IPsec, IKE, IPv6
"Jari Arkko" <jari.arkko@kolumbus.fi> Thu, 26 July 2001 08:24 UTC
Message-ID: <022f01c115a4$c43f7f00$8a1b6e0a@arenanet.fi>
From: Jari Arkko <jari.arkko@kolumbus.fi>
To: ipsec@lists.tislabs.com, tytso@mit.edu
Cc: kivinen@ssh.fi
References: <3B320F85.5A8943D5@lmf.ericsson.se>
Subject: IPsec, IKE, IPv6
Date: Thu, 26 Jul 2001 10:29:55 +0300
Hi,

The upcoming IETF meeting reminds me that we had a discussion in the last meeting about certain IPv6 related issues in IPsec, and that we were supposed to get back to the discussion on the mailing list. Specifically, our drafts addressed two issues related to IPv6, namely (a) circular IKE/ICMPv6 traffic in normal IPsec use, and (b) if, and how, IPsec can be used to protect IPv6 control signalling.

My interpretation of the discussion in the meeting regarding the first issue was that there was a recognition of the problem from some of the implementors far enough to run into this. But there were question marks regarding how to document this, if a change in RFC 2401 etc. is needed.

The draft for the second issue mainly describes the problem, and documents some of the security implications. It also briefly mentioned possible ways to reduce configuration effort. My interpretation of the discussions was that some previous work had existed on this space, but people were not sure if any new solutions were needed for the ICMPv6 protection. The main discussion was on the solutions, not the problem.

Now, what should we do then?

The first issue looks like an existing problem in typical IPsec situations when IPv6 is used. It has an easy solution which most vendors with IPv6 IKE have adopted. I think we should document the issue and the solution, to ensure that future implementors don't have to reinvent the wheel, and more importantly, to ensure interoperability. I happen to believe in small RFCs and quick progress, so I'd rather see this documentation as a separate RFC rather than updated RFC 2401, which might take ages. Therefore, I'm proposing that the WG adopts the first draft as an official work item. (Also, I'd be very interested in testing this against other folks in the Espoo bakeoff the week after next week.)

Regarding the second issue, I'm even myself unsure if we need any new solutions, hence any development of possible configuration effort reductions is probably not warranted. However, here too we should perhaps document the issue. Shouldn't we then adopt also the second draft as a work item as well, but not add any more detail on possible solutions?

Jari

-----

Last meeting's minutes:

> IPSEC and IPV6
>
> 1. Jari Arkko presented the draft on Effects on ICMPv6 on IKE and
> IPsec Policies. This draft covers a problem with circular icmp
> traffic.
>
> 2. Jari Arkko also presented the draft on Manual SA Configuration for IPv6
> Link Local Messages. Analyzed of icmpv6 security implications. Table
> presented that showed control functions against weak and strong attackers
> at low and high levels. DoS for weak attackers under higher layer security;
> man in the middle, spying, and impersonation for all attackers under no
> higher layer security; identity selection in all situations, if stateful...
> He presented possible ways to reduce the configuration effort which was
> about twice the SAs as the number of nodes.
>
> Comments: Dan McDonald draft on link shared secret, presented in
> Adelaide to the v6 group and it could be dragged back up to help with
> the manual configuration.
>
> Steve Kent suggested that we need a more complete story in order to
> motivate people.
>
> We'll need more discussion on the mailing list to see how to proceed
> with both of these.

The drafts:

>Effects of ICMPv6 on IKE and IPsec Policies
>http://search.ietf.org/internet-drafts/draft-arkko-icmpv6-ike-effects-00.txt
>
>Manual SA Configuration for IPv6 Link Local Messages
>http://search.ietf.org/internet-drafts/draft-arkko-manual-icmpv6-sas-00.txt