
[Ipsec] IKEv2 traffic selector negotiation examples



One of the things that was missing during IKEv1 development was a set of
clear examples of expected negotiation results between two host IPsec
policies (SPD traffic selectors in QM). How would we document this for IKEv2
under 2401 or 2401bis rules? Or should we? I think we will have greater
interoperability if there is a consistent set of test cases that everyone
uses for interop testing. This is primarily a concern with overlapping SPD
entries when IPsec policy is deployed to secure host-to-host communication.

For example, IKEv2-14 section 2.9 talks about selector negotiation, but not
in sufficient detail for me to know exactly how each of the client QM
traffic selector proposals is responded to by the server below, for
different client IP source addresses. And it is more complicated now that
IKEv2 allows multiple SAs with the same selectors.

Client policy:

From Any IP to My IP all traffic -> discard

From My IP to Server IP subnet all traffic -> protect_AH_ESP

From My IP to Server IP TCP src 1028, dst 4242 -> protect_ESP_only

From My IP to Any IP UDP src *, dst 137-139 -> discard (block outbound netbios)

From Any IP to My IP ICMP Type 3 -> bypass (for TCP PMTU detection)

From My subnet to Multicast Addr1 UDP src *, dst 4242 -> bypass (receive multicast app from local sender)


Server policy:

From Any to Any all traffic -> discard (including multicast & broadcast)

From Any to My IP Subnet all traffic -> protect_AH_ESP

From Any to My IP all traffic -> protect_ESP_only

From Any to My IP TCP/UDP src *, dst 135-139 -> discard (block inbound RPC endpoint mapper & NetBIOS)

From My Subnet to My IP TCP src *, dst 445 -> bypass (expose Windows filesharing to my local subnet)

From Any to My IP TCP src *, dst 80 -> bypass (allow web server for anyone)

From Any to My IP TCP src *, dst 22 -> bypass (allow SSH incoming connections outside of IPsec to anyone)

From Any to My IP ICMP Type 3 -> bypass (allow incoming ICMP DU PMTU messages for TCP)

From My IP to Any IP TCP src *, dst 80 -> bypass (Allow outbound web browsing outside of IPsec)

Definitions:
My IP = My unicast IP address - either statically defined or dynamically
defined based on the DHCP assigned address.
Any = Any unicast IP address when it is a source address, and Any IP address
when it is a destination address to include unicast, multicast or broadcast
addresses.
My subnet = really any subnet that I can specifically define, perhaps
commonly the subnets used by local LAN or my company.

I didn't fully specify inbound & outbound selectors for each case for
brevity. The full policy specification would.

thanks,
Wm


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
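The following is an added worked example, not code from the original post or from any IKEv2 implementation. It models the responder side of the question asked above: a client proposes one traffic selector pair covering "My IP to Server IP subnet, all traffic", and the server narrows that proposal against its own ordered SPD. The narrowing rule applied is the one RFC 4306 section 2.9 gives the responder (it may answer with any subset of the proposed traffic that its policy allows to be protected, and answers TS_UNACCEPTABLE when no subset remains); the first-match, most-specific-entry-first SPD ordering, the five-dimensional "box" representation of a selector, the IPv4 addresses (192.0.2.0/24 as the server's subnet, 192.0.2.10 as the server, 198.51.100.7 as the client), and the `narrow`/`respond` helper names are all assumptions made for this illustration. ICMP type/code selectors, multicast and the AH-versus-ESP choice within one Child SA are not modelled.

```python
"""Added example: IKEv2 responder narrowing of a proposed traffic selector
against an ordered SPD with overlapping entries. Illustrative only; the SPD
ordering (most specific first, first match wins) and addresses are assumptions.
"""
import ipaddress
from typing import Optional

Range = tuple[int, int]  # inclusive
# A selector is a box in five dimensions: (proto, src, dst, sport, dport).
Box = tuple[Range, Range, Range, Range, Range]

ANY_PROTO: Range = (0, 255)
ANY_PORT: Range = (0, 65535)
TCP, UDP = 6, 17

# Constructed addresses for the illustration (RFC 5737 documentation ranges).
SERVER_NET = "192.0.2.0/24"
SERVER = "192.0.2.10"
CLIENT = "198.51.100.7"


def net(cidr: str) -> Range:
    n = ipaddress.ip_network(cidr, strict=False)
    return (int(n.network_address), int(n.broadcast_address))


def port(lo: int, hi: Optional[int] = None) -> Range:
    return (lo, lo if hi is None else hi)


def sel(proto=None, src="0.0.0.0/0", dst="0.0.0.0/0",
        sport=ANY_PORT, dport=ANY_PORT) -> Box:
    p = ANY_PROTO if proto is None else (proto, proto)
    return (p, net(src), net(dst), sport, dport)


def packet(proto: int, src: str, dst: str, sport: int, dport: int) -> Box:
    """A single packet is just a degenerate (one-point) selector."""
    return sel(proto, src + "/32", dst + "/32", port(sport), port(dport))


def intersect(a: Box, b: Box) -> Optional[Box]:
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def subtract(box: Box, hole: Box) -> list[Box]:
    """box minus hole, as a list of disjoint boxes (standard box-splitting)."""
    h = intersect(box, hole)
    if h is None:
        return [box]
    pieces, cur = [], list(box)
    for i in range(5):
        (lo, hi), (hlo, hhi) = cur[i], h[i]
        if lo < hlo:
            p = list(cur); p[i] = (lo, hlo - 1); pieces.append(tuple(p))
        if hhi < hi:
            p = list(cur); p[i] = (hhi + 1, hi); pieces.append(tuple(p))
        cur[i] = (hlo, hhi)
    return pieces


# Server policy from the post, most specific first (assumed ordering).
SERVER_SPD = [
    (sel(TCP, SERVER_NET, SERVER + "/32", dport=port(445)), "bypass"),
    (sel(TCP, dst=SERVER + "/32", dport=port(80)), "bypass"),
    (sel(TCP, dst=SERVER + "/32", dport=port(22)), "bypass"),
    (sel(TCP, dst=SERVER + "/32", dport=port(135, 139)), "discard"),
    (sel(UDP, dst=SERVER + "/32", dport=port(135, 139)), "discard"),
    (sel(TCP, SERVER + "/32", dport=port(80)), "bypass"),        # outbound web
    (sel(dst=SERVER + "/32"), "protect_ESP_only"),
    (sel(dst=SERVER_NET), "protect_AH_ESP"),
    (sel(), "discard"),                                           # Any to Any
]


def narrow(proposal: Box, spd) -> dict[str, list[Box]]:
    """Every part of the proposal is decided by the first SPD entry covering it.
    Only the parts landing on a protect entry survive, grouped by protect action."""
    accepted: dict[str, list[Box]] = {}
    remaining = [proposal]
    for entry, action in spd:
        nxt = []
        for box in remaining:
            if intersect(box, entry) is None:
                nxt.append(box)
                continue
            if action.startswith("protect"):
                accepted.setdefault(action, []).append(intersect(box, entry))
            nxt.extend(subtract(box, entry))  # carve this entry out of the rest
        remaining = nxt
    return accepted


def covers(boxes: list[Box], pkt: Box) -> bool:
    return any(intersect(b, pkt) is not None for b in boxes)


def respond(proposal: Box, trigger: Box, spd):
    """Responder decision: narrowed selectors for the SA that protects the
    triggering packet, or TS_UNACCEPTABLE when narrowing carved it out."""
    for action, boxes in narrow(proposal, spd).items():
        if covers(boxes, trigger):
            return action, boxes
    return "TS_UNACCEPTABLE", []


if __name__ == "__main__":
    proposal = sel(src=CLIENT + "/32", dst=SERVER_NET)   # "My IP -> Server subnet, all"
    action, boxes = respond(proposal, packet(TCP, CLIENT, SERVER, 1028, 4242), SERVER_SPD)
    print(action, len(boxes), "narrowed selectors")
```

Run as a script it shows that the client's single "all traffic to the server subnet" proposal comes back as several narrowed selectors: the web, SSH and NetBIOS ports on the server itself drop out (bypass or discard), the rest of the server's traffic lands in the ESP-only SA, and other hosts on the subnet land in the AH+ESP entry. A proposal for an address range the server never protects yields an empty result, which is the TS_UNACCEPTABLE case.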