Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: ESP Processing
Tero Kivinen <kivinen@iki.fi> Fri, 28 October 2016 12:18 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24E15129A6F; Fri, 28 Oct 2016 05:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 55aNkcSrAd4W; Fri, 28 Oct 2016 05:18:14 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7605129AA2; Fri, 28 Oct 2016 05:18:13 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u9SCI64F013871 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 28 Oct 2016 15:18:06 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u9SCI5Y7028140; Fri, 28 Oct 2016 15:18:05 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22547.16893.697871.116537@fireball.acr.fi>
Date: Fri, 28 Oct 2016 15:18:05 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: nalini.elkins@insidethestack.com
In-Reply-To: <926572461.2227323.1477585468286@mail.yahoo.com>
References: <22495.62038.771947.984586@fireball.acr.fi> <1264225155.363685.1474644268281@mail.yahoo.com> <22507.60901.665544.878052@fireball.acr.fi> <1130739157.4563724.1475509147203@mail.yahoo.com> <22523.36827.869306.70163@fireball.acr.fi> <926572461.2227323.1477585468286@mail.yahoo.com>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 11 min
X-Total-Time: 127 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ySdyWv0ga5e_daDEES4aq1dECFs>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org" <draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: ESP Processing
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 12:18:16 -0000
nalini.elkins@insidethestack.com writes: > New Section 3.4 > > 3.4 Header Placement Using IPSec ESP Mode > > IPSec Encapsulating Security Payload (ESP) is defined in [RFC4303] and > is widely used. Section 3.1.1 of [RFC4303] discusses placement of > Destination Options Headers. > > The placement of PDM is different depending on if ESP is used in > tunnel or transport mode. > > 3.4.1 Using Transport Mode > > Below is the diagram from [RFC4303] discussing placement of headers. > > Note that Destination Options MAY be placed before or after ESP or > both. In transport mode, PDM MUST be placed after the ESP header so > as not to leak information. > > BEFORE APPLYING ESP > > --------------------------------------- > IPv6 | | ext hdrs | | | > | orig IP hdr |if present| TCP | Data | > --------------------------------------- > > AFTER APPLYING ESP > --------------------------------------------------------- > IPv6 | orig |hop-by-hop,dest*,| |dest| | | ESP | ESP| > |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer| ICV| > --------------------------------------------------------- > |<--- encryption ---->| > |<------ integrity ------>| > > * = if present, could be before ESP, after ESP, or both > > 3.4.2 Using Tunnel Mode > > Below is the diagram from [RFC4303] discussing placement of headers. > > Note that Destination Options MAY be placed before or after ESP or > both in both the outer set of IP headers and the inner set of IP > headers. > > In tunnel mode, PDM MAY be placed before or after the ESP header > or both. > > BEFORE APPLYING ESP > > --------------------------------------- > IPv6 | | ext hdrs | | | > | orig IP hdr |if present| TCP | Data | > --------------------------------------- > > AFTER APPLYING ESP > > ------------------------------------------------------------ > IPv6 | new* |new ext | | orig*|orig ext | | | ESP | ESP| > |IP hdr| hdrs* |ESP|IP hdr| hdrs * |TCP|Data|Trailer| ICV| > ------------------------------------------------------------ > |<--------- encryption ---------->| > |<------------ integrity ------------>| > > * = if present, construction of outer IP hdr/extensions and > modification of inner IP hdr/extensions is discussed in > the Security Architecture document. For tunnel mode you could add text noting, that as the sgw will make completely new IP packet, it means that PDM information for that packet does not contain any information from the inner packet, i.e. the PDM information will NOT be based on the TCP ports etc in the inner header, but will be specific to the ESP flow. If you want to see PDM information for the inner packet, the original host sending the inner packet needs to put PDM header in the tunneled packet, and then the PDM information will be specific for that TCP stream. So if the PDM header is part of "new ext hdrs*" then it specifies the ESP flow, and it will not be end to end, it will only between SGSs. If the PDM is part of the "orig ext hdrs*", then it will be end to end PDM header, and ESP processing does not modify it at all. This location is only place, where you can get end to end information about the flow. The first PDM header which is part of the ESP, will not separate TCP flows at all, as it is for the ESP packets, thus it might not be that useful, especially as there is no relation between the inbound ESP packet and outbound ESP packet. The inbound ESP packet might be TCP packet, and the tunneled packet is sent forward to the inner network, and then the next outbound ESP packet might be from some completely different host in different stream, and might be for example UDP DNS packet. Having PDM information between those packets does not really help debuggin at all. -- kivinen@iki.fi
- [secdir] Secdir review of draft-ietf-ippm-6man-pd… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… MORTON, ALFRED C (AL)
- Re: [secdir] Secdir review of draft-ietf-ippm-6ma… nalini.elkins