Re: [saag] IPv6 Node Requirements: Updated IPsec/IKEv2 text
Joe Touch <touch@isi.edu> Wed, 25 August 2010 19:55 UTC
Return-Path: <touch@isi.edu>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 60EF43A69E7 for <saag@core3.amsl.com>; Wed, 25 Aug 2010 12:55:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IBsJGvaT81gL for <saag@core3.amsl.com>; Wed, 25 Aug 2010 12:55:44 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) by core3.amsl.com (Postfix) with ESMTP id 2DA2F3A692C for <saag@ietf.org>; Wed, 25 Aug 2010 12:55:44 -0700 (PDT)
Received: from [172.35.1.127] (pc3.shinagawaphvod2-unet.ocn.ne.jp [220.110.141.59]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id o7PJtVdv016885 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 25 Aug 2010 12:55:42 -0700 (PDT)
Message-ID: <4C75752F.5020409@isi.edu>
Date: Wed, 25 Aug 2010 12:55:27 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.11) Gecko/20100711 Thunderbird/3.0.6
MIME-Version: 1.0
To: Thomas Narten <narten@us.ibm.com>
References: <201008251320.o7PDKvI3030865@cichlid.raleigh.ibm.com>
In-Reply-To: <201008251320.o7PDKvI3030865@cichlid.raleigh.ibm.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-MailScanner-ID: o7PJtVdv016885
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: saag@ietf.org
Subject: Re: [saag] IPv6 Node Requirements: Updated IPsec/IKEv2 text
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Aug 2010 19:55:45 -0000
Hi, Tom,
On 8/25/2010 6:20 AM, Thomas Narten wrote:
> To recap, I presented on the issue of updating the IPsec/IKEv2 text
> at the 6man meeting in Maastricht, as well as at the SAAG meeting. My
> sense of both of those discussions is that there is support for
> changing the general recommendation to a SHOULD.
>
> I got some good feedback in SAAG about the wording (refer to the
> security architecture generally rather than IKEv2, etc.).
>
> New proposed text below.
>
> This text would go into draft-ietf-ipv6-node-requirements, which
> updates RFC 4294.
>
> Comments?
First, this seems to override Sec 10 of RFC4301, so it would need to
update RFC4301 as well.
Some other comments below.
Joe
> Thomas
>
> 10. Security
>
> This section describes the specification for security for IPv6 nodes.
>
> Achieving security in practice is a complex undertaking. Operational
> procedures, protocols, key distribution mechanisms, certificate
> management approaches, etc. are all components that impact the level
> of security actually achieved in practice. More importantly,
> deficiencies or a poor fit in any one individual component can
> significantly reduce the overall effectiveness of a particular
> security approach.
>
> IPsec provides channel security at the Internet layer, making it
> possible to provide secure communication for all (or a subset of)
> communication flows at the IP layer between pairs of internet nodes.
> IPsec provides sufficient flexibility and granularity that individual
> TCP connections can (selectively) be protected, etc.
IPsec can protect down to the socket pair (src addr/src port/dst
addr/dst port) granularity, but there are two important issues. First,
this is rarely done; it is more common to protect services (i.e., at
least letting the src port of incoming SYNs float). Second, such
granularity would reuse an SA for different TCP connections that reuse
the port pair.
I.e., there is no way I am aware of to ensure that IPsec changes SA keys
for a socket pair for each TCP connection that reuses that socket.
TCP-AO can achieve this, however.
So it is not individual TCP connections that are protected; it is
individual socket pairs (at best), and more likely all connections
between two specific endpoints for a given service.
[FWIW, this might be a good opportunity for the IPsec doc to crossref
TCP-AO, and to have at least a short note as to when each is preferred,
or to refer to that discussion in the TCP-AO document]
> Although IPsec can be used with manual keying in some cases, such
> usage has limited applicability and is not recommended.
>
> A range of security technologies and approaches proliferate today
> (e.g., IPsec, TLS, SSH, etc.)
It might be useful to add TCP-AO here.
> No one approach has emerged as an
> ideal technology for all needs and environments. Moreover, IPsec is
> not viewed as the ideal security technology in all cases and is
> unlikely to displace the others.
It's important to note, however, that although any of these protects the
user data, only IPsec and TCP-AO protect TCP connections from disruption
attacks.
> Previously, IPv6 mandated implementation of IPsec and recommended the
> key management approach of IKE. This document updates that
> recommendation by making support of the IP Security Architecture [RFC
> 4301] a SHOULD for all IPv6 nodes. Note that the IPsec Architecture
> requires (e.g., Sec. 4.5 of RFC 4301) the implementation of both
> manual and automatic key management. Currently the default automated
> key management protocol to implement is IKEv2.
>
> This document recognizes that there exists a range of device types
> and environments where other approaches to security than IPsec can be
> justified. For example, special-purpose devices may support only a
> very limited number or type of applications and an application-
> specific security approach may be sufficient for limited management
> or configuration capabilities. Alternatively, some devices my run on
> extremely constrained hardware (e.g., sensors) where the full IP
> Security Architecture is not justified.
>
> 10.1. Requirements
>
> "Security Architecture for the Internet Protocol" [RFC4301] SHOULD be
> supported by all IPv6 nodes. Note that the IPsec Architecture
> requires (e.g., Sec. 4.5 of RFC 4301) the implementation of both
> manual and automatic key management. Currently the default automated
> key management protocol to implement is IKEv2.
>
> 10.2. Transforms and Algorithms
>
> The current set of mandatory-to-implement algorithms for the IP
> Security Architcture are defined in 'Cryptographic Algorithm
> Implementation Requirements For ESP and AH' [RFC4835]. IPv6 nodes
> implementing the IP Security Architecture MUST conform to the
> requirements in [RFC4835]. Preferred cryptographic algorithms often
> change more frequently than security protocols. Therefore
> implementations MUST allow for migration into new algorithms, as
> RFC4835 is replaced or updated in the future.
This might also be a good opportunity to revisit the issue of
recommendations for tunnel and transport mode inclusion. During the
revision of RFC4301, IMO the recommendations on transport mode were
vague with respect to routers (RFC4301, end of section 4.1).
I feel it is important to indicate the following:
---
Any device that acts like a host (i.e., sources packets with IP
addresses assigned to their own interfaces) and implements IPsec MUST
implement transport mode. All devices (hosts and gateways) that
implement IPsec MUST implement tunnel mode. Because gateways always act
as hosts for some protocols (as noted in RFC 1812), the conclusion is
that all devices that implement IPsec MUST implement both tunnel and
transport mode.
In summary,
a) A host implementation of IPsec MUST support both transport and
tunnel mode. This is true for native, BITS, and BITW
implementations for hosts.
b) A security gateway MUST support both transport and tunnel mode.
Transport mode should be used only when the security gateway
is acting as a host, e.g., for network management, or to
provide security between two intermediate systems along a path,
as to secure a tunnel whose encapsulation is not provided
by IPsec tunnel mode.
---
- [saag] IPv6 Node Requirements: Updated IPsec/IKEv… Thomas Narten
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Joe Touch
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Joe Touch
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Paul Hoffman
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Michael Richardson
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Michael Richardson
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Nicolas Williams
- Re: [saag] IPv6 Node Requirements: Updated IPsec/… Joe Touch
- Re: [saag] [IPsec] IPv6 Node Requirements: Update… Thomas Narten