Re: [I2nsf] WGLC and IPR poll for draft-ietf-i2nsf-sdn-ipsec-flow-protection-04

[Rafa Marin-Lopez <rafa@um.es>]

Hi Paul:

Sorry for the delayed answer. Our answer took us more time than expected preparing. Thank you very much again. Please see our comments inline:

> El 22 abr 2019, a las 18:19, Paul Wouters <paul@nohats.ca> escribió:
> 
> Linda Dunbar <linda.dunbar@huawei.com> wrote:
> 
>> This email starts a four weeks Working Group Last Call
>> on draft-ietf-i2nsf-sdn-ipsec-flow-protection-04. 
>> This poll runs until May 15, 2019. 
> 
>> If you are listed as an Author or a Contributor of this Document please respond to this email and
>> indicate whether or not you are aware of any relevant undisclosed IPR. The Document won't progress
>> without answers from all the Authors and Contributors.
> 
> I'm not sure if I should consider mylsef a Contributors, but regardless
> I have no IPR on any of this.
> 
> 
> 
>   The Security Controller is in charge of managing and
>   applying SPD and PAD entries (deriving and delivering IKE Credentials
>   such as a pre-shared key, certificates, etc.), and applying other IKE
>   configuration parameters (e.g.  IKE_SA_INIT algorithms) to the NSF
>   for the IKE negotiation.
> 
> This text is a little confusing as IKE manages and applies the SPD/PAD
> entries, but the SC is not the one running IKE. Proposed new text:
> 
>   The Security Controller is in charge of managing and
>   applying IPsec connection information (determing which nodes need to
>   start an IKE/IPsec session, deriving and delivering IKE Credentials
>   such as a pre-shared key, certificates, etc.), and applying other IKE
>   configuration parameters (e.g.  IKE_SA_INIT algorithms) to the NSF
>   for the IKE negotiation.

[Authors] Changed. 
> 
> 
>   IKE case MAY be easier to deploy than IKE-less case because current
>   gateways typically have an IKEv2/IPsec implementation.
> 
> Why is that MAY in capitals? Also, based on the paragraph it seems you
> really are saying the IKE case is easier to deploy, unless your nodes
> lack the resources to run IKEv2.

[Authors] We have rephrased as:

“In principle, IKE case is easier to deploy than IKE-less
case because current gateways typically have an IKEv2/IPsec 
implementation. Moreover hosts can install easily an IKE implementation."

> 
>   The main
>   reason is that the Security Controller is not able to observe any
>   session keys generated for the IPsec SAs because IKEv2 is in charge
>   of negotiating the IPsec SAs.
> 
> I think you mean "because the nodes, not the Security Controller, is
> generating the session keys". I would not use the word IKEv2, because
> it is unclear if that IKEv2 would be running on the SG or the node.

[Authors] That’s right. Let’s only write this sentence:

"The main reason is that the NSFs are generating the session keys and not the Security Controller”.

> 
> 
>   For IKE case, the rekeying process is carried out by IKEv2, following
>   the information defined in the SPD and SAD.
> 
> That is not the whole story though? Isn't is the Security Controller
> that decides when to terminate a connection? I guess it is implied here
> that we are talking about connections that are instructed by the SG to
> stay up long enough to need rekeying?

[Authors] The Security Controller may decide to terminate a connection but, in principle, if nothing unexpected happens after applying IKE configuration will allow IKE to operate as configured. So, yes, it is expected that connections will live unless something different is required by the administrator or the SC detects something wrong. 
> 
> 
> Section 5.3.1 talks about a bundle of two inbound SA's. That is a little
> confusing as traditionally we talk about the bundle being an inbound and
> outbound SA from the perspective of one of the endpoints. I understand
> you are doing this so you can talk about installing inbound on both ends
> first. Perhaps talk initially about the inbound and outbound bundle,
> then state you are handing out what is the inbound sa from the point of
> view of each endpoint first ?

[Authors] We can add the following paragraph. How about this one?:

"Traditionally, during a rekey process of the IPSec SA using IKE, a bundle of inbound and outbound SAs, from the perspective of one of the NSFs, is taken into account. For example, if the inbound SA expires both the inbound and outbound SA are rekeyed at the same time in that NSF. However, when IKE is not used, we have followed a different approach to avoid any packet loss during rekey: the Security Controller installs first the new inbound SAs in both NSFs and then, the outbound SAs."


> 
>   It is worth noting that if the IPsec implementation
>   can itself detect traffic on the new IPsec SA, and it can delete
>   the old IPsec SA itself without instruction from the Security
>   Controller, then this step 3 is not required.
> 

> Technically, they can never know this because IKEv2 allows installing
> multiple IPsec SA's with the exact same policies.

[Authors] We are talking here about IKE-less case so there is no IKEv2. This paragraph was added after , as far as I remember, your comment about this possibility. I think if the IPsec SAs have different SPIs the SDN controller can distinguish among them

> We are for example
> doing this for performance increases by creating multiple IPsec SA's,
> (identical policies, different keys)

> to get one IPsec SA bound per CPU
> on the endpoint. I would recommend to leave this up only to the Security
> Controller, eg:
> 
> 	The IPsec implementation cannot detect whether a new identical
> 	IPsec SA is an additional (identical) IPsec SA or a replacement
> 	IPsec SA. It should only delete the (seemingly) old IPsec SA
> 	when the Security Controller instructs the node to do so.

[Authors] Then the step 3 still applies. Most probably removing the paragraph should be enough, right?

> 
> 
> 
> 	It can also instruct the affected NSF to send IKEv2 INITIAL_CONTACT.
> 
> I think this is something the IKEv2 implementation would determine on its own.
> I would remove the sentence or change it to say the node can determine it
> needs to send INITIAL_CONTACT. Also, this removes the need for the SC to
> have to relay this option to the IKEv2 NSF.

[Authors] We have observed some implementations (e.g. libreswan) has this variable initial-contact as well in the ipsec.conf. That is why we decide to keep it. Is it not useful then?



> 
>   In IKE-less case, if the Security Controller detects that a NSF has
>   lost the IPsec SAs (e.g. it reboots) it will delete the old IPsec SAs
>   of the non-failed nodes established with the failed node (step 1).
>   This prevents the non-failed nodes from leaking plaintext.
> 
> Wouldn't doing that before installing a new IPsec SA not actually _cause_
> leaking plaintext? Unless the non-failed nodes, upon receiving the delete
> would put in an SPD policy that would catch packets and trigger an acquire.

[Authors] This is an interesting question. We must state that, for security reasons, any NSF should have a default DISCARD policy. A NSF restarting should not allow any traffic unless SC says so. In other words, Since the NSF needs information coming from the SC, if that information is not in place yet the safest option is DISCARD action.

> 
> I see the use of ah-algorithms. I thought we were going to remove all mention
> of AH and perhaps tell people to use ESP NULL encryption?

[Authors] Yes, we have removed AH. That is what we are doing for version -05.

> 
> 	+--rw security-protocol?          ic:ipsec-protocol
> 
> What does this stand for? There is no "IPsec protocol" in the sense that we do not have
> an IANA protocol entry for "IPsec" (only for ESP)

[Authors] I understand. The intention was to say ipsec related protocol. Should we use something like ic:ipsec-related-protocol? or  ic:sec-protocol?

 
> 
> SHOULD NEVER -> MUST NOT

[Authors] Fixed
> 
> 
>   If PSK authentication is used in IKEv2, the Security
>   Controller SHOULD remove the PSK immediately after generating and
>   distributing it
> 
> Why is that SHOULD not a MUST? Can you give an example of an exception?

[Authors] Right. MUST is the right option.
> 
>   If raw public keys are used,
>   the Security Controller SHOULD remove the associated private key
>   immediately after generating and distributing them to the NSFs.
> 
> Again, why is this SHOULD not a MUST? What is the exception?

[Authors] Right too. We have fixed this.
> 
>   In the IKE-less case, the controller sends the IPsec SA information
>   to the SAD that includes the keys for integrity and encryption (when
>   ESP is used).  That key material are symmetric keys to protect data
>   traffic.
> 
> Change to:
> 
>   In the IKE-less case, the controller sends the IPsec SA information
>   to the SAD that includes the private session keys required for integrity
>   and encryption.

[Authors] Done.

> 
> 
>   The general recommendation is that the Security Controller
>   SHOULD NEVER stores the keys
> 
> Again, use RFC 2119 terms, so change SHOULD NEVER to MUST NOT. (or SHOULD
> NOT, but then you again need to say what the exception would be)

[Authors] MUST NOT better.
> 
>   Moreover, the
>   NSFs MUST NOT allow the reading of these values once they have been
>   applied by the Security Controller (i.e. write only operations).
> 
> These are not really "applied by the Security Controller". Perhaps you
> meant "obtained" instead of “applied"
> ?

