IETF Logo Mail Archive

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Paul Wouters <paul@nohats.ca> Thu, 01 April 2021 14:11 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C61B23A135E for <ipsec@ietfa.amsl.com>; Thu, 1 Apr 2021 07:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mhf4GBAn4W9L for <ipsec@ietfa.amsl.com>; Thu, 1 Apr 2021 07:11:01 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D5423A135F for <ipsec@ietf.org>; Thu, 1 Apr 2021 07:11:01 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4FB4pj70zJzCqt; Thu, 1 Apr 2021 16:10:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1617286253; bh=86vUaUUyCen2o8N7QePOCeaQxwjlow1eFeXILLdofkQ=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=sE5fqFJvyS/Ylx7MEN8zTh/yUOvY/k62uClDER8MvPT+BnyK71mSgQ88cUavbOpTZ iY0G11lmW7noRV85eP72r4AVjx1DVl9NdDIJjoh+luy7G1iw56LvaB8zEhvaQqnAdr oqqoIreTdxmyvkfXmgCzMnvlOl5NRfe+E+Fjzgw0=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id A-KHkYpgEa-o; Thu, 1 Apr 2021 16:10:52 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 1 Apr 2021 16:10:52 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id AE33660299AB; Thu, 1 Apr 2021 10:10:51 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id A55AB1259; Thu, 1 Apr 2021 10:10:51 -0400 (EDT)
Date: Thu, 01 Apr 2021 10:10:51 -0400
From: Paul Wouters <paul@nohats.ca>
To: Antony Antony <antony.antony@secunet.com>
cc: "Bottorff, Paul" <paul.bottorff@hpe.com>, IPsec <ipsec@ietf.org>
In-Reply-To: <20210401133615.GB27893@moon.secunet.de>
Message-ID: <5851ee8a-4797-5c4b-379-fbbc2295e1bc@nohats.ca>
References: <CS1PR8401MB11928BE251D4B6E05184D941FE619@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <20210331103220.GA21137@moon.secunet.de> <CS1PR8401MB119267E038AFBDFD996F0441FE7C9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <20210401133615.GB27893@moon.secunet.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/YKyZSx-Nd-dPM8Til7kgvUTaLiQ>
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 14:11:07 -0000

On Thu, 1 Apr 2021, Antony Antony wrote:

> In my experience it would work well when there is no NAT. When there
> there is NAT the IKE and ESP in UDP should use same ports, otherwise
> IKE will get established and ESP packets could get dropped in one
> direction. When there is NAT it would look more like a client-to-server
> than a peer-to-peer.

One idea could be to use MOBIKE probes (without UPDATE_SA) by the
initiator behind NAT to get multiple NAT mappings? It might require
kernel changes depending on how it implements NAT updates :/

> I implemented a proof concept - UDP source port set to 16bit hash of out going SPI.
> Then it occurred to me the hash could collide with other well
> known UDP ports e.g. hash of an SPI or/and IP address could be 53(DNS).
> Some admins may not be happy to see source port 53 for ESP in UDP traffic.

I seen this in the wild already with a large VPN provider blocking port
19 (chargen) and NAT gateways picking port 19 as source port. While this
could be an attack to try and trigger chargen responses from a spoofed
packet, I don't think it is. It might work for TCP, but not really for
UDP as a DoS attack. I think in the end, sadly, we have to expect every port
to be used by badly designed NAT gateways.

However, it would still be a good design to keep UDP source ports in the
ephemeral ranges. This also helps against local policy enforcements,
such as Linux's SElinux policies.

> If you choose ephemeral source ports both sides should know the source
> ports otherwise SADB remap will be generated. If we disable that real NAT
> would break...
> So far I don't have a clean solution which would work with NAT and without NAT
> for our use case.

That is indeed the real problem to solve. I have to do some more
testingwith MOBIKE probes on the same IP with only port differences
and see if the kernel acts like these are port updates or not if it
is only IKEinUDP and not ESPinUDP.

Paul

v2.23.0 | Report a Bug | By Email