summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog7
-rw-r--r--doc/draft-richardson-ipsec-opportunistic.txt2688
-rw-r--r--doc/draft-richardson-ipsec-rr.txt840
-rw-r--r--doc/draft-spencer-ipsec-ike-implementation.nr1203
-rw-r--r--doc/draft-spencer-ipsec-ike-implementation.txt1232
5 files changed, 4 insertions, 5966 deletions
diff --git a/debian/changelog b/debian/changelog
index f27c56fd1..401e34d17 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,9 @@
-strongswan (2.7.3-1) UNRELEASED; urgency=low
+strongswan (2.7.3+dfsg-1) unstable; urgency=low
- * (NOT RELEASED YET) New upstream release
+ * New upstream release. Another try on getting it into unstable.
+ Closes: #372267: ITP: strongswan -- second fork of freeswan.
- -- Rene Mayrhofer <rene@mayrhofer.eu.org> Wed, 23 Aug 2006 21:23:36 +0100
+ -- Rene Mayrhofer <rmayr@debian.org> Wed, 23 Aug 2006 21:23:36 +0100
strongswan (2.7.2+dfsg-1) unstable; urgency=low
diff --git a/doc/draft-richardson-ipsec-opportunistic.txt b/doc/draft-richardson-ipsec-opportunistic.txt
deleted file mode 100644
index 4c87d857a..000000000
--- a/doc/draft-richardson-ipsec-opportunistic.txt
+++ /dev/null
@@ -1,2688 +0,0 @@
-
-
-Independent submission M. Richardson
-Internet-Draft SSW
-Expires: November 19, 2003 D. Redelmeier
- Mimosa
- May 21, 2003
-
-
- Opportunistic Encryption using The Internet Key Exchange (IKE)
- draft-richardson-ipsec-opportunistic-11.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on November 19, 2003.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This document describes opportunistic encryption (OE) using the
- Internet Key Exchange (IKE) and IPsec. Each system administrator
- adds new resource records to his or her Domain Name System (DNS) to
- support opportunistic encryption. The objective is to allow
- encryption for secure communication without any pre-arrangement
- specific to the pair of systems involved.
-
- DNS is used to distribute the public keys of each system involved.
- This is resistant to passive attacks. The use of DNS Security
- (DNSSEC) secures this system against active attackers as well.
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 1]
-
-Internet-Draft opportunistic May 2003
-
-
- As a result, the administrative overhead is reduced from the square
- of the number of systems to a linear dependence, and it becomes
- possible to make secure communication the default even when the
- partner is not known in advance.
-
- This document is offered up as an Informational RFC.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 3. Specification . . . . . . . . . . . . . . . . . . . . . . . . 10
- 4. Impacts on IKE . . . . . . . . . . . . . . . . . . . . . . . . 21
- 5. DNS issues . . . . . . . . . . . . . . . . . . . . . . . . . . 24
- 6. Network address translation interaction . . . . . . . . . . . 28
- 7. Host implementations . . . . . . . . . . . . . . . . . . . . . 29
- 8. Multi-homing . . . . . . . . . . . . . . . . . . . . . . . . . 30
- 9. Failure modes . . . . . . . . . . . . . . . . . . . . . . . . 32
- 10. Unresolved issues . . . . . . . . . . . . . . . . . . . . . . 34
- 11. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
- 12. Security considerations . . . . . . . . . . . . . . . . . . . 42
- 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
- 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 45
- Normative references . . . . . . . . . . . . . . . . . . . . . 46
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 47
- Full Copyright Statement . . . . . . . . . . . . . . . . . . . 48
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 2]
-
-Internet-Draft opportunistic May 2003
-
-
-1. Introduction
-
-1.1 Motivation
-
- The objective of opportunistic encryption is to allow encryption
- without any pre-arrangement specific to the pair of systems involved.
- Each system administrator adds public key information to DNS records
- to support opportunistic encryption and then enables this feature in
- the nodes' IPsec stack. Once this is done, any two such nodes can
- communicate securely.
-
- This document describes opportunistic encryption as designed and
- mostly implemented by the Linux FreeS/WAN project. For project
- information, see http://www.freeswan.org.
-
- The Internet Architecture Board (IAB) and Internet Engineering
- Steering Group (IESG) have taken a strong stand that the Internet
- should use powerful encryption to provide security and privacy [4].
- The Linux FreeS/WAN project attempts to provide a practical means to
- implement this policy.
-
- The project uses the IPsec, ISAKMP/IKE, DNS and DNSSEC protocols
- because they are standardized, widely available and can often be
- deployed very easily without changing hardware or software or
- retraining users.
-
- The extensions to support opportunistic encryption are simple. No
- changes to any on-the-wire formats are needed. The only changes are
- to the policy decision making system. This means that opportunistic
- encryption can be implemented with very minimal changes to an
- existing IPsec implementation.
-
- Opportunistic encryption creates a "fax effect". The proliferation
- of the fax machine was possible because it did not require that
- everyone buy one overnight. Instead, as each person installed one,
- the value of having one increased - as there were more people that
- could receive faxes. Once opportunistic encryption is installed it
- automatically recognizes other boxes using opportunistic encryption,
- without any further configuration by the network administrator. So,
- as opportunistic encryption software is installed on more boxes, its
- value as a tool increases.
-
- This document describes the infrastructure to permit deployment of
- Opportunistic Encryption.
-
- The term S/WAN is a trademark of RSA Data Systems, and is used with
- permission by this project.
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 3]
-
-Internet-Draft opportunistic May 2003
-
-
-1.2 Types of network traffic
-
- To aid in understanding the relationship between security processing
- and IPsec we divide network traffic into four categories:
-
- * Deny: networks to which traffic is always forbidden.
-
- * Permit: networks to which traffic in the clear is permitted.
-
- * Opportunistic tunnel: networks to which traffic is encrypted if
- possible, but otherwise is in the clear or fails depending on the
- default policy in place.
-
- * Configured tunnel: networks to which traffic must be encrypted, and
- traffic in the clear is never permitted.
-
- Traditional firewall devices handle the first two categories. No
- authentication is required. The permit policy is currently the
- default on the Internet.
-
- This document describes the third category - opportunistic tunnel,
- which is proposed as the new default for the Internet.
-
- Category four, encrypt traffic or drop it, requires authentication of
- the end points. As the number of end points is typically bounded and
- is typically under a single authority, arranging for distribution of
- authentication material, while difficult, does not require any new
- technology. The mechanism described here provides an additional way
- to distribute the authentication materials, that of a public key
- method that does not require deployment of an X.509 based
- infrastructure.
-
- Current Virtual Private Networks can often be replaced by an "OE
- paranoid" policy as described herein.
-
-1.3 Peer authentication in opportunistic encryption
-
- Opportunistic encryption creates tunnels between nodes that are
- essentially strangers. This is done without any prior bilateral
- arrangement. There is, therefore, the difficult question of how one
- knows to whom one is talking.
-
- One possible answer is that since no useful authentication can be
- done, none should be tried. This mode of operation is named
- "anonymous encryption". An active man-in-the-middle attack can be
- used to thwart the privacy of this type of communication. Without
- peer authentication, there is no way to prevent this kind of attack.
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 4]
-
-Internet-Draft opportunistic May 2003
-
-
- Although a useful mode, anonymous encryption is not the goal of this
- project. Simpler methods are available that can achieve anonymous
- encryption only, but authentication of the peer is a desireable goal.
- The latter is achieved through key distribution in DNS, leveraging
- upon the authentication of the DNS in DNSSEC.
-
- Peers are, therefore, authenticated with DNSSEC when available.
- Local policy determines how much trust to extend when DNSSEC is not
- available.
-
- However, an essential premise of building private connections with
- strangers is that datagrams received through opportunistic tunnels
- are no more special than datagrams that arrive in the clear. Unlike
- in a VPN, these datagrams should not be given any special exceptions
- when it comes to auditing, further authentication or firewalling.
-
- When initiating outbound opportunistic encryption, local
- configuration determines what happens if tunnel setup fails. It may
- be that the packet goes out in the clear, or it may be dropped.
-
-1.4 Use of RFC2119 terms
-
- The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
- SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
- document, are to be interpreted as described in [5]
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 5]
-
-Internet-Draft opportunistic May 2003
-
-
-2. Overview
-
-2.1 Reference diagram
-
- ---------------------------------------------------------------------
-
- The following network diagram is used in the rest of this document as
- the canonical diagram:
-
- [Q] [R]
- . . AS2
- [A]----+----[SG-A].......+....+.......[SG-B]-------[B]
- | ......
- AS1 | ..PI..
- | ......
- [D]----+----[SG-D].......+....+.......[C] AS3
-
-
-
- Figure 1: Reference Network Diagram
-
- ---------------------------------------------------------------------
-
- In this diagram, there are four end-nodes: A, B, C and D. There are
- three gateways, SG-A, SG-B, SG-D. A, D, SG-A and SG-D are part of
- the same administrative authority, AS1. SG-A and SG-D are on two
- different exit paths from organization 1. SG-B/B is an independent
- organization, AS2. Nodes Q and R are nodes on the Internet. PI is
- the Public Internet ("The Wild").
-
-2.2 Terminology
-
- The following terminology is used in this document:
-
- Security gateway: a system that performs IPsec tunnel mode
- encapsulation/decapsulation. [SG-x] in the diagram.
-
- Alice: node [A] in the diagram. When an IP address is needed, this
- is 192.1.0.65.
-
- Bob: node [B] in the diagram. When an IP address is needed, this is
- 192.2.0.66.
-
- Carol: node [C] in the diagram. When an IP address is needed, this
- is 192.1.1.67.
-
- Dave: node [D] in the diagram. When an IP address is needed, this is
- 192.3.0.68.
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 6]
-
-Internet-Draft opportunistic May 2003
-
-
- SG-A: Alice's security gateway. Internally it is 192.1.0.1,
- externally it is 192.1.1.4.
-
- SG-B: Bob's security gateway. Internally it is 192.2.0.1, externally
- it is 192.1.1.5.
-
- SG-D: Dave's security gateway. Also Alice's backup security gateway.
- Internally it is 192.3.0.1, externally it is 192.1.1.6.
-
- - A single dash represents clear-text datagrams.
-
- = An equals sign represents phase 2 (IPsec) cipher-text datagrams.
-
- ~ A single tilde represents clear-text phase 1 datagrams.
-
- # A hash sign represents phase 1 (IKE) cipher-text datagrams.
-
- . A period represents an untrusted network of unknown type.
-
- Configured tunnel: a tunnel that is directly and deliberately hand
- configured on participating gateways. Configured tunnels are
- typically given a higher level of trust than opportunistic
- tunnels.
-
- Road warrior tunnel: a configured tunnel connecting one node with a
- fixed IP address and one node with a variable IP address. A road
- warrior (RW) connection must be initiated by the variable node,
- since the fixed node cannot know the current address for the road
- warrior.
-
- Anonymous encryption: the process of encrypting a session without any
- knowledge of who the other parties are. No authentication of
- identities is done.
-
- Opportunistic encryption: the process of encrypting a session with
- authenticated knowledge of who the other parties are.
-
- Lifetime: the period in seconds (bytes or datagrams) for which a
- security association will remain alive before needing to be re-
- keyed.
-
- Lifespan: the effective time for which a security association remains
- useful. A security association with a lifespan shorter than its
- lifetime would be removed when no longer needed. A security
- association with a lifespan longer than its lifetime would need to
- be re-keyed one or more times.
-
- Phase 1 SA: an ISAKMP/IKE security association sometimes referred to
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 7]
-
-Internet-Draft opportunistic May 2003
-
-
- as a keying channel.
-
- Phase 2 SA: an IPsec security association.
-
- Tunnel: another term for a set of phase 2 SA (one in each direction).
-
- NAT: Network Address Translation (see [20]).
-
- NAPT: Network Address and Port Translation (see [20]).
-
- AS: an autonomous system (AS) is a group of systems (a network) that
- are under the administrative control of a single organization.
-
- Default-free zone: a set of routers that maintain a complete set of
- routes to all currently reachable destinations. Having such a
- list, these routers never make use of a default route. A datagram
- with a destination address not matching any route will be dropped
- by such a router.
-
-
-2.3 Model of operation
-
- The opportunistic encryption security gateway (OE gateway) is a
- regular gateway node as described in [2] section 2.4 and [3] with the
- additional capabilities described here and in [7]. The algorithm
- described here provides a way to determine, for each datagram,
- whether or not to encrypt and tunnel the datagram. Two important
- things that must be determined are whether or not to encrypt and
- tunnel and, if so, the destination address or name of the tunnel end
- point which should be used.
-
-2.3.1 Tunnel authorization
-
- The OE gateway determines whether or not to create a tunnel based on
- the destination address of each packet. Upon receiving a packet with
- a destination address not recently seen, the OE gateway performs a
- lookup in DNS for an authorization resource record (see Section 5.2).
- The record is located using the IP address to perform a search in the
- in-addr.arpa (IPv4) or ip6.arpa (IPv6) maps. If an authorization
- record is found, the OE gateway interprets this as a request for a
- tunnel to be formed.
-
-2.3.2 Tunnel end-point discovery
-
- The authorization resource record also provides the address or name
- of the tunnel end point which should be used.
-
- The record may also provide the public RSA key of the tunnel end
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 8]
-
-Internet-Draft opportunistic May 2003
-
-
- point itself. This is provided for efficiency only. If the public
- RSA key is not present, the OE gateway performs a second lookup to
- find a KEY resource record for the end point address or name.
-
- Origin and integrity protection of the resource records is provided
- by DNSSEC ([16]). Section 3.2.4.1 documents an optional restriction
- on the tunnel end point if DNSSEC signatures are not available for
- the relevant records.
-
-2.3.3 Caching of authorization results
-
- The OE gateway maintains a cache, in the forwarding plane, of source/
- destination pairs for which opportunistic encryption has been
- attempted. This cache maintains a record of whether or not OE was
- successful so that subsequent datagrams can be forwarded properly
- without additional delay.
-
- Successful negotiation of OE instantiates a new security association.
- Failure to negotiate OE results in creation of a forwarding policy
- entry either to drop or transmit in the clear future datagrams. This
- negative cache is necessary to avoid the possibly lengthy process of
- repeatedly looking up the same information.
-
- The cache is timed out periodically, as described in Section 3.4.
- This removes entries that are no longer being used and permits the
- discovery of changes in authorization policy.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 9]
-
-Internet-Draft opportunistic May 2003
-
-
-3. Specification
-
- The OE gateway is modeled to have a forwarding plane and a control
- plane. A control channel, such as PF_KEY, connects the two planes.
- (See [6].) The forwarding plane performs per datagram operations.
- The control plane contains a keying daemon, such as ISAKMP/IKE, and
- performs all authorization, peer authentication and key derivation
- functions.
-
-3.1 Datagram state machine
-
- Let the OE gateway maintain a collection of objects -- a superset of
- the security policy database (SPD) specified in [7]. For each
- combination of source and destination address, an SPD object exists
- in one of five following states. Prior to forwarding each datagram,
- the responder uses the source and destination addresses to pick an
- entry from the SPD. The SPD then determines if and how the packet is
- forwarded.
-
-3.1.1 Non-existent policy
-
- If the responder does not find an entry, then this policy applies.
- The responder creates an entry with an initial state of "hold policy"
- and requests keying material from the keying daemon. The responder
- does not forward the datagram, rather it attaches the datagram to the
- SPD entry as the "first" datagram and retains it for eventual
- transmission in a new state.
-
-3.1.2 Hold policy
-
- The responder requests keying material. If the interface to the
- keying system is lossy (PF_KEY, for instance, can be), the
- implementation SHOULD include a mechanism to retransmit the keying
- request at a rate limited to less than 1 request per second. The
- responder does not forward the datagram. It attaches the datagram to
- the SPD entry as the "last" datagram where it is retained for
- eventual transmission. If there is a datagram already so stored,
- then that already stored datagram is discarded.
-
- Because the "first" datagram is probably a TCP SYN packet, the
- responder retains the "first" datagram in an attempt to avoid waiting
- for a TCP retransmit. The responder retains the "last" datagram in
- deference to streaming protocols that find it useful to know how much
- data has been lost. These are recommendations to decrease latency.
- There are no operational requirements for this.
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 10]
-
-Internet-Draft opportunistic May 2003
-
-
-3.1.3 Pass-through policy
-
- The responder forwards the datagram using the normal forwarding
- table. The responder enters this state only by command from the
- keying daemon, and upon entering this state, also forwards the
- "first" and "last" datagrams.
-
-3.1.4 Deny policy
-
- The responder discards the datagram. The responder enters this state
- only by command from the keying daemon, and upon entering this state,
- discards the "first" and "last" datagrams. Local administration
- decides if further datagrams cause ICMP messages to be generated
- (i.e. ICMP Destination Unreachable, Communication Administratively
- Prohibited. type=3, code=13).
-
-3.1.5 Encrypt policy
-
- The responder encrypts the datagram using the indicated security
- association database (SAD) entry. The responder enters this state
- only by command from the keying daemon, and upon entering this state,
- releases and forwards the "first" and "last" datagrams using the new
- encrypt policy.
-
- If the associated SAD entry expires because of byte, packet or time
- limits, then the entry returns to the Hold policy, and an expire
- message is sent to the keying daemon.
-
- All states may be created directly by the keying daemon while acting
- as a responder.
-
-3.2 Keying state machine - initiator
-
- Let the keying daemon maintain a collection of objects. Let them be
- called "connections" or "conn"s. There are two categories of
- connection objects: classes and instances. A class represents an
- abstract policy - what could be. An instance represents an actual
- connection - what is implemented at the time.
