[IPsec] Comments to draft-nir-ipsecme-cafr-02
Tero Kivinen <kivinen@iki.fi> Wed, 09 October 2013 11:10 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99C5A21F9A78 for <ipsec@ietfa.amsl.com>; Wed, 9 Oct 2013 04:10:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2cr4aE4rebU for <ipsec@ietfa.amsl.com>; Wed, 9 Oct 2013 04:10:38 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id EF43C21E8121 for <ipsec@ietf.org>; Wed, 9 Oct 2013 04:10:35 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.5) with ESMTP id r99BAViB026175 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Wed, 9 Oct 2013 14:10:31 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.12.11) id r99BAVNr024130; Wed, 9 Oct 2013 14:10:31 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21077.14759.253612.481464@fireball.kivinen.iki.fi>
Date: Wed, 09 Oct 2013 14:10:31 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 17 min
X-Total-Time: 25 min
Subject: [IPsec] Comments to draft-nir-ipsecme-cafr-02
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2013 11:10:39 -0000
In section "2.2. Verifying the HAND_OVER_CHILD_SAS Notification" the
document lists operations which needs to be done when handling the
notification. The process seems otherwise quite good, expect the error
handling seems to be bit drastic.
It currently says that if the authenticated identites are different
then other end replies with INVALID_SYNTAX error message:
----------------------------------------------------------------------
2.2. Verifying the HAND_OVER_CHILD_SAS Notification
...
o The authenticated identities of both sides under the new IKE SA
are the same as those under the old IKE SA. If the authenticated
identity of one peer differs from the authenticated identity that
it had in the previous IKE SA, the other side MUST respond with an
INVALID_SYNTAX notification.
...
----------------------------------------------------------------------
>From RFC5996, the INVALID_SYNTAX processing is described as following:
----------------------------------------------------------------------
2.21.3. Error Handling after IKE SA is Authenticated
...
If a peer parsing a request notices that it is badly formatted (after
it has passed the message authentication code checks and window
checks) and it returns an INVALID_SYNTAX notification, then this
error notification is considered fatal in both peers, meaning that
the IKE SA is deleted without needing an explicit Delete payload.
----------------------------------------------------------------------
I.e. the INVALID_SYNTAX notification is considered fatal in both
peers, meaning that IKE SA is deleted. In this case this will cause
the OLD IKE SA to be deleted. I do not think we want to be that to
happen. Perhaps something less fatal error message would be better as
this is not error cases listed in the RFC5996: "message that was
received was invalid because some type, length, or value was out of
range or because the request was rejected for policy reasons." (Ok, it
could be considered to be rejected because policy reasons).
As we are moving CHILD SAs, perhaps we could consider this as normal
"Generic Child SA error" and use NO_PROPOSAL_CHOSEN.
Also in the end of the section 2.2 it says:
----------------------------------------------------------------------
If the Initiator has sent the notification, but the notification from
the Responder does not match the IKE SPIs in the Initiator's
notification, the Initiator MUST send a SYNTAX_ERROR notification and
MUST NOT transfer the Child SAs.
----------------------------------------------------------------------
but there is no SYNTAX_ERROR error message in the IKEv2. This on the
other hand is clearly fatal error, as it indicates that the responder
has somehow corrupted its state, or there is implementation bug there,
if it cannot copy SPI from the request to the reply properly. On the
other hand I see no reason why the reply should include the SPI it
all. It would be better that initiator just sends the notify with the
SPI, and responder replies with the notify and does not include SPI at
all (i.e. its notify data would be empty). The SPI in the responder
message does not have any meaning or use.
In section 7 Security Considerations I can see the attack that can
happen if the authenticated identities are not same. I.e. if host uses
authenticated identities also outside the IPsec. For example the host
might export the authenticated identities to the nfs-server, and
nfs-server could use that to verify what kind of operations the user
can do. In that case attacker might create IKE SA and Child SA to
nfs-server of the server, and then move the Child SA to another users
IKE SA, and then start doing nfs-requests. Now when nfs-server asks
from the IPsec engine who is on the other end of the protected IPsec
tunnel the IPsec engine would respond wrong users...
As long as the IPsec is mostly used for VPNs this kind of setups are
not used, but if host to host IPsec ever comes reality this kind of
setups might happen, so I think that check is very important...
--
kivinen@iki.fi
- [IPsec] Comments to draft-nir-ipsecme-cafr-02 Tero Kivinen
- Re: [IPsec] Comments to draft-nir-ipsecme-cafr-02 Yoav Nir
- Re: [IPsec] Comments to draft-nir-ipsecme-cafr-02 Tero Kivinen