[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
revised IPsec processing model

To: ipsec@lists.tislabs.com
Subject: revised IPsec processing model
From: Stephen Kent <kent@bbn.com>
Date: Thu, 17 Jul 2003 14:48:15 -0400
Sender: owner-ipsec@lists.tislabs.com
Folks,

Here is the new, proposed processing model for IPsec.  Comments 
welcome, of course.

Steve

------

The current IPsec subscriber traffic processing model, as defined in 
2401, is imprecise in several respects, and it does not accommodate 
some significant deployment use that have arisen, e.g., PPVPNs. 
Also, just as we have created the extended sequence number facility 
for AH and ESP to accommodate high speed (10Gb/s and beyond) 
implementations, there are changes one can make to the processing 
model to better accommodate traffic classification (for outbound 
traffic).  Finally, there are some simplifications one can make to 
the mode, consistent with the overall push for implementation 
simplification.

We first look at outbound traffic, which is where most of the 
proposed changes are visible, then examine inbound traffic 
processing. The focus here is on subscriber traffic, with some 
discussion of IKE traffic.

Several concepts underlie the proposed model:

- virtual interface: every IPsec device has at least one virtual 
interface, which may correspond to one physical interface (the common 
case). Multiple virtual interfaces may map to a single physical 
interface, e.g., for overlay nets, or one virtual interface may map 
to multiple virtual interfaces. The choice of a one-to-one, 
many-to-one, or one-to-many mapping for virtual to physical 
interfaces is a local matter, which each implementer is free to 
select apropos to the environment on which IPsec is implemented. 
Every virtual interface has an ID (VID), a purely local identifier, 
which is used with the forwarding function defined below, to select 
the virtual interface to which outbound traffic is directed. The VID 
is NOT technically a selector, because it does not need to appear in 
an SPD; rather it is used to select an appropriate SPD.

- forwarding function: to provide a clear separation between 
forwarding (routing) and security decisions, an explicit forwarding 
function is added. This function can be trivial, in the case where 
there is only one interface (virtual or physical). It may be complex 
if there are multiple interfaces and if the implementation elects to 
offer a more sophisticated form of route selection. The spec makes no 
assumptions about the internal operation of the function, other than 
to say that the whole packet is passed to it and the output is a VID. 
In turn, the VID is used to select the appropriate SPD.

	- SPD: the SPD is largely the same as currently defined. 
Instead of being defined on a per interface basis, it is now per 
virtual interface, and is labeled with a VID, as specified above. The 
new SPD will differ in terms of the selectors allowed (consistent 
with IKEv2). Rather than referring to separate SPDs for inbound vs. 
outbound traffic (pre interface) we will talk in terms of entries in 
each SPD being directional, i.e., there are separate inbound and 
outbound entries for each SPD for each virtual interface. This makes 
sense because the inbound and outbound entries are really linked.

	- SPD caches: the current processing model refers to 
searching the SPD for each outbound packet to determine how to 
process it, and to check inbound traffic after IPsec processing, to 
ensure that traffic arriving on an SA is consistent with the 
selectors defined when the SA was created. This is a potentially time 
consuming search process, in both directions, because of the need to 
search the SPD entries in the order specified by the administrator or 
user who created them. The search process also is ambiguous as 
currently defined, with regard to processing inbound packets.  To 
simplify the process, and to allow for very fast SA lookups, we 
introduce the notion of an outbound SPD cache (on a per virtual 
interface basis), and the caching of inbound SPD entries in two 
places. Since SPD entries may overlap, one cannot safely cache these 
entries in general. Simple caching might result in a match against a 
cache entry whereas a search of the SPD would have resulted in a 
match against a different entry. But, if we decorrelate the SPD, then 
the resulting entries can safely be cached. For outbound traffic, 
each cached entry maps to an SA, or indicates that matching traffic 
should be bypassed or discarded. For inbound traffic, the SPD cache 
serves as the reference for the selectors to be matched against 
arriving packets, or defines traffic to be bypassed or discarded. An 
algorithm for decorrelation was published as an ID some time ago, and 
I think there is at least one paper on the topic published as well. 
2401bis will not mandate a specific algorithm, but will include an 
example in an appendix.

With these concepts in mind, we can describe the revised model. First 
we examine outbound traffic processing.  (There is no separate 
discussion of fragment processing for now, as we await the WG 
decisions of several pending proposals re fragmentation.)

1. when a packet arrives from a subscriber interface, invoke the 
forwarding lookup function.

2. match the packet headers against the SPD cache specified by the 
VID from step 1

3a. if there is a match, then process the packet as specified by the 
matching cache entry, i.e., bypass, discard, or apply AH or ESP in 
the specified mode. If IPsec processing is applied, there is a link 
from the SPD cache entry to the relevant SAD entry (specifying the 
algorithms, keys, SPI, etc.). IPsec processing is as previously 
defined, for tunnel or transport modes and for AH or ESP, as 
specified.