-
- Let there be two further subtypes of connections: keying channels
- (Phase 1 SAs) and data channels (Phase 2 SAs). Each data channel
- object may have a corresponding SPD and SAD entry maintained by the
- datagram state machine.
-
- For the purposes of opportunistic encryption, there MUST, at least,
- be connection classes known as "deny", "always-clear-text", "OE-
- permissive", and "OE-paranoid". The latter two connection classes
- define a set of source and/or destination addresses for which
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 11]
-
-Internet-Draft opportunistic May 2003
-
-
- opportunistic encryption will be attempted. The administrator MAY
- set policy options in a number of additional places. An
- implementation MAY create additional connection classes to further
- refine these policies.
-
- The simplest system may need only the "OE-permissive" connection, and
- would list its own (single) IP address as the source address of this
- policy and the wild-card address 0.0.0.0/0 as the destination IPv4
- address. That is, the simplest policy is to try opportunistic
- encryption with all destinations.
-
- The distinction between permissive and paranoid OE use will become
- clear in the state transition differences. In general a permissive
- OE will, on failure, install a pass-through policy, while a paranoid
- OE will, on failure, install a drop policy.
-
- In this description of the keying machine's state transitions, the
- states associated with the keying system itself are omitted because
- they are best documented in the keying system ([8], [9] and [10] for
- ISAKMP/IKE), and the details are keying system specific.
- Opportunistic encryption is not dependent upon any specific keying
- protocol, but this document does provide requirements for those using
- ISAKMP/IKE to assure that implementations inter-operate.
-
- The state transitions that may be involved in communicating with the
- forwarding plane are omitted. PF_KEY and similar protocols have
- their own set of states required for message sends and completion
- notifications.
-
- Finally, the retransmits and recursive lookups that are normal for
- DNS are not included in this description of the state machine.
-
-3.2.1 Nonexistent connection
-
- There is no connection instance for a given source/destination
- address pair. Upon receipt of a request for keying material for this
- source/destination pair, the initiator searches through the
- connection classes to determine the most appropriate policy. Upon
- determining an appropriate connection class, an instance object is
- created of that type. Both of the OE types result in a potential OE
- connection.
-
- Failure to find an appropriate connection class results in an
- administrator defined default.
-
- In each case, when the initiator finds an appropriate class for the
- new flow, an instance connection is made of the class which matched.
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 12]
-
-Internet-Draft opportunistic May 2003
-
-
-3.2.2 Clear-text connection
-
- The non-existent connection makes a transition to this state when an
- always-clear-text class is instantiated, or when an OE-permissive
- connection fails. During the transition, the initiator creates a
- pass-through policy object in the forwarding plane for the
- appropriate flow.
-
- Timing out is the only way to leave this state (see Section 3.2.7).
-
-3.2.3 Deny connection
-
- The empty connection makes a transition to this state when a deny
- class is instantiated, or when an OE-paranoid connection fails.
- During the transition, the initiator creates a deny policy object in
- the forwarding plane for the appropriate flow.
-
- Timing out is the only way to leave this state (see Section 3.2.7).
-
-3.2.4 Potential OE connection
-
- The empty connection makes a transition to this state when one of
- either OE class is instantiated. During the transition to this
- state, the initiator creates a hold policy object in the forwarding
- plane for the appropriate flow.
-
- In addition, when making a transition into this state, DNS lookup is
- done in the reverse-map for a TXT delegation resource record (see
- Section 5.2). The lookup key is the destination address of the flow.
-
- There are three ways to exit this state:
-
- 1. DNS lookup finds a TXT delegation resource record.
-
- 2. DNS lookup does not find a TXT delegation resource record.
-
- 3. DNS lookup times out.
-
- Based upon the results of the DNS lookup, the potential OE connection
- makes a transition to the pending OE connection state. The
- conditions for a successful DNS look are:
-
- 1. DNS finds an appropriate resource record
-
- 2. It is properly formatted according to Section 5.2
-
- 3. if DNSSEC is enabled, then the signature has been vouched for.
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 13]
-
-Internet-Draft opportunistic May 2003
-
-
- Note that if the initiator does not find the public key present in
- the TXT delegation record, then the public key must be looked up as a
- sub-state. Only successful completion of all the DNS lookups is
- considered a success.
-
- If DNS lookup does not find a resource record or DNS times out, then
- the initiator considers the receiver not OE capable. If this is an
- OE-paranoid instance, then the potential OE connection makes a
- transition to the deny connection state. If this is an OE-permissive
- instance, then the potential OE connection makes a transition to the
- clear-text connection state.
-
- If the initiator finds a resource record but it is not properly
- formatted, or if DNSSEC is enabled and reports a failure to
- authenticate, then the potential OE connection should make a
- transition to the deny connection state. This action SHOULD be
- logged. If the administrator wishes to override this transition
- between states, then an always-clear class can be installed for this
- flow. An implementation MAY make this situation a new class.
-
-3.2.4.1 Restriction on unauthenticated TXT delegation records
-
- An implementation SHOULD also provide an additional administrative
- control on delegation records and DNSSEC. This control would apply
- to delegation records (the TXT records in the reverse-map) that are
- not protected by DNSSEC. Records of this type are only permitted to
- delegate to their own address as a gateway. When this option is
- enabled, an active attack on DNS will be unable to redirect packets
- to other than the original destination.
-
-3.2.5 Pending OE connection
-
- The potential OE connection makes a transition to this state when the
- initiator determines that all the information required from the DNS
- lookup is present. Upon entering this state, the initiator attempts
- to initiate keying to the gateway provided.
-
- Exit from this state occurs either with a successfully created IPsec
- SA, or with a failure of some kind. Successful SA creation results
- in a transition to the key connection state.
-
- Three failures have caused significant problems. They are clearly
- not the only possible failures from keying.
-
- Note that if there are multiple gateways available in the TXT
- delegation records, then a failure can only be declared after all
- have been tried. Further, creation of a phase 1 SA does not
- constitute success. A set of phase 2 SAs (a tunnel) is considered
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 14]
-
-Internet-Draft opportunistic May 2003
-
-
- success.
-
- The first failure occurs when an ICMP port unreachable is
- consistently received without any other communication, or when there
- is silence from the remote end. This usually means that either the
- gateway is not alive, or the keying daemon is not functional. For an
- OE-permissive connection, the initiator makes a transition to the
- clear-text connection but with a low lifespan. For an OE-pessimistic
- connection, the initiator makes a transition to the deny connection
- again with a low lifespan. The lifespan in both cases is kept low
- because the remote gateway may be in the process of rebooting or be
- otherwise temporarily unavailable.
-
- The length of time to wait for the remote keying daemon to wake up is
- a matter of some debate. If there is a routing failure, 5 minutes is
- usually long enough for the network to re-converge. Many systems can
- reboot in that amount of time as well. However, 5 minutes is far too
- long for most users to wait to hear that they can not connect using
- OE. Implementations SHOULD make this a tunable parameter.
-
- The second failure occurs after a phase 1 SA has been created, but
- there is either no response to the phase 2 proposal, or the initiator
- receives a negative notify (the notify must be authenticated). The
- remote gateway is not prepared to do OE at this time. As before, the
- initiator makes a transition to the clear-text or the deny connection
- based upon connection class, but this time with a normal lifespan.
-
- The third failure occurs when there is signature failure while
- authenticating the remote gateway. This can occur when there has
- been a key roll-over, but DNS has not caught up. In this case again,
- the initiator makes a transition to the clear-text or the deny
- connection based upon the connection class. However, the lifespan
- depends upon the remaining time to live in the DNS. (Note that
- DNSSEC signed resource records have a different expiry time than non-
- signed records.)
-
-3.2.6 Keyed connection
-
- The pending OE connection makes a transition to this state when
- session keying material (the phase 2 SAs) is derived. The initiator
- creates an encrypt policy in the forwarding plane for this flow.
-
- There are three ways to exit this state. The first is by receipt of
- an authenticated delete message (via the keying channel) from the
- peer. This is normal teardown and results in a transition to the
- expired connection state.
-
- The second exit is by expiry of the forwarding plane keying material.
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 15]
-
-Internet-Draft opportunistic May 2003
-
-
- This starts a re-key operation with a transition back to pending OE
- connection. In general, the soft expiry occurs with sufficient time
- left to continue to use the keys. A re-key can fail, which may
- result in the connection failing to clear-text or deny as
- appropriate. In the event of a failure, the forwarding plane policy
- does not change until the phase 2 SA (IPsec SA) reaches its hard
- expiry.
-
- The third exit is in response to a negotiation from a remote gateway.
- If the forwarding plane signals the control plane that it has
- received an unknown SPI from the remote gateway, or an ICMP is
- received from the remote gateway indicating an unknown SPI, the
- initiator should consider that the remote gateway has rebooted or
- restarted. Since these indications are easily forged, the
- implementation must exercise care. The initiator should make a
- cautious (rate-limited) attempt to re-key the connection.
-
-3.2.7 Expiring connection
-
- The initiator will periodically place each of the deny, clear-text,
- and keyed connections into this sub-state. See Section 3.4 for more
- details of how often this occurs. The initiator queries the
- forwarding plane for last use time of the appropriate policy. If the
- last use time is relatively recent, then the connection returns to
- the previous deny, clear-text or keyed connection state. If not,
- then the connection enters the expired connection state.
-
- The DNS query and answer that lead to the expiring connection state
- are also examined. The DNS query may become stale. (A negative,
- i.e. no such record, answer is valid for the period of time given by
- the MINIMUM field in an attached SOA record. See [12] section
- 4.3.4.) If the DNS query is stale, then a new query is made. If the
- results change, then the connection makes a transition to a new state
- as described in potential OE connection state.
-
- Note that when considering how stale a connection is, both outgoing
- SPD and incoming SAD must be queried as some flows may be
- unidirectional for some time.
-
- Also note that the policy at the forwarding plane is not updated
- unless there is a conclusion that there should be a change.
-
-3.2.8 Expired connection
-
- Entry to this state occurs when no datagrams have been forwarded
- recently via the appropriate SPD and SAD objects. The objects in the
- forwarding plane are removed (logging any final byte and packet
- counts if appropriate) and the connection instance in the keying
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 16]
-
-Internet-Draft opportunistic May 2003
-
-
- plane is deleted.
-
- The initiator sends an ISAKMP/IKE delete to clean up the phase 2 SAs
- as described in Section 3.4.
-
- Whether or not to delete the phase 1 SAs at this time is left as a
- local implementation issue. Implementations that do delete the phase
- 1 SAs MUST send authenticated delete messages to indicate that they
- are doing so. There is an advantage to keeping the phase 1 SAs until
- they expire - they may prove useful again in the near future.
-
-3.3 Keying state machine - responder
-
- The responder has a set of objects identical to those of the
- initiator.
-
- The responder receives an invitation to create a keying channel from
- an initiator.
-
-3.3.1 Unauthenticated OE peer
-
- Upon entering this state, the responder starts a DNS lookup for a KEY
- record for the initiator. The responder looks in the reverse-map for
- a KEY record for the initiator if the initiator has offered an
- ID_IPV4_ADDR, and in the forward map if the initiator has offered an
- ID_FQDN type. (See [8] section 4.6.2.1.)
-
- The responder exits this state upon successful receipt of a KEY from
- DNS, and use of the key to verify the signature of the initiator.
-
- Successful authentication of the peer results in a transition to the
- authenticated OE Peer state.
-
- Note that the unauthenticated OE peer state generally occurs in the
- middle of the key negotiation protocol. It is really a form of
- pseudo-state.
-
-3.3.2 Authenticated OE Peer
-
- The peer will eventually propose one or more phase 2 SAs. The
- responder uses the source and destination address in the proposal to
- finish instantiating the connection state using the connection class
- table. The responder MUST search for an identical connection object
- at this point.
-
- If an identical connection is found, then the responder deletes the
- old instance, and the new object makes a transition to the pending OE
- connection state. This means that new ISAKMP connections with a
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 17]
-
-Internet-Draft opportunistic May 2003
-
-
- given peer will always use the latest instance, which is the correct
- one if the peer has rebooted in the interim.
-
- If an identical connection is not found, then the responder makes the
- transition according to the rules given for the initiator.
-
- Note that if the initiator is in OE-paranoid mode and the responder
- is in either always-clear-text or deny, then no communication is
- possible according to policy. An implementation is permitted to
- create new types of policies such as "accept OE but do not initiate
- it". This is a local matter.
-
-3.4 Renewal and teardown
-
-3.4.1 Aging
-
- A potentially unlimited number of tunnels may exist. In practice,
- only a few tunnels are used during a period of time. Unused tunnels
- MUST, therefore, be torn down. Detecting when tunnels are no longer
- in use is the subject of this section.
-
- There are two methods for removing tunnels: explicit deletion or
- expiry.
-
- Explicit deletion requires an IKE delete message. As the deletes
- MUST be authenticated, both ends of the tunnel must maintain the key
- channel (phase 1 ISAKMP SA). An implementation which refuses to
- either maintain or recreate the keying channel SA will be unable to
- use this method.
-
- The tunnel expiry method, simply allows the IKE daemon to expire
- normally without attempting to re-key it.
-
- Regardless of which method is used to remove tunnels, the
- implementation requires a method to determine if the tunnel is still
- in use. The specifics are a local matter, but the FreeS/WAN project
- uses the following criteria. These criteria are currently
- implemented in the key management daemon, but could also be
- implemented at the SPD layer using an idle timer.
-
- Set a short initial (soft) lifespan of 1 minute since many net flows
- last only a few seconds.
-
- At the end of the lifespan, check to see if the tunnel was used by
- traffic in either direction during the last 30 seconds. If so,
- assign a longer tentative lifespan of 20 minutes after which, look
- again. If the tunnel is not in use, then close the tunnel.
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 18]
-
-Internet-Draft opportunistic May 2003
-
-
- The expiring state in the key management system (see Section 3.2.7)
- implements these timeouts. The timer above may be in the forwarding
- plane, but then it must be re-settable.
-
- The tentative lifespan is independent of re-keying; it is just the
- time when the tunnel's future is next considered. (The term lifespan
- is used here rather than lifetime for this reason.) Unlike re-keying,
- this tunnel use check is not costly and should happen reasonably
- frequently.
-
- A multi-step back-off algorithm is not considered worth the effort
- here.
-
- If the security gateway and the client host are the same and not a
- Bump-in-the-Stack or Bump-in-the-Wire implementation, tunnel teardown
- decisions MAY pay attention to TCP connection status as reported by
- the local TCP layer. A still-open TCP connection is almost a
- guarantee that more traffic is expected. Closing of the only TCP
- connection through a tunnel is a strong hint that no more traffic is
- expected.
-
-3.4.2 Teardown and cleanup
-
- Teardown should always be coordinated between the two ends of the
- tunnel by interpreting and sending delete notifications. There is a
- detailed sub-state in the expired connection state of the key manager
- that relates to retransmits of the delete notifications, but this is
- considered to be a keying system detail.
-
- On receiving a delete for the outbound SAs of a tunnel (or some
- subset of them), tear down the inbound ones also and notify the
- remote end with a delete. If the local system receives a delete for
- a tunnel which is no longer in existence, then two delete messages
- have crossed paths. Ignore the delete. The operation has already
- been completed. Do not generate any messages in this situation.
-
- Tunnels are to be considered as bidirectional entities, even though
- the low-level protocols don't treat them this way.
-
- When the deletion is initiated locally, rather than as a response to
- a received delete, send a delete for (all) the inbound SAs of a
- tunnel. If the local system does not receive a responding delete for
- the outbound SAs, try re-sending the original delete. Three tries
- spaced 10 seconds apart seems a reasonable level of effort. A
- failure of the other end to respond after 3 attempts, indicates that
- the possibility of further communication is unlikely. Remove the
- outgoing SAs. (The remote system may be a mobile node that is no
- longer present or powered on.)
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 19]
-
-Internet-Draft opportunistic May 2003
-
-
- After re-keying, transmission should switch to using the new outgoing
- SAs (ISAKMP or IPsec) immediately, and the old leftover outgoing SAs
- should be cleared out promptly (delete should be sent for the
- outgoing SAs) rather than waiting for them to expire. This reduces
- clutter and minimizes confusion for the operator doing diagnostics.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 20]
-
-Internet-Draft opportunistic May 2003
-
-
-4. Impacts on IKE
-
-4.1 ISAKMP/IKE protocol
-
- The IKE wire protocol needs no modifications. The major changes are
- implementation issues relating to how the proposals are interpreted,
- and from whom they may come.
-
- As opportunistic encryption is designed to be useful between peers
- without prior operator configuration, an IKE daemon must be prepared
- to negotiate phase 1 SAs with any node. This may require a large
- amount of resources to maintain cookie state, as well as large
- amounts of entropy for nonces, cookies and so on.
-
- The major changes to support opportunistic encryption are at the IKE
- daemon level. These changes relate to handling of key acquisition
- requests, lookup of public keys and TXT records, and interactions
- with firewalls and other security facilities that may be co-resident
- on the same gateway.
-
-4.2 Gateway discovery process
-
- In a typical configured tunnel, the address of SG-B is provided via
- configuration. Furthermore, the mapping of an SPD entry to a gateway
- is typically a 1:1 mapping. When the 0.0.0.0/0 SPD entry technique
- is used, then the mapping to a gateway is determined by the reverse
- DNS records.
-
- The need to do a DNS lookup and wait for a reply will typically
- introduce a new state and a new event source (DNS replies) to IKE.
- Although a synchronous DNS request can be implemented for proof of
- concept, experience is that it can cause very high latencies when a
- queue of queries must all timeout in series.
-
- Use of an asynchronous DNS lookup will also permit overlap of DNS
- lookups with some of the protocol steps.
