IETF Logo Mail Archive

Re: [IPsec] Labeled IPsec options

"Valery Smyslov" <smyslov.ietf@gmail.com> Thu, 12 December 2019 06:11 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 458921200FF for <ipsec@ietfa.amsl.com>; Wed, 11 Dec 2019 22:11:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.498
X-Spam-Level:
X-Spam-Status: No, score=-0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JZezQJi3KGkg for <ipsec@ietfa.amsl.com>; Wed, 11 Dec 2019 22:11:23 -0800 (PST)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E0FD1200FD for <ipsec@ietf.org>; Wed, 11 Dec 2019 22:11:23 -0800 (PST)
Received: by mail-lj1-x233.google.com with SMTP id h23so877009ljc.8 for <ipsec@ietf.org>; Wed, 11 Dec 2019 22:11:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=RH3zwttCCo7LOZDyq2NvjNmQfQok0oorBYSuFnyhbHc=; b=ic1icA/mcovsiy+pXru/0BgCalMEzh5Kk5AMx6hMtk7dU2fQAxui/gRY9brcCBvR87 toENP+1EiZ3piuB3GvAkw5a6znTH7LfzGLLAydQ+BAN46Gc26aB359dFcBi3nOLsZB10 fdS50Jy31fy2hiseka0EMp6Dmi7EvyOmAtWfePhtuu2mKsAkLGCUJU4C0+YY68CHJQGG LMcjfCLZGNhaTLvEBkTmZtYPJ+ub+ldZy8JzVQ7H6cGJX1Ka/3ctP1/4rn3xnK71C5Uo m/HhOOKjsu7Fywkp8DWc/PUPSdWtUjDs05hNftNyvqzypXcKGNmNiNXuYPcrIpYixzqW U4sg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=RH3zwttCCo7LOZDyq2NvjNmQfQok0oorBYSuFnyhbHc=; b=UiEHDbiTVXEy1h0Cf3PqorDIs5GCEe7UqigTn2q2X9voN4M03TCA2ouwe8OyjoL3+U Rl9BaUgOrMXkqomF7JVhoIn7XPEA+XIrwNES6U5V9nF45aF1W145EdyapEnylTR8ykUz a+m2Idr/shV03EsgT8HYnI7uXbljSj5ST5qCVeAlN34SesHQ+3T8vZZsmfkfqESgG0sM WIOMzP0Fs0JLTCkNkGd71tEV9/kJq0RIgoLL4SjN3XWlNCtNnf6L0Hm24Rcq9dXh6A73 GGiOrkvWQyBbBRAKM//NaBB5+JL+nXzmGHL7ExLwqnTPv4FtrDY1NcGIgfXEu18W80Vf sBZA==
X-Gm-Message-State: APjAAAWvLlabjgXxtI1oOEw3Nhc4/vAEykynJQpisa+8M+xG3zK8eem6 DRd3n4rgXu3gRj1liEjSNcepHJ8M
X-Google-Smtp-Source: APXvYqzmAnnKJQuU/vPeFzWPpnCNvAjO+JLe+/547Fr8Oc1VNKVv6vzIfqBNuqc3cQu/epIV+eR7WQ==
X-Received: by 2002:a2e:9b8f:: with SMTP id z15mr4769699lji.20.1576131081066; Wed, 11 Dec 2019 22:11:21 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id e20sm2290772ljl.59.2019.12.11.22.11.20 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 11 Dec 2019 22:11:20 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>, ipsec@ietf.org
Cc: 'Sahana Prasad' <sahana@redhat.com>
References: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca>
Date: Thu, 12 Dec 2019 09:11:22 +0300
Message-ID: <01f501d5b0b2$facb4370$f061ca50$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLx+ZsZ28gCWkLjxf5xPWFraxjS5KV9a7nw
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/MKZImfDbZr1fcVzB3c5hfxDrXW8>
Subject: Re: [IPsec] Labeled IPsec options
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2019 06:11:25 -0000

Hi Paul,

I don't think option 4 is a good idea. If old responder 
encounters an unknown payload with Critical bit set in IKE_AUTH, it will
return back UNSUPPORTED_CRITICAL_PAYLOAD and IKE SA won't be set up.
See section 2.21.2 of RFC7296. This would require initiator to retry from
IKE_SA_INIT, doubling the work. Or it can create childless IKE SA
and then try CREATE_CHILD_SA - not an optimal solution too.

I also don't like option 2 since it requires changing the way TSs are handled
in IKEv2.

Option 1 looks like the clearest from pure theoretical point of view,
however I agree that it could lead to TS types explosion in future.

Option 3 looks like a compromise from practical point of view.
You can solve the problem of imperfect error handling by adding
a new SECLABES_SUPPORTED notification, that must be exchanged
in IKE_SA_INIT. If both peers support seclabels, then 
the responder must not ignore seclabel notifications in IKE_AUTH
and CREATE_CHILD_SA. The drawback is that we need 
one more notification and it must be exchanged in IKE_SA_INIT,
increasing its message size. Not a big deal.

Regards,
Valery. 



> Hi,
> 
> As agreed at IETF 106, we would write up the options for negotiating
> Labeled IPsec that we have discussed, with their PROs and CONs, so
> that the working group can make a final decision.
> 
> 
> 
> Option 1) TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL
> https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-00
> 
> This option introduced a new Traffic Selector type that is similar
> to the core IKEv2 RFC S_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE, but
> also contain a Security Label field
> 
> PROs:
> - Early failure during IKE_AUTH when mismatched. No IPsec SA establishes
> - Does not otherwise change the Traffic Selector processing
> CONs:
> - A bit ugly to have sort of duplicate Traffic Selector types
> - All new TS types in the future would need to get a seclabel and non-seclabel version.
> 
> 
> 
> 
> Option 2) TS_SECLABEL
> https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-02
> 
> PROs:
> - No copies of TS TYPE's with/without seclabel
> CONs:
> - Error handling is less nice. Responder might setup an IPsec SA
>    narrowed to without security label (unsupported TStypes can be
>    ignored according to RFC 7296), and the initiator has to refuse
>    it by sending a Delete SA message (as security labels are typically
>    mandatory)
> - Changes Traffic Selector processing, as now one is told that
>    if you pick TS_SECLABEL you must also pick a TS_IPV{46}_ADDR_RANGE.
>    Thus updates RFC 7296 with "sub typing" of TS TYPEs.
> 
> 
> 
> 
> Option 3) Use NOTIFY payloads
> (not specified in a draft)
> 
> PROs:
> - No changes to Traffic Selector code or specification. Easiest to
>    implement.
> CONs:
> - Error handling is less nice. Responder might setup an IPsec SA
>    without supporting the NOTIFY, and initiator has to Delete SA it.
> 
> 
> 
> Option 4) A new payload type like NOTIFY but now we can set Critical Flag
> (not specified in a draft)
> PROs:
> - No changes to Traffic Selector code or specification. Easiest to
>    implement.
> - Can use payload with Critical Flag, so exchange fails if not
>    configured or supported for security label type payload
> - Error handling already done as part of standard IKEv2
> CONs:
> - Takes up a new payload number.
> - Old Implementations might ignore Critical Flag and new payload type
>    and setup IPsec SA without Security Label? New implementations not
>    receiving the new payload type must also send Delete SA to prevent
>    non-label IPsec SA on responder to linger.
> 
> 
> Please let us know on the list which solution you prefer and why, so we
> can make a final decision and move on :)
> 
> Paul & Sahana
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email