[IPsec] Some comments to the draft-mglt-ipsecme-security-gateway-discovery-00
Tero Kivinen <kivinen@iki.fi> Thu, 18 April 2013 11:00 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7111E21F8A7B for <ipsec@ietfa.amsl.com>; Thu, 18 Apr 2013 04:00:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l3ZNrGAu3eP7 for <ipsec@ietfa.amsl.com>; Thu, 18 Apr 2013 04:00:24 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D36521F89B2 for <ipsec@ietf.org>; Thu, 18 Apr 2013 04:00:23 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id r3IAvou0014413 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 18 Apr 2013 13:57:50 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id r3IAvolW021908; Thu, 18 Apr 2013 13:57:50 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20847.53678.49713.19290@fireball.kivinen.iki.fi>
Date: Thu, 18 Apr 2013 13:57:50 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: mglt.ietf@gmail.com, k.pentikousis@huawei.com
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 23 min
X-Total-Time: 90 min
Cc: ipsec@ietf.org
Subject: [IPsec] Some comments to the draft-mglt-ipsecme-security-gateway-discovery-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2013 11:00:25 -0000
In section 4.1 Multiple Interfaces you say: ---------------------------------------------------------------------- Distributed VPN infrastructures are composed of multiple, independent Security Gateways. Currently, IPsec [RFC4301] does not have the mechanisms that enable "moving" a VPN connection from one Security Gateway to another Security Gateway. In practice, this means that ---------------------------------------------------------------------- There is Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) RFC5685, which is standard track document allow redirecting the IKEv2 SA to another gateway. This can used when initially creating the tunnel, but it can also be used in the middle of the session, i.e. gateway can request client to move to another gateway. How is this draft working together with REDIRECT RFC? In section 5 this document seems to be using Notify payloads to do request reply protocol. I think configuration payloads might be better suited for this kind of request reply protocol. In section 5.1 the draft says: ---------------------------------------------------------------------- 5.1. Sending a NEIGHBOR_INFORMATION Query The initiator builds the NEIGHBOR_INFORMATION Notify Payload (described in Section 6.1) by setting the Question bit to 1 and providing the necessary Options. Notify Payloads have a Critical bit set. ---------------------------------------------------------------------- The RFC5996 says: ---------------------------------------------------------------------- 2.5. Version Numbers and Forward Compatibility ... Note that the critical flag applies only to the payload type, not the contents. If the payload type is recognized, but the payload contains something that is not (such as an unknown transform inside an SA payload, or an unknown Notify Message Type inside a Notify payload), the critical flag is ignored. ... 3.2. Generic Payload Header ... o Critical (1 bit) - MUST be set to zero if the sender wants the recipient to skip this payload if it does not understand the payload type code in the Next Payload field of the previous payload. MUST be set to one if the sender wants the recipient to reject this entire message if it does not understand the payload type. MUST be ignored by the recipient if the recipient understands the payload type code. MUST be set to zero for payload types defined in this document. Note that the critical bit applies to the current payload rather than the "next" payload whose type code appears in the first octet. The reasoning behind not setting the critical bit for payloads defined in this document is that all implementations MUST understand all payload types defined in this document and therefore must ignore the critical bit's value. Skipped payloads are expected to have valid Next Payload and Payload Length fields. See Section 2.5 for more information on this bit. ---------------------------------------------------------------------- I.e. it says that Notify payloads MUST have critical bit set to zero, as it is payload that is defined in the RFC5996, and as implementations will support Notify payloads, none of them will ever return UNSUPPORTED_CRITICAL_PAYLOAD error. The Critical bit only applies to the payload type, not contents. So the text in section 5.2 is incorrect: ---------------------------------------------------------------------- Once a NEIGHBOR_INFORMATION Notify Payload is received, the responder checks whether the Critical bit is set to 1. If the Critical Bit is set and the Notify Payload is not supported by the responder then, following [RFC5996] section 2.5, setting the Critical bit to one forces the Responder to send back a UNSUPPORTED_CRITICAL_PAYLOAD Notify Payload if it does not understand the received Notify Payload. ---------------------------------------------------------------------- As implementations do support Notify payloads, they will not return UNSUPPORTED_CRITICAL_PAYLOAD, even when they might not support NEIGHBOR_INFORMATION notify payload type. As the Notify Payload is specified in the RFC5996, all implementations will support it. Some minimal implementations might simply ignore them, if they do not support any of the features provided by the contents of the Notify Payload, but they do know how to ignore it. Also in same section: ---------------------------------------------------------------------- If no corresponding query has been sent previously an INVALID_SYNTAX MUST be sent back and the rest of the Notify Payload MUST be ignored. Conversely, if a query has been sent, the receiver will process the response as per Section 5.2.2. ---------------------------------------------------------------------- If the peer sends INVALID_SYNTAX notification back, that will cause the whole IKE SA to be deleted without separate delete notification. I do not assume this what is wanted here. Most likely it would be better to simply ignore unsocilicated message, than to tear down the whole IKE SA. The RFC5996 the INVALID_SYNTAX is defined as follows: ---------------------------------------------------------------------- 2.21.3. Error Handling after IKE SA is Authenticated ... If a peer parsing a request notices that it is badly formatted (after it has passed the message authentication code checks and window checks) and it returns an INVALID_SYNTAX notification, then this error notification is considered fatal in both peers, meaning that the IKE SA is deleted without needing an explicit Delete payload. ---------------------------------------------------------------------- In section 6.4.1 there is Padding payload defined: ---------------------------------------------------------------------- 6.4.1. Padding Payload: PADDING The Padding Payload is used to make the NEIGHBOR_INFORMATION Notify Payload length a multiple of 32 bits. ---------------------------------------------------------------------- Why is this needed? There is nothing in the IKEv2 that requires anything to be padded to specific length. This also opens one more side channel, to send information out as the "padding octects are for padding and MUST NOT be interpreted". -- kivinen@iki.fi
- [IPsec] Some comments to the draft-mglt-ipsecme-s… Tero Kivinen