-
-4.3 Self identification
-
- SG-A will have to establish its identity. Use an IPv4 ID in phase 1.
-
- There are many situations where the administrator of SG-A may not be
- able to control the reverse DNS records for SG-A's public IP address.
- Typical situations include dialup connections and most residential-
- type broadband Internet access (ADSL, cable-modem) connections. In
- these situations, a fully qualified domain name that is under the
- control of SG-A's administrator may be used when acting as an
- initiator only. The FQDN ID should be used in phase 1. See Section
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 21]
-
-Internet-Draft opportunistic May 2003
-
-
- 5.3 for more details and restrictions.
-
-4.4 Public key retrieval process
-
- Upon receipt of a phase 1 SA proposal with either an IPv4 (IPv6) ID
- or an FQDN ID, an IKE daemon needs to examine local caches and
- configuration files to determine if this is part of a configured
- tunnel. If no configured tunnels are found, then the implementation
- should attempt to retrieve a KEY record from the reverse DNS in the
- case of an IPv4/IPv6 ID, or from the forward DNS in the case of FQDN
- ID.
-
- It is reasonable that if other non-local sources of policy are used
- (COPS, LDAP), they be consulted concurrently but some clear ordering
- of policy be provided. Note that due to variances in latency,
- implementations must wait for positive or negative replies from all
- sources of policy before making any decisions.
-
-4.5 Interactions with DNSSEC
-
- The implementation described (1.98) neither uses DNSSEC directly to
- explicitly verify the authenticity of zone information, nor uses the
- NXT records to provide authentication of the absence of a TXT or KEY
- record. Rather, this implementation uses a trusted path to a DNSSEC
- capable caching resolver.
-
- To distinguish between an authenticated and an unauthenticated DNS
- resource record, a stub resolver capable of returning DNSSEC
- information MUST be used.
-
-4.6 Required proposal types
-
-4.6.1 Phase 1 parameters
-
- Main mode MUST be used.
-
- The initiator MUST offer at least one proposal using some combination
- of: 3DES, HMAC-MD5 or HMAC-SHA1, DH group 2 or 5. Group 5 SHOULD be
- proposed first. [11]
-
- The initiator MAY offer additional proposals, but the cipher MUST not
- be weaker than 3DES. The initiator SHOULD limit the number of
- proposals such that the IKE datagrams do not need to be fragmented.
-
- The responder MUST accept one of the proposals. If any configuration
- of the responder is required then the responder is not acting in an
- opportunistic way.
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 22]
-
-Internet-Draft opportunistic May 2003
-
-
- SG-A SHOULD use an ID_IPV4_ADDR (ID_IPV6_ADDR for IPv6) of the
- external interface of SG-A for phase 1. (There is an exception, see
- Section 5.3.) The authentication method MUST be RSA public key
- signatures. The RSA key for SG-A SHOULD be placed into a DNS KEY
- record in the reverse space of SG-A (i.e. using in-addr.arpa).
-
-4.6.2 Phase 2 parameters
-
- SG-A MUST propose a tunnel between Alice and Bob, using 3DES-CBC
- mode, MD5 or SHA1 authentication. Perfect Forward Secrecy MUST be
- specified.
-
- Tunnel mode MUST be used.
-
- Identities MUST be ID_IPV4_ADDR_SUBNET with the mask being /32.
-
- Authorization for SG-A to act on Alice's behalf is determined by
- looking for a TXT record in the reverse-map at Alice's address.
-
- Compression SHOULD NOT be mandatory. It may be offered as an option.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 23]
-
-Internet-Draft opportunistic May 2003
-
-
-5. DNS issues
-
-5.1 Use of KEY record
-
- In order to establish their own identities, SG-A and SG-B SHOULD
- publish their public keys in their reverse DNS via DNSSEC's KEY
- record. See section 3 of RFC 2535 [16].
-
- For example:
-
- KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
-
- 0x4200: The flag bits, indicating that this key is prohibited for
- confidentiality use (it authenticates the peer only, a separate
- Diffie-Hellman exchange is used for confidentiality), and that
- this key is associated with the non-zone entity whose name is the
- RR owner name. No other flags are set.
-
- 4: This indicates that this key is for use by IPsec.
-
- 1: An RSA key is present.
-
- AQNJjkKlIk9...nYyUkKK8: The public key of the host as described in
- [17].
-
- Use of several KEY records allows for key rollover. The SIG Payload
- in IKE phase 1 SHOULD be accepted if the public key given by any KEY
- RR validates it.
-
-5.2 Use of TXT delegation record
-
- Alice publishes a TXT record to provide authorization for SG-A to act
- on Alice's behalf. Bob publishes a TXT record to provide
- authorization for SG-B to act on Bob's behalf. These records are
- located in the reverse DNS (in-addr.arpa) for their respective IP
- addresses. The reverse DNS SHOULD be secured by DNSSEC, when it is
- deployed. DNSSEC is required to defend against active attacks.
-
- If Alice's address is P.Q.R.S, then she can authorize another node to
- act on her behalf by publishing records at:
-
- S.R.Q.P.in-addr.arpa
-
- The contents of the resource record are expected to be a string that
- uses the following syntax, as suggested in [15]. (Note that the
- reply to query may include other TXT resource records used by other
- applications.)
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 24]
-
-Internet-Draft opportunistic May 2003
-
-
- ---------------------------------------------------------------------
-
-
- X-IPsec-Server(P)=A.B.C.D KEY
-
- Figure 2: Format of reverse delegation record
-
- ---------------------------------------------------------------------
-
- P: Specifies a precedence for this record. This is similar to MX
- record preferences. Lower numbers have stronger preference.
-
- A.B.C.D: Specifies the IP address of the Security Gateway for this
- client machine.
-
- KEY: Is the encoded RSA Public key of the Security Gateway. The key
- is provided here to avoid a second DNS lookup. If this field is
- absent, then a KEY resource record should be looked up in the
- reverse-map of A.B.C.D. The key is transmitted in base64 format.
-
- The pieces of the record are separated by any whitespace (space, tab,
- newline, carriage return). An ASCII space SHOULD be used.
-
- In the case where Alice is located at a public address behind a
- security gateway that has no fixed address (or no control over its
- reverse-map), then Alice may delegate to a public key by domain name.
-
- ---------------------------------------------------------------------
-
-
- X-IPsec-Server(P)=@FQDN KEY
-
- Figure 3: Format of reverse delegation record (FQDN version)
-
- ---------------------------------------------------------------------
-
- P: Is as above.
-
- FQDN: Specifies the FQDN that the Security Gateway will identify
- itself with.
-
- KEY: Is the encoded RSA Public key of the Security Gateway.
-
- If there is more than one such TXT record with strongest (lowest
- numbered) precedence, one Security Gateway is picked arbitrarily from
- those specified in the strongest-preference records.
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 25]
-
-Internet-Draft opportunistic May 2003
-
-
-5.2.1 Long TXT records
-
- When packed into transport format, TXT records which are longer than
- 255 characters are divided into smaller <character-strings>. (See
- [13] section 3.3 and 3.3.14.) These MUST be reassembled into a single
- string for processing. Whitespace characters in the base64 encoding
- are to be ignored.
-
-5.2.2 Choice of TXT record
-
- It has been suggested to use the KEY, OPT, CERT, or KX records
- instead of a TXT record. None is satisfactory.
-
- The KEY RR has a protocol field which could be used to indicate a new
- protocol, and an algorithm field which could be used to indicate
- different contents in the key data. However, the KEY record is
- clearly not intended for storing what are really authorizations, it
- is just for identities. Other uses have been discouraged.
-
- OPT resource records, as defined in [14] are not intended to be used
- for storage of information. They are not to be loaded, cached or
- forwarded. They are, therefore, inappropriate for use here.
-
- CERT records [18] can encode almost any set of information. A custom
- type code could be used permitting any suitable encoding to be
- stored, not just X.509. According to the RFC, the certificate RRs
- are to be signed internally which may add undesirable and unnecessary
- bulk. Larger DNS records may require TCP instead of UDP transfers.
-
- At the time of protocol design, the CERT RR was not widely deployed
- and could not be counted upon. Use of CERT records will be
- investigated, and may be proposed in a future revision of this
- document.
-
- KX records are ideally suited for use instead of TXT records, but had
- not been deployed at the time of implementation.
-
-5.3 Use of FQDN IDs
-
- Unfortunately, not every administrator has control over the contents
- of the reverse-map. Where the initiator (SG-A) has no suitable
- reverse-map, the authorization record present in the reverse-map of
- Alice may refer to a FQDN instead of an IP address.
-
- In this case, the client's TXT record gives the fully qualified
- domain name (FQDN) in place of its security gateway's IP address.
- The initiator should use the ID_FQDN ID-payload in phase 1. A
- forward lookup for a KEY record on the FQDN must yield the
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 26]
-
-Internet-Draft opportunistic May 2003
-
-
- initiator's public key.
-
- This method can also be used when the external address of SG-A is
- dynamic.
-
- If SG-A is acting on behalf of Alice, then Alice must still delegate
- authority for SG-A to do so in her reverse-map. When Alice and SG-A
- are one and the same (i.e. Alice is acting as an end-node) then
- there is no need for this when initiating only.
-
- However, Alice must still delegate to herself if she wishes others
- to initiate OE to her. See Figure 3.
-
-5.4 Key roll-over
-
- Good cryptographic hygiene says that one should replace public/
- private key pairs periodically. Some administrators may wish to do
- this as often as daily. Typical DNS propagation delays are
- determined by the SOA Resource Record MINIMUM parameter, which
- controls how long DNS replies may be cached. For reasonable
- operation of DNS servers, administrators usually want this value to
- be at least several hours, sometimes as a long as a day. This
- presents a problem - a new key MUST not be used prior to it
- propagating through DNS.
-
- This problem is dealt with by having the Security Gateway generate a
- new public/private key pair at least MINIMUM seconds in advance of
- using it. It then adds this key to the DNS (both as a second KEY
- record and in additional TXT delegation records) at key generation
- time. Note: only one key is allowed in each TXT record.
-
- When authenticating, all gateways MUST have available all public keys
- that are found in DNS for this entity. This permits the
- authenticating end to check both the key for "today" and the key for
- "tomorrow". Note that it is the end which is creating the signature
- (possesses the private key) that determines which key is to be used.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 27]
-
-Internet-Draft opportunistic May 2003
-
-
-6. Network address translation interaction
-
- There are no fundamentally new issues for implementing opportunistic
- encryption in the presence of network address translation. Rather
- there are only the regular IPsec issues with NAT traversal.
-
- There are several situations to consider for NAT.
-
-6.1 Co-located NAT/NAPT
-
- If SG-A is also performing network address translation on behalf of
- Alice, then the packet should be translated prior to being subjected
- to opportunistic encryption. This is in contrast to typically
- configured tunnels which often exist to bridge islands of private
- network address space. SG-A will use the translated source address
- for phase 2, and so SG-B will look up that address to confirm SG-A's
- authorization.
-
- In the case of NAT (1:1), the address space into which the
- translation is done MUST be globally unique, and control over the
- reverse-map is assumed. Placing of TXT records is possible.
-
- In the case of NAPT (m:1), the address will be SG-A. The ability to
- get KEY and TXT records in place will again depend upon whether or
- not there is administrative control over the reverse-map. This is
- identical to situations involving a single host acting on behalf of
- itself. FQDN style can be used to get around a lack of a reverse-map
- for initiators only.
-
-6.2 SG-A behind NAT/NAPT
-
- If there is a NAT or NAPT between SG-A and SG-B, then normal IPsec
- NAT traversal rules apply. In addition to the transport problem
- which may be solved by other mechanisms, there is the issue of what
- phase 1 and phase 2 IDs to use. While FQDN could be used during
- phase 1 for SG-A, there is no appropriate ID for phase 2 that permits
- SG-B to determine that SG-A is in fact authorized to speak for Alice.
-
-6.3 Bob is behind a NAT/NAPT
-
- If Bob is behind a NAT (perhaps SG-B), then there is, in fact, no way
- for Alice to address a packet to Bob. Not only is opportunistic
- encryption impossible, but it is also impossible for Alice to
- initiate any communication to Bob. It may be possible for Bob to
- initiate in such a situation. This creates an asymmetry, but this is
- common for NAPT.
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 28]
-
-Internet-Draft opportunistic May 2003
-
-
-7. Host implementations
-
- When Alice and SG-A are components of the same system, they are
- considered to be a host implementation. The packet sequence scenario
- remains unchanged.
-
- Components marked Alice are the upper layers (TCP, UDP, the
- application), and SG-A is the IP layer.
-
- Note that tunnel mode is still required.
-
- As Alice and SG-A are acting on behalf of themselves, no TXT based
- delegation record is necessary for Alice to initiate. She can rely
- on FQDN in a forward map. This is particularly attractive to mobile
- nodes such as notebook computers at conferences. To respond, Alice/
- SG-A will still need an entry in Alice's reverse-map.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 29]
-
-Internet-Draft opportunistic May 2003
-
-
-8. Multi-homing
-
- If there are multiple paths between Alice and Bob (as illustrated in
- the diagram with SG-D), then additional DNS records are required to
- establish authorization.
-
- In Figure 1, Alice has two ways to exit her network: SG-A and SG-D.
- Previously SG-D has been ignored. Postulate that there are routers
- between Alice and her set of security gateways (denoted by the +
- signs and the marking of an autonomous system number for Alice's
- network). Datagrams may, therefore, travel to either SG-A or SG-D en
- route to Bob.
-
- As long as all network connections are in good order, it does not
- matter how datagrams exit Alice's network. When they reach either
- security gateway, the security gateway will find the TXT delegation
- record in Bob's reverse-map, and establish an SA with SG-B.
-
- SG-B has no problem establishing that either of SG-A or SG-D may
- speak for Alice, because Alice has published two equally weighted TXT
- delegation records:
-
- ---------------------------------------------------------------------
-
-
- X-IPsec-Server(10)=192.1.1.5 AQMM...3s1Q==
- X-IPsec-Server(10)=192.1.1.6 AAJN...j8r9==
-
- Figure 4: Multiple gateway delegation example for Alice
-
- ---------------------------------------------------------------------
-
- Alice's routers can now do any kind of load sharing needed. Both SG-
- A and SG-D send datagrams addressed to Bob through their tunnel to
- SG-B.
-
- Alice's use of non-equal weight delegation records to show preference
- of one gateway over another, has relevance only when SG-B is
- initiating to Alice.
-
- If the precedences are the same, then SG-B has a more difficult time.
- It must decide which of the two tunnels to use. SG-B has no
- information about which link is less loaded, nor which security
- gateway has more cryptographic resources available. SG-B, in fact,
- has no knowledge of whether both gateways are even reachable.
-
- The Public Internet's default-free zone may well know a good route to
- Alice, but the datagrams that SG-B creates must be addressed to
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 30]
-
-Internet-Draft opportunistic May 2003
-
-
- either SG-A or SG-D; they can not be addressed to Alice directly.
-
- SG-B may make a number of choices:
-
- 1. It can ignore the problem and round robin among the tunnels.
- This causes losses during times when one or the other security
- gateway is unreachable. If this worries Alice, she can change
- the weights in her TXT delegation records.
-
- 2. It can send to the gateway from which it most recently received
- datagrams. This assumes that routing and reachability are
- symmetrical.
-
- 3. It can listen to BGP information from the Internet to decide
- which system is currently up. This is clearly much more
- complicated, but if SG-B is already participating in the BGP
- peering system to announce Bob, the results data may already be
- available to it.
-
- 4. It can refuse to negotiate the second tunnel. (It is unclear
- whether or not this is even an option.)
-
- 5. It can silently replace the outgoing portion of the first tunnel
- with the second one while still retaining the incoming portions
- of both. SG-B can, thus, accept datagrams from either SG-A or
- SG-D, but send only to the gateway that most recently re-keyed
- with it.
-
- Local policy determines which choice SG-B makes. Note that even if
- SG-B has perfect knowledge about the reachability of SG-A and SG-D,
- Alice may not be reachable from either of these security gateways
- because of internal reachability issues.
-
- FreeS/WAN implements option 5. Implementing a different option is
- being considered. The multi-homing aspects of OE are not well
- developed and may be the subject of a future document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 31]
-
-Internet-Draft opportunistic May 2003
-
-
-9. Failure modes
-
-9.1 DNS failures
-
- If a DNS server fails to respond, local policy decides whether or not
- to permit communication in the clear as embodied in the connection
- classes in Section 3.2. It is easy to mount a denial of service
- attack on the DNS server responsible for a particular network's
- reverse-map. Such an attack may cause all communication with that
- network to go in the clear if the policy is permissive, or fail
- completely if the policy is paranoid. Please note that this is an
- active attack.
-
- There are still many networks that do not have properly configured
- reverse-maps. Further, if the policy is not to communicate, the
- above denial of service attack isolates the target network.
- Therefore, the decision of whether or not to permit communication in
- the clear MUST be a matter of local policy.
-
-9.2 DNS configured, IKE failures
-
- DNS records claim that opportunistic encryption should occur, but the
- target gateway either does not respond on port 500, or refuses the
- proposal. This may be because of a crash or reboot, a faulty
- configuration, or a firewall filtering port 500.
-
- The receipt of ICMP port, host or network unreachable messages
- indicates a potential problem, but MUST NOT cause communication to
- fail immediately. ICMP messages are easily forged by attackers. If
- such a forgery caused immediate failure, then an active attacker
- could easily prevent any encryption from ever occurring, possibly
- preventing all communication.
-
- In these situations a clear log should be produced and local policy
- should dictate if communication is then permitted in the clear.
