Re: [IPsec] Comments on draft-sathyanarayan-ipsecme-advpn-00
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 25 July 2013 22:22 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA6B521F8F4F for <ipsec@ietfa.amsl.com>; Thu, 25 Jul 2013 15:22:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.555
X-Spam-Level:
X-Spam-Status: No, score=-102.555 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iWLe7ETHmcMM for <ipsec@ietfa.amsl.com>; Thu, 25 Jul 2013 15:22:55 -0700 (PDT)
Received: from mail-ea0-x236.google.com (mail-ea0-x236.google.com [IPv6:2a00:1450:4013:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id DE6C921F8EC3 for <ipsec@ietf.org>; Thu, 25 Jul 2013 15:22:54 -0700 (PDT)
Received: by mail-ea0-f182.google.com with SMTP id o10so1221810eaj.13 for <ipsec@ietf.org>; Thu, 25 Jul 2013 15:22:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=VCWEMSb4IwsgyXgdMHQTnKQK38/jjiYN22T5hbp31B0=; b=0MmZc+QqW105G8TUaneoe6PhTpY6yH6HjEL2g9nBpQpoILh/+nOsmAgfI4TqKzBntz DJWshcy8X14ceoX0VWNu/sYyxU/QHCLiHCF81pOW6ypzHthtknrVvfM269onupJvQQgV 0CLHrnNk3TgubSdw4mciOwq0JbS1893t/C5/esK+wuAdfechOgB/WSx8/yCwEsjG4g5K mMQZNe/Kk4njTYhVswvYFKTJLvicI2Hx0XQJzsG1OBvS60UfC2TNmSETwPrR26R+HTps M+VMYUNfYVN2lVfDwv4WFMCuEyqzpq19hRX/WzvrtZW4897e0avZlGNtUcNjesTY4ZPP KeQg==
X-Received: by 10.14.223.5 with SMTP id u5mr36468249eep.131.1374790972395; Thu, 25 Jul 2013 15:22:52 -0700 (PDT)
Received: from [192.168.2.103] (dslb-094-222-009-225.pools.arcor-ip.net. [94.222.9.225]) by mx.google.com with ESMTPSA id j2sm103447eep.6.2013.07.25.15.22.47 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 25 Jul 2013 15:22:51 -0700 (PDT)
Message-ID: <51F16895.4050901@gmail.com>
Date: Thu, 25 Jul 2013 20:04:05 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <51E92CB7.9090108@gmail.com> <47554A2B-B80A-41B5-9866-4C3FA52F2EDB@checkpoint.com>
In-Reply-To: <47554A2B-B80A-41B5-9866-4C3FA52F2EDB@checkpoint.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Comments on draft-sathyanarayan-ipsecme-advpn-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2013 22:22:56 -0000
Hi Yoav, sorry for the delayed response, but hey, what's an airplane for? Please see below. Yaron On 2013-07-22 21:28, Yoav Nir wrote: > > On Jul 19, 2013, at 3:10 PM, Yaron Sheffer <yaronf.ietf@gmail.com > <mailto:yaronf.ietf@gmail.com>> wrote: > >> Hi, >> >> the comments below are focused on the protocol, rather than on its fit >> with our requirements. So in a sense I'm jumping the gun here. >> >> Summary >> >> First, the document is very well written, actually fun to read. It >> presents a relatively simple solution which I personally find >> advantageous, and seems to cover most of the associated issues. > > Thanks. > >> Where I suspect that we have a problem is in the policy definition, >> for cross-domain scenarios. I think the currently proposed solution is >> simplistic, and I realize that a fuller one could easily turn very >> complex. Specifically the peers in the current proposal simply compare >> the shortcut request with each peer's SPD for traffic to the >> *suggester*. Viewed architecturally, this seems to me like mixing the >> control and the data plane (you cannot have a suggester that's not a >> valid gateway with a valid SPD). Even if we decide this is a good >> thing, it might not work in weirder cases like overlapping IP networks. > > We'd be happy to hear about those weirder cases. In all cases that we > considered, traffic from A to C was flowing through B. B "introduces" A > to C so that the traffic can flow directly. The SHORTCUT doesn't come > out of the blue, but is a response to existing traffic. This is easy to > do when B is in the data path, and it also makes policy relatively > straightforward. If you trust certain traffic to go through B, you > should also trust that same traffic to go through some other party that > B delegated this traffic to (we don't use the word "delegate" in the > draft, but maybe we should). > > A non-GW suggester would have to receive real-time traffic reports from > B, and also be trusted by A and C to change their SPD. This is > believable within an administrative domain, but very much not so between > domains. This external suggester would also have to be capable of > bi-directional communications, as it receives data from B and sends data > to A and C. So all the NAT issues and firewall issues come up. We think > that adds a lot of complexity. Also, just because the shortcut messages > use the IKE syntax and the IKE keys, and are co-located with the > IKE/IPsec stack does not make this a mixture of control and data planes. > The shortcut messages are entirely control plane, while the IPsec > traffic that follows is entirely data plane. I agree this removes a whole lot of complexity. I'm just not convinced it's good enough for real-world use. The control/data thing is just an analogy: you need to be on the path in order to control it. > >> Details >> >> • Why send the notification to both peers? This creates a race >> condition, and the data is only informational anyway, i.e. trust may >> not be required. > > We assume that the peers don't know each other. So you have to supply > them with PAD entries. The shortcut to one peer tells it to be an > initiator while the other is told to be a responder. To avoid the race, > all you have to do is to first tell the responder, and only when it ACKs > do you tell the initiator. So let's mandate this order. > >> • Suggester not a good word. Do we have a better one? Supplicant :-) ? > > Supplicant is taken (thank $DEITY). Until a week before we submitted the > draft, we called it a "shortcut starter", but we kept confusing > "starter" with "initiator" so we