[IPsec] Still incorrect understanding of PF_KEY in ikev2bis-08
Dan McDonald <danmcd@sun.com> Tue, 02 March 2010 21:41 UTC
Return-Path: <danmcd@sun.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2E2F33A8CB8 for <ipsec@core3.amsl.com>; Tue, 2 Mar 2010 13:41:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.046
X-Spam-Level:
X-Spam-Status: No, score=-6.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IGWOS7VObqwr for <ipsec@core3.amsl.com>; Tue, 2 Mar 2010 13:41:32 -0800 (PST)
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by core3.amsl.com (Postfix) with ESMTP id 4D5E73A8839 for <ipsec@ietf.org>; Tue, 2 Mar 2010 13:41:31 -0800 (PST)
Received: from dm-east-02.east.sun.com ([129.148.13.5]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id o22LfWeK009619 for <ipsec@ietf.org>; Tue, 2 Mar 2010 21:41:32 GMT
Received: from kebe.East.Sun.COM (kebe.East.Sun.COM [129.148.174.48]) by dm-east-02.east.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.4) with ESMTP id o22LfVUq021413 for <ipsec@ietf.org>; Tue, 2 Mar 2010 16:41:31 -0500 (EST)
Received: from kebe.East.Sun.COM (localhost [127.0.0.1]) by kebe.East.Sun.COM (8.14.4+Sun/8.14.4) with ESMTP id o22LYdG8023278 for <ipsec@ietf.org>; Tue, 2 Mar 2010 16:34:39 -0500 (EST)
Received: (from danmcd@localhost) by kebe.East.Sun.COM (8.14.4+Sun/8.14.4/Submit) id o22LYd8e023277 for ipsec@ietf.org; Tue, 2 Mar 2010 16:34:39 -0500 (EST)
X-Authentication-Warning: kebe.East.Sun.COM: danmcd set sender to danmcd@sun.com using -f
Date: Tue, 02 Mar 2010 16:34:39 -0500
From: Dan McDonald <danmcd@sun.com>
To: ipsec@ietf.org
Message-ID: <20100302213439.GJ11824@kebe.East.Sun.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Organization: Sun Microsystems, Inc. - Solaris Networking & Security
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: [IPsec] Still incorrect understanding of PF_KEY in ikev2bis-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 21:41:33 -0000
Even as of draft-08, section 2.9: When an RFC4301-compliant IPsec subsystem receives an IP packet that matches a "protect" selector in its Security Policy Database (SPD), the subsystem protects that packet with IPsec. When no SA exists yet, it is the task of IKE to create it. Maintenance of a system's SPD is outside the scope of IKE (see [PFKEY] for an example programming interface, although it only applies to IKEv1), though some implementations might update their SPD in connection with the running of IKE (for an example scenario, see Section 1.1.3). is entirely incorrect about PF_KEY. PF_KEY maintains the SADB and expresses the SPD and/or triggering packet when IPsec requires a new outbound SA. Some PF_KEY extensions (notably in any KAME/WIDE-derived implementations) also maintain the SPD. And it certainly is not applicable to just IKEv1 - it was intended to allow an ARBITRARY Key Management daemon to add/delete/etc. SAs. The PF_KEY SADB_ACQUIRE message is an expression of the SPD entry for the packet. So as not to just be a whiner, I will provide a replacement first two paragraphs: When an RFC4301-compliant IPsec subsystem receives an IP packet that matches a "protect" selector in its Security Policy Database (SPD), the subsystem protects that packet with IPsec. When no SA exists yet, it is the task of IKE to create it. Maintenance of a system's SPD is outside the scope of IKE, though some implementations might update their SPD in connection with the running of IKE (for an example scenario, see Section 1.1.3). Traffic Selector (TS) payloads allow endpoints to communicate some of the information from their SPD to their peers. These must be communicated to IKE from the SPD (for example the PF_KEY API [PFKEY] uses the SADB_ACQUIRE message). TS payloads specify the selection criteria for packets that will be forwarded over the newly set up SA. This can serve as a consistency check in some scenarios to assure that the SPDs are consistent. In others, it guides the dynamic update of the SPD. Thanks, Dan
- [IPsec] Still incorrect understanding of PF_KEY i… Dan McDonald
- Re: [IPsec] Still incorrect understanding of PF_K… Paul Hoffman
- Re: [IPsec] Still incorrect understanding of PF_K… Pasi.Eronen