-
-9.3 System reboots
-
- Tunnels sometimes go down because the remote end crashes,
- disconnects, or has a network link break. In general there is no
- notification of this. Even in the event of a crash and successful
- reboot, other SGs don't hear about it unless the rebooted SG has
- specific reason to talk to them immediately. Over-quick response to
- temporary network outages is undesirable. Note that a tunnel can be
- torn down and then re-established without any effect visible to the
- user except a pause in traffic. On the other hand, if one end
- reboots, the other end can't get datagrams to it at all (except via
- IKE) until the situation is noticed. So a bias toward quick response
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 32]
-
-Internet-Draft opportunistic May 2003
-
-
- is appropriate even at the cost of occasional false alarms.
-
- A mechanism for recovery after reboot is a topic of current research
- and is not specified in this document.
-
- A deliberate shutdown should include an attempt, using deletes, to
- notify all other SGs currently connected by phase 1 SAs that
- communication is about to fail. Again, a remote SG will assume this
- is a teardown. Attempts by the remote SGs to negotiate new tunnels
- as replacements should be ignored. When possible, SGs should attempt
- to preserve information about currently-connected SGs in non-volatile
- storage, so that after a crash, an Initial-Contact can be sent to
- previous partners to indicate loss of all previously established
- connections.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 33]
-
-Internet-Draft opportunistic May 2003
-
-
-10. Unresolved issues
-
-10.1 Control of reverse DNS
-
- The method of obtaining information by reverse DNS lookup causes
- problems for people who cannot control their reverse DNS bindings.
- This is an unresolved problem in this version, and is out of scope.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 34]
-
-Internet-Draft opportunistic May 2003
-
-
-11. Examples
-
-11.1 Clear-text usage (permit policy)
-
- Two example scenarios follow. In the first example GW-A (Gateway A)
- and GW-B (Gateway B) have always-clear-text policies, and in the
- second example they have an OE policy.
-
- ---------------------------------------------------------------------
-
-
- Alice SG-A DNS SG-B Bob
- (1)
- ------(2)-------------->
- <-----(3)---------------
- (4)----(5)----->
- ----------(6)------>
- ------(7)----->
- <------(8)------
- <----------(9)------
- <----(10)-----
- (11)----------->
- ----------(12)----->
- -------------->
- <---------------
- <-------------------
- <-------------
-
- Figure 5: Timing of regular transaction
-
- ---------------------------------------------------------------------
-
- Alice wants to communicate with Bob. Perhaps she wants to retrieve a
- web page from Bob's web server. In the absence of opportunistic
- encryptors, the following events occur:
-
- (1) Human or application 'clicks' with a name.
-
- (2) Application looks up name in DNS to get IP address.
-
- (3) Resolver returns A record to application.
-
- (4) Application starts a TCP session or UDP session and OS sends
- datagram.
-
- (5) Datagram is seen at first gateway from Alice (SG-A). (SG-A makes
- a transition through Empty connection to always-clear connection
- and instantiates a pass-through policy at the forwarding plane.)
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 35]
-
-Internet-Draft opportunistic May 2003
-
-
- (6) Datagram is seen at last gateway before Bob (SG-B).
-
- (7) First datagram from Alice is seen by Bob.
-
- (8) First return datagram is sent by Bob.
-
- (9) Datagram is seen at Bob's gateway. (SG-B makes a transition
- through Empty connection to always-clear connection and
- instantiates a pass-through policy at the forwarding plane.)
-
- (10) Datagram is seen at Alice's gateway.
-
- (11) OS hands datagram to application. Alice sends another datagram.
-
- (12) A second datagram traverses the Internet.
-
-
-11.2 Opportunistic encryption
-
- In the presence of properly configured opportunistic encryptors, the
- event list is extended.
-
- ---------------------------------------------------------------------
-
-
- Alice SG-A DNS SG-B Bob
- (1)
- ------(2)-------------->
- <-----(3)---------------
- (4)----(5)----->+
- ----(5B)->
- <---(5C)--
- ~~~~~~~~~~~~~(5D)~~~>
- <~~~~~~~~~~~~(5E1)~~~
- ~~~~~~~~~~~~~(5E2)~~>
- <~~~~~~~~~~~~(5E3)~~~
- #############(5E4)##>
- <############(5E5)###
- <----(5F1)--
- -----(5F2)->
- #############(5G1)##>
- <----(5H1)--
- -----(5H2)->
- <############(5G2)###
- #############(5G3)##>
- ============(6)====>
- ------(7)----->
- <------(8)------
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 36]
-
-Internet-Draft opportunistic May 2003
-
-
- <==========(9)======
- <-----(10)----
- (11)----------->
- ==========(12)=====>
- -------------->
- <---------------
- <===================
- <-------------
-
- Figure 6: Timing of opportunistic encryption transaction
-
- ---------------------------------------------------------------------
-
- (1) Human or application clicks with a name.
-
- (2) Application initiates DNS mapping.
-
- (3) Resolver returns A record to application.
-
- (4) Application starts a TCP session or UDP.
-
- (5) SG-A (host or SG) sees datagram to target, and buffers it.
-
- (5B) SG-A asks DNS for TXT record.
-
- (5C) DNS returns TXT record(s).
-
- (5D) Initial IKE Main Mode Packet goes out.
-
- (5E) IKE ISAKMP phase 1 succeeds.
-
- (5F) SG-B asks DNS for TXT record to prove SG-A is an agent for
- Alice.
-
- (5G) IKE phase 2 negotiation.
-
- (5H) DNS lookup by responder (SG-B).
-
- (6) Buffered datagram is sent by SG-A.
-
- (7) Datagram is received by SG-B, decrypted, and sent to Bob.
-
- (8) Bob replies, and datagram is seen by SG-B.
-
- (9) SG-B already has tunnel up with SG-A, and uses it.
-
- (10) SG-A decrypts datagram and gives it to Alice.
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 37]
-
-Internet-Draft opportunistic May 2003
-
-
- (11) Alice receives datagram. Sends new packet to Bob.
-
- (12) SG-A gets second datagram, sees that tunnel is up, and uses it.
-
- For the purposes of this section, we will describe only the changes
- that occur between Figure 5 and Figure 6. This corresponds to time
- points 5, 6, 7, 9 and 10 on the list above.
-
-11.2.1 (5) IPsec datagram interception
-
- At point (5), SG-A intercepts the datagram because this source/
- destination pair lacks a policy (the non-existent policy state). SG-
- A creates a hold policy, and buffers the datagram. SG-A requests
- keys from the keying daemon.
-
-11.2.2 (5B) DNS lookup for TXT record
-
- SG-A's IKE daemon, having looked up the source/destination pair in
- the connection class list, creates a new Potential OE connection
- instance. SG-A starts DNS queries.
-
-11.2.3 (5C) DNS returns TXT record(s)
-
- DNS returns properly formed TXT delegation records, and SG-A's IKE
- daemon causes this instance to make a transition from Potential OE
- connection to Pending OE connection.
-
- Using the example above, the returned record might contain:
-
- ---------------------------------------------------------------------
-
-
- X-IPsec-Server(10)=192.1.1.5 AQMM...3s1Q==
-
- Figure 7: Example of reverse delegation record for Bob
-
- ---------------------------------------------------------------------
-
- with SG-B's IP address and public key listed.
-
-11.2.4 (5D) Initial IKE main mode packet goes out
-
- Upon entering Pending OE connection, SG-A sends the initial ISAKMP
- message with proposals. See Section 4.6.1.
-
-11.2.5 (5E1) Message 2 of phase 1 exchange
-
- SG-B receives the message. A new connection instance is created in
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 38]
-
-Internet-Draft opportunistic May 2003
-
-
- the unauthenticated OE peer state.
-
-11.2.6 (5E2) Message 3 of phase 1 exchange
-
- SG-A sends a Diffie-Hellman exponent. This is an internal state of
- the keying daemon.
-
-11.2.7 (5E3) Message 4 of phase 1 exchange
-
- SG-B responds with a Diffie-Hellman exponent. This is an internal
- state of the keying protocol.
-
-11.2.8 (5E4) Message 5 of phase 1 exchange
-
- SG-A uses the phase 1 SA to send its identity under encryption. The
- choice of identity is discussed in Section 4.6.1. This is an
- internal state of the keying protocol.
-
-11.2.9 (5F1) Responder lookup of initiator key
-
- SG-B asks DNS for the public key of the initiator. DNS looks for a
- KEY record by IP address in the reverse-map. That is, a KEY resource
- record is queried for 4.1.1.192.in-addr.arpa (recall that SG-A's
- external address is 192.1.1.4). SG-B uses the resulting public key
- to authenticate the initiator. See Section 5.1 for further details.
-
-11.2.10 (5F2) DNS replies with public key of initiator
-
- Upon successfully authenticating the peer, the connection instance
- makes a transition to authenticated OE peer on SG-B.
-
- The format of the TXT record returned is described in Section 5.2.
-
-11.2.11 (5E5) Responder replies with ID and authentication
-
- SG-B sends its ID along with authentication material. This is an
- internal state for the keying protocol.
-
-11.2.12 (5G) IKE phase 2
-
-11.2.12.1 (5G1) Initiator proposes tunnel
-
- Having established mutually agreeable authentications (via KEY) and
- authorizations (via TXT), SG-A proposes to create an IPsec tunnel for
- datagrams transiting from Alice to Bob. This tunnel is established
- only for the Alice/Bob combination, not for any subnets that may be
- behind SG-A and SG-B.
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 39]
-
-Internet-Draft opportunistic May 2003
-
-
-11.2.12.2 (5H1) Responder determines initiator's authority
-
- While the identity of SG-A has been established, its authority to
- speak for Alice has not yet been confirmed. SG-B does a reverse
- lookup on Alice's address for a TXT record.
-
- Upon receiving this specific proposal, SG-B's connection instance
- makes a transition into the potential OE connection state. SG-B may
- already have an instance, and the check is made as described above.
-
-11.2.12.3 (5H2) DNS replies with TXT record(s)
-
- The returned key and IP address should match that of SG-A.
-
-11.2.12.4 (5G2) Responder agrees to proposal
-
- Should additional communication occur between, for instance, Dave and
- Bob using SG-A and SG-B, a new tunnel (phase 2 SA) would be
- established. The phase 1 SA may be reusable.
-
- SG-A, having successfully keyed the tunnel, now makes a transition
- from Pending OE connection to Keyed OE connection.
-
- The responder MUST setup the inbound IPsec SAs before sending its
- reply.
-
-11.2.12.5 (5G3) Final acknowledgment from initiator
-
- The initiator agrees with the responder's choice and sets up the
- tunnel. The initiator sets up the inbound and outbound IPsec SAs.
-
- The proper authorization returned with keys prompts SG-B to make a
- transition to the keyed OE connection state.
-
- Upon receipt of this message, the responder may now setup the
- outbound IPsec SAs.
-
-11.2.13 (6) IPsec succeeds, and sets up tunnel for communication between
- Alice and Bob
-
- SG-A sends the datagram saved at step (5) through the newly created
- tunnel to SG-B, where it gets decrypted and forwarded. Bob receives
- it at (7) and replies at (8).
-
-11.2.14 (9) SG-B already has tunnel up with G1 and uses it
-
- At (9), SG-B has already established an SPD entry mapping Bob->Alice
- via a tunnel, so this tunnel is simply applied. The datagram is
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 40]
-
-Internet-Draft opportunistic May 2003
-
-
- encrypted to SG-A, decrypted by SG-A and passed to Alice at (10).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 41]
-
-Internet-Draft opportunistic May 2003
-
-
-12. Security considerations
-
-12.1 Configured vs opportunistic tunnels
-
- Configured tunnels are those which are setup using bilateral
- mechanisms: exchanging public keys (raw RSA, DSA, PKIX), pre-shared
- secrets, or by referencing keys that are in known places
- (distinguished name from LDAP, DNS). These keys are then used to
- configure a specific tunnel.
-
- A pre-configured tunnel may be on all the time, or may be keyed only
- when needed. The end points of the tunnel are not necessarily
- static: many mobile applications (road warrior) are considered to be
- configured tunnels.
-
- The primary characteristic is that configured tunnels are assigned
- specific security properties. They may be trusted in different ways
- relating to exceptions to firewall rules, exceptions to NAT
- processing, and to bandwidth or other quality of service
- restrictions.
-
- Opportunistic tunnels are not inherently trusted in any strong way.
- They are created without prior arrangement. As the two parties are
- strangers, there MUST be no confusion of datagrams that arrive from
- opportunistic peers and those that arrive from configured tunnels. A
- security gateway MUST take care that an opportunistic peer can not
- impersonate a configured peer.
-
- Ingress filtering MUST be used to make sure that only datagrams
- authorized by negotiation (and the concomitant authentication and
- authorization) are accepted from a tunnel. This is to prevent one
- peer from impersonating another.
-
- An implementation suggestion is to treat opportunistic tunnel
- datagrams as if they arrive on a logical interface distinct from
- other configured tunnels. As the number of opportunistic tunnels
- that may be created automatically on a system is potentially very
- high, careful attention to scaling should be taken into account.
-
- As with any IKE negotiation, opportunistic encryption cannot be
- secure without authentication. Opportunistic encryption relies on
- DNS for its authentication information and, therefore, cannot be
- fully secure without a secure DNS. Without secure DNS, opportunistic
- encryption can protect against passive eavesdropping but not against
- active man-in-the-middle attacks.
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 42]
-
-Internet-Draft opportunistic May 2003
-
-
-12.2 Firewalls versus Opportunistic Tunnels
-
- Typical usage of per datagram access control lists is to implement
- various kinds of security gateways. These are typically called
- "firewalls".
-
- Typical usage of a virtual private network (VPN) within a firewall is
- to bypass all or part of the access controls between two networks.
- Additional trust (as outlined in the previous section) is given to
- datagrams that arrive in the VPN.
-
- Datagrams that arrive via opportunistically configured tunnels MUST
- not be trusted. Any security policy that would apply to a datagram
- arriving in the clear SHOULD also be applied to datagrams arriving
- opportunistically.
-
-12.3 Denial of service
-
- There are several different forms of denial of service that an
- implementor should concern themselves with. Most of these problems
- are shared with security gateways that have large numbers of mobile
- peers (road warriors).
-
- The design of ISAKMP/IKE, and its use of cookies, defend against many
- kinds of denial of service. Opportunism changes the assumption that
- if the phase 1 (ISAKMP) SA is authenticated, that it was worthwhile
- creating. Because the gateway will communicate with any machine, it
- is possible to form phase 1 SAs with any machine on the Internet.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 43]
-
-Internet-Draft opportunistic May 2003
-
-
-13. IANA Considerations
-
- There are no known numbers which IANA will need to manage.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 44]
-
-Internet-Draft opportunistic May 2003
-
-
-14. Acknowledgments
-
- Substantive portions of this document are based upon previous work by
- Henry Spencer.
-
- Thanks to Tero Kivinen, Sandy Harris, Wes Hardarker, Robert
- Moskowitz, Jakob Schlyter, Bill Sommerfeld, John Gilmore and John
- Denker for their comments and constructive criticism.
-
- Sandra Hoffman and Bill Dickie did the detailed proof reading and
- editing.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 45]
-
-Internet-Draft opportunistic May 2003
-
-
-Normative references
-
- [1] Redelmeier, D. and H. Spencer, "Opportunistic Encryption",
- paper http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/
- opportunism.spec, May 2001.
-
- [2] Defense Advanced Research Projects Agency (DARPA), Information
- Processing Techniques Office and University of Southern
- California (USC)/Information Sciences Institute, "Internet
- Protocol", STD 5, RFC 791, September 1981.
-
- [3] Braden, R. and J. Postel, "Requirements for Internet gateways",
- RFC 1009, June 1987.
-
- [4] IAB, IESG, Carpenter, B. and F. Baker, "IAB and IESG Statement
- on Cryptographic Technology and the Internet", RFC 1984, August
- 1996.
-
- [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [6] McDonald, D., Metz, C. and B. Phan, "PF_KEY Key Management API,
- Version 2", RFC 2367, July 1998.
-
- [7] Kent, S. and R. Atkinson, "Security Architecture for the
- Internet Protocol", RFC 2401, November 1998.
-
- [8] Piper, D., "The Internet IP Security Domain of Interpretation
- for ISAKMP", RFC 2407, November 1998.
-
- [9] Maughan, D., Schneider, M. and M. Schertler, "Internet Security
- Association and Key Management Protocol (ISAKMP)", RFC 2408,
- November 1998.
-
- [10] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
- RFC 2409, November 1998.
-
- [11] Kivinen, T. and M. Kojo, "More MODP Diffie-Hellman groups for
- IKE", RFC 3526, March 2003.
-
- [12] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [13] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [14] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
- August 1999.
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 46]
-
-Internet-Draft opportunistic May 2003
-
-
- [15] Rosenbaum, R., "Using the Domain Name System To Store Arbitrary
- String Attributes", RFC 1464, May 1993.
-
- [16] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [17] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
- System (DNS)", RFC 3110, May 2001.
-
- [18] Eastlake, D. and O. Gudmundsson, "Storing Certificates in the
- Domain Name System (DNS)", RFC 2538, March 1999.
-
- [19] Durham, D., Boyle, J., Cohen, R., Herzog, S., Rajan, R. and A.
- Sastry, "The COPS (Common Open Policy Service) Protocol", RFC
- 2748, January 2000.
-
- [20] Srisuresh, P. and M. Holdrege, "IP Network Address Translator
- (NAT) Terminology and Considerations", RFC 2663, August 1999.
