IETF Logo Mail Archive

Re: [btns] Minor connection-latch problem in AUTH48

"Laganier, Julien" <julienl@qualcomm.com> Fri, 16 October 2009 19:48 UTC

Return-Path: <julienl@qualcomm.com>
X-Original-To: btns@core3.amsl.com
Delivered-To: btns@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 475E428C0FA for <btns@core3.amsl.com>; Fri, 16 Oct 2009 12:48:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.599
X-Spam-Level:
X-Spam-Status: No, score=-105.599 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mE4EMWPZ5lhZ for <btns@core3.amsl.com>; Fri, 16 Oct 2009 12:48:19 -0700 (PDT)
Received: from wolverine01.qualcomm.com (wolverine01.qualcomm.com [199.106.114.254]) by core3.amsl.com (Postfix) with ESMTP id CC2A93A63D3 for <btns@ietf.org>; Fri, 16 Oct 2009 12:48:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qualcomm.com; i=julienl@qualcomm.com; q=dns/txt; s=qcdkim; t=1255722504; x=1287258504; h=from:to:date:subject:thread-topic:thread-index: message-id:references:in-reply-to:accept-language: content-language:x-ms-has-attach:x-ms-tnef-correlator: acceptlanguage:content-type:content-transfer-encoding: mime-version:x-ironport-av; z=From:=20"Laganier,=20Julien"=20<julienl@qualcomm.com> |To:=20Nicolas=20Williams=20<Nicolas.Williams@sun.com>, =0D=0A=20=20=20=20=20=20=20=20"btns@ietf.org"=0D=0A=09<bt ns@ietf.org>|Date:=20Fri,=2016=20Oct=202009=2012:48:16=20 -0700|Subject:=20RE:=20[btns]=20Minor=20connection-latch =20problem=20in=20AUTH48|Thread-Topic:=20[btns]=20Minor =20connection-latch=20problem=20in=20AUTH48|Thread-Index: =20AcpN5rHQ/v0A0SqLQNuZ6uFW3sOslQAsAB1g|Message-ID:=20<BF 345F63074F8040B58C00A186FCA57F1C2A67DF98@NALASEXMB04.na.q ualcomm.com>|References:=20<20091015221608.GC907@Sun.COM> |In-Reply-To:=20<20091015221608.GC907@Sun.COM> |Accept-Language:=20en-US|Content-Language:=20en-US |X-MS-Has-Attach:|X-MS-TNEF-Correlator:|acceptlanguage: =20en-US|Content-Type:=20text/plain=3B=20charset=3D"us-as cii"|Content-Transfer-Encoding:=20quoted-printable |MIME-Version:=201.0|X-IronPort-AV:=20E=3DMcAfee=3Bi=3D"5 300,2777,5773"=3B=20a=3D"25422095"; bh=UAtjKGzXimfIXHsuhPSLWMxjyIURbjJnif4+ItsVnwk=; b=QF5hE7VcgDI3MCd38kX37zrSAp0aE6uvlnNMyp0jOj/IjPiOzZRNTAlZ V5N3AUBZBh1jNEAVsM8bjxFv7Y/UEtKB4dhJhBmkTUg82PTUoqg0qKjhL osv22MsxaPnn1smokVPVyvQqhO++M3ZhLYnFncxikwESp5Zn3ktWV5BGq Q=;
X-IronPort-AV: E=McAfee;i="5300,2777,5773"; a="25422095"
Received: from pdmz-ns-mip.qualcomm.com (HELO numenor.qualcomm.com) ([199.106.114.10]) by wolverine01.qualcomm.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 16 Oct 2009 12:48:22 -0700
Received: from msgtransport04.qualcomm.com (msgtransport04.qualcomm.com [129.46.61.156]) by numenor.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id n9GJmLAo016549 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 16 Oct 2009 12:48:22 -0700
Received: from nasanexhub02.na.qualcomm.com (nasanexhub02.na.qualcomm.com [10.46.143.120]) by msgtransport04.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id n9GJmLhx021081 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 16 Oct 2009 12:48:21 -0700
Received: from nasanex14h01.na.qualcomm.com (10.46.94.107) by nasanexhub02.na.qualcomm.com (10.46.143.120) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 16 Oct 2009 12:48:20 -0700
Received: from nalasexhc03.na.qualcomm.com (10.47.129.194) by nasanex14h01.na.qualcomm.com (10.46.94.107) with Microsoft SMTP Server (TLS) id 14.0.639.21; Fri, 16 Oct 2009 12:48:20 -0700
Received: from NALASEXMB04.na.qualcomm.com ([10.47.7.118]) by nalasexhc03.na.qualcomm.com ([10.47.129.194]) with mapi; Fri, 16 Oct 2009 12:48:20 -0700
From: "Laganier, Julien" <julienl@qualcomm.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>, "btns@ietf.org" <btns@ietf.org>
Date: Fri, 16 Oct 2009 12:48:16 -0700
Thread-Topic: [btns] Minor connection-latch problem in AUTH48
Thread-Index: AcpN5rHQ/v0A0SqLQNuZ6uFW3sOslQAsAB1g
Message-ID: <BF345F63074F8040B58C00A186FCA57F1C2A67DF98@NALASEXMB04.na.qualcomm.com>
References: <20091015221608.GC907@Sun.COM>
In-Reply-To: <20091015221608.GC907@Sun.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [btns] Minor connection-latch problem in AUTH48
X-BeenThere: btns@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Better-Than-Nothing-Security Working Group discussion list <btns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/btns>
List-Post: <mailto:btns@ietf.org>
List-Help: <mailto:btns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2009 19:48:21 -0000

Hi Nico,

I understand your proposal below tries to removes some sort of chicken-and-egg problem with the ULP creating the latch before sending a packet, the latch creation triggering key management to create an SA if there's none, and the packet being sent triggering the key management.

