IETF Logo Mail Archive

Re: [IPsec] My view of the requirements from AD-VPN

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 21 March 2014 17:20 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 718FE1A09AE for <ipsec@ietfa.amsl.com>; Fri, 21 Mar 2014 10:20:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.23
X-Spam-Level:
X-Spam-Status: No, score=-1.23 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zQDt1I2rs-Av for <ipsec@ietfa.amsl.com>; Fri, 21 Mar 2014 10:20:36 -0700 (PDT)
Received: from mail-ee0-x229.google.com (mail-ee0-x229.google.com [IPv6:2a00:1450:4013:c00::229]) by ietfa.amsl.com (Postfix) with ESMTP id 402641A075D for <ipsec@ietf.org>; Fri, 21 Mar 2014 10:20:36 -0700 (PDT)
Received: by mail-ee0-f41.google.com with SMTP id t10so2073574eei.0 for <ipsec@ietf.org>; Fri, 21 Mar 2014 10:20:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=TGKgMmma3fgVAgbagAqsILPKdGkcnYfCDrdkL38C3MM=; b=G9VVbUoj0atEtvbQlrbUvDDY6GyFjipVxtwyVGR31SYxhr6S7lJtc2463dl0dfNJAC IZihwyvnLyfKUE8znGPDUxKGlNEyCxjRXR6UwZw7VWShA0cUmsXpm0PbqUV/+bLoRjQT Nc9EkboevWn5zOFe4SzgyJBHcWJ3eN9y3r73temwVdMNT/UuM4QA3RPMDT1b95oYITEu w/Sr4ysd0cGwpeIXnQaRgy4qnFNRWhaXel24BQK2MYWqSYHfqR2WjjpT4GInsISGzREX Ip9Gha8i5nki3tkwQWoZlCJG/Bh5l6+0HS5bGxrntYNfPUC3BDcf0UmIGCW5MFzwGT2/ d2cg==
X-Received: by 10.14.95.8 with SMTP id o8mr33174127eef.15.1395422426284; Fri, 21 Mar 2014 10:20:26 -0700 (PDT)
Received: from [10.0.0.1] (bzq-79-179-48-141.red.bezeqint.net. [79.179.48.141]) by mx.google.com with ESMTPSA id m42sm12890462eex.21.2014.03.21.10.20.23 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 21 Mar 2014 10:20:25 -0700 (PDT)
Message-ID: <532C74D6.8000208@gmail.com>
Date: Fri, 21 Mar 2014 19:20:22 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, ipsec <ipsec@ietf.org>
References: <CFEEA351-5C27-44DE-9B3E-5FFF35C87732@gmail.com>
In-Reply-To: <CFEEA351-5C27-44DE-9B3E-5FFF35C87732@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/Hqr1032m28yLxhs9RtfojDeqS9E
Subject: Re: [IPsec] My view of the requirements from AD-VPN
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 17:20:40 -0000

Hi Yoav,

I like your attempt at reducing the requirement set to the minimum.

Parts of the text I think do not distinguish well between IPsec hosts 
(such as remote access clients) and (simple) hosts, that are non-IPsec 
hosts protected behind a gateway. Presumably simple hosts will be 
unaffected by this protocol.

And in the spirit of minimizing the set of requirements: isn't your #3 
solution components just an optimization? I think in many cases a 
protocol that includes #1 and #2 but not #3 could be sufficient for 
scale. And then #3 could be added as an extension. Or we can decide that 
we do not need a fully general #3, and we're good enough with simple 
shortcuts between two spokes of the same hub.

Thanks,
	Yaron

On 03/16/2014 08:25 AM, Yoav Nir wrote:
> As promised, here's my view of what a short list of requirements for AD-VPN should be like.
>
> First, a few terms:
> An AD-VPN is a subset of the hosts on the Internet, such that all traffic between two nodes within the AD-VPN must be protected by IPsec when it traverses nodes outside of the AD-VPN. An IPsec gateway is a node within the AD-VPN that protects the traffic for passage across nodes outside of the AD-VPN. An IPsec host is a node that protects only its own traffic (common for remote access VPNs). The set of hosts whose traffic is protected by an IPsec gateway is called its "protected domain". The AD-VPN can be said to be partitioned into protected domains.
>
> All this can be accomplished with IPsec and IKEv2 as defined in RFCs 4301, 4303, and 5996. What's missing is dynamic updates to SPD and PAD, and a way to deal with the complexity of the configuration of large scale VPNs.
>
> So any IPsec gateway or host joining an AD-VPN has to know several things:
>   - the total AD-VPN. Specifically, whether an IP address (could the the destination of an outgoing packet or the source of an incoming packet) is or is not in the AD-VPN. Packets that are destined to outside the AD-VPN can be sent in the clear over the Internet.
>   - For each host in the AD-VPN, a next-hop gateway.
>   - Credentials for connecting to such a next-hop gateway.
>   - If more protected domains, gateways or hosts are added to the AD-VPN, we want the node to learn of this. This doesn't have to happen immediately, but we would like to be able to set an upper bound on how long it takes.
>
> For a simple configuration, there can be one such next-hop gateway for all addresses (that's a hub). Using a single hub for all the VPN is not efficient, so even if we accept this as an initial configuration, we need this to expand.
>
> Another requirement of this protocol is to limit the impact of rogue or compromised nodes. Specifically, such nodes should not be able to alter the AD-VPN by dynamically removing parts of the protected domains of other gateways, and checks and limits should be imposed on their ability to claim parts of the Internet as part of their own protected domains. This requirement may have a negative impact on usability, for example if additions to the AD-VPN would require matching configuration on both the protecting gateway and on some other node (could be a part of the AD-VPN, like a hub node, or an external server, or maybe an RPKI CA), but we believe it is essential for security in the face of the possibility of compromised nodes.
>
> So to get all this, we need the following from the solution protocol (and it could be one protocol, or a whole suite of protocols at different levels:
>
>   1. A protocol for discovery of the AD-VPN, and at least one next-hop gateway with the credentials to access it. The latter part may be assumed to be manually configured, but the discovery has to be automatic, as the total AD-VPN is assumed to change. Note that the other side of this protocol is not required to be part of the AD-VPN. A server giving out this information over HTTPS is an acceptable solution, as is encoding this information in the DNS.
>
>   2. A protocol for propagating changes to the AD-VPN throughout the network. This does not have to be a single protocol. For example, We could have hub spokes that communicate this information through routing protocols, and spoke nodes that get the information from the hub nodes. Or trusted nodes that update an HTTPS server, while the other nodes periodically download said information. The requirement is that eventually, and after a bounded time period, all nodes will know of the change.
>
>   3. A protocol for discovery of more efficient paths through the AD-VPN. Specifically, such a protocol would allow an IPsec gateway (or an IPsec host) to create a new tunnel such that the traffic would require fewer hops on its way to the destination host. This protocol would also need to handle providing credentials to the nodes. It's not enough to tell a gateway to set up a tunnel with another gateway at address 192.0.2.5, You also need to tell what credential that gateway is going to present (by DN or alternate name, and maybe by public key as in DANE) and also what IDi/IDr are going to be used in IKE.
>
>
> These are the requirements as I see them. The opinions posted here are my own, they do not reflect those of my employer, and do not necessarily reflect those of my co-authors on the AD-VPN draft.
>
> Yoav
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email