[IPsec] comments on esp-null-heuristics-01
Michael Richardson <mcr@sandelman.ca> Thu, 12 November 2009 01:40 UTC
Return-Path: <mcr@marajade.sandelman.ca>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 110E43A67B1 for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 17:40:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.092
X-Spam-Level:
X-Spam-Status: No, score=-1.092 tagged_above=-999 required=5 tests=[AWL=-0.043, BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334, RCVD_IN_PBL=0.905]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8+7XzUS1F9Ox for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 17:40:58 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [67.23.6.41]) by core3.amsl.com (Postfix) with ESMTP id E1F8A3A67FA for <ipsec@ietf.org>; Wed, 11 Nov 2009 17:40:57 -0800 (PST)
Received: from sandelman.ottawa.on.ca (desk.marajade.sandelman.ca [209.87.252.247]) by relay.sandelman.ca (Postfix) with ESMTPS id 687A5342E6 for <ipsec@ietf.org>; Wed, 11 Nov 2009 20:32:34 -0500 (EST)
Received: from marajade.sandelman.ca (localhost [127.0.0.1]) by sandelman.ottawa.on.ca (Postfix) with ESMTP id A043B4E793 for <ipsec@ietf.org>; Wed, 11 Nov 2009 20:41:21 -0500 (EST)
Prev-Resent: Wed, 11 Nov 2009 19:03:11 -0500
Prev-Resent: "kivinen@iki.fi, ipsecme@ietf.org "
From: Michael Richardson <mcr@sandelman.ca>
X-Message-Flag: You should stop using Outlook. Switch to Thunderbird.
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: MH-E 8.1; nmh 1.1; XEmacs 21.4 (patch 21)
Date: Wed, 04 Nov 2009 10:02:46 -0500
Message-ID: <10247.1257346966@marajade.sandelman.ca>
Sender: mcr@marajade.sandelman.ca
Resent-To: ipsec@ietf.org
Resent-Date: Wed, 11 Nov 2009 20:41:21 -0500
Resent-Message-ID: <18304.1257990081@marajade.sandelman.ca>
Resent-From: Michael Richardson <mcr@marajade.sandelman.ca>
Cc: ipsecme@ietf.org
Subject: [IPsec] comments on esp-null-heuristics-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 01:40:59 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> As end nodes might be able to
> bypass those checks by using encrypted ESP instead of ESP-NULL, these
> kinds of scenarios also require very specific policies to forbid such
> circumvention.
The question is, are these end-nodes malicious, or are they just
ignorant?
> Because the traffic inspected is usually host to host traffic inside
> one organization, that usually means transport mode IPsec is used.
It is? I'll bet 95% of actual transport mode IPsec has an L2TP layer inside.
===
I agree with the analysis of section 3, in particular the explanation of
how hardware can be programmed to statefully match the ESP-NULL flows.
It might be worth noting that NAT-T ESP-NULL flows *ALREADY* have a
5-tuple (likely unique) marker, and that if the inspector is also a NA(P)T,
that it already is keeping the right state.
section 4.
It might be worth having a reference for "flow cache". I think that
there is a document on Cisco Netflow, and I also think that FORCES has
something that relates to the Linux "flow" things. I think it might
also be worth staying that this is really a "microflow" cache.
Include a forward reference to section 7, so the reader knows UDP will
be dealt with. In particular, in the text relating to NAT-T
encapsulated IKE packets. If they are not allowed through (queue until
sure, or drop option), then the SA might not get setup ever..
section 8.2
I'd rather see the math/calculations in a display... that would
eliminate the difficulty in reading when things are wrapped.
page 16:
those cases the packet must be marked "unsure".
s/must/MUST/ ???
I have read the appendix code, and I do not see anything glaringly out
at me, but I'd have to sit down and actually implement to know if all
the situations are taken care of.
It seems like good guidance, and the statements in the Appendix were
familiar from reading the text.
In conclusion: while I think the whole inspection notion is ridiculous,
and likely is going to get in the way of deployment of
new protocols, and may well help the "throttlers"
(cf. Mark Handley's Net Neutrality presentation at
IETF75), I find that if the inspection people follow the
very sage advice of Kivinen and McDonald, that the least
amount of harm possible will be done.
- --
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBSvGXlICLcPvd0N1lAQIQ+Af/ViKcqG7Ed9CLVzXbiZOUGUArYJizkO5t
teH+U6DuvPmfX2yLr4cZhEcH5CmhfF6xh2Y2Lg3yc5+IGjk2pqzwn6eRONfP1bwO
8LcFZQ+a215sVCHoFDNFhMzyyMi6i2F/wiyNnSpfEG3HX3gvjonkZJcWKxm6lbyr
uNNPs2BrC11OQcqGsyVXqH1C2T5c42cdauh/Z3U7hxflyf/WNFU3iux3I8SgmgWx
QkZBwp8U60ugbuN/LuA3O72+XXChfQPQppR50aX1RLS86D5UmJoyJvsuA0XOfLSg
qS9H+RWMRk4RgLiO4DrlwhYVoKznhwf48XTaCTa8nPT+rT2ffLzepA==
=H/OJ
-----END PGP SIGNATURE-----
- [IPsec] comments on esp-null-heuristics-01 Michael Richardson
- [IPsec] comments on esp-null-heuristics-01 Tero Kivinen
- Re: [IPsec] comments on esp-null-heuristics-01 Tero Kivinen
- Re: [IPsec] comments on esp-null-heuristics-01 Tero Kivinen