[anonsec] comments on the BTNS core I-D
mcr at sandelman.ca (Michael Richardson) Thu, 26 July 2007 19:32 UTC
From: "mcr at sandelman.ca"
Date: Thu, 26 Jul 2007 14:32:38 -0500
Subject: [anonsec] comments on the BTNS core I-D
In-Reply-To: <p06240508c2ce6ce745e0@[130.129.16.169]>
References: <p06240505c2cd5414684e@[172.28.170.76]> <f89aup$pa$1@sea.gmane.org> <p06240508c2ce6ce745e0@[130.129.16.169]>
Message-ID: <f8assn$ghb$1@sea.gmane.org>
Stephen Kent wrote: > - If the ID asserted by a peer does not match any PAD entry, > then a BTNS-enabled IPsec implementation replaces the ID with into > the new ID of type "PUBLICKEY" that is created by extracting the > public key from the IKE CERT (or ??) payload Index: ietf-btns-core.xml =================================================================== RCS file: /l/users/nico/btns/drafts/ietf-btns-core.xml,v retrieving revision 1.20 retrieving revision 1.21 diff -u -5 -r1.20 -r1.21 --- ietf-btns-core.xml 26 Jul 2007 01:40:52 -0000 1.20 +++ ietf-btns-core.xml 26 Jul 2007 19:29:13 -0000 1.21 @@ -132,20 +132,35 @@ <t>The IPsec processing model is hereby modified as follows: <list style='symbols'> <t>A new ID type is added, 'PUBLICKEY'; IDs of this type have public keys as values. This ID type is not used on the wire.</t> + <t>A BTNS-specific PAD entry. This entry MUST be the last entry in the PAD when BTNS is enabled. A peer that matches no other PAD entries is to be "authenticated" by verifying that the signature in its AUTH payload in the IKEv2 exchange with the public key from the peer's CERT payload. The peer's ID MUST then be coerced to be of 'PUBLICKEY' type with the peer's public key as its value.</t> + + <t>To accomplish the above, search the PAD as normal, + with the ID provided by the peer. If it matches do + normal processing. If the ID asserted by a peer does + not match any PAD entry, then a BTNS-enabled IPsec + implementation replaces the ID with into the new ID of type "PUBLICKEY" + that is created by extracting the public key from the IKE CERT payload.</t> + + <t>The PAD is searched again, using this new ID type and value. + If there is a match, the associated PAD entry (which will be a BTNS entry) + is used to control the SPD search. + </t> + <t>If there is no match, the IKE SA is rejected</t> + <t>A new flag for SPD entries: 'BTNS_OK'. Traffic to/from peers that match the BTNS PAD entry will match only SPD entries that have the BTNS_OK flag set. The SPD may be searched by address or by ID (of type PUBLICKEY, for BTNS @@ -184,11 +199,12 @@ SAs. In the first pass the PAD is searched for a matching PAD entry as usual, and in the second it is searched to make sure that BTNS peers' asserted child SA traffic - selectors do not conflict with non-BTNS PAD entries.</t> + selectors do not conflict with non-BTNS PAD entries. + </t> </section> <section title="Usage Scenarios"> <t>In order to explain the above rules a number of scenarios will be examined. The goal here is to persuade the reader @@ -498,10 +514,14 @@ to create new registrations nor new registries. (The new ID type is not used on the wire, therefore it need not be assigned a number from the IANA IKEv2 Identification Payload ID Types registry.)</t> </section> + + <section title="Acknowledgements"> + <t>Thanks for the following reviewers: Stephen Kent</t> + </section> </middle> <back> <references title="Normative References"> &rfc2119; &rfc4301;
- [anonsec] comments on the BTNS core I-D Stephen Kent
- [anonsec] comments on the BTNS core I-D Sam Hartman
- [anonsec] comments on the BTNS core I-D Michael Richardson
- [anonsec] comments on the BTNS core I-D Stephen Kent
- [anonsec] comments on the BTNS core I-D Michael Richardson
- [anonsec] comments on the BTNS core I-D Michael Richardson
- [anonsec] comments on the BTNS core I-D Nico
- [anonsec] comments on the BTNS core I-D Stephen Kent
- [anonsec] comments on the BTNS core I-D Nicolas Williams
- [anonsec] comments on the BTNS core I-D Derrell Piper
- [anonsec] comments on the BTNS core I-D Stephen Kent
- [anonsec] comments on the BTNS core I-D Nicolas Williams
- [anonsec] comments on the BTNS core I-D Nicolas Williams
- [anonsec] comments on the BTNS core I-D Stephen Kent
- [anonsec] comments on the BTNS core I-D Nicolas Williams
- [anonsec] comments on the BTNS core I-D Derrell Piper
- [anonsec] comments on the BTNS core I-D Nicolas Williams