Re: [OPSEC] Prospective issue with IPsec ESP-NULL & IGP packets

R Atkinson <ran.atkinson@gmail.com> Wed, 17 December 2008 15:21 UTC

Message-Id: <596A619D-6D7B-421E-A43C-47AD1762093F@gmail.com>
From: R Atkinson <ran.atkinson@gmail.com>
To: opsec@ietf.org
In-Reply-To: <77ead0ec0812161851q204bd1e7nd9fc57538d161794@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Wed, 17 Dec 2008 10:21:31 -0500
References: <14198D76-AA32-4E02-9425-0700ED57B07B@gmail.com> <77ead0ec0812161759g4900bd98h6ad6c07bb0d81fe3@mail.gmail.com> <89F12E27-304C-41AD-BC27-556BD9FA7040@gmail.com> <77ead0ec0812161851q204bd1e7nd9fc57538d161794@mail.gmail.com>
X-Mailer: Apple Mail (2.930.3)
Subject: Re: [OPSEC] Prospective issue with IPsec ESP-NULL & IGP packets

On 16 Dec 2008, at 21:51, Vishwas Manral wrote:
> The idea is that we are trying to move away from AH and ESP support to
> only ESP support as most of the functionality of AH is sort of already
> there in ESP, except for the points I mention.

Hmm. AH provides more comprehensive protections than ESP,
in a fundamental way.

> Also note that AH is a MAY support for OSPFv3 while
> ESP is a MUST (just like it is for IPsec).

Most routers already ship with AH, so it is trivial to use AH.

> I think the final aim for us needs to be to support one protocol and
> try to get all the functionality from the same. This is the reason we
> are trying to make changes to ESP rather than using AH.

At least some customers have a hard requirement for AH,
rather than ESP.  It is possible that not all implementers
care about those customers.

> This discussion however would be better part of the IPsec mailing list
> than here in my view.

You seem to have missed the main point of my note,
which was an Operational Security matter, so I will restate:

    There is no ESP attack vector that enables an interior
    node to inject forged IGP packets into a different
    target domain to subvert the target's IGP routing,
    provided the user has configured their systems
    appropriately (e.g. packet filtering at the edges),
    modulo bugs in their deployed implementations.

    In the case of implementation bugs, all bets are off
    anyway, no matter how one configures one's systems
    or designs one's network.

The detailed analysis of why this is NOT actually a problem,
even if ESP is in use, was provided in my previous note.

Cheers,

Ran
rja@extremenetworks.com


_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec