
Traffic selectors, fragments, ICMP messages and security policy problems



There has been some discussion in the IPsec list about how the
fragments should be handled when the port selectors are in use. The
problem is not only fragments but also ICMP, or actually any packet
related to the data going through the SA using port selectors.

Let's take an example. The security policy of the company is:

	- Encrypt all SMTP traffic with AES

	- Use only SHA1-AH for web traffic (encryption of web traffic is
	  forbidden, so government / company can see what pages you
	  read :-)

If fragments and ICMP messages are put on a separate SA there is no
way to enforce that kind of policy. If you create 2 SAs:

	port 25 => ESP(AES)
	port 80 => AH(SHA1)

all non-first fragments and ICMP messages are dropped, causing
problems. If you add an any or opaque rule:

	opaque (or any) => AH(SHA1)

you are not following the company rule that all SMTP traffic must be
encrypted, as non-first fragments will be sent out in clear text. Also
any ICMP message received for the SMTP traffic (packet too big)
contains parts of the SMTP traffic, and they will also be sent in clear
text.

If you, on the other hand, change the AH(SHA1) to ESP(AES) then you will
be encrypting web traffic against the policy. There is no way to
express that kind of setup with the current RFC2401bis document. This
means that port selectors cannot really be used before this problem is
solved. The fragmentation issue is solved when using transport mode,
as there cannot be any fragments there. The ICMP issue is not solved
there, as ICMPs might still get the wrong protection.

The vendors have solved this problem differently. As I explained
earlier, for example, our implementation will do partial reassembly
(i.e. wait for the first fragment and then forward all fragments to the
same SA) to handle fragments. This will put all fragments on the same
SA, providing them the same protection.

For ICMPs you can check the original packet part of the ICMP message
and see if it contains enough information so you can select the proper
SA for it (i.e. if the port numbers are available, use them and select
the SA based on them). If the ICMP does not have enough data (possible in
IPv4) to contain selectors, then it probably will not have any real
policy-sensitive data anyway, thus sending it using any SA is
probably ok.
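The two selection rules above (partial reassembly for fragments, inspection of the quoted original packet for ICMP errors), as an added illustration that is not from the post or from any vendor's implementation; the SPD, the ANY_SA fallback and the packet fields are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy from the example: SMTP must be encrypted, web is AH only.
SPD = {25: "ESP(AES)", 80: "AH(SHA1)"}
ANY_SA = "AH(SHA1)"  # the "opaque (or any)" fallback SA from the post

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp" or "icmp"
    ip_id: int = 0
    frag_offset: int = 0
    more_frags: bool = False
    dport: Optional[int] = None       # only visible when the L4 header is present
    inner: Optional["Packet"] = None  # ICMP error: quoted original packet

class SASelector:
    """Pick the SA for a packet so fragments and ICMP follow their data flow."""
    def __init__(self) -> None:
        # (src, dst, ip_id) -> SA chosen when the first fragment was seen
        self.pending: Dict[Tuple[str, str, int], str] = {}

    def select(self, pkt: Packet) -> Optional[str]:
        """Return the SA name, or None if the packet has no SA yet (a non-first
        fragment must be queued until its first fragment, carrying the ports,
        has been seen; a first fragment with no matching rule is dropped)."""
        if pkt.proto == "icmp":
            return self._select_icmp(pkt)
        key = (pkt.src, pkt.dst, pkt.ip_id)
        if pkt.frag_offset == 0:
            sa = SPD.get(pkt.dport)
            if sa and pkt.more_frags:      # remember the flow for later fragments
                self.pending[key] = sa
            return sa
        # Non-first fragment: partial reassembly, reuse the first fragment's SA.
        if pkt.more_frags:
            return self.pending.get(key)
        return self.pending.pop(key, None)  # last fragment: forget the flow

    def _select_icmp(self, pkt: Packet) -> str:
        # The quoted original packet carries the selectors if enough of it is present.
        if pkt.inner is not None and pkt.inner.dport in SPD:
            return SPD[pkt.inner.dport]
        # Too little quoted data to hold policy-sensitive payload: any SA will do.
        return ANY_SA
```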

I think we should add text to rfc2401bis saying that:

"If port selectors are used then all data associated with a data flow
MUST be sent to the SA associated with that stream. This data
includes normal packets, ICMP messages related to the data flow and
fragments (first and non-first) of packets. The responder MUST accept all
data related to the data stream from the SA associated with that stream."
-- 
kivinen@safenet-inc.com