IETF Logo Mail Archive

Re: [IPsec] Labeled IPsec options

Paul Wouters <paul@nohats.ca> Thu, 12 December 2019 21:13 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEFFB12013B for <ipsec@ietfa.amsl.com>; Thu, 12 Dec 2019 13:13:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zVWlgKgSY2tY for <ipsec@ietfa.amsl.com>; Thu, 12 Dec 2019 13:13:10 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60E01120123 for <ipsec@ietf.org>; Thu, 12 Dec 2019 13:13:10 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 47YmjZ0KRBzDZG; Thu, 12 Dec 2019 22:13:06 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1576185186; bh=8t0qjsHSGe/idux6UHSAtqu4ObYtxDKD82L8ZTjMy9I=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=HZvFd3qNbSaiYKPezs1ksPxeEgbO/97GuKPqtCJrAX7TPPy3TTJ8ZiaYuEekfP0ls Ahd5Nl+c0xAEs7/C9mSu+ffyQh0TxUTPHLHuijIPJSPWK9aJf4sLoH31KUAhQmUIUs dL6bVj7U13a/GoIIR765Q+dAOJMQ8cbMCpYKxhm8=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id A9zeKGO8ANJU; Thu, 12 Dec 2019 22:13:04 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 12 Dec 2019 22:13:04 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id A6AC56007ADD; Thu, 12 Dec 2019 16:13:03 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id A2BD3308EC; Thu, 12 Dec 2019 16:13:03 -0500 (EST)
Date: Thu, 12 Dec 2019 16:13:03 -0500
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: ipsec@ietf.org, 'Sahana Prasad' <sahana@redhat.com>
In-Reply-To: <01f501d5b0b2$facb4370$f061ca50$@gmail.com>
Message-ID: <alpine.LRH.2.21.1912121606130.22484@bofh.nohats.ca>
References: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca> <01f501d5b0b2$facb4370$f061ca50$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8qmZC8uXextNzvfKXQD6Uh8BihE>
Subject: Re: [IPsec] Labeled IPsec options
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2019 21:13:13 -0000

On Thu, 12 Dec 2019, Valery Smyslov wrote:

> I don't think option 4 is a good idea. If old responder
> encounters an unknown payload with Critical bit set in IKE_AUTH, it will
> return back UNSUPPORTED_CRITICAL_PAYLOAD and IKE SA won't be set up.
> See section 2.21.2 of RFC7296. This would require initiator to retry from
> IKE_SA_INIT, doubling the work. Or it can create childless IKE SA
> and then try CREATE_CHILD_SA - not an optimal solution too.

I don't think that matters. Security labels are never optional but
always mandatory. And it seems very unlikely to have a mix of child sa's
with and without label. So they will all have a label, and then failing
the  IKE SA is fine, since no single child sa will be able to be setup
anyway. It's better than the responder setting up an SA that needs to be
torn down by the initiator sending a delete.

> Option 1 looks like the clearest from pure theoretical point of view,
> however I agree that it could lead to TS types explosion in future.
>
> Option 3 looks like a compromise from practical point of view.
> You can solve the problem of imperfect error handling by adding
> a new SECLABES_SUPPORTED notification, that must be exchanged
> in IKE_SA_INIT. If both peers support seclabels, then

But you really mean SECLABEL_REQUIRED? The "supported"
keyword here is misleading. The problem of doing this in IKE_SA_INIT
is that it could result in a spoofed answers omiting the payload?

> the responder must not ignore seclabel notifications in IKE_AUTH
> and CREATE_CHILD_SA. The drawback is that we need
> one more notification and it must be exchanged in IKE_SA_INIT,
> increasing its message size. Not a big deal.

So I'm not sure I trust this design.

Paul

v2.29.0 | Report a Bug | By Email | System Status