
Re: Peer liveliness

>>>>> "suren" == suren  <suren@intotoinc.com> writes:
    suren> The mechanism you suggested (INITIAL-CONTACT + rebooted-peer
    suren> initiating IKE (with those two conditions) + aliveness detection)
    suren> may not work in the scenario of a roaming client.

  I partially agree.
  I think that DPD can be made to work for most remote-access scenarios.

    suren> Suppose a roaming client (with a dynamic IP address) tunnels to a
    suren> corporate network, and the corporate SG is acting as responder only.
    suren> Now if the
    suren> corporate SG is rebooted, it is not able to send INITIAL_CONTACT

  The situation of rebooting the SG is not an isolated case.

  This is a general problem with any system where all the policy is not known
at boot time. In the end game of IPsec on every host, and applications asking
for security, this will be very common.
  The Opportunistic Encryption system that the FreeS/WAN team has developed
has this problem as well.

  I have been working on a system of birth certificates, as first suggested by
Bill Summerfeld. In such a system, when a system receives an ESP (AH) packet
with an unknown SPI, it emits a digitally signed message giving its boot
count. The signature need only be done once per boot.

  If one receives such a message, and it is greater than a boot count sent
in IKE for that connection, then one starts phase 1 again. Sounds simple,
doesn't it?

  There are a number of details that need to be resolved:
  1) what is the form of the message? ICMP? UDP to port 500?
     ICMP may be hard for the IKE daemon to actually get, but is 
     architecturally cleaner.

  2) the signature block should be kept as simple as possible.
     What if the host has multiple identities?
     Is the IP address that one originates from included in the signature?

  3) the boot count keeps replays from previous reboots, but
     does not keep the packet from the current reboot from being 
     replayed, causing potential DOS on IKE.

     As such, I'd want to have the IKE do some kind of accelerated
     DPD in IKE when it gets this signal that the host has rebooted.
     
     An attacker could also be generating ICMP port unreachables as well.

    suren> Suren.

    suren> Intoto Inc.
    suren> 3160, De La Cruz Blvd #100
    suren> Santa Clara, CA
    suren> www.intotoinc.com

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
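
Worked example (added here; it is not part of the message above and is not
FreeS/WAN code): a Go model of the birth-certificate exchange described in the
message. It assumes an Ed25519 signature over the boot count and the host's
identity, leaves the message form and transport (ICMP vs UDP to port 500) out
entirely, and the types Host, PeerState and BirthCert are invented for the
example. It covers the three cases raised under point 3: a certificate with a
higher boot count restarts phase 1, a replay from an earlier boot is dropped,
and a replay of the current boot's certificate, which the boot count alone
cannot detect, only triggers accelerated DPD instead of tearing down the SAs.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Action is what the receiver of a birth certificate decides to do with it.
type Action int
const (
	Drop           Action = iota // bad signature, or boot count older than the one seen in IKE
	RestartPhase1                // boot count advanced: the peer really rebooted, redo phase 1
	AcceleratedDPD               // same boot count as recorded: possibly a replay, probe with DPD
)
func (a Action) String() string { return [...]string{"drop", "restart-phase1", "accelerated-dpd"}[a] }

// BirthCert is the signed "this is my N-th boot" message (layout assumed for this example).
type BirthCert struct {
	Identity  string
	BootCount uint64
	Sig       []byte
}

func tbs(identity string, bootCount uint64) []byte { // bytes under the signature: boot count, then identity
	buf := make([]byte, 8, 8+len(identity))
	binary.BigEndian.PutUint64(buf, bootCount)
	return append(buf, identity...)
}

// Host models the gateway: boot counter, signing key, the certificate signed once per boot, known inbound SPIs.
type Host struct {
	Identity  string
	Pub       ed25519.PublicKey
	BootCount uint64 // persistent across reboots; this is what gets sent in IKE phase 1
	priv      ed25519.PrivateKey
	cert      *BirthCert
	spis      map[uint32]bool
}

func NewHost(identity string) *Host {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Host{Identity: identity, Pub: pub, priv: priv, spis: map[uint32]bool{}}
}

// Reboot bumps the counter, forgets every SA and signs the new certificate: the only signing per boot.
func (h *Host) Reboot() {
	h.BootCount++
	h.spis = map[uint32]bool{}
	h.cert = &BirthCert{Identity: h.Identity, BootCount: h.BootCount,
		Sig: ed25519.Sign(h.priv, tbs(h.Identity, h.BootCount))}
}
func (h *Host) AddSA(spi uint32) { h.spis[spi] = true } // inbound SA negotiated in this boot

// ReceiveESP returns nil for a known SPI (normal ESP processing) and the cached certificate otherwise.
func (h *Host) ReceiveESP(spi uint32) *BirthCert {
	if h.spis[spi] {
		return nil
	}
	return h.cert
}

// PeerState is what the other side remembers about a peer from IKE phase 1.
type PeerState struct {
	Identity  string
	Pub       ed25519.PublicKey
	BootCount uint64
}

// HandleBirthCert: a valid certificate with a higher boot count means the peer rebooted. A lower
// count is a replay from an earlier boot. An equal count cannot be told from a replay within this boot.
func (p *PeerState) HandleBirthCert(c *BirthCert) Action {
	if c.Identity != p.Identity || !ed25519.Verify(p.Pub, tbs(c.Identity, c.BootCount), c.Sig) {
		return Drop
	}
	if c.BootCount < p.BootCount {
		return Drop // replay from a previous boot
	}
	if c.BootCount == p.BootCount {
		return AcceleratedDPD // probe the peer instead of restarting phase 1 on every packet
	}
	p.BootCount = c.BootCount
	return RestartPhase1
}

func main() {
	sg := NewHost("sg.example")
	sg.Reboot() // boot 1; the client learns the boot count in phase 1 and gets an SA
	client := &PeerState{Identity: sg.Identity, Pub: sg.Pub, BootCount: sg.BootCount}
	sg.AddSA(0x1001)
	old := sg.ReceiveESP(0xdead) // unknown SPI during boot 1 yields the boot-1 certificate
	sg.Reboot()                  // boot 2: SPI 0x1001 is now unknown
	fresh := sg.ReceiveESP(0x1001)
	fmt.Println(client.HandleBirthCert(fresh)) // restart-phase1
	fmt.Println(client.HandleBirthCert(fresh)) // accelerated-dpd (replay in the current boot)
	fmt.Println(client.HandleBirthCert(old))   // drop (replay from the previous boot)
}
```

Only the identity and boot count are signed here; whether the originating IP
address belongs in the signature (point 2 above) is left open, as in the
message. Note that an attacker who captures the current boot's certificate can
replay it at will, so the DPD path it triggers needs rate limiting in a real
implementation.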
