IETF Logo Mail Archive

Re: [IPsec] Labeled IPsec options

Russ Housley <housley@vigilsec.com> Thu, 12 December 2019 23:18 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC7B512012C for <ipsec@ietfa.amsl.com>; Thu, 12 Dec 2019 15:18:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RVfqou8mCA2T for <ipsec@ietfa.amsl.com>; Thu, 12 Dec 2019 15:18:18 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C36112012A for <ipsec@ietf.org>; Thu, 12 Dec 2019 15:18:18 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 776EB300B0C for <ipsec@ietf.org>; Thu, 12 Dec 2019 18:18:16 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Q5QaNLMFdDf0 for <ipsec@ietf.org>; Thu, 12 Dec 2019 18:18:14 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-51-198-163.washdc.fios.verizon.net [108.51.198.163]) by mail.smeinc.net (Postfix) with ESMTPSA id 1ABF1300474; Thu, 12 Dec 2019 18:18:13 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <24050.43728.115813.170898@fireball.acr.fi>
Date: Thu, 12 Dec 2019 18:18:14 -0500
Cc: IETF IPsec <ipsec@ietf.org>, Sahana Prasad <sahana@redhat.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <32430816-736B-42E3-8988-85D4D3F6392E@vigilsec.com>
References: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca> <01f501d5b0b2$facb4370$f061ca50$@gmail.com> <24050.43728.115813.170898@fireball.acr.fi>
To: Tero Kivinen <kivinen@iki.fi>, Valery Smyslov <smyslov.ietf@gmail.com>, Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/I8tV6ymlVoJGRydyjpdDhsnwjVw>
Subject: Re: [IPsec] Labeled IPsec options
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2019 23:18:21 -0000


> On Dec 12, 2019, at 4:02 PM, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> Valery Smyslov writes:
>> I don't think option 4 is a good idea. If old responder 
>> encounters an unknown payload with Critical bit set in IKE_AUTH, it will
>> return back UNSUPPORTED_CRITICAL_PAYLOAD and IKE SA won't be set up.
>> See section 2.21.2 of RFC7296. This would require initiator to retry from
>> IKE_SA_INIT, doubling the work. Or it can create childless IKE SA
>> and then try CREATE_CHILD_SA - not an optimal solution too.
> 
> Agree fully on that. 
> 
>> I also don't like option 2 since it requires changing the way TSs
>> are handled in IKEv2.
> 
> Also agree.
> 
>> Option 1 looks like the clearest from pure theoretical point of view,
>> however I agree that it could lead to TS types explosion in future.
> 
> Yes, I think option 1 would be most proper way of doing the
> negotiation. I am not sure if we are going to get that many new
> traffic selectors in the future, so I do not think the TS types
> explosion is going to be that big issue.
> 
> Also in most setups I would expect security labels to be either always
> mandatory or always omitted (and that information quite often comes
> directly from configuration). I do not really see that common cases
> where initiator would try to use security labels and responder not
> supporting them.
> 
> I.e., if you do always require security labels, there is no TS
> explosion as you only propose TS with security labels. If you do not
> support them, you use normal TS.
> 
> You would propose both only if you do not care whether other end
> supports security labels, but are willing to use them if it supports,
> but what is the meaning of security labels then? Why even propose them
> if you do not care what they are?

If the initiator wants to use labels but the responder does not support labels, will the initiator move forward anyway?  Doing so would seem surprising to me.  The point of the label is to indicate what handling is needed to adequately protect the data.  Moving forward without the responder agreeing to that handling seems unlikely to me.  Are there situations where moving forward is "the right thing"?

If not, then Option 1 makes the most sense to me.

Russ

v2.29.0 | Report a Bug | By Email | System Status