IETF Logo Mail Archive

Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth (fwd)

Tero Kivinen <kivinen@iki.fi> Tue, 20 January 2015 14:34 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9C01B2DAB for <ipsec@ietfa.amsl.com>; Tue, 20 Jan 2015 06:34:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level:
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PtDlHoC2aUAa for <ipsec@ietfa.amsl.com>; Tue, 20 Jan 2015 06:34:07 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0E9C1B2DB0 for <ipsec@ietf.org>; Tue, 20 Jan 2015 06:34:05 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t0KEXxKD024163 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 20 Jan 2015 16:33:59 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t0KEXwZr016695; Tue, 20 Jan 2015 16:33:58 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21694.26453.977101.952972@fireball.kivinen.iki.fi>
Date: Tue, 20 Jan 2015 16:33:57 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <038B7179C6EB4C5BB2A110AD37541204@buildpc>
References: <alpine.LFD.2.10.1501131139150.13941@bofh.nohats.ca> <038B7179C6EB4C5BB2A110AD37541204@buildpc>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 14 min
X-Total-Time: 13 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/P6cIDSQCAyohykdhQ3h_cyNJlXU>
Cc: IPsecME WG <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>
Subject: Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth (fwd)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jan 2015 14:34:10 -0000

Valery Smyslov writes:
> > Valery suggests sending liveness checks to all IKE SA's that used
> > AUTH_NONE.
> > 
> > I suggested sending liveness checks only to those IKE SA's that used
> > the same IP address, thus limiting the scope to a more likely pool
> > of possible orphaned SA's by a remote that crashed/restarted.
> 
> I don't think that restricting liveness checks in this case to the same 
> IP address covers all the situations. The peer may crash,
> reboot and get new IP from its ISP and then create new IKE SA.
> In this situation (very common, not?) the proposed restriction
> will prevent the server from finding that old stale SA and it will continue
> to consume resources untill the server decides to send smth.
> over it or to check its liveness based on a long period of its
> inactivity or until its lifetime is over.
> 
> I don't think that the document should impose such a restriction,
> but instead it should give some guidance of how implementation
> should behave in this situation. 
> 
> To clarify my position: I don't propose that implementation
> should blindly send liveness check messages on 
> every SA once new one is created. If SA is active
> (there was recent incoming traffic over it) or implementation
> has just successfully finished liveness check on that 
> particular SA, then there is no need to do it again.
> But if some unauthenticated SAs are idle for a while, then the event of 
> creating new unauthenticated IKE SA  MAY (not SHOULD, not MUST) 
> trigger the liveness check on those SAs, regardless of their IP addresses.

Or the implementation could just do n liveness checks for
unauthenticated clients per second. I.e. go through all your
unauthentication clients ever now and while, and see whether you need
to clear the resources. How fast you want to go through them depends
how much resources you have left. If you have plenty of resources,
there is no need to wast other resources to clean up some other
resources. If you are running out of memory because you have too many
unauthenticated IKE SAs then send liveness check to them faster (==
consume more CPU resource), to clean up resource you are running out
(==memory).

This all is implementation details. We could give some hints here, but
I do not think we want to make any hard rules...

> > Traffic Selectors
...
> > And opens up the reverse attack of the server stealing the
> > client's 8.8.8.8 traffic. Some more discussion and insights on this
> > would be useful.

Actually I think I am missing something. How can server steal clients
8.8.8.8 traffic? Even if it assigns client 8.8.8.7 IP address, that
does not mean 8.8.8.8 is sent to the server. Server can assign 8.8.8.8
for the client, which means that 8.8.8.8 traffic from the client does
not go anywhere (i.e. it is routed to localhost, because client think
it is his own IP), but that does not allow stealing traffic.

Assigning address using configuration payloads do not affect routing
table. Only traffic selectors and perhaps INTERNAL_IP*_SUBNET stuff
might affect routing, and client should not ever allow traffic
selectors which are wider than what his policy allows. For
unauthenticated host-to-host conection client would always put exactly
one IP address (servers IP-address) to the TSr when proposing traffic
selectors, and server cannot make it wider than that.

Also client can easily limit that address assigned to it via
configuration payload must be from the private address range, as there
is no reason for server to assign client real routable IP-address in
unauthenticated user case. But again this is policy decision which
implementations need to do.

> > Additionally, if we allow some kind of narrowed traffic selector,
> > malicious IKE peers would only need their one IP and could setup
> > (protocol * sport * dport) IPsec SAs. Or a variant of this could
> > be done with when allowing CREATE_CHILD_SA to setup a plethora of
> > IPsec SAs. Restrictions based on IP address is hard, again because
> > of the NAT support problem.
> 
> I think it is a server's policy issue. It can always restrict
> the number of IPsec SAs from a single peer
> by using NO_ADDITIONAL_SAS notification.
> The document should not impose any restrictions here, IMHO.

Agree. Implementations might also have different limits depending
whether the other end is authenticated or unauthenticated, i.e.
unauthenticated clients might only be able to create for example 10
Child SAs, and authenticated clients can create 1000 Child SAs... And
btw child SAs are quite cheap, so the limit does not need to be 1 and
3... :)

On the other hand on some environments Child SAs are expensive, for
example if you have hardware acceleration which  only supports limited
amount of SAs. In those environments the server's policy might
disallow per flow SA.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email