Re: [IPsec] WESP - Roadmap Ahead
Stephen Kent <kent@bbn.com> Tue, 24 November 2009 16:40 UTC
Return-Path: <kent@bbn.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4ED033A68F9 for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 08:40:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.506
X-Spam-Level:
X-Spam-Status: No, score=-2.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmYWeyZqjDBT for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 08:40:09 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 3161928C106 for <ipsec@ietf.org>; Tue, 24 Nov 2009 08:40:08 -0800 (PST)
Received: from dhcp89-089-105.bbn.com ([128.89.89.105]) by smtp.bbn.com with esmtp (Exim 4.63) (envelope-from <kent@bbn.com>) id 1NCyQt-0001OG-CM; Tue, 24 Nov 2009 11:40:03 -0500
Mime-Version: 1.0
Message-Id: <p0624080cc7309f6414a0@[128.89.89.105]>
In-Reply-To: <dc8fd0140911221517j1ad39eeaje143b80c860b8681@mail.gmail.com>
References: <dc8fd0140911110805q67759507t6cf75a1e9d81c5aa@mail.gmail.com> <19200.8786.266973.313959@fireball.kivinen.iki.fi> <19201.20208.563706.519993@fireball.kivinen.iki.fi> <p06240805c7272bb53718@128.89.89.228> <f1548840911171103m4d39e544q236448d4b1c8eefe@mail.gmail.com> <p06240804c729109c4f93@10.1.231.26> <dc8fd0140911210939i4113200ckbfadb5e0a5ea9b50@mail.gmail.com> <p06240804c72ef7906c90@192.168.1.3> <dc8fd0140911221517j1ad39eeaje143b80c860b8681@mail.gmail.com>
Date: Tue, 24 Nov 2009 11:40:01 -0500
To: Jack Kohn <kohn.jack@gmail.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 16:40:10 -0000
>... > > - it fails to characterize the range of protocols for which you >> believe this argument applies, > >http://www.ietf.org/mail-archive/web/ipsec/current/msg05070.html > >This is one example, we could think of some more. This is only one example, and I think it is not "mainstream", so more examples would be helpful. > > > > -it fails to explain how WESP is relevant, since a receiver has the > >This has already been discussed in this email thread earlier. Not a very specific reference :-(. > > ability to process encrypted packets. WESP is a protocol that has been >> promoted as designed to aid middle boxes, not end systems > >Border Gateway Protocol (BGP) (http://www.ietf.org/rfc/rfc4271.txt) >was originally designed to work as an Exterior Gateway Protocol (EGP). >Today besides working as an EGP it is used in myriad other >applications, from discovering nodes in a VPN to distributing advisory >messages to remote network operators. So, i dont see a reason why we >should restrict ourselves to the applications for which a protocol can >be used .. I would NEVER use BGP as a good example of a protocol that has been extended to cover a broader range of contexts, if security is the focus of the discussion. Let me try to recapitulate the context of our discussion, since I have had trouble following the thread: - the principle example offered is OSPFv3 use of IPsec - OSPFv3 relies on both unicast and multicast SAs - in either case, a router receiving IPsec-protected OSPFv3 traffic will have an SAD entry for the traffic, which means that the router will know that the traffic will be protected via AH or ESP. if ESP is employed, a router receiving traffic will know ESP-NULL is used. - RFC 4552 mandates support for using different SAs for DSCP-marked traffic - RFC 4552 calls for manual keying for both unicast and multicast SAs, and states that a receiver is not checking sequence numbers. In a given OSPF context (e.g., an AS), all the routers are operated by the same administrative entity (based on the definition of an AS). If the AS in which OSPF is being employed chooses to use ESP-NULL, all the routers can be configured to require this, as part of local SPD management. Why do we need to use WESP in this context? The current argument you provided was that this was an issue for a router receiving OSPF traffic, not a middlebox issue. But the router knows that the traffic will be ESP-NULL, and knows the algorithm employed, so it should be able to examine this traffic easily. If the router wants to process traffic out-of-order, after examination, that too is easy, since there is no receiver sequence number checking, so processing the rest of the traffic (potentially with gaps) will not be a problem from an IPsec perspective. I went back and analyzed