3b. if no match, search the SPD that corresponds to this cache. If 
the SPD calls for bypass or discard, create a new outbound and 
inbound cache entries. If the SPD entry calls for creation of an SA 
(pair), the key management mechanism (e.g., IKEv2) is invoked to 
create the SA. If SA creation succeeds, a new outbound cache entry is 
created, along with an SAD entry, otherwise the packet is discarded, 
and an error is logged, and may be signaled. (A packet that triggers 
an SPD lookup MAY be discarded by the implementation, or it may be 
buffered and then processed against the newly created cache entry, if 
one is created.) The SAD entry contains the inbound selector values 
linked to the SPD entry used to create the inbound SA, to support 
checking of received traffic.

4. The VID assigned to the packet in step 1 (the forwarding lookup) 
is used to select the interface to which the packet is directed, 
after the specified processing (if any) is applied in step 3.

Inbound processing is somewhat different from outbound processing, 
largely because we use of SPIs to map IPsec traffic to SAs, vs. 
performing a lookup based on traffic selector values. However, we 
still have to perform traffic selector lookups for non-IPsec inbound 
traffic, to determine whether this traffic is to be discarded or 
bypassed. Thus an inbound IPsec cache is used to quickly process this 
traffic. The description below does not include reassembly 
processing, while we await a WG decision on the possibility of 
rejecting fragments for SAs from specified sources.

1. When a packet arrives, it is tagged with a VID. This ID may be 
directly mapped from a physical interface, or a lookup function may 
be invoked to assign a VID, analogous to what is offered for outbound 
traffic in step 1 above. Note that there is no need to tag a packet 
with a VID if it is an IPsec packet directed to the IPsec 
implementation. This is because there is only one SAD which applies 
to all traffic, regardless of the interface. However, because SPDs 
are per-interface, entries for bypass or discard traffic might be 
specific to the interface via which the inbound traffic is received. 
If there is no need to treat inbound traffic differently depending on 
the interface upon which it arrived, the VID may be a constant.

2. examine the header to determine if it is addressed to the IPsec 
implementations, and if so, if it appears to be for a key management 
protocol. If so, direct the packet to key management processing.

3a. If the packet is addressed to the IPsec implementation and AH or 
ESP is specified as the protocol, lookup the packet using the SPI in 
the SAD. Remember that each SAD entry now includes 2-bits to specify 
which fields are used to determine a match (unicast vs. multicast). 
If there is no match, discard the traffic, logging the error as 
specified by local management controls. If there is a match in the 
SAD, apply AH or ESP as specified, using the SAD entry selected 
above. Then match the packet against the inbound selectors in the SAD 
entry, to verify that the received packet is appropriate for the SA 
via which it was received. If there is a mismatch, log the error and 
signal it if a signaling mechamism is available and enabled.

3b. If the packet is not addressed to the implementation, or if the 
traffic is not AH or ESP, lookup the packet header in the inbound 
(discard/bypass) SPD cache for this (virtual) interface. If there is 
a match and the packet is to be discarded or bypassed, do so. If 
there is no match, lookup the packet in the inbound SPD (for the 
interface in question) and create an appropriate inbound and an 
outbound cache entry. (No SAs are created in response to receipt of a 
packet that requires IPsec; only bypass or discard entries can be 
created this way.)

This processing model is simpler and less vague than the old model, 
and it offers the potential for higher speed processing of traffic. 
It does, however, remove some functionality.  For example, there is 
no provision for SA bundles. It would be easy to include support for 
the simple AH+ESP combination that IKEv1 was able to negotiate, and 
that 2401 mandates, if that combination is still viewed as needed. 
However, IKEv1 was not able to negotiate any other nested protocol 
combinations and I don't think IKEv2 has addressed this problem 
either, especially the notion of adding new SAs to create an SA 
"bundle." So, I suggest we remove the requirement to support SA 
bundles, unless the WG feels strongly otherwise.

There is also no provision within this processing model to support 
nested SAs, i.e., all IPsec processing is performed in one pass. 
However, after the packet is emitted, it could be redirected through 
the IPsec module via local, virtual interfaces and use of the 
forwarding lookup function, to cause more than one layer of IPsec 
headers to be applied or removed. Note that to accomplish this, 
multiple entries would have to be created, in distinct SPDs, each 
specifying a layer of IPsec processing to be applied. However, IKE 
still lacks a means to negotiate this, so I suspect that only manual 
configuration, or some key management mechanism not yet defined for 
IPsec, would be needed to take advantage of this approach.
Follow-Ups:
- Re: revised IPsec processing model
  - From: itojun@iijlab.net
- Re: revised IPsec processing model: Q: VID and forwarding function
  - From: Ricky Charlet <rcharlet@speakeasy.net>
- Re: revised IPsec processing model
  - From: Russ Housley <housley@vigilsec.com>
- Re: revised IPsec processing model
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
- Re: revised IPsec processing model
  - From: Mark Duffy <mduffy@quarrytech.com>
Prev by Date: Re: IKEv2 and NAT/T
Next by Date: Re: revised IPsec processing model
Prev by thread: Re: IKEv2 and NAT/T
Next by thread: Re: revised IPsec processing model
Index(es):
- Date
- Thread