[IPsec] My comments to draft-ietf-ipsecme-ike-tcp-01.txt

Tero Kivinen <kivinen@iki.fi> Thu, 20 December 2012 14:36 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FBB021F88C4 for <ipsec@ietfa.amsl.com>; Thu, 20 Dec 2012 06:36:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.448
X-Spam-Level:
X-Spam-Status: No, score=-102.448 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPMwoM4pui0V for <ipsec@ietfa.amsl.com>; Thu, 20 Dec 2012 06:36:41 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id C5F5921F88EA for <ipsec@ietf.org>; Thu, 20 Dec 2012 06:36:36 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id qBKEaYKC005973 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Thu, 20 Dec 2012 16:36:34 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id qBKEaYJD029772; Thu, 20 Dec 2012 16:36:34 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20691.8818.516025.394027@fireball.kivinen.iki.fi>
Date: Thu, 20 Dec 2012 16:36:34 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 8 min
X-Total-Time: 10 min
Subject: [IPsec] My comments to draft-ietf-ipsecme-ike-tcp-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2012 14:36:42 -0000

Ok, got finally to continue my IPsec work. Here are my comments to the
draft (next is advpn, but not sure whether I will be able to read it
before xmas):

----------------------------------------------------------------------
1.1.  Non-Goals of this Specification

   Firewall traversal is not a goal of this specification.  If a


Add

	(except when bypassing broken firewall dropping all framents)

I think that is one of the goals. I.e. goal is not to bypass policy
rules, goals is to fix brokeness caused by broken implementations not
supporting fragments.

----------------------------------------------------------------------
2.1.  Initiator
...
   An initiator MUST accept responses sent over IKE within the same
   connection, but MUST also accept responses over other transports, if
   the request had been sent over them as well.

What that "sent over IKE" is supposed to mean, TCP/UDP? Any protocol?
----------------------------------------------------------------------
2.4.  Receiver
...
   the same way as regular UDP messages.  That includes retransmission
   detection, with one slight difference: if a retransmitted request is
   detected, the response is retransmitted as well, but using the
   current TCP connection rather than whatever other transport had been
   used for the original transmission of the request.

What does this mean with MOBIKE. For example the UPDATE_SA_ADDRESSES
notify assumes the address which should be used is taken from the
current IP header (IP and port), but if the message is retransmitted
over TCP this messes up things (port is different if there is NAT).
Easiest way would say that such UPDATE_SA_ADDRESSES notification over
TCP is replied, but ignored, i.e. it does not cause any actual MOBIKE
change. We cannot really do the change, as we do not know the UDP port
number in case the initiator sending UPDATE_SA_ADDRESSES is behind
NAT. Also with MOBIKE that will disable the dynamic port update
happening with normal IKEv2, so all UDP port changes only happen with
UPDATE_SA_ADDESSES.

Other option is to reply with UNACCEPTABLE_ADDRESSES error to all
MOBIKE UPDATE_SA_ADDRESSES requests coming over TCP, in which case it
is clear for sender of UPDATE_SA_ADDRESSES thta it failed, but it
should also be clear for sender of the request that it retried it over
TCP, so it should be able to ignore it in that case too..

Actually the whole behavior with the MOBIKE is missing. I.e. do we
first try with UDP then with TCP, and if that fails, then try other IP
addresses, or do we first try with all IP addresses with MOBIKE and
then fall back to TCP.

I think it should most likely try with TCP only if the packet we are
trying to send is big i.e > 500 bytes, and if the packet we are trying
to send is small then we should first try all possible IP addresses,
and if that fails then go to TCP.

If packet is big, we should first try with TCP over the current IP
address, and if that does not work, then fall back to normal MOBIKE
processing. 

----------------------------------------------------------------------
4.  Security Considerations

   Most of the security considerations for IKE over TCP are the same as
   those for UDP as in RFC 5996.

   For the Responder, listening to TCP port 500 involves all the risks
   of maintaining any TCP server.  Precautions against DoS attacks, such
   as SYN cookies are RECOMMENDED. see [RFC4987] for details.
   
Actually TCP has much bigger buffering and state requirements than
UDP, especially with the stateless cookies. Syn cookies are not only
attack, any peer can open TCP session to the gateway and start sending
4GB IKE packet... Unless special checks of source IP is done then any
host in the world can do the same.

IKE header length field is 32 bits, so it might be good idea for
implementations to limit this to something suitable... On the other
hand one reason to use TCP would be able to transfer big certfificate
chains or CRL lists, so the limit cannot be too small...
-- 
kivinen@iki.fi