Re: [IPsec] draft-zhang-ipsecme-multi-path-ipsec

Xiangyang zhang <xiangyang.zhang@huawei.com> Fri, 06 April 2012 04:44 UTC

From: Xiangyang zhang <xiangyang.zhang@huawei.com>
To: Stephen Kent <kent@bbn.com>
Date: Fri, 06 Apr 2012 04:44:31 +0000
Message-ID: <00E6CDB229A4CF4487D6E0326EDE5A0320A0F581@dfweml511-mbx.china.huawei.com>
References: <20336.40486.516402.44061@fireball.kivinen.iki.fi> <a75ef412a8addbbf9cdfd495b2ebc5c2.squirrel@www.trepanning.net> <20337.35271.746249.402746@fireball.kivinen.iki.fi> <efc316aaa7bbc447f6fb3f00d605aa4c.squirrel@www.trepanning.net> <20337.53508.89005.604501@fireball.kivinen.iki.fi> <7aa224f3b90062aabf6dea821c57d8a4.squirrel@www.trepanning.net> <20339.3159.442125.142134@fireball.kivinen.iki.fi> <7C4DFCE962635144B8FAE8CA11D0BF1E05B2DFAD08@MX14A.corp.emc.com> <00E6CDB229A4CF4487D6E0326EDE5A0320A0EDF9@dfweml511-mbx.china.huawei.com> <p06240806cba38891fd20@[128.89.89.180]>
In-Reply-To: <p06240806cba38891fd20@[128.89.89.180]>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] draft-zhang-ipsecme-multi-path-ipsec

Steve,

Your understanding is partially right.  Only the anti-replay window could possibly be bigger if the two paths go along different routes.  If the two paths go along the same route, there is no difference from the traditional single SA.  But the attacker does not know that the two paths carry the same flow of traffic.

For the security considerations, could you point out what is in error?

Thanks,

Victor



-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Stephen Kent
Sent: Thursday, April 05, 2012 12:29 PM
To: Xiangyang zhang
Cc: ipsec@ietf.org
Subject: Re: [IPsec] draft-zhang-ipsecme-multi-path-ipsec

At 1:12 AM +0000 4/3/12, Xiangyang zhang wrote:
>A new version of I-D, draft-zhang-ipsecme-multi-path-ipsec-00.txt
>has been successfully submitted by Xiangyang Zhang and posted to the 
>IETF repository.
>
>Filename:    draft-zhang-ipsecme-multi-path-ipsec
>Revision:    00
>Title:        Multiple Path IP Security
>Creation date:    2012-04-02
>WG ID:        Individual Submission
>Number of pages: 7
>
>Abstract:
>   This document presents one approach to enhance data protection when
>   transmitting IPsec datagrams across insecure networks. The method
>   affords stronger protection to the traffic by splitting it among
>   a set of sub-tunnels.  All the Security Associations (SAs) are set up
>   independently for all sub-tunnels.  Both the sending and receiving
>   entity combine all the sub-tunnels into one clustered tunnel.  As
>   different sub-tunnels use different crypto key materials and
>   processing parameters, it may achieve stronger protection of the
>   traffic across insecure networks.  In addition, it could possibly
>   bring more benefits in terms of network control.

This seems like a potentially very complex feature that creates added opportunities for packet arrival reordering (or added jitter) without a good analysis of the security rationale. Also, as others have noted, this is not a "multi-path" feature, but a multi-tunnel feature, so the doc name is inappropriate. The comment on multiple paths in the security considerations section is also in error.

Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec