Re: [anonsec] I-D Action:draft-ietf-btns-connection-latching-06.txt

Nicolas Williams <Nicolas.Williams@sun.com> Mon, 07 April 2008 18:16 UTC

Return-Path: <anonsec-bounces@postel.org>
X-Original-To: ietfarch-btns-archive-waDah9Oh@core3.amsl.com
Delivered-To: ietfarch-btns-archive-waDah9Oh@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4ED0F28C1B1 for <ietfarch-btns-archive-waDah9Oh@core3.amsl.com>; Mon, 7 Apr 2008 11:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.822
X-Spam-Level:
X-Spam-Status: No, score=-2.822 tagged_above=-999 required=5 tests=[AWL=-0.223, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ITjLRz-KO4KD for <ietfarch-btns-archive-waDah9Oh@core3.amsl.com>; Mon, 7 Apr 2008 11:16:31 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by core3.amsl.com (Postfix) with ESMTP id 395FC28C111 for <btns-archive-waDah9Oh@lists.ietf.org>; Mon, 7 Apr 2008 11:16:31 -0700 (PDT)
Received: from boreas.isi.edu (localhost [127.0.0.1]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id m37I1J6d021177; Mon, 7 Apr 2008 11:01:19 -0700 (PDT)
Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM [192.18.43.24]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id m37I05tl020643 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for <anonsec@postel.org>; Mon, 7 Apr 2008 11:00:06 -0700 (PDT)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id m37I057m022262 for <anonsec@postel.org>; Mon, 7 Apr 2008 18:00:05 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id m37I04sb007327 for <anonsec@postel.org>; Mon, 7 Apr 2008 12:00:05 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m37I041F005011; Mon, 7 Apr 2008 13:00:04 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m37I049c005010; Mon, 7 Apr 2008 13:00:04 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Mon, 7 Apr 2008 13:00:04 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Daniel Migault <mglt.biz@gmail.com>
Message-ID: <20080407180003.GB16998@Sun.COM>
Mail-Followup-To: Daniel Migault <mglt.biz@gmail.com>, anonsec@postel.org
References: <20080225093002.01ABB3A6CB2@core3.amsl.com> <c17ec2f80803132253k6442ec40m99be1872704f5c5a@mail.gmail.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <c17ec2f80803132253k6442ec40m99be1872704f5c5a@mail.gmail.com>
User-Agent: Mutt/1.5.7i
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: nicolas.williams@sun.com
Cc: anonsec@postel.org
Subject: Re: [anonsec] I-D Action:draft-ietf-btns-connection-latching-06.txt
X-BeenThere: anonsec@postel.org
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: "Discussions of anonymous Internet security." <anonsec.postel.org>
List-Unsubscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=unsubscribe>
List-Archive: <http://mailman.postel.org/pipermail/anonsec>
List-Post: <mailto:anonsec@postel.org>
List-Help: <mailto:anonsec-request@postel.org?subject=help>
List-Subscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: anonsec-bounces@postel.org
Errors-To: anonsec-bounces@postel.org

On Fri, Mar 14, 2008 at 06:53:24AM +0100, Daniel Migault wrote:
> Hi,
> 
> Here are my comments on the draft. I tried to sum up the exchange I had with
> Nico.

Thanks.  My comments follow as well.

> < Although it adds almost nothing to the introduction and it is mainly a
> re-writing of the introduction, it might bring some clarification to the
> paper and to the connection latching concept:

Your proposed new intro text seems to do three things: summarize the
IPsec architecture (RFC4301), restate part of the intro that's already
there and, importantly, restates a constraint that is not clearly stated
in the intro (though it is stated elsewhere).  That constraint is this:
that under no circumstance does connection latching cause persistent
changes to IPsec policy databases.

I don't think it's safe to try to summarize the IPsec architecture here,
so I will not take that text, but I think it's crucial that sa

So I will add text like this:

> < The changes are requested from applications and not from the network
> administrator, which means that the ULP must not systematically overwrite
> the IPsec policies established by the network administrator. For example
> policy requests must not survive to crash, must not establish lower security
> as defined by the network administrator. One way not to survive to crash is
> to disable any modification in the user land.
> <
> < This lead us to consider a new object that will define security rules with
> specific characteristics : the Connection Latching Objects.
> <
> < This document defines :
> <    - What is a connection latching object (Section 2 Introduction).
> <    - The behavior of a latching object (that is to say its state machine
> section 2.1).
> <    - The interface of the Latching object with key managers and ULP
> (section 2.2).
> <    - Interaction between LD and traditional IPsec databases (section 4).

to the intro.

I will also add a sentence to the abstract (I'll also delete a redundant
sentence from the abstract) to the same efffect:

    Connection latching is layered on top of IPsec and does not modify
    the underlying IPsec architecture.

Additionally I'll add text to the security considerations section about
this.  Something like:

   Connection latching adds a new, non-persisting database to IPsec and
   new functionality to the IPsec key manager.  Stripped of all optional
   features, connection latching is really about protecting established
   packet flows from SPD and SAD changes that are not consistent with
   what the application and/or ULP would like.  This protection is
   achieved by tracking latched connections and synchronizing changes to
   the SPD and SAD with alerts to the ULPs that are responsible for
   affected latched connections.

   Excluding all optional features connection latching is simply a
   passive feature bolted to the side of the IPsec key manager.  When a
   connection latch cannot be guaranteed the only action to be taken is
   to synchronously inform the affected ULPs and applications.
   
   Including all optional features connection latching also involves
   dynamic modifications to the "logical SPD," which do not persist
   across reboots nor past the lifetime of latched packet flows, and it
   also optionally involves IKEv2 CHILD SA narrowing.

   That connection latching state never persists beyond the lifetime of
   associated packet flows, nor across events which necessarily
   terminate such state (including reboots), derives from the fact that
   the very state of those packet flows is also non-persistent.

   We believe that this construction of connection latching achieves the
   desired goal -- protecting applications from dynamic IPsec policy or
   too permissive an IPsec policy -- without doing violence to the IPsec
   architecture.

> < The considered model can be thus represented by the figure below:

I like your ASCII art, but I'm going to modify it somewhat.

Following our conversation I think we need to clearly delineate "kernel"
and "user" mode execution, even though it's mostly irrelevant in a
document like this one, because it'd relevant to most implementors; your
figure almost does this.

Also I think the ULP needs to be a box, as should be the key manager.
And rather than refer to decorrelated and non-decorrelated SPD I'd
rather speak of SPD and "logical SPD," where the latter is in the
kernel.  This last change is important because we want to demonstrate
that connection latching, even with all OPTIONAL features, never
modifies persistent IPsec policy.

> <    The ULP interfaces to the IPsec LD database are as follows:
> ---
> >    The ULP interfaces to the IPsec PAD database are as follows:

Good catch.  I'll make it "The ULP interfaces to the key manager ..."

> 648,659d584
> <    The IPsec to ULP interfaces is as follows:
> <
> <    o  POP_MESSAGE(5-tuple, message) -> latch handle
> <
> <          Pop up a message (code) to the ULP.

Yes, I'd described the IPsec->ULP interface rather informally.

I think we want something like:

   o INFORM(5-tuple, BREAK | SUSPEND)

There's no return value for this function.

> < The State diagram with functions can be represented by the figure below:
> < [I removed mine]

Er, could you send it again?

I'll review your "Interaction between LD and other IPsec Databases"
section next.

Thanks!

Nico
-- 
_______________________________________________