IETF Logo Mail Archive

Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility

Tero Kivinen <kivinen@iki.fi> Thu, 17 December 2009 12:04 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 020EC3A68C4; Thu, 17 Dec 2009 04:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.573
X-Spam-Level:
X-Spam-Status: No, score=-2.573 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIbzXstXHdo6; Thu, 17 Dec 2009 04:04:12 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id BE3623A69D6; Thu, 17 Dec 2009 04:04:11 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nBHC3q8X028522 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 17 Dec 2009 14:03:52 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nBHC3pWK004311; Thu, 17 Dec 2009 14:03:51 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19242.7719.715250.335841@fireball.kivinen.iki.fi>
Date: Thu, 17 Dec 2009 14:03:51 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Yaron Sheffer <yaronf@checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF893F0B9@il-ex01.ad.checkpoint.com>
References: <20091217023458.GA23757@mactavish> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF893F0B9@il-ex01.ad.checkpoint.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 15 min
X-Total-Time: 14 min
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Russ Housley <housley@vigilsec.com>, "iesg@ietf.org" <iesg@ietf.org>, Dan McDonald <danmcd@sun.com>
Subject: Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 12:04:13 -0000

Yaron Sheffer writes:
> I agree with you regarding some of the proposals that have been
> floating around re: exposing bits and pieces of encrypted data.

I am really concerned about some of those late proposals for WESP
extensions, and if someone would have mentioned any of those earlier
when we were discussing whether WESP should allow encrypted ESP also,
I would have been even more against allowing encrypted WESP. 

> I disagree though that WESP should not be used for encrypted data:
> 
> - It is simpler for implementations and architecturally cleaner for
>   WESP to support both flavors.

It does make more complexity for the middle boxes as they need to cope
with both encrypted WESP and ESP-NULL WESP, thus they still cannot use
just the WESP protocol number to indicate this packet is clear text.
Now they also need to check the bit in the header, and if we add more
extensions to WESP, they need to start doing even more processing etc,
and quite soon WESP is more complex than what AH is now.

> - WESP provides for (secure) extensibility, which unfortunately we
>   have not had with ESP. Indeed we should be wise about picking such
>   extensions.

ESP is extensible, but it just requires out of band communication to
negotiate those extensions. We currently already have ESP extesions
like extended sequence numbers (ESN), Explicit Congestion Notification
(ECN), Traffic Flow Confidentiality (TFC), and Combined mode
algorithms.

Those were added after initial ESP was created, and they are
negotiated using IKEv2 (or some other method).

ESP does not offer extensibility that can be done without out of band
communication, and as that out of band communication is normally
encrypted (inside IKEv2) that means middle boxes cannot process it.

I do not think WESP should be used as generic extensible ESP. That was
not what the ipsecme wg was chartered to do. We were chartered to do:

- A standards-track mechanism that allows an intermediary device, such
  as a firewall or intrusion detection system, to easily and reliably
  determine whether an ESP packet is encrypted with the NULL cipher;
  and if it is, determine the location of the actual payload data
  inside the packet. The starting points for this work item are
  draft-grewal-ipsec-traffic-visibility and draft-hoffman-
  esp-null-protocol.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email