changed the term. delegator? cut-shorter? > "Manager" (half-smile)? Never mind. >> • Why send the VID in IKE_AUTH and not in IKE_SA_INIT? > > Agree. > >> • The VID (if at all used) should be temporary, until the RFC is >> published. OTOH I suggest to have a "supported" notification defined >> immediately, otherwise we cannot add it later. > > The VID is only to facilitate testing, and is actually required for > using private-space notifies. Of course, this will be replaced by a > "support" notification before this document advances. > >> • Notification of shortcut success can take 10 sec. Is it still useful? > > The success or failure notifications have little value for the suggester > anyway. They are very useful for logging. If the administrator can look > at a log and see that all shortcuts suggested with gateway E failed but > traffic still flowed between the center gateway and E, then something is > weird about the E's attachment to the network, and this should be > checked and perhaps fixed. > >> • Why are the traffic selectors for the shortcut related to the TS >> between the suggester and the two peers? This precludes the case that >> the suggester is an off-line "controller", which does not see the >> actual traffic. > > If it doesn't see the traffic the only thing it can do is try to create > a mesh. We don't think that's useful in large configurations. > >> • 3.4: the Critical bit is in fact set. > > Why? The Notify payload is defined in 5996 and all payloads defined > there have their critical bit unset. Of course. Sorry. > >> • 3.4: should not use a private value in the draft. I suggest to have >> a TBD here, and to mention in the IANA Considerations section that the >> value currently being used is this one. > > OK. > >> • These are not "IPv4" or "DNS" shortcuts. The IPv4 and DNS are just >> fields in the shortcut definition, and do not make any difference to >> the shortcut's behavior. I would suggest to have a single type of >> shortcut, and to use a third ID-like field for the address of the >> target of the shortcut. You did not comment on this point. Please consider a rearrangement of the various shortcuts. >> • Validity of the PSK: is it valid for the entire duration set by the >> suggester? Must it be deleted thereafter? Note that the PSK may be >> reused if the peers tear down the IKE SA or it is disconnected. > > We should probably fix the language there. But the PSK is valid as long > as the timeout in the SHORTCUT regardless of how many times the the IKE > SA has been torn down and set up again. If a second SHORTCUT is set up > with the same peer, the new PSK replaces the old PSK and sets the timer > if the identifiers are the same, but it does not cause existing SAs to > be torn down. This all should be noted in the draft. > >> • 3.4.1: Sending the IDr (by the initiator) is not normally mandatory >> in IKEv2. I think here it should be. > > Good idea. > >> • 3.4.2: why does the IPv6 Address field appear 4 times in the diagram? > > Because it takes 4 32-bit rows? > >> • 3.4.3: 12 octets -> 2 octets > > Right > >> • 3.4.3: the recommendation at the end of the section is strange: why >> is it tied to certificate authentication? A peer presents its ID when >> authenticating with a PSK, too. > > Yes, there's something missing there. I think it was supposed to be a > suggestion that the *certificate* have the same FQDN, similar to HTTPS. But then again, we don't do that in IKE (though maybe we should have). > >> • Response Shortcut: I would prefer a separate Shortcut-Response >> notification, since this is not a real shortcut of course. Moreover, >> rather than matching a large number of strings, it's much more >> convenient to tag each shortcut suggestion with an ID, and include >> this ID in the response. > > Good idea. That will also allow us to have a SHORTCUT delete message if > for example, the responder agreed to the shortcut, but the initiator > refused. > >> • 3.5.2: the last sentence (to do with timeouts) is unclear. > > s/shortcut partner to the timeout/shortcut partner prior to the timeout/ > >> • 3.5.3: why are shortcuts a "service" that can be disabled? What is >> the benefit? > > With AD-VPN the behavior of the gateways is less predictable. It is far > easier to trouble-shoot why traffic is not getting to the other side if > the SPD is fixed. Also, using AD-VPN makes you dependent on correct > implementation of AD-VPN in gateways you have never heard of. Disabling > AD-VPN might fix the issue. OK, but is there a useful difference between a gateway where AD-VPN was disabled and one that doesn't support it? Eventually the gateway operators need to talk to one another :-) > >> • 3.5.5: typo: UNMATCHED_SHORTCUT)_SPD >> • 3.5.5: the SPD lookup applies to additional things, not only to IP >> address. > > Yes, I guess it is the traffic selectors that matter here. > >> • 3.5: If as an Initiator/Responder I don't like the suggestion that I >> have received, but I don't want to leak details of my security policy, >> is there a generic error I can use? > > Not currently, but wouldn't a new generic error signal just that? Yes and no. There are two quite specific responses, unmatched PAD and unmatched SPD. I would have liked a "Shortcut Refused", too. > >> Thanks, >> Yaron >> >
- [IPsec] Comments on draft-sathyanarayan-ipsecme-a… Yaron Sheffer
- Re: [IPsec] Comments on draft-sathyanarayan-ipsec… Yoav Nir
- [IPsec] Some comments on draft-sathyanarayan-ipse… Valery Smyslov
- Re: [IPsec] Comments on draft-sathyanarayan-ipsec… Yaron Sheffer
- Re: [IPsec] Comments on draft-sathyanarayan-ipsec… Yoav Nir
- Re: [IPsec] Some comments on draft-sathyanarayan-… Praveen Sathyanarayan