Re: [IPsec] Comments for draft-ietf-ipsecme-labeled-ipsec-04
Valery Smyslov <smyslov.ietf@gmail.com> Thu, 21 January 2021 12:46 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66E1A3A09F5 for <ipsec@ietfa.amsl.com>; Thu, 21 Jan 2021 04:46:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IkSBvKfOsZCD for <ipsec@ietfa.amsl.com>; Thu, 21 Jan 2021 04:46:24 -0800 (PST)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9D233A09EA for <ipsec@ietf.org>; Thu, 21 Jan 2021 04:46:23 -0800 (PST)
Received: by mail-ed1-x52b.google.com with SMTP id s11so2302555edd.5 for <ipsec@ietf.org>; Thu, 21 Jan 2021 04:46:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=Sa1C/jjSc04/78Lpr0YjrF0545mD+rUxrjNU2EOXbe8=; b=DhdgFu6mx1V5SHJIzh/X9LHyxVu6QS/QA8iOAIklVQd8KkZGb0R8nKG/VejvyBAAbS sN7Xstdy46JdCf91Nz9Xk38tXM47pwmpctbxucPdj58zaWPa79GZZWZEXFdMxIHrKt2f uiS8CsrigPPACyipF/gMbu0Fc90/4KOATLp5YVb7R2QdXq3BEyKVQ82++rcpZPpA1h6L YmAML4WLul0ONffBV7FrLM4oTUh22CG9rcTV3qzuRrebGIOz5IIf3Qd0cl5FY/taP7uy qr3nuw7lfBeWGqgV/Hez/1oCC98AABD+7u7ntuvh6LeeqKkXojVRSCN+3TJqyMkemADe ZjoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=Sa1C/jjSc04/78Lpr0YjrF0545mD+rUxrjNU2EOXbe8=; b=DlYS+Wyn5Aj0KTJ9hD5qfDbTj7vFnLrV5hx6oCGU/FeWtGgvxbjU+IxmkoJ2UmiXgX T13kFaS3y34wQVSkhHtWiGAzvkw2StGioj+gd7JI7I4Ovbrtr9PRhszq9QCSyia58GQ1 TqfcqMxDFeMNELn2ynav/KUISDXU7nrL7auaf5EUjaRxaAvKgIIOIHs8iVXImmDODWlk dfxliBxdAgB47poYuJ/XAvONfWOpUcmq7eYhuo7iBXwXmvC6Jc6zYDCsEETymEVF+dGl S2hl/cerpwlVcCyIt+kga3aKhB5iqdupAOhOn7zqdxZEz6/oD0jLE0r0cgh2KSkbfCrI JfTw==
X-Gm-Message-State: AOAM532U3l7Z05UPtJobmgPMr+OZg7gQxVn1ra6HtNnJIEUlg4UuRSy6 SdrFzVTlMFAK/9MOAGoOlhnTIa7SfjI=
X-Google-Smtp-Source: ABdhPJzw5Noskm/EuyribzicWK8QB5dBw+Gx3uXGVYOmBtUxbwE5+Kfzsv5Y3+U819SIqqWl3H5fOA==
X-Received: by 2002:a05:6402:50c6:: with SMTP id h6mr10924854edb.117.1611233181581; Thu, 21 Jan 2021 04:46:21 -0800 (PST)
Received: from buildpc ([93.188.44.203]) by smtp.gmail.com with ESMTPSA id re19sm2126050ejb.111.2021.01.21.04.46.20 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Jan 2021 04:46:20 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>
Cc: 'IPsecME WG' <ipsec@ietf.org>, 'Sahana Prasad' <sahana.prasad07@gmail.com>
References: <03e801d6ef2d$88820f00$99862d00$@gmail.com> <da8f5de-d64d-595c-74bc-9f486b7161e@nohats.ca>
In-Reply-To: <da8f5de-d64d-595c-74bc-9f486b7161e@nohats.ca>
Date: Thu, 21 Jan 2021 15:46:24 +0300
Message-ID: <055901d6eff3$6ddf7220$499e5660$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGBSOOV+wJ6j63zYWXgPX4dM31iBwISkvkYqsyruwA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/r9RXPhygFfhlUyIRYYp5P6P85xM>
Subject: Re: [IPsec] Comments for draft-ietf-ipsecme-labeled-ipsec-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2021 12:46:25 -0000
Hi Paul,
> > First, it's not clear for me why zero length TS_SECLABLE is prohibited.
> > The draft currently says
> >
> > A zero length Security Label MUST NOT be used. If a received TS
> > payload contains a TS_TYPE of TS_SECLABEL with a zero length Security
> > Label, that specific Traffic Selector MUST be ignored.
> >
> > I wonder what's rational behind this restriction. From my point of view
> > zero length TS_SECLABLE can be used to express that using Security Labels
> > is optional. I.e. initiator can include zero length TS_SECLABEL Traffic Selector
> > along with other TS_SECLABEL Traffic Selectors to indicate that responder
> > is free to not use security labels for the SA.
