Re: [Hipsec] draft-ietf-hip-esp-03
Mark Townsley <townsley@cisco.com> Wed, 30 August 2006 16:11 UTC
Message-ID: <44F5B894.6090108@cisco.com>
Date: Wed, 30 Aug 2006 18:11:00 +0200
From: Mark Townsley <townsley@cisco.com>
User-Agent: Thunderbird 1.5.0.5 (Macintosh/20060719)
MIME-Version: 1.0
To: Petri Jokela <petri.jokela@nomadiclab.com>
Subject: Re: [Hipsec] draft-ietf-hip-esp-03
References: <44EABD76.50100@cisco.com> <44EEA3D5.3080505@nomadiclab.com>
In-Reply-To: <44EEA3D5.3080505@nomadiclab.com>
Cc: hipsec@ietf.org, Russ Housley <housley@vigilsec.com>, Sam Hartman <hartmans-ietf@mit.edu>, hip-chairs@tools.ietf.org, jan.melen@nomadiclab.com
It sounds like this addresses the concern in terms of "truth in advertising" here, and I am very glad to see this as it is certainly important. I wonder if the IPsec community will have architectural issues with SPIs being attached to specific processing above the IP stack (depending, I suppose, on where you consider HIP, IP, and IPsec in relation to one another). I remember somewhat similar cases in the past causing serious heartburn within the IPsec community. cc'ing Sam and Russ for their opinion.

- Mark

Petri Jokela wrote:
> Mark Townsley wrote:
>>
>> The Security Area has asked for the following:
>>
>> An explicit section describing why the semantics of HIP ESP differ
>> from IPsec ESP, and explaining how a node can run both IPsec and HIP.
>> If a node cannot run HIP and IPsec at the same time in all
>> configurations of HIP, you are likely to see significant pushback.
>>
>> Such a section sounds reasonable. Also, is the latter true or false?
>>
>> Thanks,
>>
>> - Mark
>
> Hi,
>
> we discussed with Jan about this and he wrote a proposal for a new
> subsection describing what has to be considered when HIP is used
> together with other keying protocols. This limits implementation
> possibilities, but I hope it is not too restrictive to be written on
> the specification.
>
> BR, Petri
>
>
> 3.4 IPsec and HIP ESP implementation considerations
>
> When HIP is run on a node where a standards-compliant IPsec is used,
> some issues have to be considered.
>
> The HIP implementation must be able to co-exist with other IPsec keying
> protocols. When the HIP implementation selects the SPI value, it may
> lead to a collision if not implemented properly. To avoid the
> possibility for a collision, the HIP implementation MUST request SPI
> values from the IPsec (e.g. using PFKey interface).
>
> For outbound traffic the HIP has to make a strict binding between the
> application socket, Security Policy (SP), and Security Association (SA)
> used by HIP. Data originating from a socket that should be processed as
> described in this document should have a SP that is bound to the socket.
> The SP then MUST be bound to the matching SA and non-HIP packets will
> not be processed by this SA. Data originating from a socket that is not
> using HIP MUST NOT have checksum recalculated as described in Section
> 3.2 paragraph 2 and data MUST NOT be passed to the SP or SA created by
> the HIP.
>
> Incoming data packets using a SA that is not negotiated by HIP MUST NOT
> be processed as described in Section 3.2 paragraph 2. The SPI will
> identify the correct SA for packet decryption and MUST be used to
> identify that the packet has an upper-layer checksum that is calculated
> in the HIP way. The socket that uses HIP SHOULD NOT be able to receive
> any data that has not come through the SA that was created by HIP.
>
> /petri
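An added illustration of the two rules in the proposed section 3.4 (SPIs come from one owner of the SPI space, and a strict socket/SP/SA binding decides which checksum treatment applies in each direction). This is a constructed model, not code from the draft or from any HIP or IPsec implementation; the `SADB` class, the "HIP"/"IKE" keying labels and the checksum-mode strings are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

RESERVED_SPIS = 256  # ESP reserves SPI values 0..255; never hand those out

@dataclass(frozen=True)
class SA:
    spi: int
    keying: str  # keying protocol that negotiated it: "HIP" or "IKE" (assumed labels)

class SADB:
    """Single owner of the SPI space, standing in for the kernel SADB reached
    over PF_KEY. HIP requests its SPIs here instead of choosing them itself,
    so two keying protocols on one node cannot end up with the same SPI."""
    def __init__(self):
        self._by_spi = {}

    def allocate(self, keying):
        while True:  # retry until an unused SPI outside the reserved range turns up
            spi = RESERVED_SPIS + secrets.randbelow(2**32 - RESERVED_SPIS)
            if spi not in self._by_spi:
                self._by_spi[spi] = SA(spi, keying)
                return self._by_spi[spi]

    def lookup(self, spi):
        return self._by_spi.get(spi)

@dataclass
class Socket:
    name: str
    hip_sa: Optional[SA] = None  # HIP SA its SP is bound to; None for a non-HIP socket

def checksum_mode(sock, sa):
    """Strict socket/SP/SA binding, same rule outbound and inbound. Returns the
    upper-layer checksum treatment ("hit-pseudoheader" for the HIP procedure of
    Section 3.2, "standard" for ordinary IPsec) or None if the data must not
    cross this socket/SA pair at all."""
    if sock.hip_sa is not None:  # HIP socket: only the SA its SP is bound to
        return "hit-pseudoheader" if sa == sock.hip_sa else None
    return None if sa.keying == "HIP" else "standard"  # non-HIP data never uses a HIP SA

def inbound_mode(sadb, spi, sock):
    """Inbound: the SPI alone selects the SA and therefore the checksum rule."""
    sa = sadb.lookup(spi)
    return None if sa is None else checksum_mode(sock, sa)
```

A HIP daemon that picked SPIs on its own (the collision case the section warns about) would simply bypass `SADB.allocate`; with the shared allocator, an SPI is unique across both keying protocols.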