[IPsec] My comments to draft-ietf-ipsecme-ike-tcp-01.txt
Tero Kivinen <kivinen@iki.fi> Thu, 20 December 2012 14:36 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FBB021F88C4 for <ipsec@ietfa.amsl.com>; Thu, 20 Dec 2012 06:36:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.448
X-Spam-Level:
X-Spam-Status: No, score=-102.448 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPMwoM4pui0V for <ipsec@ietfa.amsl.com>; Thu, 20 Dec 2012 06:36:41 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id C5F5921F88EA for <ipsec@ietf.org>; Thu, 20 Dec 2012 06:36:36 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id qBKEaYKC005973 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Thu, 20 Dec 2012 16:36:34 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id qBKEaYJD029772; Thu, 20 Dec 2012 16:36:34 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20691.8818.516025.394027@fireball.kivinen.iki.fi>
Date: Thu, 20 Dec 2012 16:36:34 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 8 min
X-Total-Time: 10 min
Subject: [IPsec] My comments to draft-ietf-ipsecme-ike-tcp-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2012 14:36:42 -0000
Ok, got finally to continue my IPsec work. Here are my comments to the draft (next is advpn, but not sure whether I will be able to read it before xmas): ---------------------------------------------------------------------- 1.1. Non-Goals of this Specification Firewall traversal is not a goal of this specification. If a Add (except when bypassing broken firewall dropping all framents) I think that is one of the goals. I.e. goal is not to bypass policy rules, goals is to fix brokeness caused by broken implementations not supporting fragments. ---------------------------------------------------------------------- 2.1. Initiator ... An initiator MUST accept responses sent over IKE within the same connection, but MUST also accept responses over other transports, if the request had been sent over them as well. What that "sent over IKE" is supposed to mean, TCP/UDP? Any protocol? ---------------------------------------------------------------------- 2.4. Receiver ... the same way as regular UDP messages. That includes retransmission detection, with one slight difference: if a retransmitted request is detected, the response is retransmitted as well, but using the current TCP connection rather than whatever other transport had been used for the original transmission of the request. What does this mean with MOBIKE. For example the UPDATE_SA_ADDRESSES notify assumes the address which should be used is taken from the current IP header (IP and port), but if the message is retransmitted over TCP this messes up things (port is different if there is NAT). Easiest way would say that such UPDATE_SA_ADDRESSES notification over TCP is replied, but ignored, i.e. it does not cause any actual MOBIKE change. We cannot really do the change, as we do not know the UDP port number in case the initiator sending UPDATE_SA_ADDRESSES is behind NAT. Also with MOBIKE that will disable the dynamic port update happening with normal IKEv2, so all UDP port changes only happen with UPDATE_SA_ADDESSES. Other option is to reply with UNACCEPTABLE_ADDRESSES error to all MOBIKE UPDATE_SA_ADDRESSES requests coming over TCP, in which case it is clear for sender of UPDATE_SA_ADDRESSES thta it failed, but it should also be clear for sender of the request that it retried it over TCP, so it should be able to ignore it in that case too.. Actually the whole behavior with the MOBIKE is missing. I.e. do we first try with UDP then with TCP, and if that fails, then try other IP addresses, or do we first try with all IP addresses with MOBIKE and then fall back to TCP. I think it should most likely try with TCP only if the packet we are trying to send is big i.e > 500 bytes, and if the packet we are trying to send is small then we should first try all possible IP addresses, and if that fails then go to TCP. If packet is big, we should first try with TCP over the current IP address, and if that does not work, then fall back to normal MOBIKE processing. ---------------------------------------------------------------------- 4. Security Considerations Most of the security considerations for IKE over TCP are the same as those for UDP as in RFC 5996. For the Responder, listening to TCP port 500 involves all the risks of maintaining any TCP server. Precautions against DoS attacks, such as SYN cookies are RECOMMENDED. see [RFC4987] for details. Actually TCP has much bigger buffering and state requirements than UDP, especially with the stateless cookies. Syn cookies are not only attack, any peer can open TCP session to the gateway and start sending 4GB IKE packet... Unless special checks of source IP is done then any host in the world can do the same. IKE header length field is 32 bits, so it might be good idea for implementations to limit this to something suitable... On the other hand one reason to use TCP would be able to transfer big certfificate chains or CRL lists, so the limit cannot be too small... -- kivinen@iki.fi
- [IPsec] My comments to draft-ietf-ipsecme-ike-tcp… Tero Kivinen