Re: Peer liveliness

To: Gregory Lebovitz <Gregory@netscreen.com>

Subject: Re: Peer liveliness

From: Ravi <ravivsn@roc.co.in>

Date: Mon, 05 May 2003 09:50:31 +0530

CC: Michael Choung Shieh <mshieh@netscreen.com>, "'ddukes@cisco.com'"<ddukes@cisco.com>, ipsec@lists.tislabs.com

References: <541402FFDC56DA499E7E13329ABFEA87E66CDA@SARATOGA.netscreen.com>

Sender: owner-ipsec@lists.tislabs.com

User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Title:

Hi, In the text below, I also try to use the same terminology used by you. Rebooted Peer and Persistent Peer. In your email, under 'Recommendations to solve the solution', regarding second point: In my view, whether Peer is alive or not does not solve the problem completely. Persistent node should know aliveness of Tunnel on the other side. It is possible that peer reboots and responds to DPD requests, but tunnels are not there. We should have a mechanism to detect the Tunnel aliveness. With respect to DoS attack: You addressed the issue of DoS attack on the persistent side. I am also concerned about DoS attack on rebooting machine. If MITM keeps sending the packets with some dummy SPI and valid source IP, then the IPSEC SG keeps sending the INVALID_SPI and for this,it keeps creating IKE SAs. That is one of the reason, some implementations do not support generationof INVALID_SPI notifications. I feel that having a standard and interoperable mechanism to detect the dead tunnels will solve the problem. regards, Ravi

 [WE] won't achieve interoperability unless it's mandated that 
[IMPLEMENTORS] must

reply INVALID_SPI (in clear or initiate IKE back to the 
sender) whenever it
receives bad spi packets.  Current IKEv2 draft doesn't 
address this issue
(only states you MAY reply a clear notify message).

IKEv1 vendors has implemented many ways to solve it which leave poor
interoperability.  We should just pick a method and clarify 
it in IKEv2. 
===============
Michael Shieh


We have been having quite a debate in the ICSA IPsec consortium mail list
recently trying to figure out how to handle this in IKEv1 (YES, STILL!!!)

Here is what we know for sure of this problem statement:
(a) detecting liveness/deadness of peer is a good thing, but does not solve
all the failure cases in and of itself
 (b) the behavior of a recently rebooted device when it receives an
encrypted packet for an SPI or IKE-SA not in its SADB MUST be mandated, or
else implementations will not interoperate (as is the case in IKEv1, 5 years
later).
 (c) the behavior of a peer that receives a new IKE from a peer that it has
an existing IKE-SA with (i.e. the rebooted peer that is trying to initiate a
new connection) MUST be mandated, or else implementations will not
interoperate (as is the case in IKEv1, 5 years later).

Darren Dukes wrote:

I believe INVALID_SPI does what you are looking for.  If I receive an
INVALID_SPI notify via an IKE SA I know to delete the SA and 
traffic will
bring up a new one.


I don't believe this will work, since it assumes that an IKE SA is
established. In the scenario, the IKE-SA would have been lost along with the
SPI of the CHILD-SA by the rebooted peer. 

Recommendations to solve the solution:
- the empty notify as an aliveness check is a good idea. It accomplishes
what the DPD draft did. Keep using this.

- do what you can to use empty notify to detect dead peer ASAP. The faster
the persisting peer can delete the old SPI and IKE-SA, the better. The best
case is for Persisting Peer to detect death and initiate new IKE to rebooted
peer before rebooted peer gets packets with old SPI, IKE-SA.

- On the Rebooted peer side: If an implementation receives a protected
packet from an unkown SPI,  
 - simply relying on sending back an unprotected INVALID_SPI is not a good
idea. It is too easy to DoS the persisting peer by simply spoofing the
rebooted peer's address.
 - initiate IKE to the persisting peer.

- On the Persisting Peer:
 - If you get a new IKE request from a peer already in your SADB, respond
with the under-attack, 6 message method. This will mitigate the DoS attack.
If you get all the way through SA and TS negotiation successfully, you are
assured (unless I'm missing something) that this really is your peer, and
that he re-initiated because he lost the original IKE-SA. Start using the
new IKE-SA and the new CHILD-SA and delete the previous ones after some wait
period.

Would this proposal explicitly solve things?

Gregory.

--
signature

The views presented in this mail are completely mine. The company is not responsible for whatsoever.

Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184

ROC home page