Re: [IPsec] WESP - Roadmap Ahead

Stephen Kent <kent@bbn.com> Tue, 24 November 2009 16:40 UTC

Return-Path: <kent@bbn.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4ED033A68F9 for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 08:40:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.506
X-Spam-Level:
X-Spam-Status: No, score=-2.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmYWeyZqjDBT for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 08:40:09 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 3161928C106 for <ipsec@ietf.org>; Tue, 24 Nov 2009 08:40:08 -0800 (PST)
Received: from dhcp89-089-105.bbn.com ([128.89.89.105]) by smtp.bbn.com with esmtp (Exim 4.63) (envelope-from <kent@bbn.com>) id 1NCyQt-0001OG-CM; Tue, 24 Nov 2009 11:40:03 -0500
Mime-Version: 1.0
Message-Id: <p0624080cc7309f6414a0@[128.89.89.105]>
In-Reply-To: <dc8fd0140911221517j1ad39eeaje143b80c860b8681@mail.gmail.com>
References: <dc8fd0140911110805q67759507t6cf75a1e9d81c5aa@mail.gmail.com> <19200.8786.266973.313959@fireball.kivinen.iki.fi> <19201.20208.563706.519993@fireball.kivinen.iki.fi> <p06240805c7272bb53718@128.89.89.228> <f1548840911171103m4d39e544q236448d4b1c8eefe@mail.gmail.com> <p06240804c729109c4f93@10.1.231.26> <dc8fd0140911210939i4113200ckbfadb5e0a5ea9b50@mail.gmail.com> <p06240804c72ef7906c90@192.168.1.3> <dc8fd0140911221517j1ad39eeaje143b80c860b8681@mail.gmail.com>
Date: Tue, 24 Nov 2009 11:40:01 -0500
To: Jack Kohn <kohn.jack@gmail.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 16:40:10 -0000

>...
>  >        - it fails to characterize the range of protocols for which you
>>  believe this argument applies,
>
>http://www.ietf.org/mail-archive/web/ipsec/current/msg05070.html
>
>This is one example, we could think of some more.

This is only one example, and I think it is not "mainstream", so more 
examples would be helpful.

>  >
>  >        -it fails to explain how WESP is relevant, since a receiver has the
>
>This has already been discussed in this email thread earlier.

Not a very specific reference :-(.

>  > ability to process encrypted packets. WESP is a protocol that has been
>>  promoted as designed to aid middle boxes, not end systems
>
>Border Gateway Protocol (BGP) (http://www.ietf.org/rfc/rfc4271.txt)
>was originally designed to work as an Exterior Gateway Protocol (EGP).
>Today besides working as an EGP it is used in myriad other
>applications, from discovering nodes in a VPN to distributing advisory
>messages to remote network operators. So, i dont see a reason why we
>should restrict ourselves to the applications for which a protocol can
>be used ..

I would NEVER use BGP as a good example of a protocol that has been 
extended to cover a broader range of contexts, if security is the 
focus of the discussion.


Let me try to recapitulate the context of our discussion, since I 
have had trouble following the thread:

	- the principle example offered is OSPFv3 use of IPsec
	- OSPFv3 relies on both unicast and multicast SAs
	- in either case, a router receiving IPsec-protected OSPFv3 traffic
	  will have an SAD entry for the traffic, which means that the
	  router will know that the traffic will be protected via AH
	  or ESP. if ESP is employed, a router receiving traffic will know
	  ESP-NULL is used.
	- RFC 4552 mandates support for using different SAs for DSCP-marked
	  traffic
	- RFC 4552 calls for manual keying for both unicast and multicast SAs,
	  and states that a receiver is not checking sequence numbers.

In a given OSPF context (e.g., an AS), all the routers are operated 
by the same administrative entity (based on the definition of an AS). 
If the AS in which OSPF is being employed chooses to use ESP-NULL, 
all the routers can be configured to require this, as part of local 
SPD management.

Why do we need to use WESP in this context? The current argument you 
provided was that this was an issue for a router receiving OSPF 
traffic, not a middlebox issue. But the router knows that the traffic 
will be ESP-NULL, and knows the algorithm employed, so it should be 
able to examine this traffic easily. If the router wants to process 
traffic out-of-order, after examination, that too is easy, since 
there is no receiver sequence number checking, so processing the rest 
of the traffic (potentially with gaps) will not be a problem from an 
IPsec perspective.


I went back and analyzed the thread to see how we got to this point.

In his message of 11/16, Manav said:

>And the reason why you might want to use WESP is to prioritize 
>certain protocol packets over the others, as is normally done for v4 
>control packets (e.g. OSPFv3 HELLOs and ACKs over other OSPFv3 
>packets)

Tero question this assertion, citing packet ordering concerns, and 
Manav provided the following cryptic comment:

>This is an implementation specific optimization that has already 
>been solved in multiple implementations.

That caused me to ask what "implementation specific" optimizations meant, which
resulted in your response (11/17)

>Do the seq number check, and then place the packets in different
>priority queues/paths based on the kind of packet it is. Proprietary
>ASICs on the routers can easily do this and its one of those things
>that differentiate one vendor from the other.

This response seems confusing, since it discusses a sequence number 
check being performed in a context (OSPFv3) that calls for no such 
checks. Sriram noted that in a manual keying context (not just 
OSPFv3) sequence checking is not performed,
which reaffirmed the notion that this thread went awry.

Finally, Gregory said:

>GML>  Or perhaps, a local security policy decision to ease up on the 
>size of the enforcement window -- aka ease security requirements -- 
>in order to get more QoS enforcement capability -- aka convenience 
>-- ??

Which prompted my reply (10/21) noting that 4301 mandates QoS support 
via use of multiple SAs (which, as noted above, is also called for by 
4552) and that
using larger receive windows is always a local matter, not an 
implementation specific optimization.

It was this response that you labelled as "all wrong" and said:

>... The sender is sending packets with the same QoS
>parameters; its the receiver thats trying to prioritize some packets
>over the others. One would typically do this for the Hellos/KeepAlives
>that are associated with a protocol, so that the  adjacency/peering
>session are not timed out.

So, it does not appear that the context has changed since Manav cited 
OSPFv3 a week ago, yet all the arguments about sequence number 
checking (by IPsec) are irrelevant in this context. I have seen no 
good arguments about why WESP is needed here, i.e., what benefits it 
offers for a router receiving OSPF traffic, some of which may need to 
be processed out-of-order.

Steve