>
> We did discuss this earier in the WG. There is no use case of "optional"
> security labels. You either insist on these, or you don't use these.
Well, it contradicts what draft says (Section 2.2):
If the Security Label traffic selector is optional from a
configuration point of view, the initiator will have to choose which
TS payload to attempt first. If it includes the Security Label and
receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation
without that Security Label.
So you do allow security label to be optional, but negotiate its usage this
with most complex and ineffective way. It's very strange.
> Implementing "optional" ones by using a zero length label is asking for
> implementation problems. Especially when people consider these labels
> as strings and run strlen() on the empty (but NULL terminated string)
> and interpret that as wildcard.
Well, people will consider meaning of the security labels in accordance
to what is written in the draft. If we try to envision every possible mis-reading
of the documents we'd better not to start writing them...
And BTW zero length means that there are no any content, including NULL terminator :-)
> Since there is no use case, and significant implementation danger, the
> document makes an explicit case to reject these. Our implementation
> will return TS_UNAVAILABLE if it encounters any zero length TS_SECLABEL.
No, the document does allow optional security labels, see above.
> > Currently draft suggests
> > the initiator to perform several attempts to establish IPsec SA
> > with and without TS_SECLABEL Traffic Selectors in such situation,
> > which is more complicated and less efficient. Am I missing something?
>
> It was what the WG preferred to do. The reasoning was that labels are
> surely very much preconfigured and connections will not be migrated
> from "no security" to "security label" where the operator wants to
> operate insecurely first. That is, opportunistic security labels is
> not a thing.
>
> The case you describe is very unlikely. Either the endpoints wants a
> label or doesn't want one. optional security is not security.
Then why text in 2.2 allows the initiator to choose between using them
and omitting them? Isn't it exactly what you just described as "not security"?
> > Another my concern is that draft allows security labels to differ
> > in TSi and TSr without giving any possible semantic interpretation for this.
>
> Correct. But the label is clearly defines as opaque to the IKE layer.
> The IKE layer should not be making any kindds of assumptions or
> interpretations, but just relay this to the underlying label security
> consumer (eg in our case the LSM of SElinux). Note that our
> implementation only supports symmetrical labels so far, because
> that is how SElinux labeling works. But the protocol can accept
> other methods.
I still prefer _some_ words to be added about _possible_
semantics when seclabels are different in TSi and TSr.
> > This looks weird. I think that at least some possible interpretation
> > of such situation must be given, e.g. TS_SECLABEL in TSi is used
> > for traffic from initiator to responder and TS_SECLABEL in TSr
> > is used for the return traffic. In this case it is clear that
> > they can differ in some situations.
>
> I'm not sure why this is not clear? TSi and TSr entries apply to
> one direction. TS_SECLABEL does not change that.
It's unclear what this case could mean:
TSi = ((0,0,198.51.0-198.51.255),
TS_SECLABEL1)
TSr = (((0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL2)
It's true that IKE doesn't interpret seclabels, but it usually
does some sanity checks and as implementer I'm not sure whether
this is allowed (what does it mean?) or not.
> > And the last (but not the least). It seems to me that Section 3
> > (which aims to update Section 2.9 of RFC 7296) oversimplifies
> > the negotiation process.
>
> Again, we followed the consensus of the group here.
>
> > In particular, the sentence
> >
> > A responder MUST create its TS response by selecting one of each
> > TS_TYPE present in the offered TS by the initiator.
> >
> > is inaccurate in my opinion, since it implies (as I read it) that responder can pick
> > exactly one traffic selector of each TS_TYPE and can only return it unmodified.
>
> How about this clarification:
>
> A responder MUST create its TS response by selecting at least
> one of each TS Type. One exception is that a responder MAY omit
> a TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE as long as at least
> one TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE is selected.
> Furthermore, a narrowed TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE content
> set MAY be selected.
Much better, thank you. For best clarity I would have added a sentence that this draft
doesn't change a logic described in Section 2.9 of RFC 7296 for
types TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE, it only
defines additional rules for how TS_SECLABEL traffic selectors are negotiated.
Regards,
Valery.
> Note that this is mentioned already in section 1.2:
>
> A Traffic Selector payload (TS) is a set of one or more Traffic
> Selectors of the same or different TS_TYPEs, but MUST include at
> least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.
>
> If you prefer other text, please provide your suggestion.
>
> Paul
- [IPsec] Comments for draft-ietf-ipsecme-labeled-i… Valery Smyslov
- Re: [IPsec] Comments for draft-ietf-ipsecme-label… Paul Wouters
- Re: [IPsec] Comments for draft-ietf-ipsecme-label… Valery Smyslov
- Re: [IPsec] Comments for draft-ietf-ipsecme-label… Paul Wouters
- Re: [IPsec] Comments for draft-ietf-ipsecme-label… Valery Smyslov