IETF Logo Mail Archive

Re: [IPsec] WG Review: IP Security Maintenance and Extensions (ipsecme)

Yoav Nir <ynir@checkpoint.com> Mon, 28 July 2008 22:00 UTC

Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD9CB3A6B24; Mon, 28 Jul 2008 15:00:49 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8C1BB3A6B24 for <ipsec@core3.amsl.com>; Mon, 28 Jul 2008 15:00:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XXk6+aKjOUbj for <ipsec@core3.amsl.com>; Mon, 28 Jul 2008 15:00:47 -0700 (PDT)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id 083EF3A6B1E for <ipsec@ietf.org>; Mon, 28 Jul 2008 15:00:47 -0700 (PDT)
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 99D06294002; Tue, 29 Jul 2008 01:00:56 +0300 (IDT)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 8512D294001; Tue, 29 Jul 2008 00:59:02 +0300 (IDT)
Received: from [172.31.21.146] (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id m6SLx0jI016215; Tue, 29 Jul 2008 00:59:01 +0300 (IDT)
Message-Id: <F7958F65-F576-4323-B0F4-19856EB3ED6C@checkpoint.com>
From: Yoav Nir <ynir@checkpoint.com>
To: Dan Harkins <dharkins@lounge.org>
In-Reply-To: <24824166c413680844268e1db43651cf.squirrel@www.trepanning.net>
Mime-Version: 1.0 (Apple Message framework v928.1)
X-Priority: 3 (Normal)
Date: Mon, 28 Jul 2008 22:58:59 +0100
References: <20080624163001.66CF63A6A69@core3.amsl.com> <24824166c413680844268e1db43651cf.squirrel@www.trepanning.net>
X-Mailer: Apple Mail (2.928.1)
Cc: ipsec@ietf.org
Subject: Re: [IPsec] WG Review: IP Security Maintenance and Extensions (ipsecme)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1293454376=="
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org

I don't really agree with this. Different vendors would want different  
things in the "ticket". So much so, that if we insist on including it,  
one of two things will happen: (1) We will fail to reach consensus or  
some vendors implement their own private version, or (2) We will end  
up with a monstrous structure with IETF-specified and vendor-specific  
extensions.

Just as a for-instance, I'll give some examples of what may or may not  
be in the ticket:
1. My company makes VPN software that runs of commodity servers. These  
servers run on regular X86 processors and come with 100's of gigabytes  
of disk space. It's fairly easy for me to save the IKE SA to disk upon  
its creation, perhaps in a database with a unique 64-bit key, and send  
that 64-bit key as the "ticket". After a crash, the database is still  
there. Other vendors run on systems with either no disk or very  
limited disk space, sometimes flash-based. They can't store their SAs  
on disk.
2. With AAA servers you sometimes get authorization information from  
the server during the log-in process. In such a case, the ticket (or  
its persistent record) must hold the authorization information (you  
either can't or don't want to query the AAA server for that  
information during resumption). Other vendors may not rely on AAA  
servers for authorization.
3. User identity may sometimes be stored as a simple string (ASCII or  
UTF8), as a DN, as an email address extracted from the DN or from an  
alternate name in the certificate, or we may want to keep the user  
identity as their public key.

Since failover from one gateway to another is out of scope, let alone  
a failover from one gateway to a gateway made by a different vendor,  
interoperability does not suffer by not specifying a ticket. We can  
and should specify security considerations and what data the gateway  
should be able to reconstruct based on the ticket, but format should  
be out of scope.

On Jul 28, 2008, at 7:04 PM, Dan Harkins wrote:

>
>  Hi,

<snip>

>
>  A bigger issue, though, concerns the construction of the "ticket".  
> I'd
> like to know why this is out-of-scope. I can see the possibility of
> consensus forming in the WG around a document that does not specify
> construction of the "ticket" but that doesn't mean the topic should be
> out-of-scope. How the "ticket" get constructed will influence the  
> security
> of the scheme. A properly constructed "ticket" may even help address  
> DoS
> issues. This topic should be in scope. It seems very wrong that we  
> would
> generate a standards track document in the Security Area with a  
> critical
> component of the security of the proposal being left up to the  
> imagination
> of the guy implementing it.


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email