Re: Peer liveliness
>>>>> "suren" == suren <suren@intotoinc.com> writes:
suren> The mechanism you suggested (INITIAL-CONTACT + rebooted-peer
suren> initiating IKE (with those two conditions) + aliveness detection)
suren> may not work in the scenario of a roaming client.
I partially agree.
I think that DPD can be made to work for most remote-access scenarios.
suren> Suppose, a Roaming client (with a dynamic IP address) tunnels to a
suren> Corporate network, and corporate SG is acting as responder only.
suren> Now if
suren> corporate SG is rebooted, it is not able to send INITIAL_CONTACT
The situation of rebooting the SG is not an isolated case.
This is a general problem with any system where all the policy is not known
at boot time. In the end game of IPsec on every host, and applications asking
for security, this will be very common.
The Opportunistic Encryption system that the FreeS/WAN team has developed
has this problem as well.
I have been working on a system of birth certificates, as first suggested by
Bill Summerfeld. In such a system, when a system receives an ESP (AH) packet
with an unknown SPI, it emits a digitally signed message giving its boot
count. The signature need only be done once per boot.
If one receives such a message, and it is greater than a boot count sent
in IKE for that connection, then one starts phase 1 again. Sounds simple,
doesn't it?
There are a number of details that need to be resolved:
1) what is the form of the message? ICMP? UDP to port 500?
ICMP may be hard for the IKE daemon to actually get, but is
architecturally cleaner.
2) the signature block should be kept as simple as possible.
What if the host has multiple identities?
Is the IP address that one originates included in the signature?
3) the boot count keeps replays from previous reboots, but
does not keep the packet from the current reboot from being
replayed, causing potential DOS on IKE.
As such, I'd want to have the IKE do some kind of accelerated
DPD in IKE when it gets this signal that the host has rebooted.
An attacker could also be generating ICMP port unreachables as well.
suren> Suren.
suren> Intoto Inc.
suren> 3160, De La Cruz Blvd #100
suren> Santa Clara, CA
suren> www.intotoinc.com
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
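Added example, not part of the original message and not FreeS/WAN code: a Python sketch of the birth-certificate exchange described above, written to show the three cases the message raises. The rebooted gateway answers an ESP packet with an unknown SPI by emitting a signed statement of its boot count (signed once per boot and then reused); the peer compares that count with the one it learned in IKE and restarts phase 1 only when the count has gone up; a certificate carrying the current boot count (a possible replay, point 3) triggers accelerated DPD rather than a teardown, and a certificate from an earlier boot is ignored. The wire format (a "BRTH" marker, host identity, boot count and originating IP followed by the tag), the message names and the use of HMAC-SHA256 over a constructed shared key in place of a public-key signature are all assumptions made so that this runs with the standard library only.

```python
"""Sketch of the birth-certificate idea from the message above.

A keyed MAC (HMAC-SHA256 over a constructed demo key) stands in for the
digital signature a real design would make with the host's IKE identity key.
The message layout and the action names are assumptions for this example.
"""
import hashlib
import hmac
import struct

# Constructed demo key: a real design would sign with the host's identity key.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
MAGIC = b"BRTH"  # assumed marker for the UDP payload
TAG_LEN = 32


def encode_birth_cert(host_id: bytes, boot_count: int, src_ip: str, key: bytes) -> bytes:
    """Serialise MAGIC | len | host_id | boot_count | len | src_ip and append the tag.
    The originating IP is covered by the tag so the certificate cannot be
    reused from another address (question 2 in the message)."""
    ip = src_ip.encode()
    body = (MAGIC + struct.pack("!B", len(host_id)) + host_id
            + struct.pack("!Q", boot_count) + struct.pack("!B", len(ip)) + ip)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decode_birth_cert(msg: bytes, key: bytes):
    """Verify the tag and return (host_id, boot_count, src_ip), or None if invalid."""
    if len(msg) < len(MAGIC) + 1 + 8 + 1 + TAG_LEN or msg[:4] != MAGIC:
        return None
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    off = 4
    hid_len = body[off]; off += 1
    host_id = body[off:off + hid_len]; off += hid_len
    (boot_count,) = struct.unpack("!Q", body[off:off + 8]); off += 8
    ip_len = body[off]; off += 1
    if off + ip_len != len(body):
        return None
    return host_id, boot_count, body[off:off + ip_len].decode()


class RebootingHost:
    """The security gateway: knows its boot count and its inbound SPIs."""

    def __init__(self, host_id: bytes, ip: str, boot_count: int = 1):
        self.host_id, self.ip, self.boot_count = host_id, ip, boot_count
        self.inbound_spis = set()
        self._cert = None  # signed once per boot, then reused

    def reboot(self):
        self.boot_count += 1
        self.inbound_spis.clear()  # all SAs are lost; policy may arrive later
        self._cert = None

    def receive_esp(self, spi: int):
        """Return None for a known SPI, otherwise the birth certificate to emit."""
        if spi in self.inbound_spis:
            return None
        if self._cert is None:
            self._cert = encode_birth_cert(self.host_id, self.boot_count, self.ip, DEMO_SIGNING_KEY)
        return self._cert


class Peer:
    """The other end: remembers the boot count each peer reported during phase 1."""

    def __init__(self):
        self.boot_count_seen = {}  # host_id -> boot count learned in IKE

    def learned_in_ike(self, host_id: bytes, boot_count: int):
        self.boot_count_seen[host_id] = boot_count

    def handle_birth_cert(self, msg: bytes) -> str:
        parsed = decode_birth_cert(msg, DEMO_SIGNING_KEY)
        if parsed is None:
            return "drop"  # bad tag or malformed: forged or corrupted
        host_id, boot_count, _src_ip = parsed
        known = self.boot_count_seen.get(host_id)
        if known is None:
            return "ignore"  # no IKE SA with this host; nothing to restart
        if boot_count > known:
            return "restart-phase1"  # the host rebooted since phase 1
        if boot_count == known:
            # Same boot: could be a replay aimed at making us tear down IKE.
            # Do not act on its word alone; probe with accelerated DPD.
            return "accelerated-dpd"
        return "ignore"  # stale certificate from an earlier boot


def demo() -> dict:
    """Walk through the cases: normal traffic, reboot, replay, stale cert, forgery."""
    sg = RebootingHost(b"sg.example.net", "192.0.2.1")
    client = Peer()
    spi = 0x1234ABCD
    sg.inbound_spis.add(spi)
    client.learned_in_ike(sg.host_id, sg.boot_count)
    out = {"known_spi": sg.receive_esp(spi) is None}
    old_cert = sg.receive_esp(0xDEADBEEF)  # unknown SPI during boot 1
    sg.reboot()
    cert = sg.receive_esp(spi)             # the SPI is unknown after the reboot
    out["after_reboot"] = client.handle_birth_cert(cert)
    client.learned_in_ike(sg.host_id, sg.boot_count)  # phase 1 redone
    out["replay_same_boot"] = client.handle_birth_cert(cert)
    out["stale_previous_boot"] = client.handle_birth_cert(old_cert)
    out["tampered"] = client.handle_birth_cert(cert[:-1] + bytes([cert[-1] ^ 1]))
    return out


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

The host identity in the tag answers the multiple-identities question only partially: a host with several identities would need either one certificate per identity or a certificate naming the identity the peer is expected to check, and the peer would have to index its remembered boot counts by that identity rather than by address.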