Re: [Hipsec] To tunnel or not
"Laganier, Julien" <julienl@qualcomm.com> Thu, 20 August 2009 22:42 UTC
Return-Path: <julienl@qualcomm.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9B8953A68E1 for <hipsec@core3.amsl.com>; Thu, 20 Aug 2009 15:42:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.707
X-Spam-Level:
X-Spam-Status: No, score=-105.707 tagged_above=-999 required=5 tests=[AWL=0.892, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQ522yIHJOvq for <hipsec@core3.amsl.com>; Thu, 20 Aug 2009 15:42:38 -0700 (PDT)
Received: from wolverine01.qualcomm.com (wolverine01.qualcomm.com [199.106.114.254]) by core3.amsl.com (Postfix) with ESMTP id 10BFA3A69F0 for <hipsec@ietf.org>; Thu, 20 Aug 2009 15:42:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qualcomm.com; i=julienl@qualcomm.com; q=dns/txt; s=qcdkim; t=1250808163; x=1282344163; h=from:to:date:subject:thread-topic:thread-index: message-id:references:in-reply-to:accept-language: content-language:x-ms-has-attach:x-ms-tnef-correlator: acceptlanguage:content-type:content-transfer-encoding: mime-version:x-ironport-av; z=From:=20"Laganier,=20Julien"=20<julienl@qualcomm.com> |To:=20Robert=20Moskowitz=20<rgm@htt-consult.com>,=0D=0A =20=20=20=20=20=20=20=20"hipsec@ietf.org"=0D=0A=09<hipsec @ietf.org>|Date:=20Thu,=2020=20Aug=202009=2015:42:33=20-0 700|Subject:=20RE:=20[Hipsec]=20To=20tunnel=20or=20not |Thread-Topic:=20[Hipsec]=20To=20tunnel=20or=20not |Thread-Index:=20AcohHLh0sx+ps+NMRqydCWv+KMz0IgAxdJNw |Message-ID:=20<BF345F63074F8040B58C00A186FCA57F1C24BE407 F@NALASEXMB04.na.qualcomm.com>|References:=20<4A8C7D0D.70 10708@htt-consult.com>|In-Reply-To:=20<4A8C7D0D.7010708@h tt-consult.com>|Accept-Language:=20en-US |Content-Language:=20en-US|X-MS-Has-Attach: |X-MS-TNEF-Correlator:|acceptlanguage:=20en-US |Content-Type:=20text/plain=3B=20charset=3D"us-ascii" |Content-Transfer-Encoding:=20quoted-printable |MIME-Version:=201.0|X-IronPort-AV:=20E=3DMcAfee=3Bi=3D"5 300,2777,5715"=3B=20a=3D"22409517"; bh=GsHt9rMA/c5s5zSvX615u4E9SjHWBPmidc3DQcxq8+c=; b=QykU/fhmu1MGmZe2HuwDxvqsafpOg5wkKpjkXx2PjJkggEblnNdO0qqJ +c1DocKsFWrLMKpp40t+gKH96zEBMcCjITf/K82E3D6bfzMSptqFB4m6U YUzy8HZQDWz8GXs4e9Wt+KzYKojUD2C2y/Nz/zyALBsKsojlrYGpcHUf8 U=;
X-IronPort-AV: E=McAfee;i="5300,2777,5715"; a="22409517"
Received: from pdmz-ns-mip.qualcomm.com (HELO numenor.qualcomm.com) ([199.106.114.10]) by wolverine01.qualcomm.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 20 Aug 2009 15:42:43 -0700
Received: from hamtaro.qualcomm.com (hamtaro.qualcomm.com [129.46.61.157]) by numenor.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id n7KMghoe024493 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 20 Aug 2009 15:42:43 -0700
Received: from nasanexhub02.na.qualcomm.com (nasanexhub02.na.qualcomm.com [10.46.143.120]) by hamtaro.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id n7KMgYqm022923 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Thu, 20 Aug 2009 15:42:34 -0700 (PDT)
Received: from nalasexhc01.na.qualcomm.com (10.47.129.185) by nasanexhub02.na.qualcomm.com (10.46.143.120) with Microsoft SMTP Server (TLS) id 8.1.358.0; Thu, 20 Aug 2009 15:42:34 -0700
Received: from NALASEXMB04.na.qualcomm.com ([10.47.7.118]) by nalasexhc01.na.qualcomm.com ([10.47.129.185]) with mapi; Thu, 20 Aug 2009 15:42:34 -0700
From: "Laganier, Julien" <julienl@qualcomm.com>
To: Robert Moskowitz <rgm@htt-consult.com>, "hipsec@ietf.org" <hipsec@ietf.org>
Date: Thu, 20 Aug 2009 15:42:33 -0700