[Authors] Since we were referring to IKE-less case the Security Controlles sends these keys to the NSF. In that case, the Security Controller applies the keys but it MUST NOT BE obtained (read) by anyone (including the SC).


> 
> 
>   In other words, it may have access to the
>   key material used in the distributed IPsec SAs and observe the
>   traffic between peers.
> 
> change to:
> 
>   In other words, the attack might be able to observe the IPsec traffic and decrypt, or even modify
>   and re-encrypt the traffic between peers.

[Authors] Done.
> 
> 
>   In any case, some escenarios with special
>   secure environments (e.g. physically isolated data centers) make this
>   type of attack difficult.
> 
> I would not make this claim and just delete this setence (and the "Morever," part
> of the next sentence.

[Authors] Done
> 
>    enum ah { description "AH Protocol"; }
> 
> another occurance of AH ?

[Authors] We are writing version -05 of these changes will be applied.
> 
>    typedef ipsec-upper-layer-proto {
>                        type enumeration {
>                                enum TCP { description "TCP traffic"; }
>                                enum UDP { description "UDP traffic"; }
>                                enum SCTP { description "SCTP traffic";}
>                                enum DCCP { description "DCCP traffic";}
>                                enum ICMP { description "ICMP traffic";}
>                                enum IPv6-ICMP { description "IPv6-ICMP traffic";}
>                                enum GRE {description "GRE traffic";}
>                        }
>                        description "Next layer proto on top of IP";
>                }
> 
> I don't understand ipsec-upper-layer-proto? If this is encapsulation protocol, then
> there is only TCP and UDP. If this is the protocol of the encrypted data, then there
> are a lot more protocols. The document also nowhere explains the term "upper layer protocol"
> I think you mean what I would call the "inner protocol" so that it is every number from the
> IANA protocol registry.

[Authors] Basically RFC 4301 mentions next layer protocols and we had that in previous versions but it was suggested that was not a good name. So we used this one. We can use inner protocol. Thus it is not encapsulation but the protocols in the next header after IP header.

"Next Layer Protocol: Obtained from the IPv4 "Protocol" or the
        IPv6 "Next Header" fields.”

So it seems  that every number from the IANA protocol registry should be there. So here we have again the same problem as crypto algorithms. However, we can do as RFC 8519 : 

leaf protocol {
      type uint8;
      description
        "Internet Protocol number.  Refers to the protocol of the
         payload.  In IPv6, this field is known as 'next-header',
         and if extension headers are present, the protocol is
         present in the 'upper-layer' header.";
      reference
        "
RFC 791
: Internet Protocol
         
RFC 8200
: Internet Protocol, Version 6 (IPv6) Specification.";
    }

> 
> 
>                typedef pfs-group {
>                        type enumeration {
>                                enum NONE {description "NONE";}
>                                enum 768-bit-MODP {description "768-bit MODP Group";}
>                                enum 1024-bit-MODP {description "1024-bit MODP Group";}
>                                enum 1536-bit-MODP {description "1536-bit MODP Group";}
>                                enum 2048-bit-MODP {description "2048-bit MODP Group";}
>                                enum 3072-bit-MODP {description "3072-bit MODP Group";}
>                                enum 4096-bit-MODP {description "4096-bit MODP Group";}
>                                enum 6144-bit-MODP {description "6144-bit MODP Group";}
>                                enum 8192-bit-MODP {description "8192-bit MODP Group";}
>                        }
>                        description "PFS group for IPsec rekey";
>                }
> 
> This is the only entry still enumerating (partially!) an IANA registry.

[Authors] Right. But I am not sure if there is a final conclusion about this dilemma. Personally, I still prefer to have a uint32 and refer Group Description (Value 4) in 

https://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml



> 
>     leaf-list ike-sa-authalg { type ic:integrity-algorithm-t; description "Auth algorigthm for IKE SA”;}

[Authors] Done.
> 
> Typo in algorigthm
> 
>     leaf-list ike-sa-encalg { type ic:encryption-algorithm-t; description "Auth algorigthm for IKE SAs";}
> 
> Same typo, but it should also not be "Auth" but "Encryption or AEAD algorithm”.

[Authors] Done.
> 
> 
>   description "Configure the IKEv2 software";
> 
> Maybe call it "Configuration of the IKEv2 implementation" ?
> (more of these "Configure" vs "Configuration" terms follow)

[Authors] Ok.