the thread to see how we got to this point. In his message of 11/16, Manav said: >And the reason why you might want to use WESP is to prioritize >certain protocol packets over the others, as is normally done for v4 >control packets (e.g. OSPFv3 HELLOs and ACKs over other OSPFv3 >packets) Tero question this assertion, citing packet ordering concerns, and Manav provided the following cryptic comment: >This is an implementation specific optimization that has already >been solved in multiple implementations. That caused me to ask what "implementation specific" optimizations meant, which resulted in your response (11/17) >Do the seq number check, and then place the packets in different >priority queues/paths based on the kind of packet it is. Proprietary >ASICs on the routers can easily do this and its one of those things >that differentiate one vendor from the other. This response seems confusing, since it discusses a sequence number check being performed in a context (OSPFv3) that calls for no such checks. Sriram noted that in a manual keying context (not just OSPFv3) sequence checking is not performed, which reaffirmed the notion that this thread went awry. Finally, Gregory said: >GML> Or perhaps, a local security policy decision to ease up on the >size of the enforcement window -- aka ease security requirements -- >in order to get more QoS enforcement capability -- aka convenience >-- ?? Which prompted my reply (10/21) noting that 4301 mandates QoS support via use of multiple SAs (which, as noted above, is also called for by 4552) and that using larger receive windows is always a local matter, not an implementation specific optimization. It was this response that you labelled as "all wrong" and said: >... The sender is sending packets with the same QoS >parameters; its the receiver thats trying to prioritize some packets >over the others. One would typically do this for the Hellos/KeepAlives >that are associated with a protocol, so that the adjacency/peering >session are not timed out. So, it does not appear that the context has changed since Manav cited OSPFv3 a week ago, yet all the arguments about sequence number checking (by IPsec) are irrelevant in this context. I have seen no good arguments about why WESP is needed here, i.e., what benefits it offers for a router receiving OSPF traffic, some of which may need to be processed out-of-order. Steve
- [IPsec] WESP - Roadmap Ahead Jack Kohn
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Scott C Moonen
- Re: [IPsec] WESP - Roadmap Ahead Tero Kivinen
- Re: [IPsec] WESP - Roadmap Ahead Bhatia, Manav (Manav)
- Re: [IPsec] WESP - Roadmap Ahead Bhatia, Manav (Manav)
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Merike Kaeo
- Re: [IPsec] WESP - Roadmap Ahead Bhatia, Manav (Manav)
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Bhatia, Manav (Manav)
- Re: [IPsec] WESP - Roadmap Ahead Jack Kohn
- Re: [IPsec] WESP - Roadmap Ahead Daniel Migault
- Re: [IPsec] WESP - Roadmap Ahead Jack Kohn
- Re: [IPsec] WESP - Roadmap Ahead Steven Bellovin
- Re: [IPsec] WESP - Roadmap Ahead Bhatia, Manav (Manav)
- Re: [IPsec] WESP - Roadmap Ahead Richard Graveman
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Venkatesh Sriram
- Re: [IPsec] WESP - Roadmap Ahead Bhatia, Manav (Manav)
- Re: [IPsec] WESP - Roadmap Ahead Bhatia, Manav (Manav)
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Steven Bellovin
- [IPsec] WESP - Roadmap Ahead Tero Kivinen
- Re: [IPsec] WESP - Roadmap Ahead Bhatia, Manav (Manav)
- Re: [IPsec] WESP - Roadmap Ahead Tero Kivinen
- Re: [IPsec] WESP - Roadmap Ahead Bhatia, Manav (Manav)
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Dan McDonald
- Re: [IPsec] WESP - Roadmap Ahead Gregory Lebovitz
- Re: [IPsec] WESP - Roadmap Ahead Gregory Lebovitz
- Re: [IPsec] WESP - Roadmap Ahead Jack Kohn
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Jack Kohn
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Jack Kohn
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Jack Kohn
- Re: [IPsec] WESP - Roadmap Ahead Daniel Migault
- Re: [IPsec] WESP - Roadmap Ahead Tero Kivinen
- Re: [IPsec] WESP - Roadmap Ahead Tero Kivinen
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent
- Re: [IPsec] WESP - Roadmap Ahead Jack Kohn
- Re: [IPsec] WESP - Roadmap Ahead Stephen Kent