Re: [mif] draft-mglt-mif-security-requirements-01
Daniel Migault <mglt.ietf@gmail.com> Thu, 05 April 2012 18:02 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEBDF21F85DA for <mif@ietfa.amsl.com>; Thu, 5 Apr 2012 11:02:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w14Rx3g14sjZ for <mif@ietfa.amsl.com>; Thu, 5 Apr 2012 11:02:17 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id CDF5521F85D8 for <mif@ietf.org>; Thu, 5 Apr 2012 11:02:16 -0700 (PDT)
Received: by iazz13 with SMTP id z13so2510916iaz.31 for <mif@ietf.org>; Thu, 05 Apr 2012 11:02:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=yn8YmjKX98yd0+PA6184bur5BVk+8MvKorRN55BNEK8=; b=WJ33AgBaQgk1/4SzUXHrVzi46Kxu7a/QHjlawbE2kA2zx9opy1x5btd+tRYUrycx9S 5DxgoYtvdC0yzvaERjovcXjGAiR68jpUVbHV5La9K2We8cKLa36hNUxjcZDfLgJ+6ONJ h+tWLDE2Ua9Yv6NPV1/uiuIPdFEDcGEOOXotBus50Yi9lxfEZEFZGDEH63FqR3DTRu6T Ajhcie434njBDcEItFGsLlJ9ifbFo0Dgoqlgi4i83+mNH+uq2GXyladeCj+efmQ9Ey6b B1f5Cm84kcNFOLo341iJx5tBV0aZoilG2tFHzWe/kawPdzUsGHlaKi2i6w2Vmn9WHCAu LJnQ==
MIME-Version: 1.0
Received: by 10.50.45.228 with SMTP id q4mr3351009igm.58.1333648936257; Thu, 05 Apr 2012 11:02:16 -0700 (PDT)
Received: by 10.231.170.138 with HTTP; Thu, 5 Apr 2012 11:02:16 -0700 (PDT)
In-Reply-To: <154773479ED2314980CB638A48FC4434893D3C1A@USNAVSXCHMBSA2.ndc.alcatel-lucent.com>
References: <154773479ED2314980CB638A48FC4434893D3BCA@USNAVSXCHMBSA2.ndc.alcatel-lucent.com> <CADZyTk=n8pBSuB1duJshmJXf=h-mPvapK3T_=PAtCwqMvOqLwg@mail.gmail.com> <154773479ED2314980CB638A48FC4434893D3C1A@USNAVSXCHMBSA2.ndc.alcatel-lucent.com>
Date: Thu, 05 Apr 2012 20:02:16 +0200
Message-ID: <CADZyTkm5-sOPEDDs4uuaa+hvagrhX1h0EagG=QO8kV6xM=FBAg@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: "Hampel, K Georg (K Georg)" <georg.hampel@alcatel-lucent.com>
Content-Type: multipart/alternative; boundary="14dae934064519c8d204bcf25742"
Cc: "mif@ietf.org" <mif@ietf.org>
Subject: Re: [mif] draft-mglt-mif-security-requirements-01
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2012 18:02:18 -0000
Exactly. There are actually two possible scenarios:
- Scenario 1 where the MIF-Node initiates for each Interface an
IKEv2 exchange to establish an IKEv2 channel and then configure the SA.
- Scenario 2 where the MIF-Node re-use the already IKEv2 channel to
create the new SAs for each Interface with a CREATE_CHILD_SA exchange.
The proposed solution takes advantage of previously existing SA and SP.
When an update is required, we only update the required field, and when a
new SA or SP needs to be created, we take advantage of the existing
context. Note that when a new SP need to be created, we have to check first
they match the general Security Policies of the System.
I will clarify this in the next version of the draft thanks for the comment.
Here are some more details about the mentioned scenarios:
Note that Scenario1 MUST be considered since IKEv2 [RFC5996] mentions in
section1.3 an implementation MAY refuse all CREATE_CHILD_SA request within
an IKE_SA"
A) Scenario 1: For each Interface the MIF-Node performs an IKEv2 exchange
to negotiate the SA.
This requires at least a four message exchange which includes an
authentication. For example, using EAP-SIM [RFC4186] adds 7 exchanges and
using EAP-AKA [RFC4187] adds 5 exchanges. This method is not convenient
because it adds latencies, it results in creatings SA + IKE_SA for each
interface, add computations by generating the keys and DH exchange for each
Interface.
B) Scenario 2: For each Interface the MIF-Node performs an CREATE_CHILD_SA
This requires a two message exchange described in [RFC5996] section 1.3.1.
This exchange requires multiple Notify Payloads like SA (SA Proposal), Ni
(the Nonce) and Tsi Tr, (the Traffic Selectors). This is still better than
scenario 1, but (1) it does not take advantage of the previously negotiated
SA and its keying material, (2) Payloads are quite large which adds
latencies, slows the IPsec configuration. This affects the SCTP/ MPTCP
connectivity because packets are DISCARDed during this time. In additon,
the IPsec Anti-replay Windows is quite small and may increase the number of
rejected IP packets.
On Thu, Apr 5, 2012 at 4:46 PM, Hampel, K Georg (K Georg) <
georg.hampel@alcatel-lucent.com> wrote:
> Daniel,****
>
> ** **
>
> In principle, the same could be accomplished via separate SA on each path,
> even if the paths pertain to the same SCTP or MPTCP connection. Correct?
> This obviously adds cost to SA establishment.****
>
> ** **
>
> Georg****
>
> ** **
> ------------------------------
>
> *From:* Daniel Migault [mailto:mglt.ietf@gmail.com]
> *Sent:* Thursday, April 05, 2012 10:29 AM
> *To:* Hampel, K Georg (K Georg)
> *Cc:* mif@ietf.org
> *Subject:* Re: [mif] draft-mglt-mif-security-requirements-01****
>
> ** **
>
> That's correct. It provides IPsec the Multiple Interfaces features of SCTP
> or MPTCP. The goal is that MIF Nodes can deal with IPsec protected
> communications.
>
>
> BR
> Daniel****
>
> On Thu, Apr 5, 2012 at 4:04 PM, Hampel, K Georg (K Georg) <
> georg.hampel@alcatel-lucent.com> wrote:****
>
> Daniel, all,****
>
> ****
>
> I read draft-mglt-mif-security-requirements-01. ****
>
> ****
>
> Just to make sure I got the essence: The draft proposes to extend
> IPsec/MobIKE so that a multihomed host can simultaneously sustain multiple
> paths to the same security gateway or app server using the *same* SA.
> MobIKE would have to be upgraded to dynamically add/delete such paths.****
>
> ****
>
> Purpose: Such an extension would avoid the need to establish separate SAs
> for each path.****
>
> ****
>
> Is that correct?****
>
> ****
>
> ****
>
> Regards,****
>
> Georg****
>
> ****
>
> ****
>
>
> _______________________________________________
> mif mailing list
> mif@ietf.org
> https://www.ietf.org/mailman/listinfo/mif****
>
>
>
>
> --
> Daniel Migault
> Orange Labs -- Security
> +33 6 70 72 69 58****
>
--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
- Re: [mif] draft-mglt-mif-security-requirements-01 Hampel, K Georg (K Georg)
- [mif] draft-mglt-mif-security-requirements-01 Hampel, K Georg (K Georg)
- Re: [mif] draft-mglt-mif-security-requirements-01 Daniel Migault
- Re: [mif] draft-mglt-mif-security-requirements-01 Daniel Migault