[IPsec] Comments to draft-nir-ipsecme-cafr-02
Tero Kivinen <kivinen@iki.fi> Wed, 09 October 2013 11:10 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99C5A21F9A78 for <ipsec@ietfa.amsl.com>; Wed, 9 Oct 2013 04:10:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2cr4aE4rebU for <ipsec@ietfa.amsl.com>; Wed, 9 Oct 2013 04:10:38 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id EF43C21E8121 for <ipsec@ietf.org>; Wed, 9 Oct 2013 04:10:35 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.5) with ESMTP id r99BAViB026175 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Wed, 9 Oct 2013 14:10:31 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.12.11) id r99BAVNr024130; Wed, 9 Oct 2013 14:10:31 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21077.14759.253612.481464@fireball.kivinen.iki.fi>
Date: Wed, 09 Oct 2013 14:10:31 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 17 min
X-Total-Time: 25 min
Subject: [IPsec] Comments to draft-nir-ipsecme-cafr-02
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2013 11:10:39 -0000
In section "2.2. Verifying the HAND_OVER_CHILD_SAS Notification" the document lists operations which needs to be done when handling the notification. The process seems otherwise quite good, expect the error handling seems to be bit drastic. It currently says that if the authenticated identites are different then other end replies with INVALID_SYNTAX error message: ---------------------------------------------------------------------- 2.2. Verifying the HAND_OVER_CHILD_SAS Notification ... o The authenticated identities of both sides under the new IKE SA are the same as those under the old IKE SA. If the authenticated identity of one peer differs from the authenticated identity that it had in the previous IKE SA, the other side MUST respond with an INVALID_SYNTAX notification. ... ---------------------------------------------------------------------- >From RFC5996, the INVALID_SYNTAX processing is described as following: ---------------------------------------------------------------------- 2.21.3. Error Handling after IKE SA is Authenticated ... If a peer parsing a request notices that it is badly formatted (after it has passed the message authentication code checks and window checks) and it returns an INVALID_SYNTAX notification, then this error notification is considered fatal in both peers, meaning that the IKE SA is deleted without needing an explicit Delete payload. ---------------------------------------------------------------------- I.e. the INVALID_SYNTAX notification is considered fatal in both peers, meaning that IKE SA is deleted. In this case this will cause the OLD IKE SA to be deleted. I do not think we want to be that to happen. Perhaps something less fatal error message would be better as this is not error cases listed in the RFC5996: "message that was received was invalid because some type, length, or value was out of range or because the request was rejected for policy reasons." (Ok, it could be considered to be rejected because policy reasons). As we are moving CHILD SAs, perhaps we could consider this as normal "Generic Child SA error" and use NO_PROPOSAL_CHOSEN. Also in the end of the section 2.2 it says: ---------------------------------------------------------------------- If the Initiator has sent the notification, but the notification from the Responder does not match the IKE SPIs in the Initiator's notification, the Initiator MUST send a SYNTAX_ERROR notification and MUST NOT transfer the Child SAs. ---------------------------------------------------------------------- but there is no SYNTAX_ERROR error message in the IKEv2. This on the other hand is clearly fatal error, as it indicates that the responder has somehow corrupted its state, or there is implementation bug there, if it cannot copy SPI from the request to the reply properly. On the other hand I see no reason why the reply should include the SPI it all. It would be better that initiator just sends the notify with the SPI, and responder replies with the notify and does not include SPI at all (i.e. its notify data would be empty). The SPI in the responder message does not have any meaning or use. In section 7 Security Considerations I can see the attack that can happen if the authenticated identities are not same. I.e. if host uses authenticated identities also outside the IPsec. For example the host might export the authenticated identities to the nfs-server, and nfs-server could use that to verify what kind of operations the user can do. In that case attacker might create IKE SA and Child SA to nfs-server of the server, and then move the Child SA to another users IKE SA, and then start doing nfs-requests. Now when nfs-server asks from the IPsec engine who is on the other end of the protected IPsec tunnel the IPsec engine would respond wrong users... As long as the IPsec is mostly used for VPNs this kind of setups are not used, but if host to host IPsec ever comes reality this kind of setups might happen, so I think that check is very important... -- kivinen@iki.fi
- [IPsec] Comments to draft-nir-ipsecme-cafr-02 Tero Kivinen
- Re: [IPsec] Comments to draft-nir-ipsecme-cafr-02 Yoav Nir
- Re: [IPsec] Comments to draft-nir-ipsecme-cafr-02 Tero Kivinen