Re: [IPsec] Labeled IPsec options
"Valery Smyslov" <smyslov.ietf@gmail.com> Fri, 13 December 2019 15:04 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A474120013 for <ipsec@ietfa.amsl.com>; Fri, 13 Dec 2019 07:04:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k8c0DIEJeD0P for <ipsec@ietfa.amsl.com>; Fri, 13 Dec 2019 07:04:24 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F7C312009E for <ipsec@ietf.org>; Fri, 13 Dec 2019 07:04:24 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id c19so2955138lji.11 for <ipsec@ietf.org>; Fri, 13 Dec 2019 07:04:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=eJq8Q256aEMe5YMtfS9yYO2nkGKB5zdPwy9slNCPsD0=; b=rkj6bShL4Tsks2yuFR1C3H4TlgCLAHQXrsyuXe2pTVNHn/dwclmnaxANhd9D1rAFS3 oA8u3hrp23C1RN+9fhE55c3oidVKsqpl6NRKHWou6NcbPvxzX2EnNGP6NtzAVsxUtV0s ANNCtf1yTm2FkcDgnwoLBgza4z6AJKZFdJDgtYYyVNhc2ai+XYeh0EzoUVZUTbb0BezH 7FYb6eK9anZnmuL1ai4QVfMaudwL4Uya+Pb3HIUWnde6VBKKue8In6/bYMwuup3DEF2C Pjsxe836gAMRdc1U5+4cyAsOSXbYSrrsSzMtk+TPEhtGm6KTSIOEAzSTY2wSG8tO+8LD FLTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=eJq8Q256aEMe5YMtfS9yYO2nkGKB5zdPwy9slNCPsD0=; b=IHeHHsnZUrigzRTWpSIwQXr8jx3w3WLA4cZ/qvMNMHqXFmuTGjSInqixI4xUwNzmCe WkEUdSy9bfpp7v05lrFl1/w1uvKS9rm1MzP41fEpuJ0nP61uOwqT2NhMS0SOuhsc9KNr ++4RM7a3qtwocmGwVHIJmeZdJDmgQW7BrceLXeH2avlumpMvqeezy7thW2tya74Y1gAd qEzELkumjkyzaWFSPxfuDTul17ZNx4qFMmeJ5ZI/pCeTAgsnncngDLzA4yqDOKEUAQOn UlYmvrpTmLr2Q3n19oAwPvViY2ycNQQsthWRdWHsBEKA4SDCEIhPbAsLrS+fuU24w9IY 8cng==
X-Gm-Message-State: APjAAAVX9ItriG731JMphnIvWvxkcfdj3a99D1re60CoK46lnlflNXJP q3mCVCJuiUZNGDNzdYe1XPOa47aV
X-Google-Smtp-Source: APXvYqy4cIG5+6m3IMB/nfJqNYDuWkMkJMONZk/hMTXGEOncrP42Picv8RmxGirX19ACbUyVYv4X7g==
X-Received: by 2002:a2e:7405:: with SMTP id p5mr9964634ljc.34.1576249461102; Fri, 13 Dec 2019 07:04:21 -0800 (PST)
Received: from svannotebook ([185.48.36.95]) by smtp.gmail.com with ESMTPSA id 145sm4939423ljj.69.2019.12.13.07.04.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 13 Dec 2019 07:04:20 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Tero Kivinen' <kivinen@iki.fi>
Cc: ipsec@ietf.org, 'Sahana Prasad' <sahana@redhat.com>, 'Paul Wouters' <paul@nohats.ca>
References: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca> <01f501d5b0b2$facb4370$f061ca50$@gmail.com> <24050.43728.115813.170898@fireball.acr.fi>
In-Reply-To: <24050.43728.115813.170898@fireball.acr.fi>
Date: Fri, 13 Dec 2019 18:04:16 +0300
Message-ID: <046401d5b1c6$98ed09d0$cac71d70$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLx+ZsZ28gCWkLjxf5xPWFraxjS5AGiqmCDANTXOjyla9tAYA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/He3czZeALZZUMEaHe3WMyLZSFDY>
Subject: Re: [IPsec] Labeled IPsec options
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Dec 2019 15:04:26 -0000
Hi Tero, > > You can solve the problem of imperfect error handling by adding a new > > SECLABES_SUPPORTED notification, that must be exchanged in > > IKE_SA_INIT. If both peers support seclabels, then the responder must > > not ignore seclabel notifications in IKE_AUTH and CREATE_CHILD_SA. The > > drawback is that we need one more notification and it must be > > exchanged in IKE_SA_INIT, increasing its message size. Not a big deal. > > I am not sure we need that. I mean if initiator do require security labels and > sends security labels notification, but responder does not reply to them, what > can it do next? There isn't going to be any communications between the peers > in that case, so it should simply tear down the SA anyways. The SA won't be created in this case, since the initiator stopped creating it by not initiating IKE_AUTH. > If it gets same information during IKE_SA_INIT (missing > SECLABELS_SUPPORTED), it cannot trust that thing yet as other end is not > authenticated, so it will need to run IKE_AUTH to the end anyways to make > sure that there was no attack removing that SECLABELS_SUPPORTED > notification. So it will detect that error at the end of IKE_AUTH always. Well, the situation is no worse than with NO_PROPOSAL_CHOSEN or with USE_PPK. In brief - if an attacker is so powerful, that it can remove packets from the network and replace them with forged ones, then it can break communication anyway (just drop all packets). On the other hand, if an attacker can only inject packets, then the responder's packet will eventually reach the initiator. In our case the strategy for initiator is: retransmit and wait. If even after several retransmission it doesn't receive message with SECLABELS_SUPPORTED, then there is no reason to continue with IKE_AUTH (if using labels is mandatory for initiator). If it receives a message with SECLABELS_SUPPORTED, then go with it. Regards, Valery. > In that case there is no point of adding notification to the IKE_SA_INIT. > -- > kivinen@iki.fi > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Tero Kivinen
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Russ Housley
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Tero Kivinen
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters