IETF Logo Mail Archive

Re: [OPSEC] Prospective issue with IPsec ESP-NULL & IGP packets

"Vishwas Manral" <vishwas.ietf@gmail.com> Wed, 17 December 2008 16:14 UTC

Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 01CC23A6B16; Wed, 17 Dec 2008 08:14:34 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6B9963A6B16 for <opsec@core3.amsl.com>; Wed, 17 Dec 2008 08:14:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LS-VpVLsbmpv for <opsec@core3.amsl.com>; Wed, 17 Dec 2008 08:14:32 -0800 (PST)
Received: from mail-bw0-f21.google.com (mail-bw0-f21.google.com [209.85.218.21]) by core3.amsl.com (Postfix) with ESMTP id 19B883A683D for <opsec@ietf.org>; Wed, 17 Dec 2008 08:14:31 -0800 (PST)
Received: by bwz14 with SMTP id 14so5816341bwz.13 for <opsec@ietf.org>; Wed, 17 Dec 2008 08:14:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=vEJCuEdj1aP6SS6DqafweVpv6TQdlxWxszx0BiToQBw=; b=HhnVNNVNEe1wmZ2oU/9eKbaY4mjeI06/M+QpdUkJRJjbJoVaoWNSJV187dC5MxtscN OkDDgx5TsufOVq6TkPurXBRdPqPx5BiYnxEh0YT/VY/7LI0fO1h2aRpPVNuCTmOvexlS K2KV2byPDi2s7knjO+9k5uEPf5zm6uaQSDLhU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=GMVGmubWJIwGBaSUjMiFRxYtHLYiClmHESsh2ESFWYoeJwADyD7yADX1Ou6XLwKRUz 07jbbnBY4bY5873i6toZmcnL8fMgQIB/tjN9b/OiQIIPddALyVkv5EQsAxTHShTej2F5 cm524qlGSeBZtmmYs6VR0loXpoPeazrNaI+pc=
Received: by 10.181.10.7 with SMTP id n7mr301730bki.50.1229530463853; Wed, 17 Dec 2008 08:14:23 -0800 (PST)
Received: by 10.181.31.13 with HTTP; Wed, 17 Dec 2008 08:14:23 -0800 (PST)
Message-ID: <77ead0ec0812170814j3c34ea6aof7df345adfeee56f@mail.gmail.com>
Date: Wed, 17 Dec 2008 08:14:23 -0800
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: R Atkinson <ran.atkinson@gmail.com>
In-Reply-To: <596A619D-6D7B-421E-A43C-47AD1762093F@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <14198D76-AA32-4E02-9425-0700ED57B07B@gmail.com> <77ead0ec0812161759g4900bd98h6ad6c07bb0d81fe3@mail.gmail.com> <89F12E27-304C-41AD-BC27-556BD9FA7040@gmail.com> <77ead0ec0812161851q204bd1e7nd9fc57538d161794@mail.gmail.com> <596A619D-6D7B-421E-A43C-47AD1762093F@gmail.com>
Cc: opsec@ietf.org
Subject: Re: [OPSEC] Prospective issue with IPsec ESP-NULL & IGP packets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org

Hi Ran,

>> The idea is that we are trying to move away from AH and ESP support to
>> only ESP support as most of the functionality of AH is sort of already
>> there in ESP, except for the points I mention.
>
> Hmm. AH provides more comprehensive protections than ESP,
> in a fundamental way.
Are you stating something other than what is in the link I provided.

>> Also note that AH is a MAY support for OSPFv3 while
>> ESP is a MUST (just like it is for IPsec).
>
> Most routers already ship with AH, so it is trivial to use AH.
Yes, but the aim is to move away from AH. AH has been downgraded to a
MAY support in IPsec RFC4301. It is the same for the OSPFv3 RFC too.

>> I think the final aim for us needs to be to support one protocol and
>> try to get all the functionality from the same. This is the reason we
>> are trying to make changes to ESP rather than using AH.
>
> At least some customers have a hard requirement for AH,
> rather than ESP.  It is possible that not all implementers
> care about those customers.
Ok.

>> This discussion however would be better part of the IPsec mailing list
>> then here in my view.
>
> You seem to have missed the main point of my note,
> which was an Operational Security matter, so I will restate:
Thanks for restating it. I am sorry if I missed the point.

>   There is no ESP attack vector that enables an interior
>   node to inject forged IGP packets into a different
>   target domain to subvert the target's IGP routing,
>   provided the user has configured their systems
>   appropriately (e.g. packet filtering at the edges),
>   modulo bugs in their deployed implementations.
Ran, the point we were talking is about the packet actually not being
able to be filtered by the edge node/ device because the packet is
encapsulated in the ESP header. Is there something amiss here - when
you say such a packet can be filtered?

>   In the case of implementation bugs, all bets are off
>   anyway, no matter how one configures one's systems
>   or designs one's network.
>
> The detailed analysis of why this is NOT actually a problem,
> even if ESP is in use, was provided in my previous note.
>
> Cheers,
>
> Ran
> rja@extremenetworks.com
>
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
>
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec

v2.23.0 | Report a Bug | By Email