-
-
-Authors' Addresses
-
- Michael C. Richardson
- Sandelman Software Works
- 470 Dawson Avenue
- Ottawa, ON K1Z 5V7
- CA
-
- EMail: mcr@sandelman.ottawa.on.ca
- URI: http://www.sandelman.ottawa.on.ca/
-
-
- D. Hugh Redelmeier
- Mimosa
- Toronto, ON
- CA
-
- EMail: hugh@mimosa.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 47]
-
-Internet-Draft opportunistic May 2003
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson & Redelmeier Expires November 19, 2003 [Page 48]
-
diff --git a/doc/draft-richardson-ipsec-rr.txt b/doc/draft-richardson-ipsec-rr.txt
deleted file mode 100644
index 7c229b8e1..000000000
--- a/doc/draft-richardson-ipsec-rr.txt
+++ /dev/null
@@ -1,840 +0,0 @@
-
-
-IPSECKEY WG M. Richardson
-Internet-Draft SSW
-Expires: March 4, 2004 September 4, 2003
-
-
- A method for storing IPsec keying material in DNS.
- draft-ietf-ipseckey-rr-07.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on March 4, 2004.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This document describes a new resource record for DNS. This record
- may be used to store public keys for use in IPsec systems.
-
- This record replaces the functionality of the sub-type #1 of the KEY
- Resource Record, which has been obsoleted by RFC3445.
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 1]
-
-Internet-Draft ipsecrr September 2003
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.2 Usage Criteria . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Storage formats . . . . . . . . . . . . . . . . . . . . . . . 4
- 2.1 IPSECKEY RDATA format . . . . . . . . . . . . . . . . . . . . 4
- 2.2 RDATA format - precedence . . . . . . . . . . . . . . . . . . 4
- 2.3 RDATA format - algorithm type . . . . . . . . . . . . . . . . 4
- 2.4 RDATA format - gateway type . . . . . . . . . . . . . . . . . 4
- 2.5 RDATA format - gateway . . . . . . . . . . . . . . . . . . . . 5
- 2.6 RDATA format - public keys . . . . . . . . . . . . . . . . . . 5
- 3. Presentation formats . . . . . . . . . . . . . . . . . . . . . 7
- 3.1 Representation of IPSECKEY RRs . . . . . . . . . . . . . . . . 7
- 3.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
- 4. Security Considerations . . . . . . . . . . . . . . . . . . . 9
- 4.1 Active attacks against unsecured IPSECKEY resource records . . 9
- 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
- 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
- Normative references . . . . . . . . . . . . . . . . . . . . . 13
- Non-normative references . . . . . . . . . . . . . . . . . . . 14
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . 14
- Full Copyright Statement . . . . . . . . . . . . . . . . . . . 15
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 2]
-
-Internet-Draft ipsecrr September 2003
-
-
-1. Introduction
-
- The type number for the IPSECKEY RR is TBD.
-
-1.1 Overview
-
- The IPSECKEY resource record (RR) is used to publish a public key
- that is to be associated with a Domain Name System (DNS) name for use
- with the IPsec protocol suite. This can be the public key of a
- host, network, or application (in the case of per-port keying).
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC2119 [8].
-
-1.2 Usage Criteria
-
- An IPSECKEY resource record SHOULD be used in combination with DNSSEC
- unless some other means of authenticating the IPSECKEY resource
- record is available.
-
- It is expected that there will often be multiple IPSECKEY resource
- records at the same name. This will be due to the presence of
- multiple gateways and the need to rollover keys.
-
- This resource record is class independent.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 3]
-
-Internet-Draft ipsecrr September 2003
-
-
-2. Storage formats
-
-2.1 IPSECKEY RDATA format
-
- The RDATA for an IPSECKEY RR consists of a precedence value, a public
- key, algorithm type, and an optional gateway address.
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | precedence | gateway type | algorithm | gateway |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ +
- ~ gateway ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | /
- / public key /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
-
-2.2 RDATA format - precedence
-
- This is an 8-bit precedence for this record. This is interpreted in
- the same way as the PREFERENCE field described in section 3.3.9 of
- RFC1035 [2].
-
- Gateways listed in IPSECKEY records with lower precedence are to be
- attempted first. Where there is a tie in precedence, the order
- should be non-deterministic.
-
-2.3 RDATA format - algorithm type
-
- The algorithm type field identifies the public key's cryptographic
- algorithm and determines the format of the public key field.
-
- A value of 0 indicates that no key is present.
-
- The following values are defined:
-
- 1 A DSA key is present, in the format defined in RFC2536 [11]
-
- 2 A RSA key is present, in the format defined in RFC3110 [12]
-
-
-2.4 RDATA format - gateway type
-
- The gateway type field indicates the format of the information that
- is stored in the gateway field.
-
-
-
-Richardson Expires March 4, 2004 [Page 4]
-
-Internet-Draft ipsecrr September 2003
-
-
- The following values are defined:
-
- 0 No gateway is present
-
- 1 A 4-byte IPv4 address is present
-
- 2 A 16-byte IPv6 address is present
-
- 3 A wire-encoded domain name is present. The wire-encoded format is
- self-describing, so the length is implicit. The domain name MUST
- NOT be compressed.
-
-
-2.5 RDATA format - gateway
-
- The gateway field indicates a gateway to which an IPsec tunnel may be
- created in order to reach the entity named by this resource record.
-
- There are three formats:
-
- A 32-bit IPv4 address is present in the gateway field. The data
- portion is an IPv4 address as described in section 3.4.1 of RFC1035
- [2]. This is a 32-bit number in network byte order.
-
- A 128-bit IPv6 address is present in the gateway field. The data
- portion is an IPv6 address as described in section 2.2 of RFC1886
- [7]. This is a 128-bit number in network byte order.
-
- The gateway field is a normal wire-encoded domain name, as described
- in section 3.3 of RFC1035 [2]. Compression MUST NOT be used.
-
-2.6 RDATA format - public keys
-
- Both of the public key types defined in this document (RSA and DSA)
- inherit their public key formats from the corresponding KEY RR
- formats. Specifically, the public key field contains the algorithm-
- specific portion of the KEY RR RDATA, which is all of the KEY RR DATA
- after the first four octets. This is the same portion of the KEY RR
- that must be specified by documents that define a DNSSEC algorithm.
- Those documents also specify a message digest to be used for
- generation of SIG RRs; that specification is not relevant for
- IPSECKEY RR.
-
- Future algorithms, if they are to be used by both DNSSEC (in the KEY
- RR) and IPSECKEY, are likely to use the same public key encodings in
- both records. Unless otherwise specified, the IPSECKEY public key
- field will contain the algorithm-specific portion of the KEY RR RDATA
- for the corresponding algorithm. The algorithm must still be
-
-
-
-Richardson Expires March 4, 2004 [Page 5]
-
-Internet-Draft ipsecrr September 2003
-
-
- designated for use by IPSECKEY, and an IPSECKEY algorithm type number
- (which might be different than the DNSSEC algorithm number) must be
- assigned to it.
-
- The DSA key format is defined in RFC2536 [11]
-
- The RSA key format is defined in RFC3110 [12], with the following
- changes:
-
- The earlier definition of RSA/MD5 in RFC2065 limited the exponent and
- modulus to 2552 bits in length. RFC3110 extended that limit to 4096
- bits for RSA/SHA1 keys. The IPSECKEY RR imposes no length limit on
- RSA public keys, other than the 65535 octet limit imposed by the two-
- octet length encoding. This length extension is applicable only to
- IPSECKEY and not to KEY RRs.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 6]
-
-Internet-Draft ipsecrr September 2003
-
-
-3. Presentation formats
-
-3.1 Representation of IPSECKEY RRs
-
- IPSECKEY RRs may appear in a zone data master file. The precedence,
- gateway type and algorithm and gateway fields are REQUIRED. The
- base64 encoded public key block is OPTIONAL; if not present, then the
- public key field of the resource record MUST be construed as being
- zero octets in length.
-
- The algorithm field is an unsigned integer. No mnemonics are
- defined.
-
- If no gateway is to be indicated, then the gateway type field MUST be
- zero, and the gateway field MUST be "."
-
- The Public Key field is represented as a Base64 encoding of the
- Public Key. Whitespace is allowed within the Base64 text. For a
- definition of Base64 encoding, see RFC1521 [3] Section 5.2.
-
- The general presentation for the record as as follows:
-
- IN IPSECKEY ( precedence gateway-type algorithm
- gateway base64-encoded-public-key )
-
-
-3.2 Examples
-
- An example of a node 192.0.2.38 that will accept IPsec tunnels on its
- own behalf.
-
- 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
- 192.0.2.38
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
- An example of a node, 192.0.2.38 that has published its key only.
-
- 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 0 2
- .
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
- An example of a node, 192.0.2.38 that has delegated authority to the
- node 192.0.2.3.
-
- 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
- 192.0.2.3
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-
-
-
-Richardson Expires March 4, 2004 [Page 7]
-
-Internet-Draft ipsecrr September 2003
-
-
- An example of a node, 192.0.1.38 that has delegated authority to the
- node with the identity "mygateway.example.com".
-
- 38.1.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 3 2
- mygateway.example.com.
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
- An example of a node, 2001:0DB8:0200:1:210:f3ff:fe03:4d0 that has
- delegated authority to the node 2001:0DB8:c000:0200:2::1
-
- $ORIGIN 1.0.0.0.0.0.2.8.B.D.0.1.0.0.2.ip6.int.
- 0.d.4.0.3.0.e.f.f.f.3.f.0.1.2.0 7200 IN IPSECKEY ( 10 2 2
- 2001:0DB8:0:8002::2000:1
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 8]
-
-Internet-Draft ipsecrr September 2003
-
-
-4. Security Considerations
-
- This entire memo pertains to the provision of public keying material
- for use by key management protocols such as ISAKMP/IKE (RFC2407) [9].
-
- The IPSECKEY resource record contains information that SHOULD be
- communicated to the end client in an integral fashion - i.e. free
- from modification. The form of this channel is up to the consumer of
- the data - there must be a trust relationship between the end
- consumer of this resource record and the server. This relationship
- may be end-to-end DNSSEC validation, a TSIG or SIG(0) channel to
- another secure source, a secure local channel on the host, or some
- combination of the above.
-
- The keying material provided by the IPSECKEY resource record is not
- sensitive to passive attacks. The keying material may be freely
- disclosed to any party without any impact on the security properties
- of the resulting IPsec session: IPsec and IKE provide for defense
- against both active and passive attacks.
-
- Any user of this resource record MUST carefully document their trust
- model, and why the trust model of DNSSEC is appropriate, if that is
- the secure channel used.
-
-4.1 Active attacks against unsecured IPSECKEY resource records
-
- This section deals with active attacks against the DNS. These
- attacks require that DNS requests and responses be intercepted and
- changed. DNSSEC is designed to defend against attacks of this kind.
-
- The first kind of active attack is when the attacker replaces the
- keying material with either a key under its control or with garbage.
-
- If the attacker is not able to mount a subsequent man-in-the-middle
- attack on the IKE negotiation after replacing the public key, then
- this will result in a denial of service, as the authenticator used by
- IKE would fail.
-
- If the attacker is able to both to mount active attacks against DNS
- and is also in a position to perform a man-in-the-middle attack on
- IKE and IPsec negotiations, then the attacker will be in a position
- to compromise the resulting IPsec channel. Note that an attacker
- must be able to perform active DNS attacks on both sides of the IKE
- negotiation in order for this to succeed.
-
- The second kind of active attack is one in which the attacker
- replaces the the gateway address to point to a node under the
- attacker's control. The attacker can then either replace the public
-
-
-
-Richardson Expires March 4, 2004 [Page 9]
-
-Internet-Draft ipsecrr September 2003
-
-
- key or remove it, thus providing an IPSECKEY record of its own to
- match the gateway address.
-
- This later form creates a simple man-in-the-middle since the attacker
- can then create a second tunnel to the real destination. Note that,
- as before, this requires that the attacker also mount an active
- attack against the responder.
-
- Note that the man-in-the-middle can not just forward cleartext
- packets to the original destination. While the destination may be
- willing to speak in the clear, replying to the original sender, the
- sender will have already created a policy expecting ciphertext.
- Thus, the attacker will need to intercept traffic from both sides.
- In some cases, the attacker may be able to accomplish the full
- intercept by use of Network Addresss/Port Translation (NAT/NAPT)
- technology.
-
- Note that the danger here only applies to cases where the gateway
- field of the IPSECKEY RR indicates a different entity than the owner
- name of the IPSECKEY RR. In cases where the end-to-end integrity of
- the IPSECKEY RR is suspect, the end client MUST restrict its use of
- the IPSECKEY RR to cases where the RR owner name matches the content
- of the gateway field.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 10]
-
-Internet-Draft ipsecrr September 2003
-
-
-5. IANA Considerations
-
- This document updates the IANA Registry for DNS Resource Record Types
- by assigning type X to the IPSECKEY record.
-
- This document creates an IANA registry for the algorithm type field.
-
- Values 0, 1 and 2 are defined in Section 2.3. Algorithm numbers 3
- through 255 can be assigned by IETF Consensus (see RFC2434 [6]).
-
- This document creates an IANA registry for the gateway type field.
-
- Values 0, 1, 2 and 3 are defined in Section 2.4. Algorithm numbers 4
- through 255 can be assigned by Standards Action (see RFC2434 [6]).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 11]
-
-Internet-Draft ipsecrr September 2003
-
-
-6. Acknowledgments
-
- My thanks to Paul Hoffman, Sam Weiler, Jean-Jacques Puig, Rob
- Austein, and Olafur Gurmundsson who reviewed this document carefully.
- Additional thanks to Olafur Gurmundsson for a reference
- implementation.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 12]
-
-Internet-Draft ipsecrr September 2003
-
-
-Normative references
-
- [1] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Borenstein, N. and N. Freed, "MIME (Multipurpose Internet Mail
- Extensions) Part One: Mechanisms for Specifying and Describing
- the Format of Internet Message Bodies", RFC 1521, September
- 1993.
-
- [4] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
- 9, RFC 2026, October 1996.
-
- [5] Eastlake, D. and C. Kaufman, "Domain Name System Security
- Extensions", RFC 2065, January 1997.
-
- [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 13]
-
-Internet-Draft ipsecrr September 2003
-
-
-Non-normative references
-
- [7] Thomson, S. and C. Huitema, "DNS Extensions to support IP
- version 6", RFC 1886, December 1995.
-
- [8] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [9] Piper, D., "The Internet IP Security Domain of Interpretation
- for ISAKMP", RFC 2407, November 1998.
-
- [10] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [11] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
- (DNS)", RFC 2536, March 1999.
-
- [12] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
- System (DNS)", RFC 3110, May 2001.
-
- [13] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource
- Record (RR)", RFC 3445, December 2002.
-
-
-Author's Address
-
- Michael C. Richardson
- Sandelman Software Works
- 470 Dawson Avenue
- Ottawa, ON K1Z 5V7
- CA
-
- EMail: mcr@sandelman.ottawa.on.ca
- URI: http://www.sandelman.ottawa.on.ca/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 14]
-
-Internet-Draft ipsecrr September 2003
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Expires March 4, 2004 [Page 15]
-
diff --git a/doc/draft-spencer-ipsec-ike-implementation.nr b/doc/draft-spencer-ipsec-ike-implementation.nr
deleted file mode 100644
index 5b5776e22..000000000
--- a/doc/draft-spencer-ipsec-ike-implementation.nr
+++ /dev/null
@@ -1,1203 +0,0 @@
-.\" date, expiry date, copyright year, and revision
-.DA "26 Feb 2002"
-.ds e "26 Aug 2002
-.ds c 2002
-.ds r 02
-.\" boilerplate
-.pl 10i
-.nr PL 10i
-.po 0
-.nr PO 0
-.ll 7.2i
-.nr LL 7.2i
-.lt 7.2i
-.nr LT 7.2i
-.hy 0
-.nr HY 0
-.ad l
-.nr PD 1v
-.\" macros for paragraph, section header, reference, TOC
-.de P
-.br
-.LP
-.in 3
-..
-.de H
-.br
-.ne 5
-.LP
-.in 0
-..
-.de R
-.IP " [\\$1]" 14
-..
-.de T
-.ie \\$1=1 \{\
-.nf
-.ta \n(LLu-3nR
-.\}
-.el \{\
-.fi
-.\}
-..
-.de S
-.ie '\\$1'' \\$2 \a \\$3
-.el \\$1. \\$2 \a \\$3
-..
-.\" headers/footers
-.ds LH "Internet Draft
-.ds CH "IKE Implementation Issues
-.ds RH "\*(DY
-.ds LF "Spencer & Redelmeier
-.ds CF "
-.ds RF "[Page %]
-.\" and let's get started
-.RT
-.nf
-.tl 'Network Working Group''Henry Spencer'
-.tl 'Internet Draft''SP Systems'
-.tl 'Expires: \*e''D. Hugh Redelmeier'
-.tl '''Mimosa Systems'
-.tl '''\*(DY'
-.sp
-.ce 99
-IKE Implementation Issues
-<draft-spencer-ipsec-ike-implementation-\*r.txt>
-.ce 0
-.H
-Status of this Memo
-.P
-This document is an Internet-Draft and is in full conformance with
-all provisions of Section 10 of RFC2026.
-.P
-(If approved as an Informational RFC...)
-This memo provides information for the Internet community.
-This memo does not specify an Internet standard of any kind.
-.P
-Distribution of this memo is unlimited.
-.P
-Internet-Drafts are working documents of the Internet Engineering
-Task Force (IETF), its areas, and its working groups.
-Note that
-other groups may also distribute working documents as Internet-Drafts.
-.P
-Internet-Drafts are draft documents valid for a maximum of six months
-and may be updated, replaced, or obsoleted by other documents at any
-time.
