[IPsec] Some comments to the draft-mglt-ipsecme-security-gateway-discovery-00

Tero Kivinen <kivinen@iki.fi> Thu, 18 April 2013 11:00 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 7111E21F8A7B for <ipsec@ietfa.amsl.com>; Thu, 18 Apr 2013 04:00:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id l3ZNrGAu3eP7 for <ipsec@ietfa.amsl.com>; Thu, 18 Apr 2013 04:00:24 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi []) by ietfa.amsl.com (Postfix) with ESMTP id 7D36521F89B2 for <ipsec@ietf.org>; Thu, 18 Apr 2013 04:00:23 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost []) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id r3IAvou0014413 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 18 Apr 2013 13:57:50 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id r3IAvolW021908; Thu, 18 Apr 2013 13:57:50 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20847.53678.49713.19290@fireball.kivinen.iki.fi>
Date: Thu, 18 Apr 2013 13:57:50 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: mglt.ietf@gmail.com, k.pentikousis@huawei.com
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 23 min
X-Total-Time: 90 min
Cc: ipsec@ietf.org
Subject: [IPsec] Some comments to the draft-mglt-ipsecme-security-gateway-discovery-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2013 11:00:25 -0000

In section 4.1 Multiple Interfaces you say:

   Distributed VPN infrastructures are composed of multiple, independent
   Security Gateways.  Currently, IPsec [RFC4301] does not have the
   mechanisms that enable "moving" a VPN connection from one Security
   Gateway to another Security Gateway.  In practice, this means that

There is Redirect Mechanism for the Internet Key Exchange Protocol
Version 2 (IKEv2) RFC5685, which is standard track document allow
redirecting the IKEv2 SA to another gateway. This can used when
initially creating the tunnel, but it can also be used in the middle
of the session, i.e. gateway can request client to move to another

How is this draft working together with REDIRECT RFC?

In section 5 this document seems to be using Notify payloads to do
request reply protocol. I think configuration payloads might be better
suited for this kind of request reply protocol.

In section 5.1 the draft says:
5.1.  Sending a NEIGHBOR_INFORMATION Query

   The initiator builds the NEIGHBOR_INFORMATION Notify Payload
   (described in Section 6.1) by setting the Question bit to 1 and
   providing the necessary Options.  Notify Payloads have a Critical bit

The RFC5996 says:

2.5.  Version Numbers and Forward Compatibility
                                   Note that the critical flag applies
   only to the payload type, not the contents.  If the payload type is
   recognized, but the payload contains something that is not (such as
   an unknown transform inside an SA payload, or an unknown Notify
   Message Type inside a Notify payload), the critical flag is ignored.
3.2.  Generic Payload Header
   o  Critical (1 bit) - MUST be set to zero if the sender wants the
      recipient to skip this payload if it does not understand the
      payload type code in the Next Payload field of the previous
      payload.  MUST be set to one if the sender wants the recipient to
      reject this entire message if it does not understand the payload
      type.  MUST be ignored by the recipient if the recipient
      understands the payload type code.  MUST be set to zero for
      payload types defined in this document.  Note that the critical
      bit applies to the current payload rather than the "next" payload
      whose type code appears in the first octet.  The reasoning behind
      not setting the critical bit for payloads defined in this document
      is that all implementations MUST understand all payload types
      defined in this document and therefore must ignore the critical
      bit's value.  Skipped payloads are expected to have valid Next
      Payload and Payload Length fields.  See Section 2.5 for more
      information on this bit.

I.e. it says that Notify payloads MUST have critical bit set to zero,
as it is payload that is defined in the RFC5996, and as
implementations will support Notify payloads, none of them will ever
return UNSUPPORTED_CRITICAL_PAYLOAD error. The Critical bit only
applies to the payload type, not contents.

So the text in section 5.2 is incorrect:
   Once a NEIGHBOR_INFORMATION Notify Payload is received, the responder
   checks whether the Critical bit is set to 1.  If the Critical Bit is
   set and the Notify Payload is not supported by the responder then,
   following [RFC5996] section 2.5, setting the Critical bit to one
   forces the Responder to send back a UNSUPPORTED_CRITICAL_PAYLOAD
   Notify Payload if it does not understand the received Notify Payload.

As implementations do support Notify payloads, they will not return
UNSUPPORTED_CRITICAL_PAYLOAD, even when they might not support
NEIGHBOR_INFORMATION notify payload type. As the Notify Payload is
specified in the RFC5996, all implementations will support it. Some
minimal implementations might simply ignore them, if they do not
support any of the features provided by the contents of the Notify
Payload, but they do know how to ignore it.

Also in same section:
   If no corresponding query has been sent previously an INVALID_SYNTAX
   MUST be sent back and the rest of the Notify Payload MUST be ignored.
   Conversely, if a query has been sent, the receiver will process the
   response as per Section 5.2.2.

If the peer sends INVALID_SYNTAX notification back, that will cause
the whole IKE SA to be deleted without separate delete notification. I
do not assume this what is wanted here. Most likely it would be better
to simply ignore unsocilicated message, than to tear down the whole

The RFC5996 the INVALID_SYNTAX is defined as follows:
2.21.3.  Error Handling after IKE SA is Authenticated
   If a peer parsing a request notices that it is badly formatted (after
   it has passed the message authentication code checks and window
   checks) and it returns an INVALID_SYNTAX notification, then this
   error notification is considered fatal in both peers, meaning that
   the IKE SA is deleted without needing an explicit Delete payload.

In section 6.4.1 there is Padding payload defined:
6.4.1.  Padding Payload: PADDING

   The Padding Payload is used to make the NEIGHBOR_INFORMATION Notify
   Payload length a multiple of 32 bits.

Why is this needed?

There is nothing in the IKEv2 that requires anything to be padded to
specific length. This also opens one more side channel, to send
information out as the "padding octects are for padding and MUST NOT
be interpreted".