Thread-Topic: [Hipsec] To tunnel or not
Thread-Index: AcohHLh0sx+ps+NMRqydCWv+KMz0IgAxdJNw
Message-ID: <BF345F63074F8040B58C00A186FCA57F1C24BE407F@NALASEXMB04.na.qualcomm.com>
References: <4A8C7D0D.7010708@htt-consult.com>
In-Reply-To: <4A8C7D0D.7010708@htt-consult.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [Hipsec] To tunnel or not
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2009 22:42:42 -0000
Robert Moskowitz wrote: > > ESP Transport in a bound, end-to-end operation > > or > > ESP Tunnel with HITS (or LSI?) explicit. > > Developers have reported challenges in using what we have been calling > BEET mode, and have pointed out that if explicit tunnels were used, > then the special HIP "optimization" (? right word) of Transport mode would > be avoided. While implementing HIP circa 2002 the only reason I had to start hacking the kernel was that "optimization". Other than that I could run the same daemon on FreeBSD and SunOS, and have the daemon configure IPsec SAs via PF_KEY. Thus I do agree that BEET is challenging to the extent that is not part of standards IPsec implementation. Would BEET be a standard part of IPsec the challenge would disappear. Is it likely? I don't think so... > I have at least two technical problems with use of tunnel mode: > > What is enumerated in the tunnel? HITs always or HITs for IPv6 apps > and LSIs for IPv4? (as we have demonstarted that IPv4 apps work well over > HIP over IPv6). If HITs how will this work for IPv4? I suspect that > someone can explain how this could 'work'? The Security Policy Database I had had entries requiring use of ESP tunnel mode for any communication between a local HITs or LSIs and any remote one. A given communication from a local HIT or LSI to a remote one would thus trigger via PF_KEY the HIP daemon to establish keys. The HIP daemon would in turn insert a specific SPD entries requiring protection of communication between the specific local and remote HIT/LSI via an ESP tunnel mode SA between the local and remote IP addresses (v4 or v6). Thus for every association there's one or two SPD entries (keyed by local/remote HITs and/or LSIs), and the protection required by these entries is afforded by a tunnel mode SA between the local and remote IP addresses of the peers. > Would there be expectations on tunnel behaviour that would have to be > negotiated? I'm do not understand what sort of behavioral expectations you're talking about. Can you tell us more.. > My basic philosophy was ESP transport was used as a 'short hand' for > the HIP connection between two hosts. That HIP is not a key negotiation > for ESP, but that ESP is used operationally to simplify HIP (not to develop > YAP) with SPIs being pointers to the underlying HITs (did I remember > that right? :) ). I remember that. But I'm not sure this is in contradiction with the use of HIP as a key management to setup IPsec tunnel mode security association between pair of HITs (or LSIs.) These are IMHO two views of the same machinery. > I can see where the process between two hosts is a tunneling process > and in that HIP is used to secure the tunnel, but here the tunnel is not > coupled to HIP but rather the process between two hosts that uses HIP. > Does that make enough sense? Not sure I'm following you... --julien
- [Hipsec] To tunnel or not Robert Moskowitz
- Re: [Hipsec] To tunnel or not Laganier, Julien
- Re: [Hipsec] To tunnel or not Miika Komu