> 
>  leaf pad-entry-id { type uint64; description "SAD index. ";}
> 
> did you mean "PAD index” ?

[Authors] Yes, it is a typo.
> 
>   Whether to use IKEv2 fragmentation as
> 
> Whether or not to enable IKEv2 fragmentation
> 
> (enable because the other end can not have support, it is just a suggestion, not a demand)

[Authors] True.

> 
>    container ike-sa-state {
>           container uptime {
>               description "IKE service uptime";
> 
> Did you mean "IKE connection uptime” ?

[Authors] Yes, that is correct.

> To me ike-sa-state means an IKE state, not IKE service state?

[Authors] Agree

> 
>    leaf nat-any {type boolean; description "YES, if both local and remote endpoints are behind a NAT”;}

> 
> I could call this nat-both instead of nat-any, nat-any suggests it could be "0 or more”

[Authors] Done
> 
> Seconds before IKE SA gets rekeyed -> Seconds before IKE SA must be rekeyed
> (same for next auth item)

[Authors] Done.
> 
>   description "Configure Security Association (SA). Section 4.4.2.1 in RFC 4301";
> 
> Use "Configuration of IPsec Security Association (SA). Section 4.4.2.1 in RFC 4301"
> To ensure it is clear this is not about an IKE SA. Same on the next line for
> "for a particular SA"
> 
>   leaf seq-number-overflow-flag { type boolean; description "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the SA, or whether rollover is permitted."; }
> 
> What is the source of this? I thought sequence numbers were never allowed to overflow?

[Authors] According to RFC 4301 - 4.4.2.1.  Data Items in the SAD:

Sequence Counter Overflow: a flag indicating whether overflow of
      the sequence number counter should generate an auditable event and
      prevent transmission of additional packets on the SA, or whether
      rollover is permitted.  The audit log entry for this event SHOULD
      include the SPI value, current date/time, Local Address, Remote
      Address, and the selectors from the relevant SAD entry.



> 
>   leaf anti-replay-window { type uint16 { range "0 | 32..1024"; } description "Anti replay window size"; }
> 
> Why cap at 1024? That could be too low for 100gbps connections.

[Authors] The truth is that RFC 4301 mentions:

Anti-Replay Window: a 64-bit counter and a bit-map (or equivalent)
      used to determine whether an inbound AH or ESP packet is a replay.

So we can replace this with uint64. On the other hand, we have observed with uint16 should be enough in real cases. We can remove the restriction (1024) . what do you think?


> 
>   leaf spd-entry-id {type uint64; description "This value links the SA with the SPD entry";}
> 
> Again, use "IPsec SA”

[Authors] Ok. 
> 
>  leaf security-protocol { type ic:ipsec-protocol; description "Security protocol of IPsec SA: Either AH or ESP."; }
> 
> If we killed AH, remove from here.

[Authors] Yes, this has already been removed.
> 
>   leaf mode { type ic:ipsec-mode; description "SA Mode"; }
> 
> "IPsec SA". Should it say "tunnel/transport” ?

[Authors] Right.
> 
>   leaf replay {type uint32; default 0; description "packets detected out of the replay window and dropped because they are replay packets";}
> 
> That should be: "inside the replay window”

[Authors] Good catch. Changed.
> 
>              typedef sadb-msg-satype {
>                         type enumeration {
>                                enum sadb_satype_unspec { description "SADB_SATYPE_UNSPEC"; }
>                                enum sadb_satype_ah { description "SADB_SATYPE_AH"; }
>                                enum sadb_satype_esp { description "SADB_SATYPE_ESP"; }
>                                enum sadb_satype_rsvp { description "SADB_SATYPE_RSVP"; }
>                                enum sadb_satype_ospfv2 { description "SADB_SATYPE_OSPFv2"; }
>                                enum sadb_satype_ripv2 { description "SADB_SATYPE_RIPv2"; }
>                                enum sadb_satype_mip { description "SADB_SATYPE_MIP"; }
>                                enum sadb_satype_max { description "SADB_SATYPE_MAX"; }
>                        }
>                        description "PF_KEY Security Association types";
>                }
> 
> Is this enumerating an IANA registry? I think it might be from xfrm.h but I don't know any of those
> except the first three.

[Authors] Yes, you’r right they belong to xfrm.h (pf_keyv2) . And yes, we have left UNSPEC and ESP
> 
>   description "Configure integrity for IPSec Authentication Header (AH)";
> 
> "Configuration of integrity algorithm for IPSec Authentication Header (AH)

[Authors] This has been deleted.

> 
>   description "Configure encryption for IPSec Encapsulation Secutiry Payload (ESP)";
> 
> "Configuration of encryption or AEAD algorithm for IPSec Authentication Header (ESP)"
> 
>   description "Configure authentication for IPSec Encapsulation Secutiry Payload (ESP)";
> 
> See above, but also I would not use "authentication" here, but "integrity", as it is really
> the same thing as the AH value except for ESP. So either call both authentication or call both
> integrity - i strongly prefer integrity to avoid confusing with IKE authentication.

[Authors] Done.
> 
>   /* With AEAD algorithms, the integrity node is not used */
> 
> So it can either be fully ommited, or it can contain the integrity value for None. Perhaps
> relfect that in the comment? There are some implementations that do not handle both, so there
> might be a need to configure "None" as the integrity algorithm for an AEAD.

[Authors] If integrity node does not appear in the configuration sent by the controller, the integrity interpretation is none. We can comment this. 

Our comment is if the encryption container is sent to the NSF with an AEAD algorithm the container integrity is not sent , not required since AEAD algorithm provides integrity (and encryption)
> 
> I now spotted the entry for AEAD, so now I am a little confused. If the above encryption is not
> used for that, and we have a special entry for aead, than the above comment is wrong, because
> then with AEAD algorithms, encryption and integrity is not used but combined-enc-intr.

[Authors] combined-enc-intr has been removed.

We have only encryption and integrity container now. But an AEAD algorithm will be included in the encryption leaf and there won’t be integrity leaf.

> 
> I would be more inclined to keep this more in line with IKEv2, where AEAD's are just encryption
> algorithms. So remove the combined-enc-intr leaf.
> 
>  notification sadb_expire {
>                        description "A IPsec SA expiration (soft or hard)";
> 
>                        uses base-grouping;
>                        leaf spi { type ic:ipsec-spi;  description "Security Parameter Index";}
>                        leaf anti-replay-window { type uint16 { range "0 | 32..1024"; } description "Anti replay window"; }
> 
>                        leaf encryption-algorithm { type ic:encryption-algorithm-t; description "encryption algorithm of the expired SA"; }
>                        leaf authentication-algorithm { type ic:integrity-algorithm-t; description "authentication algorithm of the expired SA"; }
> 
> So if you keep AEAD as a seperate entry, you also need a leaf here for it.

[Authors] If the encryption-algorithm is AEAD the authentication(integrity)-algorithm will not contain any algorithm, right?.
> 
> 
> 
> 
> I see IPcomp is not used anywhere. I agree with that but I'm not sure if there is WG conensus for that.

[Authors] We did not include IPcomp from the beginning and until now, there has not been any comment in this regard.

> Some IoT people think compression is super important.

[Authors] I am aware they are working in some compression techniques for very constrained links.
> 
> nits:
> 
> These appear a few times:
> 
> "in IKE case" -> in the IKE case"
> "in IKE-less case" -> in the IKE-less case"
> 
> making IKEv2 configuration -> making the IKEv2 configuration
> 
> 
>   Note that the usage of TRANSPORT mode when NAT is
>   required is forbidden in this specification.
> 
> We normally don't use words like "forbidden". We usually write that like:
> 
>   Transport mode MUST NOT be used when a NAT is present between
>   two NSF's.
> 
> and not the IKE-less. -> and not the IKE-less case.
> 
> In order to support IKE case and IKE-less case -> In order to support the IKE and IKE-less cases
> 
> I see the use of "IKE case" and the use of "IKE-case". Pick one and stick to that?

> 
> minimu -> minimum
> 
> it may access to these values. -> it might have access to the key material"
> 
> It is acting as initiator in this connection -> It is acting as initiator for this connection
> 
> IKEless -> IKE-less
> 
> "A SPD entry has expired" -> "An SPD entry has expired"
> 
> "A IPsec SA is required " -> "An IPsec SA is required"
> 
> "A IPsec SA expiration (soft or hard)" -> "An IPsec SA expiration (soft or hard)"
> 
> "Security Parameter Index" -> "Security Parameter Index (SPI)”

[Authors] All these nits have been solved.


Thank you very much again for this review and your time.

> 
> Paul
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------