-It is inappropriate to use Internet-Drafts as reference
-material or to cite them other than as "work in progress."
-.P
-The list of current Internet-Drafts can be accessed at
-http://www.ietf.org/ietf/1id-abstracts.txt.
-.P
-The list of Internet-Draft Shadow Directories can be accessed at
-http://www.ietf.org/shadow.html.
-.P
-This Internet-Draft will expire on \*e.
-.H
-Copyright Notice
-.P
-Copyright (C) The Internet Society \*c. All Rights Reserved.
-.bp
-.H
-Table of Contents
-.P
-.T 1
-.S "1" "Introduction" "3"
-.S "2" "Lower-level Background and Notes" "4"
-.S "2.1" "Packet Handling" "4"
-.S "2.2" "Ciphers" "5"
-.S "2.3" "Interfaces" "5"
-.S "3" "IKE Infrastructural Issues" "5"
-.S "3.1" "Continuous Channel" "5"
-.S "3.2" "Retransmission" "5"
-.S "3.3" "Replay Prevention" "6"
-.S "4" "Basic Keying and Rekeying" "7"
-.S "4.1" "When to Create SAs" "7"
-.S "4.2" "When to Rekey" "8"
-.S "4.3" "Choosing an SA" "9"
-.S "4.4" "Why to Rekey" "9"
-.S "4.5" "Rekeying ISAKMP SAs" "10"
-.S "4.6" "Bulk Negotiation" "10"
-.S "5" "Deletions, Teardowns, Crashes" "11"
-.S "5.1" "Deletions" "11"
-.S "5.2" "Teardowns and Shutdowns" "12"
-.S "5.3" "Crashes" "13"
-.S "5.4" "Network Partitions" "13"
-.S "5.5" "Unknown SAs" "14"
-.S "6" "Misc. IKE Issues" "16"
-.S "6.1" "Groups 1 and 5" "16"
-.S "6.2" "To PFS Or Not To PFS" "16"
-.S "6.3" "Debugging Tools, Lack Thereof" "16"
-.S "6.4" "Terminology, Vagueness Thereof" "17"
-.S "6.5" "A Question of Identity" "17"
-.S "6.6" "Opportunistic Encryption" "17"
-.S "6.7" "Authentication and RSA Keys" "17"
-.S "6.8" "Misc. Snags" "18"
-.S "7" "Security Considerations" "19"
-.S "8" "References" "19"
-.S "" "Authors' Addresses" "20"
-.S "" "Full Copyright Statement" "21"
-.T 0
-.bp
-.H
-Abstract
-.P
-The current IPsec specifications for key exchange and connection management,
-RFCs 2408 [ISAKMP] and 2409 [IKE],
-leave many aspects of connection management unspecified,
-most prominently rekeying practices.
-Pending clarifications in future revisions of the specifications,
-this document sets down some successful experiences,
-to minimize the extent to which new implementors have to rely
-on unwritten folklore.
-.P
-The Linux FreeS/WAN implementation of IPsec interoperates
-with almost every other IPsec implementation.
-This document describes how the FreeS/WAN project has resolved
-some of the gaps in the IPsec specifications
-(and plans to resolve some others),
-and what difficulties have been encountered,
-in hopes that this generally-successful experience
-might be informative to new implementors.
-.P
-This is offered as an Informational RFC.
-.P
-This -\*r revision mainly:
-discusses ISAKMP SA expiry during IPsec-SA rekeying (4.5),
-revises the discussion of bidirectional Deletes (5.1),
-suggests remembering the parameters of successful negotiations
-for later use (4.2, 5.3),
-notes an unsuccessful negotiation from the other end as a hint of a possibly
-broken connection (5.5),
-and adds sections on network partitions (5.4),
-authentication methods and the subtleties of RSA public keys (6.7),
-and miscellaneous interoperability concerns (6.8).
-.H
-1. Introduction
-.P
-The current IPsec specifications for key exchange and connection management,
-RFCs 2408 [ISAKMP] and 2409 [IKE],
-leave many aspects of connection management unspecified,
-most prominently rekeying practices.
-This is a cryptic puzzle which
-each group of implementors has to struggle with,
-and differences in how the ambiguities and gaps are resolved are
-potentially a fruitful source of interoperability problems.
-We can hope that future revisions of the specifications will clear this up.
-Meanwhile, it seems useful to set down some successful experiences,
-to minimize the extent to which new implementors have to rely
-on unwritten folklore.
-.P
-The Linux FreeS/WAN implementation of IPsec interoperates
-with almost every other IPsec implementation,
-and because of its free nature,
-it also sees some use as a reference implementation by other implementors.
-The high degree of interoperability is noteworthy
-given its organizers' strong minimalist bias,
-which has caused them to implement only
-a small subset of the full glory of IPsec.
-This document describes how the FreeS/WAN project has resolved
-some of the gaps in the IPsec specifications
-(and plans to resolve some others),
-and what difficulties have been encountered,
-in hopes that this generally-successful experience
-might be informative to new implementors.
-.P
-One small caution about applicability:
-this experience may not be relevant
-to severely resource-constrained implementations.
-FreeS/WAN's target environment is previous-generation PCs,
-now available at trivial cost (often,
-within an organization, at no cost),
-which have quite impressive CPU power and memory by the standards
-of only a few years ago.
-Some of the approaches discussed here may be inapplicable to
-implementations with severe external constraints which prevent them
-from taking advantage of modern hardware technology.
-.H
-2. Lower-level Background and Notes
-.H
-2.1. Packet Handling
-.P
-FreeS/WAN implements ESP [ESP] and AH [AH] straightforwardly,
-although AH sees little use among our users.
-Our ESP/AH implementation cannot currently handle packets
-with IP options;
-somewhat surprisingly, this has caused little difficulty.
-We insist on encryption and do not support authentication-only
-connections, and this has not caused significant difficulty either.
-.P
-MTU and fragmentation issues, by contrast, have been a constant headache.
-We will not describe the details of our current approach to them,
-because it still needs work.
-One difficulty we have encountered is that many combinations of
-packet source and packet destination
-apparently cannot cope with an "interior minimum" in the path MTU,
-e.g. where an IPsec tunnel intervenes and its headers reduce the MTU
-for an intermediate link.
-This is particularly prevalent when using common PC software to
-connect to large well-known web sites;
-we think it is largely due to
-misconfigured firewalls which do not pass ICMP
-Fragmentation Required messages.
-The only solution we have yet found is to lie about the MTU of the tunnel,
-accepting the (undesirable) fragmentation of the ESP packets
-for the sake of preserving connectivity.
-.P
-We currently zero out the TOS field of ESP packets,
-rather than copying it from the inner header,
-on the grounds that it lends itself too well to traffic analysis
-and covert channels.
-We provide an option to restore RFC 2401 [IPSEC] copying behavior,
-but this appears to see little use.
-.H
-2.2. Ciphers
-.P
-We initially implemented both DES [DES] and 3DES [CIPHERS] for both
-IKE and ESP,
-but after the Deep Crack effort [CRACK] demonstrated its inherent insecurity,
-we dropped support for DES.
-Somewhat surprisingly,
-our insistence on 3DES has caused almost no interoperability problems,
-despite DES being officially mandatory.
-A very few other systems either do not support 3DES or support it only
-as an optional upgrade,
-which inconveniences a few would-be users.
-There have also been one or two cases of systems
-which don't quite seem to know the difference!
-.P
-See also section 6.1 for a consequence of our insistence on 3DES.
-.H
-2.3. Interfaces
-.P
-We currently employ PF_KEY version 2 [PFKEY],
-plus various non-standard extensions,
-as our interface between keying and ESP.
-This has not proven entirely satisfactory.
-Our feeling now is that keying issues and policy issues
-do not really lend
-themselves to the clean separation that PF_KEY envisions.
-.H
-3. IKE Infrastructural Issues
-.P
-A number of problems in IPsec connection management become easier if
-some attention is first paid to providing an infrastructure
-to support solving them.
-.H
-3.1. Continuous Channel
-.P
-FreeS/WAN uses an approximation to the "continuous channel" model,
-in which ISAKMP SAs are maintained between IKEs
-so long as any IPsec SAs are open between the two systems.
-The resource consumption of this is minor:
-the only substantial overhead is occasional rekeying.
-IPsec SA management becomes significantly simpler if there is always
-a channel for transmission of control messages.
-We suggest (although we do not yet fully implement this) that
-inability to maintain (e.g., to rekey) this control path
-should be grounds for tearing down the IPsec SAs as well.
-.P
-As a corollary of this,
-there is one and only one ISAKMP SA maintained between a pair of IKEs
-(although see sections 5.3 and 6.5 for minor complications).
-.H
-3.2. Retransmission
-.P
-The unreliable nature of UDP transmission is a nuisance.
-IKE implementations should always be prepared to retransmit the most recent
-message they sent on an ISAKMP SA,
-since there is some possibility that the other end did not get it.
-This means, in particular,
-that the system sending the supposedly-last message of an exchange
-cannot relax and assume that the exchange is complete,
-at least not until a significant timeout has elapsed.
-.P
-Systems must also retain information about the message most recently received
-in an exchange,
-so that a duplicate of it can be detected
-(and possibly interpreted as a NACK for the response).
-.P
-The retransmission rules FreeS/WAN follows are:
-(1) if a reply is expected, retransmit only if it does not appear
-before a timeout;
-and (2) if a reply is not expected (last message of the exchange),
-retransmit only on receiving a retransmission of the previous message.
-Notably, in case (1) we do NOT retransmit on receiving a retransmission,
-which avoids possible congestion problems arising from packet duplication,
-at the price of slowing response to packet loss.
-The timeout for case (1) is 10 seconds for the first retry,
-20 seconds for the second, and 40 seconds for all subsequent
-retries (normally only one,
-except when
-configuration settings call for persistence and the message is
-the first message of Main Mode with a new peer).
-These retransmission rules have been entirely successful.
-.P
-(Michael Thomas of Cisco has pointed out that the retry timeouts should
-include some random jitter, to de-synchronize hosts which are
-initially synchronized by, e.g., a power outage.
-We already jitter our rekeying times,
-as noted in section 4.2,
-but that does not help with initial startup.
-We're implementing jittered retries,
-but cannot yet report on experience with this.)
-.P
-There is a deeper problem, of course, when an entire "exchange" consists
-of a single message,
-e.g. the ISAKMP Informational Exchange.
-Then there is no way to decide whether or when a retransmission is
-warranted at all.
-This seems like poor design, to put it mildly
-(and there is now talk of fixing it).
-We have no experience in dealing with this problem at this time,
-although it is part of the reason why we have delayed implementing
-Notification messages.
-.H
-3.3. Replay Prevention
-.P
-The unsequenced nature of UDP transmission is also troublesome,
-because it means that higher levels must consider the possibility
-of replay attacks.
-FreeS/WAN takes the position that systematically eliminating this
-possibility at a low level is strongly preferable to forcing careful
-consideration of possible impacts at every step of an exchange.
-RFC 2408 [ISAKMP] section 3.1 states that the Message ID of an
-ISAKMP message must be "unique".
-FreeS/WAN interprets this literally,
-as forbidding duplication of Message IDs
-within the set of all messages sent via a single ISAKMP SA.
-.P
-This requires remembering all Message IDs until the ISAKMP SA is
-superseded by rekeying,
-but that is not costly (four bytes per sent or received message),
-and it ELIMINATES replay attacks from consideration;
-we believe this investment of resources is well worthwhile.
-If the resource consumption becomes excessive\(emin our experience
-it has not\(emthe ISAKMP SA can be rekeyed early to collect the garbage.
-.P
-There is theoretically an interoperability problem when talking to
-implementations which interpret "unique" more loosely
-and may re-use Message IDs,
-but it has not been encountered in practice.
-This approach appears to be completely interoperable.
-.P
-The proposal by
-Andrew Krywaniuk [REPLAY],
-which advocates turning the Message ID into an anti-replay counter,
-would achieve the same goal without the minor per-message memory overhead.
-This may be preferable,
-although it means an actual protocol change and more study is needed.
-.H
-4. Basic Keying and Rekeying
-.H
-4.1. When to Create SAs
-.P
-As Tim Jenkins [REKEY] pointed out,
-there is a potential race condition in Quick Mode:
-a fast lightly-loaded Initiator might start using IPsec SAs very
-shortly after sending QM3 (the third and last message of Quick Mode),
-while a slow heavily-loaded Responder might
-not be ready to receive them until after spending
-a significant amount of time creating its inbound SAs.
-The problem is even worse if QM3 gets delayed or lost.
-.P
-FreeS/WAN's approach to this is what Jenkins called "Responder Pre-Setup":
-the Responder creates its inbound IPsec SAs before it sends QM2,
-so they are always ready and waiting
-when the Initiator sends QM3 and begins sending traffic.
-This approach is simple and reliable,
-and in our experience it interoperates with everybody.
-(There is potentially still a problem if FreeS/WAN is the Initiator
-and the Responder does not use Responder Pre-Setup,
-but no such problems have been seen.)
-The only real weakness of Responder Pre-Setup
-is the possibility of replay attacks,
-which we have eliminated by other means (see section 3.3).
-.P
-With this approach, the Commit Bit is useless,
-and we ignore it.
-In fact, until quite recently we discarded any IKE message containing it,
-and this caused surprisingly few interoperability problems;
-apparently it is not widely used.
-We have recently been persuaded that simply ignoring it is preferable;
-preliminary experience with this indicates that the result is successful
-interoperation with implementations which set it.
-.H
-4.2. When to Rekey
-.P
-To preserve connectivity for user traffic,
-rekeying of a connection
-(that is, creation of new IPsec SAs to supersede the current ones)
-must begin before its current IPsec SAs expire.
-Preferably one end should predictably start rekeying negotiations first,
-to avoid the extra overhead of two simultaneous negotiations,
-although either end should be prepared to rekey if the other does not.
-There is also a problem with "convoys" of keying negotiations:
-for example, a "hub" gateway with many IPsec connections
-can be inundated with rekeying negotiations
-exactly one connection-expiry time after it reboots,
-and the massive overload this induces tends to make this
-situation self-perpetuating,
-so it recurs regularly.
-(Convoys can also evolve gradually from initially-unsynchronized negotiations.)
-.P
-FreeS/WAN has the concept of a "rekeying margin", measured in seconds.
-If FreeS/WAN was the Initiator for the previous rekeying
-(or the startup, if none) of the connection,
-it nominally starts rekeying negotiations at expiry time
-minus one rekeying margin.
-Some random jitter is added to break up convoys:
-rather than starting rekeying exactly at minus one margin,
-it starts at a random time between minus one margin
-and minus two margins.
-(The randomness here need not be cryptographic in quality,
-so long as it varies over time and between hosts.
-We use an ordinary PRNG seeded with a few bytes from a cryptographic
-randomness source.
-The seeding mostly just ensures that the PRNG sequence is different
-for different hosts, even if they start up simultaneously.)
-.P
-If FreeS/WAN was the Responder for the previous rekeying/startup,
-and nothing has been heard from the previous Initiator
-at expiry time minus one-half the rekeying margin,
-FreeS/WAN will initiate rekeying negotiations.
-No jitter is applied;
-we now believe that it should be jittered,
-say between minus one-half margin and minus one-quarter margin.
-.P
-Having the Initiator lead the way is an obvious way of deciding
-who should speak first,
-since there is already an Initiator/Responder asymmetry in the connection.
-Moreover, our experience has been that Initiator lead gives a significantly
-higher probability of successful negotiation!
-The negotiation process itself is asymmetric,
-because the Initiator must make a few specific proposals which the Responder
-can only accept or reject,
-so the Initiator must try to guess where its "acceptable" region
-(in parameter space)
-might overlap with the Responder's.
-We have seen situations where negotiations would succeed or fail
-depending on which end initiated them,
-because one end was making better guesses.
-Given an existing connection,
-we KNOW that the previous Initiator WAS able to initiate a successful
-negotiation,
-so it should (if at all possible) take the lead again.
-Also, the Responder should remember the Initiator's successful proposal,
-and start from that
-rather than from his own default proposals if he must take the lead;
-we don't currently implement this completely but plan to.
-.P
-FreeS/WAN defaults the rekeying margin to 9 minutes,
-although this can be changed by configuration.
-There is also
-a configuration option to alter the permissible range of jitter.
-The defaults were chosen somewhat arbitrarily,
-but they work extremely well
-and the configuration options are rarely used.
-.H
-4.3. Choosing an SA
-.P
-Once rekeying has occurred,
-both old and new IPsec SAs for the connection exist,
-at least momentarily.
-FreeS/WAN accepts incoming traffic
-on either old or new inbound SAs,
-but sends outgoing traffic only on the new outbound ones.
-This approach appears to be significantly more robust than
-using the old ones until they expire,
-notably in cases where renegotiation has occurred because something has
-gone wrong on the other end.
-It avoids having to pay meticulous attention to the state of the other end,
-state which is difficult to learn reliably given the limitations of IKE.
-.P
-This approach has interoperated successfully with ALMOST all other
-implementations.
-The only (well-characterized) problem cases have been implementations
-which rely on receiving a Delete message for the old SAs to tell them
-to switch over to the new ones.
-Since delivery of Delete is unreliable,
-and support for Delete is optional,
-this reliance seems like a serious mistake.
-This is all the more true because Delete
-announces that the deletion has
-already occurred [ISAKMP, section 3.15], not that it is about to occur,
-so packets already in transit in the other direction could be lost.
-Delete should be used for resource cleanup, not for switchover control.
-(These matters are discussed further in section 5.)
-.H
-4.4. Why to Rekey
-.P
-FreeS/WAN currently implements only time-based expiry (life in seconds),
-although we are working toward
-supporting volume-based expiry (life in kilobytes) as well.
-The lack of volume-based expiry has not been an interoperability
-problem so far.
-.P
-Volume-based expiry does add some minor complications.
-In particular, it makes explicit Delete of now-disused SAs more important,
-because once an SA stops being used,
-it might not expire on its own.
-We believe this lacks robustness and is generally unwise,
-especially given the lack of a reliable Delete,
-and expect to use volume-based expiry only as a supplement
-to time-based expiry.
-However, Delete support (see section 5) does seem advisable
-for use with volume-based expiry.
-.P
-We do not believe that volume-based expiry alters the desirability
-of switching immediately to the new SAs after rekeying.
-Rekeying margins are normally a small fraction of the total life of an SA,
-so we feel there is no great need to "use it all up".
-.H
-4.5. Rekeying ISAKMP SAs
-.P
-The above discussion has focused on rekeying for IPsec SAs,
-but FreeS/WAN applies the same approaches to rekeying for ISAKMP SAs,
-with similar success.
-.P
-One issue which we have noticed, but not explicitly dealt with,
-is that difficulties may ensue if an IPsec-SA rekeying negotiation
-is in progress at the time when the relevant ISAKMP SA gets rekeyed.
-The IKE specification [IKE] hints, but does not actually say,
-that a Quick Mode negotiation should remain on a single ISAKMP SA throughout.
-.P
-A reasonable rekeying margin will generally
-prevent the old ISAKMP SA from actually expiring during a negotiation.
-Some attention may be needed to prevent in-progress negotiations from
-being switched to the new ISAKMP SA.
-Any attempt at pre-expiry deletion of the ISAKMP SA must be postponed
-until after such dangling negotiations are completed,
-and there should be enough delay between ISAKMP-SA rekeying and a
-deletion attempt to (more or less)
-ensure that there are no negotiation-starting packets still in transit
-from before the rekeying.
-.P
-At present, FreeS/WAN does none of this,
-and we don't KNOW of any resulting trouble.
-With normal lifetimes, the problem should be uncommon,
-and we speculate that an occasional disrupted negotiation simply gets retried.
-.H
-4.6. Bulk Negotiation
-.P
-Quick Mode nominally provides for negotiating possibly-large numbers of
-similar but unrelated IPsec SAs simultaneously
-[IKE, section 9].
-Nobody appears to do this.
-FreeS/WAN does not support it, and its absence has caused no problems.
-.H
-5. Deletions, Teardowns, Crashes
-.P
-FreeS/WAN currently ignores all Notifications and Deletes,
-and never generates them.
-This has caused little difficulty in interoperability,
-which shouldn't be surprising (since Notification and Delete support is
-officially entirely optional) but does seem to surprise some people.
-Nevertheless, we do plan some changes to this approach
-based on past experience.
-.H
-5.1. Deletions
-.P
-As hinted at above,
-we plan to implement Delete support, done as follows.
-Shortly after rekeying of IPsec SAs,
-the Responder issues a Delete for its old inbound SAs
-(but does not actually delete them yet).
-The Responder initiates this because the Initiator started using the
-new SAs on sending QM3, while the Responder started using them only
-on (or somewhat after) receiving QM3,
-so there is less chance of old-SA packets still being in transit from
-the Initiator.
-The Initiator issues an unsolicited Delete only if it does not hear one
-from the Responder after a longer delay.
-.P
-Either party, on receiving a Delete
-for one or more of the old outbound SAs of a connection,
-deletes ALL the connection's SAs,
-and acknowledges with a Delete for the old inbound SAs.
-A Delete for nonexistent SAs
-(e.g., SAs which have already been expired or deleted) is ignored.
-There is no retransmission of unacknowledged Deletes.
-.P
-In the normal case,
-with prompt reliable transmission (except possibly for loss of the
-Responder's initial Delete)
-and conforming implementations
-on both ends, this results in three Deletes being transmitted,
-resembling the classic three-way handshake.
-Loss of a Delete after the first, or multiple losses,
-will cause the SAs not to be deleted on at least one end.
-It appears difficult to do much better without at least
-a distinction between request and acknowledgement.
-.P
-RFC 2409 section 9 "strongly suggests" that there be no response to
-informational messages such as Deletes,
-but the only rationale offered is prevention of infinite loops
-endlessly exchanging "I don't understand you" informationals.
-Since Deletes cannot lead to such a loop
-(and in any case, the nonexistent-SA rule prevents more than one
-acknowledgement for the same connection),
-we believe this recommendation is inapplicable here.
-.P
-As noted in section 4.3, these Deletes are intended for
-resource cleanup, not to control switching between SAs.
-But we expect that they will improve interoperability
-with some broken implementations.
-.P
-We believe strongly that connections need to be considered as a whole,
-rather than treating each SA as an independent entity.
-We will issue Deletes only for the full set of inbound SAs of
-a connection,
-and will treat a Delete for any outbound SA as equivalent to deletion
-of all the outbound SAs for the associated connection.
-.P
-The above is phrased in terms of IPsec SAs,
-but essentially the same approach can be applied to ISAKMP SAs
-(the Deletes for the old ISAKMP SA should be sent via the new one).
-.H
-5.2. Teardowns and Shutdowns
-.P
-When a connection is not intended to be up permanently,
-there is a need to coordinate teardown,
-so that both ends are aware that the connection is down.
-This is both for recovery of resources,
-and to avoid routing packets through
-dangling SAs which can no longer deliver them.
-.P
-Connection teardown will use the same bidirectional exchange of Deletes
-as discussed in section 5.1:
-a Delete received for current IPsec SAs (not yet obsoleted by rekeying)
-indicates that the other host wishes to tear down the associated connection.
-.P
-A Delete received for a current ISAKMP SA indicates that the other host
-wishes to tear down not only the ISAKMP SA but also all IPsec SAs
-currently under the supervision of that ISAKMP SA.
-The 5.1 bidirectional exchange might seem impossible in this case,
-since reception of an ISAKMP-SA Delete indicates that the other end
-will ignore further traffic on that ISAKMP SA.
-We suggest using the same tactic discussed in 5.1 for IPsec SAs:
-the first Delete is sent without actually doing the deletion,
-and the response to receiving a Delete is to do the deletion and reply
-with another Delete.
-If there is no response to the first Delete,
-retry a small number of times and then give up and do the deletion;
-apart from being robust against packet loss,
-this also maximizes the probability that an implementation which does
-not do the bidirectional Delete will receive at least one of the Deletes.
-.P
-When a host with current connections knows that it is about to shut down,
-it will issue Deletes for all SAs involved (both IPsec and ISAKMP),
-advising its peers (as per the meaning of Delete [ISAKMP, section 3.15])
-that the SAs have become useless.
-It will ignore attempts at rekeying or connection startup thereafter,
-until it shuts down.
-.P
-It would be better to have a Final-Contact notification,
-analogous to Initial-Contact but indicating that no new negotiations
-should be attempted until further notice.
-Initial-Contact actually could be used for shutdown notification (!),
-but in networks where connections are intended to exist permanently,
-it seems likely to provoke unwanted attempts
-to renegotiate the lost connections.
-.H
-5.3. Crashes
-.P
-Systems sometimes crash.
-Coping with the resulting loss of information is easily the most
-difficult problem we have found in implementing robust IPsec systems.
-.P
-When connections are intended to be permanent,
-it is simple to specify renegotiation on reboot.
-With our approach to SA selection (see section 4.3),
-this handles such cases robustly and well.
-We do have to tell users that BOTH hosts should be set this way.
-In cases where crashes are synchronized (e.g. by power interruptions),
-this may result in simultaneous negotiations at reboot.
-We currently allow both negotiations to proceed to completion,
-but our use-newest selection method
-effectively ignores one connection or the other,
-and when one of them rekeys,
-we notice that the new SAs replace those of both old connections,
-and we then refrain from rekeying the other.
-(This duplicate detection is desirable in any event, for robustness,
-to ensure that the system converges on a reasonable state eventually
-after it is perturbed by difficulties or bugs.)
-.P
-When connections are not permanent, the situation is less happy.
-One particular situation in which we see problems is when a number of
-"Road Warrior" hosts occasionally call in to a central server.
-The server is normally configured not to initiate such connections,
-since it does not know when the Road Warrior is available (or what IP
-address it is using).
-Unfortunately, if the server crashes and reboots,
-any Road Warriors then connected have a problem:
-they don't know that the server has crashed,
-so they can't renegotiate,
-and the server has forgotten both the connections and
-their (transient) IP addresses,
-so it cannot renegotiate.
-.P
-We believe that the simplest answer to this problem is what John Denker
-has dubbed "address inertia":
-the server makes a best-effort attempt to remember (in nonvolatile storage)
-which connections were active and what the far-end addresses were
-(and what the successful proposal's parameters were),
-so that it can attempt renegotiation on reboot.
-We have not implemented this yet, but intend to;
-Denker has implemented it himself,
-although in a somewhat messy way,
-and reports excellent results.
-.H
-5.4. Network Partitions
-.P
-A network partition, making the two ends unable to reach each other,
-has many of the same characteristics as having the other end crash... until
-the network reconnects.
-It is desirable that recovery from this be automatic.
-.P
-If the network reconnects before any rekeying attempts
-or other IKE activities occurred,
-recovery is fully transparent,
-because the IKEs have no idea that there was any problem.
-(Complaints such as ICMP Host Unreachable messages are unauthenticated
-and hence cannot be given much weight.)
-This fits the general mold of TCP/IP:
-if nobody wanted to send any traffic, a network outage doesn't matter.
-.P
-If IKE activity did occur,
-the IKE implementation will discover that the other end doesn't seem
-to be responding.
-The preferred response to this depends on the nature of the connection.
-If it was intended to be ephemeral (e.g. opportunistic encryption [OE]),
-closing it down after a few retries is reasonable.
-If the other end is expected to sometimes drop the connection without
-warning, it may not be desirable to retry at all.
-(We support both these forms of configurability,
-and indeed we also have a configuration option to suppress
-rekeying entirely on one end.)
-.P
-If the connection was intended to be permanent, however,
-then persistent attempts to re-establish it are appropriate.
-Some degree of backoff is appropriate here,
-so that retries get less frequent as the outage gets prolonged.
-Backoff should be limited,
-so that re-established connectivity is not followed by a long delay
-before a retry.
-Finally, after many retries (say 24 hours' worth),
-it may be preferable to just declare the connection down and rely
-on manual intervention to re-establish it,
-should this be desirable.
-We do not yet fully support all this.
-.H
-5.5. Unknown SAs
-.P
-A more complete solution to crashes
-would be for an IPsec host to note the arrival
-of ESP packets on an unknown IPsec SA,
-and report it somehow to the other host, which can then decide to renegotiate.
-This arguably might be preferable in any case\(emif
-the non-rebooted host has no traffic to send,
-it does not care whether the connection is intact\(embut
-delays and packet loss will be reduced
-if the connection is renegotiated BEFORE there is traffic for it.
-So unknown-SA detection is best reserved as a fallback method,
-with address inertia used to deal with most such cases.
-.P
-A difficulty with unknown-SA detection is,
-just HOW should the other host be notified?
-IKE provides no good way to do the notification:
-Notification payloads (e.g., Initial-Contact) are unauthenticated
-unless they are sent under protection of an ISAKMP SA.
-A "Security Failures - Bad SPI" ICMP message [SECFAIL]
-is an interesting alternative,
-but has the disadvantage of likewise being unauthenticated.
-It's fundamentally unlikely that there is a simple solution to this,
-given that almost any way of arranging or checking authentication for such a
-notification is costly.
-.P
-We think the best answer to this is a two-step approach.
-An unauthenticated Initial-Contact or
-Security Failures - Bad SPI cannot be taken as a reliable
-report of a problem,
-but can be taken as a hint that a problem MIGHT exist.
-Then there needs to be some reliable way of checking such hints,
-subject to rate limiting since the checks are likely to be costly
-(and checking the same connection repeatedly at short intervals is unlikely
-to be worthwhile anyway).
-So the rebooted host sends the notification,
-and the non-rebooted host\(emwhich still thinks it has a connection\(emchecks
-whether the connection still works,
-and renegotiates if not.
-.P
-Also, if an IPsec host which believes it has a connection to another host
-sees an unsuccessful attempt by that host to negotiate a new one,
-that is also a hint of possible problems,
-justifying a check and possible renegotiation.
-("Unsuccessful" here means a negotiation failure due to lack of a
-satisfactory proposal.
-A failure due to authentication failure
-suggests a denial-of-service attack by a third party,
-rather than a genuine problem on the legitimate other end.)
-As noted in section 4.2,
-it is possible for negotiations to succeed or fail based on which
-end initiates them, and some robustness against that is desirable.
-.P
-We have not yet decided what form the notification should take.
-IKE Initial-Contact is an obvious possibility,
-but has some disadvantages.
-It does not specify which connection has had difficulties.
-Also, the specification [IKE section 4.6.3.3]
-refers to "remote system" and "sending system"
-without clearly specifying just what "system" means;
-in the case of a multi-homed host using multiple forms of identification,
-the question is not trivial.
-Initial-Contact does have the fairly-decisive advantage
-that it is likely to convey the right general
-meaning even to an implementation which does not do things
-exactly the way ours does.
-.P
-A more fundamental difficulty is what form the reliable check takes.
-What is wanted is an "IKE ping",
-verifying that the ISAKMP SA is still intact
-(it being unlikely that IPsec SAs have been lost while the ISAKMP SA has not).
-The lack of such a facility is a serious failing of IKE.
-An acknowledged Notification of some sort would be ideal,
-but there is none at present.
-Some existing implementations are known
-to use the private Notification values 30000 as ping
-and 30002 as ping reply,
-and that seems the most attractive choice at present.
-If it is not recognized, there will probably be no reply,
-and the result will be an unnecessary renegotiation,
-so this needs strict rate limiting.
-(Also, when a new connection is set up,
-it's probably worth determining by experiment whether the other end
-supports IKE ping, and remembering that.)
-.P
-While we think this facility is desirable,
-and is about the best that can be done with the poor tools available,
-we have not gotten very far in implementation and cannot comment
-intelligently about how well it works or interoperates.
-.H
-6. Misc. IKE Issues
-.H
-6.1. Groups 1 and 5
-.P
-We have dropped support for the first Oakley Group (group 1),
-despite it being officially mandatory,
-on the grounds that it is
-grossly too weak to provide enough randomness for 3DES.
-There have been some interoperability problems,
-mostly quite minor:
-ALMOST everyone supports group 2 as well,
-although sometimes it has to be explicitly configured.
-.P
-We also support the quasi-standard group 5 [GROUPS].
-This has not been seriously exercised yet,
-because historically
-we offered group 2 first and almost everyone accepted it.
-We have recently changed to offering group 5 first,
-and no difficulties have been reported.
-.H
-6.2. To PFS Or Not To PFS
-.P
-A persistent small interoperability problem is that
-the presence or absence of PFS (for keys [IKE, section 5.5])
-is neither negotiated nor announced.
-We have it enabled by default,
-and successful interoperation often requires having
-the other end turn it on in their implementation,
-or having the FreeS/WAN end disable it.
-Almost everyone supports it, but it's usually not the default,
-and interoperability is often impossible unless the two ends
-somehow reach prior agreement on it.
-.P
-We do not explicitly support the other flavor of PFS,
-for identities [IKE, section 8],
-and this has caused no interoperability problems.
-.H
-6.3. Debugging Tools, Lack Thereof
-.P
-We find IKE lacking in basic debugging tools.
-Section 5.4, above,
-notes that an IKE ping would be useful for connectivity verification.
-It would also be extremely helpful for determining that UDP/500
-packets get back and forth successfully between the two ends,
-which is often an important first step in debugging.
-.P
-It's also quite common to have IKE negotiate a connection successfully,
-but to have some firewall along the way blocking ESP.
-Users find this mysterious and difficult to diagnose.
-We have no immediate suggestions on what could be done about it.
-.H
-6.4. Terminology, Vagueness Thereof
-.P
-The terminology of IPsec needs work.
-We feel that both the specifications and user-oriented
-documentation would be greatly clarified by concise, intelligible names for
-certain concepts.
-.P
-We semi-consistently use "group" for the set of IPsec SAs which are
-established in one direction
-by a single Quick Mode negotiation and are used together
-to process a packet (e.g., an ESP SA plus an AH SA),
-"connection" for the logical packet path provided
-by a succession of pairs of groups
-(each rekeying providing a new pair, one group in each direction),
-and "keying channel" for the corresponding supervisory path provided
-by a sequence of ISAKMP SAs.
-.P
-We think it's a botch that "PFS" is used to refer to two very different things,
-but we have no specific new terms to suggest, since we only implement
-one kind of PFS and thus can just ignore the other.
-.H
-6.5. A Question of Identity
-.P
-One specification problem deserves note:
-exactly when can an existing phase 1 negotiation
-be re-used for a new phase 2 negotiation,
-as IKE [IKE, section 4] specifies?
-Presumably,
-when it connects the same two "parties"... but exactly what is a "party"?
-.P
-As noted in section 5.4,
-in cases involving multi-homing and multiple identities,
-it's not clear exactly what criteria are used for deciding
-whether the intended far end for a new negotiation is the same one
-as for a previous negotiation.
-Is it by Identification Payload?
-By IP address?
-Or what?
-.P
-We currently use a somewhat-vague notion of "identity",
-basically what gets sent in Identification Payloads,
-for this, and this seems to be successful,
-but we think this needs better specification.
-.H
-6.6. Opportunistic Encryption
-.P
-Further IKE challenges appear in the context of Opportunistic Encryption
-[OE],
-but operational experience with it is too limited as yet for us
-to comment usefully right now.
