out and were
never heard from again... SPP was resubmitted as a result of Scott
presenting TED.

jan



> There may be a defined ICMP response
> to the dropped packet indicating that IPsec was
> needed (which could trigger Alice's initiating an
> SA).
>
>
>           --Charlie Kaufman
>
> Opinions expressed may not even be mine by the time you read them, and
> certainly don't reflect those of any other entity (legal or otherwise).
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe
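The responder-triggered setup described in the quoted reply (Bob drops the unprotected SYN, uses it to trigger IKE, and a retried SYN is delivered once the ESP SA exists) depends on a race between Bob's IKE setup time and Alice's SYN retransmission budget. The simulation below is an added example; it is not code from this thread, from the IETF drafts mentioned, or from any IPsec implementation. The SYN schedule and the IKE setup times are assumptions chosen to make the race visible.

```python
"""Responder-triggered IPsec SA setup versus TCP SYN retransmission.

Added example; not code from the original thread or from any IPsec
stack. It models the first option in the quoted reply: Bob drops
Alice's unprotected TCP SYN, uses it to trigger IKE, and a
retransmitted SYN gets through inside the ESP SA once it exists.
Every timing value below is an assumption chosen for illustration.
"""

# Assumed SYN (re)transmission times in seconds: the initial SYN at
# t=0 followed by exponential backoff. A constructed schedule, not a
# value taken from any particular TCP stack.
SYN_SCHEDULE = (0.0, 1.0, 3.0, 7.0, 15.0, 31.0)


def simulate(ike_setup_time, schedule=SYN_SCHEDULE):
    """Replay Alice's SYN schedule against Bob's "IPsec required" policy.

    ike_setup_time: assumed seconds between Bob seeing the first
    unprotected packet and the ESP SA being usable at both ends.
    Returns the time the first SYN was accepted (None if Alice's
    retries ran out first), how many SYNs Bob dropped, and an event log.
    """
    sa_ready_at = None      # when the ESP SA becomes usable, once triggered
    drops = 0
    events = []
    for t in schedule:
        if sa_ready_at is not None and t >= sa_ready_at:
            # Alice's stack now holds an SA matching Bob, so this retry
            # is sent inside ESP and Bob's policy accepts it.
            events.append((t, "SYN sent inside ESP, accepted"))
            return {"delivered_at": t, "drops": drops, "events": events}
        if sa_ready_at is None:
            # First unprotected packet: Bob starts IKE toward Alice.
            sa_ready_at = t + ike_setup_time
            events.append((t, "unprotected SYN triggers IKE at Bob"))
        # Policy is protected-only, so the cleartext SYN is discarded.
        drops += 1
        events.append((t, "unprotected SYN dropped"))
    events.append((schedule[-1], "Alice's SYN retries exhausted"))
    return {"delivered_at": None, "drops": drops, "events": events}


def max_tolerable_ike_delay(schedule=SYN_SCHEDULE):
    """Longest IKE setup that still lets some retried SYN through."""
    return schedule[-1] - schedule[0]


if __name__ == "__main__":
    for delay in (0.5, 2.5, 10.0, 40.0):
        r = simulate(delay)
        print(f"IKE setup {delay:>5}s: delivered_at={r['delivered_at']}, "
              f"drops={r['drops']}")
    print(f"connection fails if IKE takes more than "
          f"{max_tolerable_ike_delay()}s")
```

Running it shows the practical cost of drop-and-trigger: the first-connection latency is not the IKE setup time but the first SYN retry at or after the SA comes up, and an IKE exchange slower than Alice's last retry means the connection never completes at all, even though both ends were willing to talk.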