IETF Logo Mail Archive

RE: [Hipsec] draft-ietf-hip-esp-03

"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Wed, 30 August 2006 20:02 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GIWGh-0006uH-1M; Wed, 30 Aug 2006 16:02:35 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GIWGf-0006u6-EW for hipsec@ietf.org; Wed, 30 Aug 2006 16:02:33 -0400
Received: from blv-smtpout-01.boeing.com ([130.76.32.69] helo=blv-smtpout-01.ns.cs.boeing.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GIWGe-0001Oh-34 for hipsec@ietf.org; Wed, 30 Aug 2006 16:02:33 -0400
Received: from slb-av-01.boeing.com (slb-av-01.boeing.com [129.172.13.4]) by blv-smtpout-01.ns.cs.boeing.com (8.13.6/8.13.6/SMTPOUT) with ESMTP id k7UK2QqY006507 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <hipsec@ietf.org>; Wed, 30 Aug 2006 13:02:27 -0700 (PDT)
Received: from slb-av-01.boeing.com (localhost [127.0.0.1]) by slb-av-01.boeing.com (8.13.6/8.13.6/DOWNSTREAM_RELAY) with ESMTP id k7UK2P6c009012 for <hipsec@ietf.org>; Wed, 30 Aug 2006 13:02:26 -0700 (PDT)
Received: from XCH-NWBH-11.nw.nos.boeing.com (xch-nwbh-11.nw.nos.boeing.com [130.247.55.84]) by slb-av-01.boeing.com (8.13.6/8.13.6/UPSTREAM_RELAY) with ESMTP id k7UK2Mqm008918; Wed, 30 Aug 2006 13:02:25 -0700 (PDT)
Received: from XCH-NW-5V1.nw.nos.boeing.com ([130.247.55.44]) by XCH-NWBH-11.nw.nos.boeing.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 30 Aug 2006 13:02:23 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Hipsec] draft-ietf-hip-esp-03
Date: Wed, 30 Aug 2006 13:02:23 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D01A2F616@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <44EEA3D5.3080505@nomadiclab.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Hipsec] draft-ietf-hip-esp-03
Thread-Index: AcbIGmMSka0xY2OZTAGJsEuQ/Mx/jgEUxZSQ
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: Petri Jokela <petri.jokela@nomadiclab.com>, Mark Townsley <townsley@cisco.com>, hipsec@ietf.org
X-OriginalArrivalTime: 30 Aug 2006 20:02:23.0859 (UTC) FILETIME=[358E4430:01C6CC6F]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 02ec665d00de228c50c93ed6b5e4fc1a
Cc: jan.melen@nomadiclab.com, hip-chairs@tools.ietf.org
X-BeenThere: hipsec@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@lists.ietf.org>
List-Help: <mailto:hipsec-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=subscribe>
Errors-To: hipsec-bounces@lists.ietf.org

I have a few comments on this proposed text.

> 3.4 IPsec and HIP ESP implementation considerations
> 
> When HIP is run on a node where a standards compliant IPsec is used,
> some issues have to be considered.
> 
> The HIP implementation must be able to co-exist with other 
> IPsec keying
> protocols. When the HIP implementation selects the SPI value, it may
> lead to a collision if not implemented properly. To avoid the
> possibility for a collision, the HIP implementation MUST request SPI
> values from the IPsec (e.g. using PFKey interface).

I would prefer to say "MUST ensure that the SPI values used for HIP SAs
are not used for IPsec or other SAs, and vice versa."  -- less
implementation dependent description. 

> 
> For outbound traffic the HIP has to make a strict binding between the
> application socket, Security Policy (SP), and Security 
> Association (SA)
> used by HIP. Data originating from a socket that should be 
> processed as
> described in this document should have a SP that is bound to 
> the socket.

I think that the issue of binding a HIP SA to a socket is a separate
implementation/architectural issue that also exists in the realm of
IPsec (the channel binding discussion in BTNS WG).  The above text
conflicts with section 9 of the BEET draft (and also our experience)
that says that you can reuse an existing IPsec implementation (without
socket bindings) to implement HIP.

I think that it suffices to say that for outbound traffic, the SPD or
(coordinated) SPDs if there are two (one for HIP, one for IPsec) must
ensure that packets intended for HIP processing are given a HIP-enabled
SA and that packets intended for IPsec processing are given an
IPsec-enabled SA.

> The SP then MUST be bound to the matching SA and non-HIP packets will
> not be processed by this SA. Data originating from a socket 
> that is not
> using HIP, MUST NOT have checksum recalculated as described in Section
> 3.2 paragraph 2 and data MUST NOT be passed to the SP or SA created by
> the HIP.
> 
> Incoming data packets using a SA that is not negotiated by 
> HIP, MUST NOT
> be processed as described in Section 3.2 paragraph 2. The SPI will
> identify the correct SA for packet decryption and MUST be used to
> identify that the packet has an upper-layer checksum that is 
> calculated
> in HIP way. The socket that uses HIP SHOULD NOT be able to receive any
> data that has not come through the SA that was created by HIP.
> 

I don't think the last sentence adds anything.

Regards,
Tom

_______________________________________________
Hipsec mailing list
Hipsec@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/hipsec

v2.23.0 | Report a Bug | By Email