I'd like to make sure I understand the issue and your proposal, and in particular why we can't have the latch DB triggering directly the key manager: The existing text you have quoted below says "... if there exist no child SAs that match the given 5-tuple, and if local policy permits it", which implies that the 5-tuple is matched against the SPD. Couldn't this action trigger the key manager to establish a child SA without having to be triggered by an actual packet?

Since the ULP trying to create a latch presumably implies that the ULP has a packet to transmit, when it is the case that the ULP tries to latch the 5-tuple, an SPD entry is matched by the 5-tuple but no child SA is found, I'd like to understand what's the value of:

(1) latching the ULP on a larval latch, wait for the actual packet to be transmitted by the ULP to trigger IKEv2 after an SPD entry is matched but no child SA is found, establish the SA, and transition the latch to established

vs. 

(2) triggering IKEv2 based on the 5-tuple, establish the SA, latch the ULP on it.

To me it seems that your proposal (1) above simply implies delaying latching on the final SA (and performing an additional SPD match on the real packet but that's negligible), while I see no problem with (2)...

Am I missing something?

--julien

Nicolas Williams wrote:
> 
> During AUTH48 review I noticed this:
> 
>    o  CREATE_CONNECTION_LATCH(5-tuple, [type and quality-of-protection
>       parameters], [peer ID], [local ID]) -> latch handle | error
> 
> -------->If no connection latch exists in the ESTABLISHED states with
> -------->the same 5-tuple, and if there exist no child SAs that match
> -------->the given 5-tuple, and if local policy permits it, then the
> -------->system MUST initiate an IKE exchange to set up child SAs for
> -------->this 5-tuple.  Otherwise, an error is returned to the ULP.
>          Once one or more applicable SAs exist in the SAD and all such
>          SAs share the same type and quality-of-protection parameters
>          and the same peer, then this operation creates a connection
>          latch object in the ESTABLISHED state for the given 5-tuple.
>          If the caller provided all the optional arguments to this
>          operation, then the resulting connection latch can be created
>          in the ESTABLISHED state directly.
> 
> -------->If there exist no child SAs matching the given 5-tuple, then
> -------->the key manager SHOULD try to create a pair of child SAs for
>          that 5-tuple.  In any case, the key manager can expect that
> the
> -------->ULP will send a packet that would trigger the creation of such
> -------->SAs.
> 
> There are two conflicts here.  The first and second highlighted
> sentences conflict in that one says "MUST" while the other says
> "SHOULD".  The third highlighted sentence conflicts with the first two
> highlighted sentences.
> 
> The third highlighted sentence is the correct one: the IKE exchange
> need
> not be triggered until the ULP sends a packet.  The IKE exchange _can_
> be triggered before then (since the key manager knows, from the fact
> that CREATE_CONNECTION_LATCH() was used, that that packet is coming,
> but
> it doesn't need to be.
> 
> Now, if the key manager waits for the ULP to send a packet then the
> latch that gets created cannot have all parameters filled in.  That is,
> we have a "larval" state to consider.
> 
> IMO this is a fairly minor editing issue, but nonetheless it should be
> fixed.  And though minor, the amount of change involved (a new state!)
> definitely requires review by the WG.  (I've also asked Tim, and he
> concurs.)
> 
> My proposed resolution is to add a new state, called "LARVAL", a
> description of that state in section 2.2, update the state diagram in
> figure 1, and update the description of CREATE_CONNECTION_LATCH().
> 
> Section 2.2 now reads:
> 
> 2.2.  Connection Latch State Machine
> 
>    Connection latches can exist in any of the following five states:
> 
>    o  LISTENER
> 
>    o  LARVAL
> 
>    o  ESTABLISHED
> 
>    o  BROKEN (there exist SAs that conflict with the given connection
>       latch, conflicting SPD changes have been made, or DPD has been
>       triggered and the peer is considered dead or restarted)
> 
>    o  CLOSED (by the ULP, the application or administratively)
> 
>    and always have an associated owner, or holder, such as a ULP
>    transmission control block (TCB).
> 
>    A connection latch can be born in the LISTENER state, which can
>    transition only to the CLOSED state.  The LISTENER state corresponds
>    to LISTEN state of TCP (and other ULPs) and is associated with IP
>    3-tuples, and can give rise to new connection latches in the
>    ESTABLISHED state.
> 
>    A connection latch can also be born in the LARVAL, ESTABLISHED and
>    BROKEN states, either through the direct initiative of a ULP or when
>    an event occurs that causes a LISTENER latch to create a new latch
>    (in either ESTABLISHED or BROKEN states).  These states represent an
>    active connection latch for a traffic flow's 5-tuple.  Connection
>    latches in the LARVAL state can transition to the ESTABLISHED and
>    BROKEN states.  Connection latches in the ESTABLISHED state can
