[IPsec] My view of the requirements from AD-VPN

Yoav Nir <ynir.ietf@gmail.com> Sun, 16 March 2014 06:26 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 96AA51A02D1 for <ipsec@ietfa.amsl.com>; Sat, 15 Mar 2014 23:26:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id K2b2FypsGRVS for <ipsec@ietfa.amsl.com>; Sat, 15 Mar 2014 23:26:13 -0700 (PDT)
Received: from mail-ee0-x22f.google.com (mail-ee0-x22f.google.com [IPv6:2a00:1450:4013:c00::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 3614E1A001D for <ipsec@ietf.org>; Sat, 15 Mar 2014 23:26:13 -0700 (PDT)
Received: by mail-ee0-f47.google.com with SMTP id b15so2859479eek.20 for <ipsec@ietf.org>; Sat, 15 Mar 2014 23:26:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:message-id:date :to:mime-version; bh=sE2VA/hnAXAoseAvtdz1nX7AxqNE9NIb8WR8K2IdYyg=; b=FCeHZ+SH8VpAaH7gjFHUN/uD3spVTrScQ2ehSeqo9C6/Yz8joBy7D4uqXcDGHRC2o8 PwonvR6oAgMcCYj2lZSRpMyQ+k5aCrrpZq4jhl75Cqi/BjUzq/2u4CnQq85gcjR9D6eF LAEfi+owsp6eOYVyK2SRXZbsQW7k55Q+ZKcoRPsArSN+nnGd6h28qAlF0xX2cSXzQ+40 BT/hKWnRwQsiQvbFmFSDm7TmvF476GxC5Gac4+9xCELT5Evj0ShfMl7m5zVJx3VnaG6J WZh/q18xbYU2Xvp3Zn8Tc3Utb7vH8o0DAXgPtUqIT046e4QQ/vGijN/EhU6x7DgXwJlF YrVA==
X-Received: by with SMTP id v6mr5025eej.115.1394951165286; Sat, 15 Mar 2014 23:26:05 -0700 (PDT)
Received: from [] ([]) by mx.google.com with ESMTPSA id cb5sm29805904eeb.18.2014. for <ipsec@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 15 Mar 2014 23:26:04 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <CFEEA351-5C27-44DE-9B3E-5FFF35C87732@gmail.com>
Date: Sun, 16 Mar 2014 08:25:51 +0200
To: ipsec <ipsec@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/Imz_vhMKahV31p8SZg_QIOnLVNY
Subject: [IPsec] My view of the requirements from AD-VPN
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Mar 2014 06:26:15 -0000

As promised, here's my view of what a short list of requirements for AD-VPN should be like.

First, a few terms:
An AD-VPN is a subset of the hosts on the Internet, such that all traffic between two nodes within the AD-VPN must be protected by IPsec when it traverses nodes outside of the AD-VPN. An IPsec gateway is a node within the AD-VPN that protects the traffic for passage across nodes outside of the AD-VPN. An IPsec host is a node that protects only its own traffic (common for remote access VPNs). The set of hosts whose traffic is protected by an IPsec gateway is called its "protected domain". The AD-VPN can be said to be partitioned into protected domains.

All this can be accomplished with IPsec and IKEv2 as defined in RFCs 4301, 4303, and 5996. What's missing is dynamic updates to SPD and PAD, and a way to deal with the complexity of the configuration of large scale VPNs. 

So any IPsec gateway or host joining an AD-VPN has to know several things:
 - the total AD-VPN. Specifically, whether an IP address (could the the destination of an outgoing packet or the source of an incoming packet) is or is not in the AD-VPN. Packets that are destined to outside the AD-VPN can be sent in the clear over the Internet.
 - For each host in the AD-VPN, a next-hop gateway. 
 - Credentials for connecting to such a next-hop gateway.
 - If more protected domains, gateways or hosts are added to the AD-VPN, we want the node to learn of this. This doesn't have to happen immediately, but we would like to be able to set an upper bound on how long it takes.
For a simple configuration, there can be one such next-hop gateway for all addresses (that's a hub). Using a single hub for all the VPN is not efficient, so even if we accept this as an initial configuration, we need this to expand. 

Another requirement of this protocol is to limit the impact of rogue or compromised nodes. Specifically, such nodes should not be able to alter the AD-VPN by dynamically removing parts of the protected domains of other gateways, and checks and limits should be imposed on their ability to claim parts of the Internet as part of their own protected domains. This requirement may have a negative impact on usability, for example if additions to the AD-VPN would require matching configuration on both the protecting gateway and on some other node (could be a part of the AD-VPN, like a hub node, or an external server, or maybe an RPKI CA), but we believe it is essential for security in the face of the possibility of compromised nodes.

So to get all this, we need the following from the solution protocol (and it could be one protocol, or a whole suite of protocols at different levels:

 1. A protocol for discovery of the AD-VPN, and at least one next-hop gateway with the credentials to access it. The latter part may be assumed to be manually configured, but the discovery has to be automatic, as the total AD-VPN is assumed to change. Note that the other side of this protocol is not required to be part of the AD-VPN. A server giving out this information over HTTPS is an acceptable solution, as is encoding this information in the DNS.
 2. A protocol for propagating changes to the AD-VPN throughout the network. This does not have to be a single protocol. For example, We could have hub spokes that communicate this information through routing protocols, and spoke nodes that get the information from the hub nodes. Or trusted nodes that update an HTTPS server, while the other nodes periodically download said information. The requirement is that eventually, and after a bounded time period, all nodes will know of the change.
 3. A protocol for discovery of more efficient paths through the AD-VPN. Specifically, such a protocol would allow an IPsec gateway (or an IPsec host) to create a new tunnel such that the traffic would require fewer hops on its way to the destination host. This protocol would also need to handle providing credentials to the nodes. It's not enough to tell a gateway to set up a tunnel with another gateway at address, You also need to tell what credential that gateway is going to present (by DN or alternate name, and maybe by public key as in DANE) and also what IDi/IDr are going to be used in IKE. 
These are the requirements as I see them. The opinions posted here are my own, they do not reflect those of my employer, and do not necessarily reflect those of my co-authors on the AD-VPN draft.