Re: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements?

Linda Dunbar <linda.dunbar@futurewei.com> Wed, 20 May 2020 17:34 UTC

From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Paul Wouters <paul@nohats.ca>
CC: "ipsec@ietf.org WG" <ipsec@ietf.org>
Thread-Topic: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements?
Date: Wed, 20 May 2020 17:34:00 +0000
Message-ID: <SN6PR13MB23349CB87CDDCF05E504727B85B60@SN6PR13MB2334.namprd13.prod.outlook.com>
References: <SN6PR13MB233450103D13365702E14D7A85B80@SN6PR13MB2334.namprd13.prod.outlook.com> <alpine.LRH.2.21.2005181442060.29444@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.2005181442060.29444@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Fc0w1qqmAFhwUI91Py67kqjGkNI>
Subject: Re: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements?
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>

Paul, 

Thank you very much for the detailed explanation. 

What is "you can do auth-null for passive attack protection"? Does it mean "NO Authentication"?
If two peers have shared CA, does it mean there is no need for Authentication? 

Thanks, Linda



-----Original Message-----
From: Paul Wouters <paul@nohats.ca> 
Sent: Monday, May 18, 2020 1:52 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: ipsec@ietf.org WG <ipsec@ietf.org>
Subject: Re: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements?

On Mon, 18 May 2020, Linda Dunbar wrote:

> We are experiencing the problems described in RFC 7018 (Auto-Discovery 
> VPN Problem Statement and Requirements), i.e. the problem of enabling a large number of peers (primarily Gateway) to communicate directly using IPsec to protect the traffic between them.

Unfortunately, standardization failed because vendors wanted their own solution standardized, and the WG didn't want multiple standards, so it decided to do none.

For libreswan, we do "Opportunistic IPsec", which is basically "just try host-to-host IPsec, fail to either clear or block depending on policy".
We also have "you can do auth-null for passive attack protection in one or both directions" and a migration path from there to fully authenticated IPsec. Authentication based on a shared CA or DNSSEC.

These are packet trigger based solutions.

It works well for most meshes, and requires no proprietary or new standards. The only two non-standard parts are that when using certificates, we allow requiring an additional call to match the IKE ID with certificate SAN in the DNS (to prevent a compromised node from pretending to be another node in the mesh) and we have one non-standardized payload to signify we can do auth-null as well as authenticated IPsec, which we hopefully can retire once this document gets adopted / implemented:

https://datatracker.ietf.org/doc/draft-smyslov-ipsecme-ikev2-auth-announce/

> Is there any drafts describing the solutions to the problems identified by RFC7018?

There might be the old drafts of the autovpn candidates, but as that is all incompatible and/or proprietary, and mostly from before my time, I have not looked at those solutions much.

One issue I have with Cisco solutions, is that they now prefer to wrap everything in GRE, which isn't the best from a security point of view.

NHRP (using opennhrp) seems somewhat popular too?

Paul
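
The "match the IKE ID with certificate SAN in the DNS" check Paul mentions is worth seeing as code, because it is the piece that stops a compromised mesh member from answering IKE on behalf of another member. The block below is an added illustration written for this page, not libreswan's implementation and not an IETF specification; it models the check as: a peer holding a valid certificate from the shared mesh CA is accepted only if the address the packet trigger was for maps back, through a DNSSEC-validated PTR record, to the identity in that certificate. The node names, addresses, certificates and reverse-DNS table are all constructed; the function names (`authenticate_peer`, `dnssec_ptr`) are hypothetical.

```python
"""Added example: binding an IKE peer's certificate identity to the address
that triggered an opportunistic IPsec negotiation.

Illustrative code for this thread, not libreswan's own implementation.
Threat modelled: in a packet-triggered mesh, node X (honest) tries to reach
the address of node A. A compromised node B sits on the path, intercepts the
IKE exchange and completes it with B's *own* valid mesh-CA certificate. With
CA trust alone, X accepts, because B really is a mesh member. Requiring that
A's address reverse-maps (DNSSEC-signed) to the presented ID rejects B.
All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PeerCert:
    """Minimal stand-in for a peer certificate: its SAN dNSName entries and
    whether the chain validates against the shared mesh CA."""
    san_dns: Tuple[str, ...]
    issued_by_mesh_ca: bool


# Constructed reverse map: address -> (PTR target, DNSSEC-validated?).
# In a real deployment this comes from a validating resolver; an unsigned
# answer is treated as "no answer", never as a match.
REVERSE_MAP = {
    "192.0.2.10": ("node-a.mesh.example.", True),
    "192.0.2.20": ("node-b.mesh.example.", True),
    "192.0.2.30": ("node-c.mesh.example.", False),  # zone not signed
}

# Constructed certificates, all legitimately issued by the mesh CA.
NODE_A_CERT = PeerCert(("node-a.mesh.example",), True)
NODE_B_CERT = PeerCert(("node-b.mesh.example",), True)
NODE_C_CERT = PeerCert(("node-c.mesh.example",), True)
ROGUE_CERT = PeerCert(("node-b.mesh.example",), False)  # unknown issuer


def _canon(name: str) -> str:
    """Compare DNS names case-insensitively and ignore a trailing dot."""
    return name.rstrip(".").lower()


def dnssec_ptr(ip: str) -> Optional[str]:
    """Return the PTR target for ip only if the answer was DNSSEC-validated."""
    rec = REVERSE_MAP.get(ip)
    if rec is None or not rec[1]:
        return None
    return rec[0]


def authenticate_peer(target_ip: str, ike_id: str, cert: PeerCert,
                      require_dns_match: bool = True) -> Tuple[bool, str]:
    """Decide whether to accept an authenticated peer.

    target_ip: the address the packet trigger was for (who we meant to reach)
    ike_id:    the FQDN identity the peer asserted in IKE_AUTH
    cert:      the certificate the peer presented (already signature-checked)
    Returns (accepted, reason).
    """
    # Baseline checks any deployment does: trusted issuer, ID backed by SAN.
    if not cert.issued_by_mesh_ca:
        return False, "certificate not issued by the mesh CA"
    if _canon(ike_id) not in {_canon(n) for n in cert.san_dns}:
        return False, "IKE ID not present in certificate SAN"
    if not require_dns_match:
        # Any valid mesh member can now speak for any mesh address.
        return True, "accepted on CA trust alone"
    # Extra binding: the address we were reaching must belong to this ID.
    ptr = dnssec_ptr(target_ip)
    if ptr is None:
        return False, "no DNSSEC-validated PTR for target address"
    if _canon(ptr) != _canon(ike_id):
        return False, f"{ike_id} does not own {target_ip} (PTR is {ptr})"
    return True, "identity bound to target address"


if __name__ == "__main__":
    # Honest node-b answering for its own address.
    print(authenticate_peer("192.0.2.20", "node-b.mesh.example", NODE_B_CERT))
    # Compromised node-b intercepting traffic meant for node-a.
    print(authenticate_peer("192.0.2.10", "node-b.mesh.example", NODE_B_CERT))
    print(authenticate_peer("192.0.2.10", "node-b.mesh.example", NODE_B_CERT,
                            require_dns_match=False))
    # node-c is genuine, but its reverse zone is unsigned: cannot be bound.
    print(authenticate_peer("192.0.2.30", "node-c.mesh.example", NODE_C_CERT))
```

The third call shows the gap the extra lookup closes: with `require_dns_match=False` the interception is accepted, since B's certificate is perfectly valid; with the default it is rejected because A's address does not reverse-map to B's identity. The fourth call shows the operational cost: a node whose reverse zone is not DNSSEC-signed cannot be bound to its address and is refused rather than silently accepted, so turning the check on requires signed PTR records for every mesh member.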