[IPsec] Closing #25
Tero Kivinen <kivinen@iki.fi> Tue, 01 December 2009 13:55 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AA7713A6808 for <ipsec@core3.amsl.com>; Tue, 1 Dec 2009 05:55:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level:
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MEifh+o4Wu16 for <ipsec@core3.amsl.com>; Tue, 1 Dec 2009 05:55:06 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 106983A6783 for <ipsec@ietf.org>; Tue, 1 Dec 2009 05:55:05 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nB1DspYL023226 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 1 Dec 2009 15:54:51 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nB1DsoGw023366; Tue, 1 Dec 2009 15:54:50 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19221.8234.750024.497905@fireball.kivinen.iki.fi>
Date: Tue, 01 Dec 2009 15:54:50 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p06240849c730e28d02c4@[10.20.30.158]>
References: <p06240849c7039304f1d1@[10.20.30.158]> <349076FF-487D-4B6C-91EB-1E845B2303F6@checkpoint.com> <p06240849c730e28d02c4@[10.20.30.158]>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 23 min
X-Total-Time: 24 min
Cc: IPsecme WG <ipsec@ietf.org>, Yoav Nir <ynir@checkpoint.com>
Subject: [IPsec] Closing #25
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 13:55:07 -0000
Paul Hoffman writes:
> At 9:46 AM +0200 10/21/09, Yoav Nir wrote:
> > A few lines above this section it already says "If the responder's
> > policy allows it to accept the first selector of TSi and TSr, then
> > the responder MUST narrow the traffic selectors to a subset that
> > includes the initiator's first choices."
> >
> > So there is a MUST requirement to select the initiator's first
> > choice (if possible), so I don't think the SHOULD and MAY are
> > appropriate here. The way I read this section, it only clarifies
> > what to do if the initiator traffic selector (first or not) is too
> > broad. In that case, we shouldn't mention the initiator's choices.
> >
> >On Oct 20, 2009, at 6:19 PM, Paul Hoffman wrote:
> >
> >>Issue #25, Choice of the right TS when narrowing
> ><snip/>
> >>Proposed change:
> >> When narrowing is done, there may be several subsets that are
> >> acceptable but their union is not. In this case, the responder
> >> SHOULD select the initiator's first choice (to be interoperable
> >> with RFC 4306), but MAY arbitrarily select any of them,
> >> and MAY include an
> >> ADDITIONAL_TS_POSSIBLE notification in the response.
>
> God call. I have closed #25 without making any change.
There is one problem with the current text for this traffic selector
negotiation.
If the initiator has policy that says (I only use one end of traffic
selectors as that is enough for this example):
192.0.2.0 - 192.0.2.255 PROTECT
and responder has policy that says:
192.0.2.128 - 192.0.2.255 PROTECT
Now when initiator gets packet form the network that has address of
192.0.2.5, it will match its policy and it will start creating new IKE
SA and Child SA. It sends traffic selectors having content of:
TS(TCP:80-80, 192.0.2.5 - 192.0.2.5)
TS(0:0-65535, 192.0.2.0 - 192.0.2.255)
The responder will see those and starts following the rules in the
section 2.9.
----------------------------------------------------------------------
The responder performs the narrowing as follows:
o If the responder's policy does not allow it to accept any part of
the proposed traffic selectors, it responds with TS_UNACCEPTABLE.
o If the responder's policy allows the entire set of traffic covered
by TSi and TSr, no narrowing is necessary, and the responder can
return the same TSi and TSr values.
o If the responder's policy allows it to accept the first selector
of TSi and TSr, then the responder MUST narrow the traffic
selectors to a subset that includes the initiator's first choices.
In this example above, the responder might respond with TSi being
(192.0.1.43 - 192.0.1.43) with all ports and IP protocols.
o If the responder's policy does not allow it to accept the first
selector of TSi and TSr, the responder narrows to an acceptable
subset of TSi and TSr.
