Re: [anonsec] I-D Action:draft-ietf-btns-connection-latching-06.txt
Nicolas Williams <Nicolas.Williams@sun.com> Mon, 07 April 2008 18:16 UTC
Return-Path: <anonsec-bounces@postel.org>
X-Original-To: ietfarch-btns-archive-waDah9Oh@core3.amsl.com
Delivered-To: ietfarch-btns-archive-waDah9Oh@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4ED0F28C1B1 for <ietfarch-btns-archive-waDah9Oh@core3.amsl.com>; Mon, 7 Apr 2008 11:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.822
X-Spam-Level:
X-Spam-Status: No, score=-2.822 tagged_above=-999 required=5 tests=[AWL=-0.223, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ITjLRz-KO4KD for <ietfarch-btns-archive-waDah9Oh@core3.amsl.com>; Mon, 7 Apr 2008 11:16:31 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by core3.amsl.com (Postfix) with ESMTP id 395FC28C111 for <btns-archive-waDah9Oh@lists.ietf.org>; Mon, 7 Apr 2008 11:16:31 -0700 (PDT)
Received: from boreas.isi.edu (localhost [127.0.0.1]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id m37I1J6d021177; Mon, 7 Apr 2008 11:01:19 -0700 (PDT)
Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM [192.18.43.24]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id m37I05tl020643 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for <anonsec@postel.org>; Mon, 7 Apr 2008 11:00:06 -0700 (PDT)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id m37I057m022262 for <anonsec@postel.org>; Mon, 7 Apr 2008 18:00:05 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id m37I04sb007327 for <anonsec@postel.org>; Mon, 7 Apr 2008 12:00:05 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m37I041F005011; Mon, 7 Apr 2008 13:00:04 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m37I049c005010; Mon, 7 Apr 2008 13:00:04 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Mon, 07 Apr 2008 13:00:04 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Daniel Migault <mglt.biz@gmail.com>
Message-ID: <20080407180003.GB16998@Sun.COM>
Mail-Followup-To: Daniel Migault <mglt.biz@gmail.com>, anonsec@postel.org
References: <20080225093002.01ABB3A6CB2@core3.amsl.com> <c17ec2f80803132253k6442ec40m99be1872704f5c5a@mail.gmail.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <c17ec2f80803132253k6442ec40m99be1872704f5c5a@mail.gmail.com>
User-Agent: Mutt/1.5.7i
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: nicolas.williams@sun.com
Cc: anonsec@postel.org
Subject: Re: [anonsec] I-D Action:draft-ietf-btns-connection-latching-06.txt
X-BeenThere: anonsec@postel.org
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: "Discussions of anonymous Internet security." <anonsec.postel.org>
List-Unsubscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=unsubscribe>
List-Archive: <http://mailman.postel.org/pipermail/anonsec>
List-Post: <mailto:anonsec@postel.org>
List-Help: <mailto:anonsec-request@postel.org?subject=help>
List-Subscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: anonsec-bounces@postel.org
Errors-To: anonsec-bounces@postel.org
On Fri, Mar 14, 2008 at 06:53:24AM +0100, Daniel Migault wrote: > Hi, > > Here are my comments on the draft. I tried to sum up the exchange I had with > Nico. Thanks. My comments follow as well. > < Although it adds almost nothing to the introduction and it is mainly a > re-writing of the introduction, it might bring some clarification to the > paper and to the connection latching concept: Your proposed new intro text seems to do three things: summarize the IPsec architecture (RFC4301), restate part of the intro that's already there and, importantly, restates a constraint that is not clearly stated in the intro (though it is stated elsewhere). That constraint is this: that under no circumstance does connection latching cause persistent changes to IPsec policy databases. I don't think it's safe to try to summarize the IPsec architecture here, so I will not take that text, but I think it's crucial that sa So I will add text like this: > < The changes are requested from applications and not from the network > administrator, which means that the ULP must not systematically overwrite > the IPsec policies established by the network administrator. For example > policy requests must not survive to crash, must not establish lower security > as defined by the network administrator. One way not to survive to crash is > to disable any modification in the user land. > < > < This lead us to consider a new object that will define security rules with > specific characteristics : the Connection Latching Objects. > < > < This document defines : > < - What is a connection latching object (Section 2 Introduction). > < - The behavior of a latching object (that is to say its state machine > section 2.1). > < - The interface of the Latching object with key managers and ULP > (section 2.2). > < - Interaction between LD and traditional IPsec databases (section 4). to the intro. I will also add a sentence to the abstract (I'll also delete a redundant sentence from the abstract) to the same efffect: Connection latching is layered on top of IPsec and does not modify the underlying IPsec architecture. Additionally I'll add text to the security considerations section about this. Something like: Connection latching adds a new, non-persisting database to IPsec and new functionality to the IPsec key manager. Stripped of all optional features, connection latching is really about protecting established packet flows from SPD and SAD changes that are not consistent with what the application and/or ULP would like. This protection is achieved by tracking latched connections and synchronizing changes to the SPD and SAD with alerts to the ULPs that are responsible for affected latched connections. Excluding all optional features connection latching is simply a passive feature bolted to the side of the IPsec key manager. When a connection latch cannot be guaranteed the only action to be taken is to synchronously inform the affected ULPs and applications. Including all optional features connection latching also involves dynamic modifications to the "logical SPD," which do not persist across reboots nor past the lifetime of latched packet flows, and it also optionally involves IKEv2 CHILD SA narrowing. That connection latching state never persists beyond the lifetime of associated packet flows, nor across events which necessarily terminate such state (including reboots), derives from the fact that the very state of those packet flows is also non-persistent. We believe that this construction of connection latching achieves the desired goal -- protecting applications from dynamic IPsec policy or too permissive an IPsec policy -- without doing violence to the IPsec architecture. > < The considered model can be thus represented by the figure below: I like your ASCII art, but I'm going to modify it somewhat. Following our conversation I think we need to clearly delineate "kernel" and "user" mode execution, even though it's mostly irrelevant in a document like this one, because it'd relevant to most implementors; your figure almost does this. Also I think the ULP needs to be a box, as should be the key manager. And rather than refer to decorrelated and non-decorrelated SPD I'd rather speak of SPD and "logical SPD," where the latter is in the kernel. This last change is important because we want to demonstrate that connection latching, even with all OPTIONAL features, never modifies persistent IPsec policy. > < The ULP interfaces to the IPsec LD database are as follows: > --- > > The ULP interfaces to the IPsec PAD database are as follows: Good catch. I'll make it "The ULP interfaces to the key manager ..." > 648,659d584 > < The IPsec to ULP interfaces is as follows: > < > < o POP_MESSAGE(5-tuple, message) -> latch handle > < > < Pop up a message (code) to the ULP. Yes, I'd described the IPsec->ULP interface rather informally. I think we want something like: o INFORM(5-tuple, BREAK | SUSPEND) There's no return value for this function. > < The State diagram with functions can be represented by the figure below: > < [I removed mine] Er, could you send it again? I'll review your "Interaction between LD and other IPsec Databases" section next. Thanks! Nico -- _______________________________________________
- [anonsec] I-D Action:draft-ietf-btns-connection-l… Internet-Drafts
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Daniel Migault
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Daniel Migault
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Nicolas Williams
- Re: [anonsec] I-D Action:draft-ietf-btns-connecti… Daniel Migault