[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: revised IPsec processing model

To: Joe Touch <touch@ISI.EDU>
Subject: Re: revised IPsec processing model
From: Stephen Kent <kent@bbn.com>
Date: Mon, 4 Aug 2003 19:01:22 -0400
Cc: Mark Duffy <mduffy@quarrytech.com>, ipsec@lists.tislabs.com
In-Reply-To: <3F2EC97D.5050800@isi.edu>
References: <5.2.0.9.0.20030724113200.01feed80@email><p05210613bb4db57e16c7@[128.89.89.75]> <3F2EC3DC.6010803@isi.edu><p05210602bb5476a89c38@[128.89.88.34]> <3F2EC97D.5050800@isi.edu>
Sender: owner-ipsec@lists.tislabs.com

At 14:00 -0700 8/4/03, Joe Touch wrote:
>>
>>Joe,
>>
>>Cumbersome is in the eye of the beholder :-).
>>
>>The other folks who participated in the discussions, who are 
>>vendors, did not seem to agree with the overlay net model you & 
>>Lars proposed.
>
>Having just participated in one such meeting in the U.K., at least 
>one major vendor is prescribing our model as a preferred solution.

OK.

>
>>Also, that model seems narrowly focused on end system, vs. SG or 
>>BITW, implementations.  It is preferable to have a simple model 
>>that is generally applicable, and that's what we have strived to 
>>achieve.
>
>I certainly appreciate, as you have observed, that our perspective 
>is end-system based. You have also noted:
>
>>...I am not knowledgeable enough about the details of host
>  > implementations to have provided an answer like this.
>
>It would be useful at least if this proposal could be vetted with a 
>working implementation on both a router and an end host before being 
>considered as such a major modification to the architecture.

After that exchange, two folks with knowledge of host OS internals, 
and who are implementors of IPv6 and IPsec, confirmed that they saw 
no problems with the proposed processing model via messages to the 
list. Two individuals have told me privately, in the last few weeks, 
that their implementations are equivalent to the processing model, in 
person or in e-mails.  I do not agree that there needs to be working 
examples before we proceed with a new version of 2401, although I 
think I am hearing that there will be several in the near future.

>-----------
>
>One other question:
>
>What happens to packets when the IPsec-time forwarding lookup 
>differs from the forwarding that actually happens when the packet 
>would be emitted?
>
>I.e., it seems possible that if I had weak or no encryption on one 
>link, that it might be possible to leak such packets out onto a link 
>that I needed strong protection on. If this is not the case, a 
>specific example would help.

If I understand correctly, your concern is that there could be a 
mismatch between an SPD lookup that maps a packet to a interface that 
is deemed implicitly secure and thus does not warrant IPsec 
protection, but a later forwarding decision that puts the packet out 
over a link that does warrant protection.  Is that right?

I certainly agree that this would be a "bad thing" and one must 
configure the SPDs and the forwarding tables to avoid the problem. If 
we allow the first forwarding table to select the appropriate SPD, 
then we have to rely on that forwarding function to operate 
correctly, IF we allow any sensitive traffic to be emitted without 
IPsec protection on ANY link. Otherwise, the first forwarding lookup 
could map the traffic to an SPD that allowed bypass such traffic for 
a specific interface, but then the traffic could be emitted via a 
different interface, thus defeating the intent of the policy 
specification.

Also, if the SPD does allow bypassing of any sensitive traffic, then 
the post IPsec processing forwarding lookup also must function 
properly, lest the same bad effect take place despite the correct 
functioning of the first lookup (and the correct config of the 
corresponding SPD).  Frankly, this is why I worry about anything 
other than the trivial case with one SPD and no per-interface 
distinctions about what classes of traffic to protect.  If the WG 
feels that we do not require per-interface SPDs, as Mark suggested, I 
am happy to make that change. But I note that Mark did call for 
multiple SPDs (just not tied to an interface by the first forwarding 
function), and I see the same opportunity for security problems due 
to lookup errors in that case as well.

I think the fundamental problem here is the opportunity to emit 
traffic without appropriate protection, due to a mismatch between 
what an SPD says and what a forwarding function does.  This is 
ultimately a config management problem, made worse by a desire to 
support fancier access controls and fancier forwarding options.

Steve

Follow-Ups:
- Re: revised IPsec processing model
  - From: Joe Touch <touch@ISI.EDU>

References:
- Re: revised IPsec processing model
  - From: Joe Touch <touch@ISI.EDU>
- Re: revised IPsec processing model
  - From: Stephen Kent <kent@bbn.com>
- Re: revised IPsec processing model
  - From: Joe Touch <touch@ISI.EDU>

Prev by Date: Re: revised IPsec processing model
Next by Date: Re: revised IPsec processing model
Prev by thread: Re: revised IPsec processing model
Next by thread: Re: revised IPsec processing model
Index(es):
- Date
- Thread