----------------------------------------------------------------------
1) The responder's policy do allow some part of the traffic selectors,
so it does not send TS_UNACCEPTABLE.
2) Responder's policy does not allow entire set of traffic, so it
cannot return full set.
3) Responder's policy does not allow first traffic selector, so it
cannot narrow it down to that.
4) So it gets to this last rule and narrows traffic selectors down to
acceptable subset of initiators set, i.e resulting traffic selector
will be:
TS(0:0-65535, 192.0.2.128 - 192.0.2.255)
Now when initiator gets this it installs the Child SA as normally. The
created SA is useless for triggering packet, so it cannot send the
packet over that SA, and most likely it will throw that packet away.
When the next packet coming having same address comes in, it most
likely triggers new child SA exchange with same results. After a few
hundred packets the initiator and responder have 100 overlapping Child
SAs which all are completely useless for any traffic.
Responder cannot do anything, as it is completely valid to create
multiple overlapping Child SAs, as this is required for the QoS.
Initiator might try to do something smart and for example disable the
trigger rule for next n minutes when it started creating Child SA, so
it will not trigger again, but at some point it do want to enable the
trigger again, just in case the other end has fixed its configuration.
All of this is caused because of the final rule saying:
o If the responder's policy does not allow it to accept the first
selector of TSi and TSr, the responder narrows to an acceptable
subset of TSi and TSr.
If that would not be there, then the responder would return
TS_UNACCEPTABLE to the initiators Child SA create exchange, which
would prevent creating extra Child SAs. This final rule is NOT in the
RFC4306 in triggering packet case, it was only there in case there was
no triggering packet (of course there is no text explaining how do you
know if the first traffic selector is triggering packet or not).
I suggest that we add text explaining what it means when there is
triggering packet and modify the last rule to be:
o If the initiator's first TSi and TSr are not from triggering
packet (i.e. they are ranges), then if the responder's policy
does not allow it to accept the first selector of TSi and TSr,
the responder narrows to an acceptable subset of TSi and TSr.
And the text to explain what triggering packet is should be added
before paragraph above:
To enable the responder to choose the appropriate range in this
case, if the initiator has requested the SA due to a data packet,
the initiator SHOULD include as the first traffic selector in each
of TSi and TSr a very specific traffic selector including the
addresses in the packet triggering the request. This kind of
triggering packet can be detected because it exactly match one IP
address, protocol and port. In the example, the initiator would
include in TSi two traffic selectors: the first containing the
address range (192.0.1.43 - 192.0.1.43) and the source port and IP
protocol from the packet and the second containing (192.0.1.0 -
192.0.1.255) with all ports and IP protocols. The initiator would
similarly include two traffic selectors in TSr. If the initiator
creates the Child SA pair not in response to an arriving packet,
but rather, say, upon startup, then there may be no specific
addresses the initiator prefers for the initial tunnel over any
other. In that case, the first values in TSi and TSr will be ranges
rather than specific values.
(Added text "This kind of triggering packet can be detected because it
exactly match one IP address, protocol and port." in the middle, and
changed the final "can be ranges" to "will be ranges".
--
kivinen@iki.fi
- [IPsec] Closing the IKEv2bis open issues Paul Hoffman
- Re: [IPsec] Closing the IKEv2bis open issues Yoav Nir
- Re: [IPsec] Closing the IKEv2bis open issues Paul Hoffman
- Re: [IPsec] Closing the IKEv2bis open issues Keith Welter
- [IPsec] Finishing #22 (was: Re: Closing the IKEv2… Paul Hoffman
- [IPsec] Closing #25 Paul Hoffman
- [IPsec] Closing #25 Paul Hoffman
- [IPsec] Closing #22 (was: RE: Closing #25) Yaron Sheffer
- Re: [IPsec] Closing #22 (was: RE: Closing #25) Paul Hoffman
- [IPsec] Closing #25 Tero Kivinen