Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-null-heuristics-01
Nicolas Williams <Nicolas.Williams@sun.com> Wed, 14 October 2009 17:57 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D70AF3A6A13 for <ipsec@core3.amsl.com>; Wed, 14 Oct 2009 10:57:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.229
X-Spam-Level:
X-Spam-Status: No, score=-5.229 tagged_above=-999 required=5 tests=[AWL=0.817, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mwi-Q+h+itUY for <ipsec@core3.amsl.com>; Wed, 14 Oct 2009 10:57:42 -0700 (PDT)
Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by core3.amsl.com (Postfix) with ESMTP id C03EE3A6904 for <ipsec@ietf.org>; Wed, 14 Oct 2009 10:57:42 -0700 (PDT)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n9EHvh9m020079 for <ipsec@ietf.org>; Wed, 14 Oct 2009 17:57:43 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n9EHvg4v032243 for <ipsec@ietf.org>; Wed, 14 Oct 2009 11:57:42 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n9EHcrDw010023; Wed, 14 Oct 2009 12:38:53 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n9EHcqHB010022; Wed, 14 Oct 2009 12:38:52 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Wed, 14 Oct 2009 12:38:52 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Tero Kivinen <kivinen@iki.fi>
Message-ID: <20091014173852.GO887@Sun.COM>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC80190AD328329@il-ex01.ad.checkpoint.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BD9338E802@il-ex01.ad.checkpoint.com> <20091013183424.GH887@Sun.COM> <19157.47028.842967.590918@fireball.kivinen.iki.fi>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <19157.47028.842967.590918@fireball.kivinen.iki.fi>
User-Agent: Mutt/1.5.7i
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-null-heuristics-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2009 17:57:44 -0000
On Wed, Oct 14, 2009 at 02:36:20PM +0300, Tero Kivinen wrote:
> Nicolas Williams writes:
> > - Section 8.3, 1st paragraph, 2nd sentence: this sentence is
> > grammatically incorrect, and I'm unsure as to what is meant.
>
> This was commented already by others and was changed to:
>
> For example, when many TCP / UDP flows are established over
> one SA, a rekey produces a new SA which needs heuristics and will
> benefit from the existing flows.
>
> > I think what is meant is that if an intermediate node has seen a
> > stateful ULP flow over an ESP-NULL flow, and later the SA is changed
> > and the new flow looks like ESP-NULL and appears to contain a next
> > protocol header that matches that previously-seentateful ULP flow,
> > then chances are very good that the old ESP-NULL flow is abandoned
> > and replaced by the new one. In such situations the intermediate
> > node can simply change the old ESP-NULL state's lookup key.
>
> Yes. That was what I tried to say. Do you think my already changed
> sentence is ok, or do we need to explain it more.
Well, the heuristics will benefit from the information cached for the
TCP/UDP flow over the previous SA. "...benefit from the existing flows"
doesn't quite get that point across (though it's the only realistic
meaning).
> > - Section 8.3.1, third paragraph: are you suggesting that intermediate
> > nodes drop TCP-looking packets to elicit retransmission?
>
> It says that "if a packets is dropped", i.e. it does not say whether
> the intermediate node does or does not do it, as that depends on the
> policy. If the intermediate node's policy is that no packets go
> through before they can be inspected meaning ESP-NULL detection needs
> to finish first before they can be inspected, that will cause all
> packets to be dropped while heuristics is in progress. This will cause
> next packets to be retransmissions.
But surely actively trying to elicit retransmissions could be used
as a way to get enough information to classify a flow... The
retransmissions should have different MACs, thus retransmissions
help resolve ambiguities, even if the policy isn't to drop packets that
cannot be inspected.
> If the policy is so that packets are passed, even when we cannot yet
> inspect them, then the next packet still might be to the same flow.
I see. Having a policy that says "drop packets that can't be inspected"
actually helps resolve ambiguities if the end nodes retransmit.
> > - Section 9, 1st paragraph, 1st sentence: this is an odd sentence
> > construction. How about:
> > Attackers can always bypass ESP-NULL deep packet inspection by
> > using encrypted ESP (or some other encryption or tunneling method)
> > instead, unless the intermediate node's policy requires dropping
> > of packets that it cannot inspect.
> > - Section 9, 1st paragraph, 2nd sentence, rewrite:
> > Ultimately the responsibility for performing deep inspection, or
> > allowing intermediate nodes to perform deep inspection, must rest
> > on the end nodes.
> > - Section 9, 1st paragraph, last sentence: s/but in that/in which/
>
> Ok, took all of those in, here is the current version of section 9:
>
> <t>Attackers can always bypass ESP-NULL deep packet inspection by
> using encrypted ESP (or some other encryption or tunneling method)
> instead, unless the intermediate node's policy requires dropping
> of packets that it cannot inspect. Ultimately the responsibility
> for performing deep inspection, or allowing intermediate nodes to
> perform deep inspection, must rest on the end nodes. I.e. if a
> server allows encrypted connections also, then attacker who wants
> to attack the server and wants to bypass deep inspection device in
> the middle, will use encrypted traffic. This means that the
> protection of the whole network is only as good as the policy
> enforcement and protection of the end node. One way to enforce
> deep inspection for all traffic, is to forbid encrypted ESP
> completely, in which case ESP-NULL detection is easier, as all
> packets must be ESP-NULL based on the policy, and further
> restriction can eliminate ambiguities in ICV and IV sizes.</t>
^
s
Great!
> > - Section 10.2, an informative reference to MOBIKE is needed. What
> > about multicast IPsec?
>
> Added reference to MOBIKE.
>
> I do not think multicast IPsec requires any special handling as the
> level what we need for them is already in the RFC4301/RFC4303. We do
> not really care about the keying protocols, we only care about the ESP
> packets and we use source address, destination address and SPI to
> indicate IPsec flow as specified in the RFC4301 and RFC4303.
Thanks.
A few more comments:
- Should there be an explicit threat model in the document? I think
the threat model is this:
- End nodes trying to access inappropriate data, end nodes trying
sneak confidential data out, but without collusion with other end
nodes outside the network.
- Malware (since deep inspection could find malware and terminate
flows before malware downloads complete).
The first one shows how simple it is to defeat deep packet
inspection: just find a peer to collude with.
- A security considerations note about the security impact of forcing
the use of ESP-NULL (and/or WESP) would be nice. Specifically a note
about the increased risk of sending confidential information where
eavesdroppers can see it.
I will review the pseudo-code at some point. I've reviewed the fast
path already, and it seemed OK (and it seemed to underscore the point
that state is actually needed for reasons other than optimization).
The thought occurred that the pseudo-code could be expressed as a BSD
Packet Filter program. From what I can tell BPF does not have
instructions by which one can implement state caching, but you could
still implement, and _test_, large parts of the code in the appendix as
BPF programs. I wouldn't demand that -- it's a lot of work for a
feature that we all seem to agree is not exactly hot (and it might mean
doing implementation work for some vendors for free).
Nico
--
- [IPsec] WG last call: draft-ietf-ipsecme-esp-null… Yaron Sheffer
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Scott C Moonen
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Tero Kivinen
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Yoav Nir
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Yaron Sheffer
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Nicolas Williams
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Nicolas Williams
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Nicolas Williams
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Paul Hoffman
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Tero Kivinen
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Nicolas Williams
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Tero Kivinen