Re: [IPsec] WESP - Roadmap Ahead

Daniel Migault <mglt.ietf@gmail.com> Wed, 25 November 2009 11:11 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 78B083A69F5 for <ipsec@core3.amsl.com>; Wed, 25 Nov 2009 03:11:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aPdCrxETtUB4 for <ipsec@core3.amsl.com>; Wed, 25 Nov 2009 03:11:20 -0800 (PST)
Received: from mail-fx0-f213.google.com (mail-fx0-f213.google.com [209.85.220.213]) by core3.amsl.com (Postfix) with ESMTP id E722C28C207 for <ipsec@ietf.org>; Wed, 25 Nov 2009 03:11:16 -0800 (PST)
Received: by fxm5 with SMTP id 5so6811672fxm.28 for <ipsec@ietf.org>; Wed, 25 Nov 2009 03:11:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=8gQOkWM2+colAcEdqLCR5csop9QkOalMX1R/EVDfMiU=; b=I949inPN63G3Tz54IJ50r0sTTKaiXVPPZRUH6jCtLNdNB5FqwtgtWaBZDCRhWGPsh6 tuUzm0L2A34GVdva2ZQVkZ4g4uSiClMr9raRqGV26DtN8pwbnd8aO1gstNKM6zjhBXwJ ITLA2/i4JsdYxnleOqVdQQ9o2YOki81yTDkzs=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=hkofi2Gc7KIM6QpHY0Vf7Qvln1dD8YT/MteHcT7lSWAs+zdSYKwwYl9oSgc/H847tl V4QdezVEUo0zn7MXrDEg7qpddDYJ+tkmeCRM/O1+blVbT9iHX7/Z26AUfUt6SZZ9+8Dh zVJzKuNSNVCDN+y/A94gKsRpyvynXwtZVsW8U=
MIME-Version: 1.0
Received: by 10.102.226.17 with SMTP id y17mr3293436mug.67.1259147469193; Wed, 25 Nov 2009 03:11:09 -0800 (PST)
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350AB2C85E06@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <dc8fd0140911110805q67759507t6cf75a1e9d81c5aa@mail.gmail.com> <p06240800c720d4538dd2@133.93.112.234> <p0624080ac7212e67c860@133.93.16.246> <8CCEE8E4-9AC4-46FB-93E4-FE61E0135EB7@doubleshotsecurity.com> <p0624080ec7213743dc05@133.93.16.246> <dc8fd0140911112030y46aa24f9hf3715d57446e96c0@mail.gmail.com> <51eafbcb0911112144u6e25b826w4ec8110d1f73e652@mail.gmail.com> <7C362EEF9C7896468B36C9B79200D8350AB2C85E06@INBANSXCHMBSA1.in.alcatel-lucent.com>
Date: Wed, 25 Nov 2009 12:11:09 +0100
Message-ID: <51eafbcb0911250311h5465f034q5bcfd01ad826987b@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
Content-Type: multipart/alternative; boundary=0016364d205b9f03740479301d91
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Stephen Kent <kent@bbn.com>, Merike Kaeo <merike@doubleshotsecurity.com>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 11:11:28 -0000

Hi Manav,

I agree that for an already negotiated SA, the SPD lookup detects IP source
address spoofing. So in that case ESP detects the address spoofing during
the SPD check whereas AH would detect it while checking the signature check.


However SAD lookup is done with the longest match rule, and section 4.1 of
RFC4301 specifies :

      "3. Search the SAD for a match on only SPI if the receiver has
         chosen to maintain a single SPI space for AH and ESP, and on
         both SPI and protocol, otherwise."


This seems to enable a ESP or AH datagram with spoofed IP addresses to match
the SAD and SPD. If we consider a middleboxe that changes the IP address,
then using ESP will not detect the IP address spoof. On the other hand using
AH the spoofing attack will be detected.

There are some cases you want to protect the IP address header with IP
addresses and options. The example I have in mind is when you are a mobile
or a multihomed node, you are changing you IP address and want to notify
your peer with a IPsec protected signalling message.
      - MIPv6 [RFC3776] uses ESP to protects the BU message. The information
to be carried is the new CoA. Since ESP does not protects the IP header, the
BU datagram carries the IP address in its Payload, thus carrying twice this
information. It seems that AH would avoid repeating information.
      - MOBIKE [RFC4555] MOBIKE does not protect the new IP value which is
taken from the IP header. In some cases this can lead to traffic redirecting
attacks. The main purpose of this attack seems to be DoS.

Thus I would not consider AH as ESP_NULL equivalent, and thus feel AH should
not be removed. Nevertheless, AH has a major drawback which is NAT. For now
we can only hope IPv6 will bring an end-to-end connectivity. At least AH
would take considerable advantage of this statement!

IMO, rather then removing AH I would see if future use of the Internet make
it "historical" or not. For now it might be too soon to take such a
decision. Furthermore, AH does not cause "problems" with other protocols,
since they can chose not to use it.

Regards,

Daniel

Regards,

Daniel

On Fri, Nov 13, 2009 at 2:18 AM, Bhatia, Manav (Manav) <
manav.bhatia@alcatel-lucent.com>; wrote:

> Daniel,
>
> > AH is a security feature we need to keep for header authentication
>
> Am really not sure about the value that AH adds even in case of header
> authentication.
>
> So what fields does AH protect:
>
> Version, Payload length, Next Header, Source IP and dest IP
>
> The only field worth modifying is the source and the dest IP. Now note that
> an IPSec SA is established between a pair of source IP and dest IP. Upon
> receipt of a packet containing an AH header, the receiver determines the
> appropriate (unidirectional) SA, based on the dest IP, security protocol
> (AH), and the SPI (it could also include the source IP). If the attacker
> modifies (or spoofs) either of the source or the dest IP, the SA lookup will
> fail and the receiver will regardless discard the packet. So what are we
> gaining by AH "header authentication"?
>
> AH can only add value over ESP-NULL if there are instances where despite
> address spoofing we erroneously process the IPSec packet. I don't see that
> happening, so is this really an issue?
>
> Cheers, Manav
> ________________________________
>
>        From: Daniel Migault [mailto:mglt.ietf@gmail.com]
>        Sent: Thursday, November 12, 2009 11.14 AM
>        To: Jack Kohn
>        Cc: Stephen Kent; ipsec@ietf.org; Bhatia, Manav (Manav); Merike
> Kaeo
>         Subject: Re: [IPsec] WESP - Roadmap Ahead
>
>         On Thu, Nov 12, 2009 at 5:30 AM, Jack Kohn <kohn.jack@gmail.com>;
> wrote:
>                >
>                > Whoops, I was wrong. I looked at 4552 and they do cite
> ESP-NULL (although
>                > they never refer to it that way) as a MUST, and AH as a
> MAY.
>
>                Ok, so can we work on deprecating AH? This way new standards
> defined
>                in other WGs dont have to provide support for AH.
>
>
>        AH is a security feature we need to keep for header authentication.
> Other WG may chose not to deal with AH and only consider ESP. I don't see
> what's wrong with that?
>
>         Regards
>
>        Daniel
>        --
>        Daniel Migault
>        Orange Labs -- Security
>        +33 6 70 72 69 58
>
>
>


-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58