[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Ipsec] Improvement for IPsec: Better PMTUD, ICMP Processing,and signalling in general!?

To: "'Karen Seo'" <kseo@bbn.com>, "'Stephen Kent'" <kent@bbn.com>
Subject: [Ipsec] Improvement for IPsec: Better PMTUD, ICMP Processing,and signalling in general!?
From: Lars Völker <ipsec-mail@larsvoelker.de>
Date: Thu, 17 Jun 2004 10:48:35 +0200
Cc: ipsec@ietf.org
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
Sender: ipsec-bounces@ietf.org
Thread-index: AcRUNa1q48r0zLbqRGC8/w8FUx+VDg==


Abstract: Several problems of IPsec are caused by the concept of unicast
SAs. With very small and compatible changes major improvements for inband
PMTUD, ICMP processing, and others might be achieved.


While implementing the IPsec standard (and a few modifications) I was
wondering why the IPsec standard described SA as being unicast but did not
provide a simple way to form bidirectional combinations while SAs are mostly
used in pairs.

With IPsec secure bidirectional connections are possible as long as two
matching SAs are created (outgoing and incoming). Problems just arise in
error conditions and when other means for signalling are used. In-band PMTUD
and Signalling Messages are examples.

The changes to IPsec would only include a new field in the SA structure to
point to the inverse SA, the PF_KEY API would get a new function to set up
the relationship, and the Key Exchange daemons and setkey Utilities could
use this PF_KEY function to set up the new field in the SAD.


Cons: 
Some small changes are required iff additional features are wanted. The
changes are rather small and could be initially marked as MAY. No Flag Day!
The changes to Key Exchange daemons and Utilities are also very small since
SAs are setup in pairs in almost all cases anyway and in other cases the new
SA field does not need to be set.

A minimal set of signalling message needs to be handled by IPsec since the
key exchange daemon can not handle these.

Pros:
The small changes would give us a foundation to solve some major
implementation problems and close some of the possible bugs in
implementations. A working PMTUD would allow us to fragment before
protecting packets without the risk of getting the packet discarded in
nested tunnel scenarios. Signalling messages can be sent back in a secure
manner (no data leakage) and it's obvious for the receiver for which SA the
message is meant.


I am looking forward to your replies
   Lars

-- 
Lars Völker 
Institute of Telematics, University of Karlsruhe, Germany
Phone: +49 721 608 6397



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Prev by Date: [Ipsec] RE: Protected message
Next by Date: [Ipsec] Site changes
Previous by thread: [Ipsec] RE: Protected message
Next by thread: RE: [Ipsec] Improvement for IPsec: Better PMTUD, ICMP Processing,and signalling in general!?
Index(es):
- Date
- Thread