[ssm] SSM with IPSec

Hugh Holbrook <holbrook@cisco.com> Wed, 15 January 2003 06:32 UTC

Received: from www1.ietf.org (ietf.org [] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA23766 for <ssm-archive@lists.ietf.org>; Wed, 15 Jan 2003 01:32:51 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain []) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0F6kxJ04847; Wed, 15 Jan 2003 01:46:59 -0500
Received: from ietf.org (odin.ietf.org []) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0F6dUJ04583 for <ssm@optimus.ietf.org>; Wed, 15 Jan 2003 01:39:30 -0500
Received: from sj-msg-core-3.cisco.com (ietf-mx.ietf.org []) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA23704 for <ssm@ietf.org>; Wed, 15 Jan 2003 01:24:30 -0500 (EST)
Received: from holbrook-laptop.cisco.com (sjc-vpn1-676.cisco.com []) by sj-msg-core-3.cisco.com (8.12.2/8.12.2) with ESMTP id h0F6RDjS025665; Tue, 14 Jan 2003 22:27:14 -0800 (PST)
Received: by holbrook-laptop.cisco.com (Postfix, from userid 500) id 076C910B869; Wed, 15 Jan 2003 01:25:34 -0500 (EST)
From: Hugh Holbrook <holbrook@cisco.com>
To: ssm@ietf.org
Cc: mbaugher@cisco.com, bew@cisco.com
Reply-To: holbrook@cisco.com
Message-Id: <20030115062534.076C910B869@holbrook-laptop.cisco.com>
Date: Wed, 15 Jan 2003 01:25:34 -0500
Subject: [ssm] SSM with IPSec
Sender: ssm-admin@ietf.org
Errors-To: ssm-admin@ietf.org
X-BeenThere: ssm@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ssm>, <mailto:ssm-request@ietf.org?subject=unsubscribe>
List-Id: Source-Specific Multicast <ssm.ietf.org>
List-Post: <mailto:ssm@ietf.org>
List-Help: <mailto:ssm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ssm>, <mailto:ssm-request@ietf.org?subject=subscribe>

Hello, SSM working group.

[ Welcome to the brand spanking new ssm@ietf.org mailing list.  Please
  tell me if you notice any problems with the list.  You should have
  received a mail from the mailman program running the list.  The SSM
  page at ietf.org still lists the [un]subscription info for the old
  list, but it will be updated shortly. ]

Last week, I was talking to some security folks here (Brian Weis and
Mark Baugher) who pointed out that IPSec as specified in RFC2401 has
some issues when securing SSM traffic.  In short, the problem is that
including the source in the SA lookup isn't really accounted for in
IPSec, but it really should be.  Details below.

I don't think this is a really urgent problem, but I think the WG
should be aware of the problem, so I'll spell it out.  Comments

Some IPSec background:

[Apologies for the tutorial, but I know that not everyone in the wg is
 fluent in IPSec details.]

IPSec, in RFC2401, specifies that an incoming IPSec packet is looked
up on arrival in a local Security Association Database (SAD) to decide
which Security Association (SA) should be applied to the packet [see
section 4.4.3 of RFC2401.]  The resulting SA determines the
decryption/authentication key, and the anti-replay window (if one is

RFC2401 specifies that the key for the SAD lookup is a 3-tuple of:

    - the packet's destination IP address
    - the IPSec protocol (ESP or AH)
    - the Security Parameters Index (SPI)

The problem (for SSM) is that the source address is *not* included in
the SAD lookup.

The problem:

You would to be sure that two unrelated SSM channels, if secured by
IPSec, can be guaranteed to have unique Security Associations at all
receivers.  This should be true even if the senders accidentally
happen to choose the same SSM destination address.  There is, however,
no entity that "owns" an SSM destination address and can reasonably
ensure that every sender to an SSM address uses a unique SPI

One could envision a similar problem for ASM, but I believe in the ASM
case, the assumption of the IPSec design is that there exists a "group
controller" that logically "owns" the group and can hand out a unique
SPI to each source that needs one.  But this doesn't apply to SSM.
The mere existence of such an entity for an SSM address would defeat
one of SSM's big benefits -- that external coordination with other
senders is not needed before choosing and using an SSM address.

In practice, I don't think this problem is very severe.  It only
arises if a receiver subscribes simultaneously to two unrelated
IPSec'ed channels whose sources happen to have chosen the same IPDA
and the same IPSec SPI.  Given that the <IPDA,SPI> tuple contains 56
bits of generally randomly-picked data, it is very unlikely to occur
in practice.  However, I don't think the architecture should rely on
coincidence to work properly.

What to do:

The solution that I most like is fairly easy to state: require the
source address to be part of the SA lookup when the destination
address is an SSM address.  Mark and Brian inform me that the msec
working group is looking at solving the problem this way.

The required action from the SSM working group is, I think, to simply
point out the problem in the -arch draft, more or less as I've done
above, and note that work is currently underway to address the
problem.  I don't believe we need to or want to hold up the SSM draft
until msec (or ipsec) solves the problem, but I'd like to hear WG
comments on this topic.

I'll probably be sending out some proposed modifications to the
architecture draft shortly.

Thanks to Mark and Brian for pointing out this problem.


Ssm mailing list