[IPsec] Fwd: [saag] IPv6 Node Requirements: Updated IPsec/IKEv2 text
Yoav Nir <ynir@checkpoint.com> Wed, 25 August 2010 20:43 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 718BA3A6B62 for <ipsec@core3.amsl.com>; Wed, 25 Aug 2010 13:43:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.583
X-Spam-Level:
X-Spam-Status: No, score=-2.583 tagged_above=-999 required=5 tests=[AWL=0.016, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbZgsFy77H7F for <ipsec@core3.amsl.com>; Wed, 25 Aug 2010 13:43:41 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by core3.amsl.com (Postfix) with ESMTP id 6E6963A6B65 for <ipsec@ietf.org>; Wed, 25 Aug 2010 13:43:27 -0700 (PDT)
X-CheckPoint: {4C758DF1-F-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id o7PKhxn4021613 for <ipsec@ietf.org>; Wed, 25 Aug 2010 23:43:59 +0300
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Wed, 25 Aug 2010 23:44:40 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: IPsecme WG <ipsec@ietf.org>
Date: Wed, 25 Aug 2010 23:43:56 +0300
Thread-Topic: [saag] IPv6 Node Requirements: Updated IPsec/IKEv2 text
Thread-Index: ActEllYvXTKWkERPQnmzm9nlKwbJpw==
Message-ID: <ABCB4132-2917-44A0-A006-BC67089E73AB@checkpoint.com>
References: <4C75752F.5020409@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [IPsec] Fwd: [saag] IPv6 Node Requirements: Updated IPsec/IKEv2 text
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Aug 2010 20:43:43 -0000
Hi all This might be of interest to the group. Joe is suggesting here (and in the next messages on the thread) to update RFC 4301. Begin forwarded message: > From: Joe Touch <touch@isi.edu> > Date: August 25, 2010 10:55:27 PM GMT+03:00 > To: Thomas Narten <narten@us.ibm.com> > Cc: "saag@ietf.org" <saag@ietf.org> > Subject: Re: [saag] IPv6 Node Requirements: Updated IPsec/IKEv2 text > > Hi, Tom, > > On 8/25/2010 6:20 AM, Thomas Narten wrote: >> To recap, I presented on the issue of updating the IPsec/IKEv2 text >> at the 6man meeting in Maastricht, as well as at the SAAG meeting. My >> sense of both of those discussions is that there is support for >> changing the general recommendation to a SHOULD. >> >> I got some good feedback in SAAG about the wording (refer to the >> security architecture generally rather than IKEv2, etc.). >> >> New proposed text below. >> >> This text would go into draft-ietf-ipv6-node-requirements, which >> updates RFC 4294. >> >> Comments? > > First, this seems to override Sec 10 of RFC4301, so it would need to > update RFC4301 as well. > > Some other comments below. > > Joe > >> Thomas >> >> 10. Security >> >> This section describes the specification for security for IPv6 nodes. >> >> Achieving security in practice is a complex undertaking. Operational >> procedures, protocols, key distribution mechanisms, certificate >> management approaches, etc. are all components that impact the level >> of security actually achieved in practice. More importantly, >> deficiencies or a poor fit in any one individual component can >> significantly reduce the overall effectiveness of a particular >> security approach. >> >> IPsec provides channel security at the Internet layer, making it >> possible to provide secure communication for all (or a subset of) >> communication flows at the IP layer between pairs of internet nodes. >> IPsec provides sufficient flexibility and granularity that individual >> TCP connections can (selectively) be protected, etc. > > IPsec can protect down to the socket pair (src addr/src port/dst > addr/dst port) granularity, but there are two important issues. First, > this is rarely done; it is more common to protect services (i.e., at > least letting the src port of incoming SYNs float). Second, such > granularity would reuse an SA for different TCP connections that reuse > the port pair. > > I.e., there is no way I am aware of to ensure that IPsec changes SA keys > for a socket pair for each TCP connection that reuses that socket. > TCP-AO can achieve this, however. > > So it is not individual TCP connections that are protected; it is > individual socket pairs (at best), and more likely all connections > between two specific endpoints for a given service. > > [FWIW, this might be a good opportunity for the IPsec doc to crossref > TCP-AO, and to have at least a short note as to when each is preferred, > or to refer to that discussion in the TCP-AO document] > >> Although IPsec can be used with manual keying in some cases, such >> usage has limited applicability and is not recommended. >> >> A range of security technologies and approaches proliferate today >> (e.g., IPsec, TLS, SSH, etc.) > > It might be useful to add TCP-AO here. > >> No one approach has emerged as an >> ideal technology for all needs and environments. Moreover, IPsec is >> not viewed as the ideal security technology in all cases and is >> unlikely to displace the others. > > It's important to note, however, that although any of these protects the > user data, only IPsec and TCP-AO protect TCP connections from disruption > attacks. > >> Previously, IPv6 mandated implementation of IPsec and recommended the >> key management approach of IKE. This document updates that >> recommendation by making support of the IP Security Architecture [RFC >> 4301] a SHOULD for all IPv6 nodes. Note that the IPsec Architecture >> requires (e.g., Sec. 4.5 of RFC 4301) the implementation of both >> manual and automatic key management. Currently the default automated >> key management protocol to implement is IKEv2. >> >> This document recognizes that there exists a range of device types >> and environments where other approaches to security than IPsec can be >> justified. For example, special-purpose devices may support only a >> very limited number or type of applications and an application- >> specific security approach may be sufficient for limited management >> or configuration capabilities. Alternatively, some devices my run on >> extremely constrained hardware (e.g., sensors) where the full IP >> Security Architecture is not justified. >> >> 10.1. Requirements >> >> "Security Architecture for the Internet Protocol" [RFC4301] SHOULD be >> supported by all IPv6 nodes. Note that the IPsec Architecture >> requires (e.g., Sec. 4.5 of RFC 4301) the implementation of both >> manual and automatic key management. Currently the default automated >> key management protocol to implement is IKEv2. >> >> 10.2. Transforms and Algorithms >> >> The current set of mandatory-to-implement algorithms for the IP >> Security Architcture are defined in 'Cryptographic Algorithm >> Implementation Requirements For ESP and AH' [RFC4835]. IPv6 nodes >> implementing the IP Security Architecture MUST conform to the >> requirements in [RFC4835]. Preferred cryptographic algorithms often >> change more frequently than security protocols. Therefore >> implementations MUST allow for migration into new algorithms, as >> RFC4835 is replaced or updated in the future. > > This might also be a good opportunity to revisit the issue of > recommendations for tunnel and transport mode inclusion. During the > revision of RFC4301, IMO the recommendations on transport mode were > vague with respect to routers (RFC4301, end of section 4.1). > > I feel it is important to indicate the following: > > --- > > Any device that acts like a host (i.e., sources packets with IP > addresses assigned to their own interfaces) and implements IPsec MUST > implement transport mode. All devices (hosts and gateways) that > implement IPsec MUST implement tunnel mode. Because gateways always act > as hosts for some protocols (as noted in RFC 1812), the conclusion is > that all devices that implement IPsec MUST implement both tunnel and > transport mode. > > In summary, > > a) A host implementation of IPsec MUST support both transport and > tunnel mode. This is true for native, BITS, and BITW > implementations for hosts. > > b) A security gateway MUST support both transport and tunnel mode. > Transport mode should be used only when the security gateway > is acting as a host, e.g., for network management, or to > provide security between two intermediate systems along a path, > as to secure a tunnel whose encapsulation is not provided > by IPsec tunnel mode. > > --- >