[I2nsf] Some comments / questions on draft-abad-i2nsf-sdn-ipsec-flow-protection-03
Paul Wouters <paul@nohats.ca> Sun, 17 September 2017 17:03 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EB7F133187 for <i2nsf@ietfa.amsl.com>; Sun, 17 Sep 2017 10:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jt3ADo8EOdMC for <i2nsf@ietfa.amsl.com>; Sun, 17 Sep 2017 10:03:55 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F398A13308F for <i2nsf@ietf.org>; Sun, 17 Sep 2017 10:03:54 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xwFpc1vKszCQr for <i2nsf@ietf.org>; Sun, 17 Sep 2017 19:03:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1505667832; bh=ZBJ37ZmepkSM4zx7JLvB3KeJdZPvasfI4EAVdwq69Jg=; h=Date:From:To:Subject; b=EjUJLrqRou7aIj1AHS/tuWYHecu5zqcIu1hWlpvVkfUwD/eJWueZ43ZhQ9wJq7goK kmliYr6ffXJFTtQLLJj7YLCZw++Hi5LPwJqn5Wu1dB68Oqlq66Fbgp07edRvwoqwyS mCQNkMml0L0tW4gWGiCwqWUOFWfP9U+fRuDRc8/0=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id tBan3jFey9TE for <i2nsf@ietf.org>; Sun, 17 Sep 2017 19:03:49 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <i2nsf@ietf.org>; Sun, 17 Sep 2017 19:03:49 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 31DEA393B70; Sun, 17 Sep 2017 13:03:48 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 31DEA393B70
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 279B140B828D for <i2nsf@ietf.org>; Sun, 17 Sep 2017 13:03:48 -0400 (EDT)
Date: Sun, 17 Sep 2017 13:03:46 -0400
From: Paul Wouters <paul@nohats.ca>
To: i2nsf@ietf.org
Message-ID: <alpine.LRH.2.21.1709171210230.13383@bofh.nohats.ca>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/ufN8WKeQzdGWqhaCTazIUo5s46M>
Subject: [I2nsf] Some comments / questions on draft-abad-i2nsf-sdn-ipsec-flow-protection-03
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Sep 2017 17:03:58 -0000
I had another look at the draft. I am not in favour or against adoption of this draft. However, I am wondering if the two use cases are not better split into two separate documents, as the requirements, deployment and security considerations are very different. It would also allow implementors to more clearly indicate supporting one or both use cases by referencing RFC numbers. Specific comments on text follow below. In section 6.2, I see a difference in ah-sa and esp-sa. The document has: +--rw ah-sa +--rw integrity-algorithm? +--rw key? +--rw esp-sa | | +--rw encryption | | | +--rw encryption-algorithm? encryption-algorithm-t | | | +--rw key? string | | | +--rw iv? string | | +--rw integrity | | | +--rw integrity-algorithm? integrity-algorithm-t | | | +--rw key? string | | +--rw combined | | +--rw combined-algorithm? This seems inconsistent between ah-sa and esp-sa. More consistent would be: +--rw ah-sa +--rw-integrity | +--rw integrity-algorithm? | +--rw key? +--rw esp-sa | | +--rw encryption | | | +--rw encryption-algorithm? encryption-algorithm-t | | | +--rw key? string | | | +--rw iv? string | | +--rw integrity | | | +--rw integrity-algorithm? integrity-algorithm-t | | | +--rw key? string That is two changes: 1) Give rw ah-sa a subsection rw-integrity, even if it is the only subsection. 2) Don't define rw combined on its own. It is an rw encryption-algorithm. (also, otherwise rw combined needs rw key and rw iv) (alternatively rw combined could be a bool) (also see below) The rw encap entry should add an entry for rw espintcp to indicate support for RFC 8229. I'm not sure why the rpcs ro authentication and ro encryption entries have "max-bits" and "min bits" entries. The idea that we would have algorithms with variable key length was only ever valid for the (basically abandoned) CAST and (never adopted) blowfish/twofish algorithms. These days we have a discrete set of bits, at the moment 128/192/256 only. (libreswan IKE has removed some scar tissue based on this, where it had concepts of min/default/max that were removed) I'm confused by the SAD entries have sa-lifetime's of "soft" and "hard". The counters in the SPD sure need to have these, but the counters in the SAD are representing the actual counters themselves, so there is no hard or soft. The notifications could use an entry for sadb_bad-spi, as it would be useful to somehow notify that packets with unknown SPI's are received, which indicated one of the two endpoints rebooted but the other end isn't aware and still sending encrypted packets that can no longer be decrypted. It seemds IPCOMP has been left out everywhere. I'm not sure if that was by design or not. (I think IPCOMP should die, so I'm fine with it) Section 6.4 the rw autostartup is a boolean, but we tend to have three states here, alwayson, initiate-on-demand, or respond-only. nat-traversal should probably be expanded from a boolean, due to the ESPinUDP and ESPinTCP and ESPinTLs options. It should also have a port value since TCP/TLS could run on different ports. It seems for IKE, combined algorithms were not seperated from enc+integ algorithms (see previous comment) as was done for IPsec. If I read the syntax correctly, there seems to only be one PFS group possible? Often IKE proposals allow more then one. traffic selectors seem also to be limited to only single IP-to-IP without port or protocol selectors? That seems to conflict with an earlier value in Section 6.2 indicating support for Populate From Packet (pfp) which would create multiple IPsec SA's limited by protocols and ports. phase2-lifetime seems to only have a uint32 value. I don't understand what unit this is in? And what happend to the policies for maxtime, maxpackets and maxbytes? Section 7.1 In use case 2 it states "In this case the execution of IKE is not necessary in the controller". I would say that you MUST NOT run an IKE daemon in that case because otherwise the Security Controller and the IKE daemon are going to fight each other for the SAD/SPD states. I'm still a little confused about what is meant by "gateway-to-gateway" since I don't see any policies being able to be defined for "site to site" IPsec policies. Perhaps the context of gateway here does not mean "IPsec gateway" ? Although it then goes on to talk about VPN connections between two branch offices. Is this document only targeting that one host in one branch talks to another host in another branch using host-to-host and that the two subnets are connected by gateways that are not in scope for this document? If site-to-site is in scope, then the entries in Section 6.2 and 6.4 need updating to allow such policies (SPD) and states (SADs) Section 8 I'm not sure if PF_KEYv2 should be recommended for new things. It seems an old interface that people have moved away from. Paul
- [I2nsf] Some comments / questions on draft-abad-i… Paul Wouters
- Re: [I2nsf] Some comments / questions on draft-ab… Rafa Marin-Lopez