Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: ESP Processing

Tero Kivinen <kivinen@iki.fi> Fri, 28 October 2016 12:18 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24E15129A6F; Fri, 28 Oct 2016 05:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 55aNkcSrAd4W; Fri, 28 Oct 2016 05:18:14 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7605129AA2; Fri, 28 Oct 2016 05:18:13 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u9SCI64F013871 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 28 Oct 2016 15:18:06 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u9SCI5Y7028140; Fri, 28 Oct 2016 15:18:05 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22547.16893.697871.116537@fireball.acr.fi>
Date: Fri, 28 Oct 2016 15:18:05 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: <nalini.elkins@insidethestack.com>
In-Reply-To: <926572461.2227323.1477585468286@mail.yahoo.com>
References: <22495.62038.771947.984586@fireball.acr.fi> <1264225155.363685.1474644268281@mail.yahoo.com> <22507.60901.665544.878052@fireball.acr.fi> <1130739157.4563724.1475509147203@mail.yahoo.com> <22523.36827.869306.70163@fireball.acr.fi> <926572461.2227323.1477585468286@mail.yahoo.com>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 11 min
X-Total-Time: 127 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ySdyWv0ga5e_daDEES4aq1dECFs>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org" <draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: ESP Processing
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 12:18:16 -0000

nalini.elkins@insidethestack.com writes:
> New Section 3.4
> 
> 3.4 Header Placement Using IPSec ESP Mode
> 
>    IPSec Encapsulating Security Payload (ESP) is defined in [RFC4303] and
>    is widely used.  Section 3.1.1 of [RFC4303] discusses placement of
>    Destination Options Headers.   
> 
>    The placement of PDM is different depending on if ESP is used in 
>    tunnel or transport mode.
> 
>    3.4.1 Using Transport Mode
> 
>    Below is the diagram from [RFC4303] discussing placement of headers.
> 
>    Note that Destination Options MAY be placed before or after ESP or
>    both.   In transport mode, PDM MUST be placed after the ESP header so
>    as not to leak information. 
> 
>                            BEFORE APPLYING ESP
> 
>              ---------------------------------------
>        IPv6  |             | ext hdrs |     |      |
>              | orig IP hdr |if present| TCP | Data |
>              ---------------------------------------
> 
>                             AFTER APPLYING ESP
>              ---------------------------------------------------------
>        IPv6  | orig |hop-by-hop,dest*,|   |dest|   |    | ESP   | ESP|
>              |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer| ICV|
>              ---------------------------------------------------------
>                                           |<--- encryption ---->|
>                                           |<------ integrity ------>|
> 
>               * = if present, could be before ESP, after ESP, or both
> 
> 3.4.2 Using Tunnel Mode
> 
>    Below is the diagram from [RFC4303] discussing placement of headers.
> 
>    Note that Destination Options MAY be placed before or after ESP or
>    both in both the outer set of IP headers and the inner set of IP
>    headers.
> 
>    In tunnel mode, PDM MAY be placed before or after the ESP header 
>    or both.
> 
>                              BEFORE APPLYING ESP
> 
>             ---------------------------------------
>       IPv6  |             | ext hdrs |     |      |
>             | orig IP hdr |if present| TCP | Data |
>             ---------------------------------------
> 
>                      AFTER APPLYING ESP
> 
>             ------------------------------------------------------------
>       IPv6  | new* |new ext |   | orig*|orig ext |   |    | ESP   | ESP|
>             |IP hdr| hdrs*  |ESP|IP hdr| hdrs *  |TCP|Data|Trailer| ICV|
>             ------------------------------------------------------------
>                                 |<--------- encryption ---------->|
>                             |<------------ integrity ------------>|
> 
>             * = if present, construction of outer IP hdr/extensions and
>                 modification of inner IP hdr/extensions is discussed in
>                 the Security Architecture document.

For tunnel mode you could add text noting, that as the sgw will make
completely new IP packet, it means that PDM information for that
packet does not contain any information from the inner packet, i.e.
the PDM information will NOT be based on the TCP ports etc in the
inner header, but will be specific to the ESP flow.

If you want to see PDM information for the inner packet, the original
host sending the inner packet needs to put PDM header in the tunneled
packet, and then the PDM information will be specific for that TCP
stream.

So if the PDM header is part of "new ext hdrs*" then it specifies the
ESP flow, and it will not be end to end, it will only between SGSs. If
the PDM is part of the "orig ext hdrs*", then it will be end to end
PDM header, and ESP processing does not modify it at all. This
location is only place, where you can get end to end information about
the flow.

The first PDM header which is part of the ESP, will not separate TCP
flows at all, as it is for the ESP packets, thus it might not be that
useful, especially as there is no relation between the inbound ESP
packet and outbound ESP packet. The inbound ESP packet might be TCP
packet, and the tunneled packet is sent forward to the inner network,
and then the next outbound ESP packet might be from some completely
different host in different stream, and might be for example UDP DNS
packet. Having PDM information between those packets does not really
help debuggin at all. 
-- 
kivinen@iki.fi