>    transition to the BROKEN and CLOSED states.  Connection latches in
>    the BROKEN state can transition to the the LARVAL state if and only
>    if the latch had been in the LARVAL state before and never in the
>    ESTABLISHED state.  Connection latches in the BROKEN state can
>    transition to the ESTABLISHED states as well as to the CLOSED state.
> 
>    The LARVAL state is used when not all the parameters to be latched
>    are known; a future IKE exchange may fill them in.  Connection
>    latches remain in the LARVAL state until a child SA appears in the
>    the SAD from which all the missing parameters can be obtained, in
>    which case it transitions to the ESTABLISHED state.  If it is
>    possible that conflicting SAs can appear in the SAD before a latch
> in
>    the LARVAL state can be changed to the ESTABLISHED state, then the
>    latch will transition to the BROKEN state, and may later transition
>    back to LARVAL or ESTABLISHED when the conflict clears up.
> 
>    Connection latches remain in the CLOSED state until...
>    ...
> 
> The state diagram now looks like:
> 
>    <CREATE_LISTENER_LATCH(3-tuple, ...)>
>                   |
>                   |    <CREATE_CONNECTION_LATCH(5-tuple, ...)>
>                   V              |    |   |
>              /--------\          |    |   |
>       +------|LISTENER|......    |    |   |
>       |      \--------/     |    |    |   |
>       |        |            |    |    |   |
>       |        |            |    |    | /------\
>       |        |            |    |    | |LARVAL|
>       |        |            |    |    | \------/
>       |        |            |    |    |   |
>       |        |            |    |    :  <child SAs installed>
>       |        |            |    +--------+
>       |  <conn. trigger event>   |    :   |
>       |      (e.g., TCP SYN |    |    |   |
>       |       received,     |    |    |   |   +--------------------+
>       |       connect()     |    |    |   |   |Legend:             |
>       |       called, ...)  v    v    |   |   | dotted lines denote|
>       |        |        /-----------\ |   |   |    latch creation  |
>       |        |        |ESTABLISHED| |   |   |                    |
>       |    <conflict>   \-----------/ |   |   | solid lines denote |
>       |        |         ^       |    |   |   |    state transition|
>       |        |         |       <conflict    |                    |
>       |        |    <conflict     or DPD>     | semi-solid lines   |
>       |        |     cleared>    |    |   |   |    denote async    |
>       |        |         |       |    +---+   |    notification    |
>       |        |         |       v    v       +--------------------+
>       |        |      /----------------\
>       |        +.....>|     BROKEN     |.-.-.-.-.-> <ALERT()>
>       |               \----------------/
>       |                       |
>    <RELEASE_LATCH()>   <RELEASE_LATCH()>
>       |                       |
>       |                       v
>       |                    /------\
>       +------------------->|CLOSED|
>                            \------/
> 
> And the description of CREATE_CONNECTION_LATCH() now reads:
> 
>    o  CREATE_CONNECTION_LATCH(5-tuple, [type and quality-of-protection
>       parameters], [peer ID], [local ID]) -> latch handle | error
> 
>          If no connection latch exists with the same 5-tuple, and if
>          local policy (i.e., the SPD) permits it, then a latch is
>          created in either the LARVAL, ESTABLISHED, or BROKEN states.
>          Otherwise, an error is returned to the ULP.  If one or more
>          applicable SA pairs exist in the SAD, and all such SAs share
>          the same type- and quality-of-protection parameters and the
>          same peer, then this operation creates a connection latch
>          object in the ESTABLISHED state for the given 5-tuple.  If
> more
>          than one applicable SA pair exists in the SAD that do not
> agree
>          on type-, quality-of-protection parameters and peer IDs, then
>          this operation creates a connection latch object in the BROKEN
>          state.  If no SA pairs exists in the SAD then this operation
>          creates a connection latch object in the LARVAL state.  If the
>          caller provided all the optional arguments to this operation,
>          then the resulting connection latch can be created in the
>          ESTABLISHED state even if there are no applicable SA pairs in
>          the SAD.
> 
>          If there exist no child SAs matching the given 5-tuple, then
>          the key manager MAY try to create a pair of child SAs for that
>          5-tuple.  In any case, the key manager can expect that the ULP
>          will send a packet that would trigger the creation of such SAs.
>          Either way, and assuming no conflicts arise, the necessary
>          child SA pairs should eventually be created, causing a latch
> in
>          the LARVAL state to transition to the ESTABLISHED state.
> 
> 
> Comments?
> 
> Nico
> --
> _______________________________________________
> btns mailing list
> btns@ietf.org
> https://www.ietf.org/mailman/listinfo/btns

v2.23.0 | Report a Bug | By Email