-.H
-6.7. Authentication and RSA Keys
-.P
-We provide two IKE authentication methods:
-shared secrets ("pre-shared keys")
-and RSA digital signatures.
-(A user-provided add-on package generalizes the latter to limited
-support for certificates;
-we have not worked extensively with it ourselves yet and cannot comment
-on it yet.)
-.P
-Shared secrets, despite their administrative difficulties,
-see considerable use,
-and are also the method of last resort for interoperability problems.
-.P
-For digital signatures,
-we have taken the somewhat unorthodox approach of using "bare" RSA public keys,
-either supplied in configuration files or fetched from DNS,
-rather than getting involved in the complexity of certificates.
-We encode our RSA public keys using the DNS KEY encoding [DNSRSA]
-(aka "RFC 2537", although that RFC is now outdated),
-which has given us no difficulties and which we highly recommend.
-We have seen two difficulties in connection with RSA keys, however.
-.P
-First,
-while a number of IPsec implementations are able to take "bare" RSA public keys,
-each one seems to have its own idea of what format should be used
-for transporting them.
-We've had little success with interoperability here,
-mostly because of key-format issues;
-the implementations generally WILL interoperate successfully if you can
-somehow get an RSA key into them at all, but that's hard.
-X.509 certificates seem to be the lowest (!)
-common denominator for key transfer.
-.P
-Second,
-although the content of RSA public keys has been stable,
-there has been a small but subtle change over time in the content
-of RSA private keys.
-The "internal modulus",
-used to compute the private exponent "d" from the public exponent "e"
-(or vice-versa)
-was originally [RSA] [PKCS1v1] [SCHNEIER] specified to be (p-1)*(q-1),
-where p and q are the two primes.
-However, more recent definitions [PKCS1v2] call it
-"lambda(n)" and define it to be lcm(p-1,\ q-1);
-this appears to be a minor optimization.
-The result is that private keys generated with the new definition
-often fail consistency checks in implementations using the old definition.
-Fortunately, it is seldom necessary to move private keys around.
-Our software now consistently uses the new definition
-(and thus will accept keys generated with either definition),
-but our key generator also has an option to generate old-definition keys,
-for the benefit of users who upgrade their networks incrementally.
-.H
-6.8. Misc. Snags
-.P
-Nonce size is another characteristic that is neither negotiated nor announced
-but that the two ends must somehow be able to agree on.
-Our software accepts anything between 8 and 256, and defaults to 16.
-These numbers were chosen rather arbitrarily,
-but we have seen no interoperability failures here.
-.P
-Nothing in the ISAKMP [ISAKMP] or IKE [IKE] specifications says
-explicitly that a normal Message ID must be non-zero,
-but a zero Message ID in fact causes failures.
-.P
-Similarly, there is nothing in the specs which says that ISAKMP cookies
-must be non-zero, but zero cookies will in fact cause trouble.
-.H
-7. Security Considerations
-.P
-Since this document discusses aspects of building robust and
-interoperable IPsec implementations,
-security considerations permeate it.
-.H
-8. References
-.R AH
-Kent, S., and Atkinson, R.,
-"IP Authentication Header",
-RFC 2402,
-Nov 1998.
-.R CIPHERS
-Pereira, R., and Adams, R.,
-"The ESP CBC-Mode Cipher Algorithms",
-RFC 2451,
-Nov 1998.
-.R CRACK
-Electronic Frontier Foundation,
-"Cracking DES:
-Secrets of Encryption Research, Wiretap Politics and Chip Design",
-O'Reilly 1998,
-ISBN 1-56592-520-3.
-.R DES
-Madson, C., and Doraswamy, N.,
-"The ESP DES-CBC Cipher Algorithm",
-RFC 2405,
-Nov 1998.
-.R DNSRSA
-D. Eastlake 3rd,
-"RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)",
-RFC 3110,
-May 2001.
-.R ESP
-Kent, S., and Atkinson, R.,
-"IP Encapsulating Security Payload (ESP)",
-RFC 2406,
-Nov 1998.
-.R GROUPS
-Kivinen, T., and Kojo, M.,
-"More MODP Diffie-Hellman groups for IKE",
-<draft-ietf-ipsec-ike-modp-groups-04.txt>,
-13 Dec 2001 (work in progress).
-.R IKE
-Harkins, D., and Carrel, D.,
-"The Internet Key Exchange (IKE)",
-RFC 2409, Nov 1998.
-.R IPSEC
-Kent, S., and Atkinson, R.,
-"Security Architecture for the Internet Protocol",
-RFC 2401, Nov 1998.
-.R ISAKMP
-Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
-"Internet Security Association and Key Management Protocol (ISAKMP)",
-RFC 2408, Nov 1998.
-.R OE
-Richardson, M., Redelmeier, D. H., and Spencer, H.,
-"A method for doing opportunistic encryption with IKE",
-<draft-richardson-ipsec-opportunistic-06.txt>,
-21 Feb 2002 (work in progress).
-.R PKCS1v1
-Kaliski, B.,
-"PKCS #1: RSA Encryption, Version 1.5",
-RFC 2313, March 1998.
-.R PKCS1v2
-Kaliski, B., and Staddon, J.,
-"PKCS #1: RSA Cryptography Specifications, Version 2.0",
-RFC 2437, Oct 1998.
-.R PFKEY
-McDonald, D., Metz, C., and Phan, B.,
-"PF_KEY Key Management API, Version 2",
-RFC 2367, July 1998.
-.R REKEY
-Tim Jenkins, "IPsec Re-keying Issues",
-<draft-jenkins-ipsec-rekeying-06.txt>,
-2 May 2000 (draft expired, work no longer in progress).
-.R REPLAY
-Krywaniuk, A.,
-"Using Isakmp Message Ids for Replay Protection",
-<draft-krywaniuk-ipsec-antireplay-00.txt>,
-9 July 2001
-(work in progress).
-.R RSA
-Rivest, R.L., Shamir, A., and Adleman, L.,
-"A Method for Obtaining Digital Signatures and Public-Key
-Cryptosystems",
-Communications of the ACM v21n2, Feb 1978, p. 120.
-.R SCHNEIER
-Bruce Schneier, "Applied Cryptography", 2nd ed.,
-Wiley 1996, ISBN 0-471-11709-9.
-.R SECFAIL
-Karn, P., and Simpson, W.,
-"ICMP Security Failures Messages",
-RFC 2521,
-March 1999.
-.H
-Authors' Addresses
-.P
-.nf
-.ne 8
-Henry Spencer
-SP Systems
-Box 280 Stn. A
-Toronto, Ont. M5W1B2
-Canada
-
-henry@spsystems.net
-416-690-6561
-.ne 8
-.sp 2
-D. Hugh Redelmeier
-Mimosa Systems Inc.
-29 Donino Ave.
-Toronto, Ont. M4N2W6
-Canada
-
-hugh@mimosa.com
-416-482-8253
-.bp
-.H
-Full Copyright Statement
-.P
-Copyright (C) The Internet Society \*c. All Rights
-Reserved.
-
-This document and translations of it may be copied and
-furnished to others, and derivative works that comment on or
-otherwise explain it or assist in its implmentation may be
-prepared, copied, published and distributed, in whole or in
-part, without restriction of any kind, provided that the above
-copyright notice and this paragraph are included on all such
-copies and derivative works. However, this document itself may
-not be modified in any way, such as by removing the copyright
-notice or references to the Internet Society or other Internet
-organizations, except as needed for the purpose of developing
-Internet standards in which case the procedures for copyrights
-defined in the Internet Standards process must be followed, or
-as required to translate it into languages other than English.
-
-The limited permissions granted above are perpetual and will
-not be revoked by the Internet Society or its successors or
-assigns.
-
-This document and the information contained herein is provided
-on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
-ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
-OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
-IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
-PARTICULAR PURPOSE.
diff --git a/doc/draft-spencer-ipsec-ike-implementation.txt b/doc/draft-spencer-ipsec-ike-implementation.txt
deleted file mode 100644
index 145c00ba8..000000000
--- a/doc/draft-spencer-ipsec-ike-implementation.txt
+++ /dev/null
@@ -1,1232 +0,0 @@
-
-
-
-Network Working Group Henry Spencer
-Internet Draft SP Systems
-Expires: 26 Aug 2002 D. Hugh Redelmeier
- Mimosa Systems
- 26 Feb 2002
-
- IKE Implementation Issues
- <draft-spencer-ipsec-ike-implementation-02.txt>
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- (If approved as an Informational RFC...) This memo provides
- information for the Internet community. This memo does not specify
- an Internet standard of any kind.
-
- Distribution of this memo is unlimited.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on 26 Aug 2002.
-
-Copyright Notice
-
- Copyright (C) The Internet Society 2002. All Rights Reserved.
-
-
-
-
-
-
-
-
-
-
-Spencer & Redelmeier [Page 1]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
-Table of Contents
-
- 1. Introduction ................................................... 3
- 2. Lower-level Background and Notes ............................... 4
- 2.1. Packet Handling .............................................. 4
- 2.2. Ciphers ...................................................... 5
- 2.3. Interfaces ................................................... 5
- 3. IKE Infrastructural Issues ..................................... 5
- 3.1. Continuous Channel ........................................... 5
- 3.2. Retransmission ............................................... 5
- 3.3. Replay Prevention ............................................ 6
- 4. Basic Keying and Rekeying ...................................... 7
- 4.1. When to Create SAs ........................................... 7
- 4.2. When to Rekey ................................................ 8
- 4.3. Choosing an SA ............................................... 9
- 4.4. Why to Rekey ................................................. 9
- 4.5. Rekeying ISAKMP SAs ......................................... 10
- 4.6. Bulk Negotiation ............................................ 10
- 5. Deletions, Teardowns, Crashes ................................. 11
- 5.1. Deletions ................................................... 11
- 5.2. Teardowns and Shutdowns ..................................... 12
- 5.3. Crashes ..................................................... 13
- 5.4. Network Partitions .......................................... 13
- 5.5. Unknown SAs ................................................. 14
- 6. Misc. IKE Issues .............................................. 16
- 6.1. Groups 1 and 5 .............................................. 16
- 6.2. To PFS Or Not To PFS ........................................ 16
- 6.3. Debugging Tools, Lack Thereof ............................... 16
- 6.4. Terminology, Vagueness Thereof .............................. 17
- 6.5. A Question of Identity ...................................... 17
- 6.6. Opportunistic Encryption .................................... 17
- 6.7. Authentication and RSA Keys ................................. 17
- 6.8. Misc. Snags ................................................. 18
- 7. Security Considerations ....................................... 19
- 8. References .................................................... 19
- Authors' Addresses ............................................... 20
- Full Copyright Statement ......................................... 21
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Spencer & Redelmeier [Page 2]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
-Abstract
-
- The current IPsec specifications for key exchange and connection
- management, RFCs 2408 [ISAKMP] and 2409 [IKE], leave many aspects of
- connection management unspecified, most prominently rekeying
- practices. Pending clarifications in future revisions of the
- specifications, this document sets down some successful experiences,
- to minimize the extent to which new implementors have to rely on
- unwritten folklore.
-
- The Linux FreeS/WAN implementation of IPsec interoperates with almost
- every other IPsec implementation. This document describes how the
- FreeS/WAN project has resolved some of the gaps in the IPsec
- specifications (and plans to resolve some others), and what
- difficulties have been encountered, in hopes that this generally-
- successful experience might be informative to new implementors.
-
- This is offered as an Informational RFC.
-
- This -02 revision mainly: discusses ISAKMP SA expiry during IPsec-SA
- rekeying (4.5), revises the discussion of bidirectional Deletes
- (5.1), suggests remembering the parameters of successful negotiations
- for later use (4.2, 5.3), notes an unsuccessful negotiation from the
- other end as a hint of a possibly broken connection (5.5), and adds
- sections on network partitions (5.4), authentication methods and the
- subtleties of RSA public keys (6.7), and miscellaneous
- interoperability concerns (6.8).
-
-1. Introduction
-
- The current IPsec specifications for key exchange and connection
- management, RFCs 2408 [ISAKMP] and 2409 [IKE], leave many aspects of
- connection management unspecified, most prominently rekeying
- practices. This is a cryptic puzzle which each group of implementors
- has to struggle with, and differences in how the ambiguities and gaps
- are resolved are potentially a fruitful source of interoperability
- problems. We can hope that future revisions of the specifications
- will clear this up. Meanwhile, it seems useful to set down some
- successful experiences, to minimize the extent to which new
- implementors have to rely on unwritten folklore.
-
- The Linux FreeS/WAN implementation of IPsec interoperates with almost
- every other IPsec implementation, and because of its free nature, it
- also sees some use as a reference implementation by other
- implementors. The high degree of interoperability is noteworthy
- given its organizers' strong minimalist bias, which has caused them
- to implement only a small subset of the full glory of IPsec. This
- document describes how the FreeS/WAN project has resolved some of the
-
-
-
-Spencer & Redelmeier [Page 3]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- gaps in the IPsec specifications (and plans to resolve some others),
- and what difficulties have been encountered, in hopes that this
- generally-successful experience might be informative to new
- implementors.
-
- One small caution about applicability: this experience may not be
- relevant to severely resource-constrained implementations.
- FreeS/WAN's target environment is previous-generation PCs, now
- available at trivial cost (often, within an organization, at no
- cost), which have quite impressive CPU power and memory by the
- standards of only a few years ago. Some of the approaches discussed
- here may be inapplicable to implementations with severe external
- constraints which prevent them from taking advantage of modern
- hardware technology.
-
-2. Lower-level Background and Notes
-
-2.1. Packet Handling
-
- FreeS/WAN implements ESP [ESP] and AH [AH] straightforwardly,
- although AH sees little use among our users. Our ESP/AH
- implementation cannot currently handle packets with IP options;
- somewhat surprisingly, this has caused little difficulty. We insist
- on encryption and do not support authentication-only connections, and
- this has not caused significant difficulty either.
-
- MTU and fragmentation issues, by contrast, have been a constant
- headache. We will not describe the details of our current approach
- to them, because it still needs work. One difficulty we have
- encountered is that many combinations of packet source and packet
- destination apparently cannot cope with an "interior minimum" in the
- path MTU, e.g. where an IPsec tunnel intervenes and its headers
- reduce the MTU for an intermediate link. This is particularly
- prevalent when using common PC software to connect to large well-
- known web sites; we think it is largely due to misconfigured
- firewalls which do not pass ICMP Fragmentation Required messages.
- The only solution we have yet found is to lie about the MTU of the
- tunnel, accepting the (undesirable) fragmentation of the ESP packets
- for the sake of preserving connectivity.
-
- We currently zero out the TOS field of ESP packets, rather than
- copying it from the inner header, on the grounds that it lends itself
- too well to traffic analysis and covert channels. We provide an
- option to restore RFC 2401 [IPSEC] copying behavior, but this appears
- to see little use.
-
-
-
-
-
-
-Spencer & Redelmeier [Page 4]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
-2.2. Ciphers
-
- We initially implemented both DES [DES] and 3DES [CIPHERS] for both
- IKE and ESP, but after the Deep Crack effort [CRACK] demonstrated its
- inherent insecurity, we dropped support for DES. Somewhat
- surprisingly, our insistence on 3DES has caused almost no
- interoperability problems, despite DES being officially mandatory. A
- very few other systems either do not support 3DES or support it only
- as an optional upgrade, which inconveniences a few would-be users.
- There have also been one or two cases of systems which don't quite
- seem to know the difference!
-
- See also section 6.1 for a consequence of our insistence on 3DES.
-
-2.3. Interfaces
-
- We currently employ PF_KEY version 2 [PFKEY], plus various non-
- standard extensions, as our interface between keying and ESP. This
- has not proven entirely satisfactory. Our feeling now is that keying
- issues and policy issues do not really lend themselves to the clean
- separation that PF_KEY envisions.
-
-3. IKE Infrastructural Issues
-
- A number of problems in IPsec connection management become easier if
- some attention is first paid to providing an infrastructure to
- support solving them.
-
-3.1. Continuous Channel
-
- FreeS/WAN uses an approximation to the "continuous channel" model, in
- which ISAKMP SAs are maintained between IKEs so long as any IPsec SAs
- are open between the two systems. The resource consumption of this
- is minor: the only substantial overhead is occasional rekeying.
- IPsec SA management becomes significantly simpler if there is always
- a channel for transmission of control messages. We suggest (although
- we do not yet fully implement this) that inability to maintain (e.g.,
- to rekey) this control path should be grounds for tearing down the
- IPsec SAs as well.
-
- As a corollary of this, there is one and only one ISAKMP SA
- maintained between a pair of IKEs (although see sections 5.3 and 6.5
- for minor complications).
-
-3.2. Retransmission
-
- The unreliable nature of UDP transmission is a nuisance. IKE
- implementations should always be prepared to retransmit the most
-
-
-
-Spencer & Redelmeier [Page 5]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- recent message they sent on an ISAKMP SA, since there is some
- possibility that the other end did not get it. This means, in
- particular, that the system sending the supposedly-last message of an
- exchange cannot relax and assume that the exchange is complete, at
- least not until a significant timeout has elapsed.
-
- Systems must also retain information about the message most recently
- received in an exchange, so that a duplicate of it can be detected
- (and possibly interpreted as a NACK for the response).
-
- The retransmission rules FreeS/WAN follows are: (1) if a reply is
- expected, retransmit only if it does not appear before a timeout; and
- (2) if a reply is not expected (last message of the exchange),
- retransmit only on receiving a retransmission of the previous
- message. Notably, in case (1) we do NOT retransmit on receiving a
- retransmission, which avoids possible congestion problems arising
- from packet duplication, at the price of slowing response to packet
- loss. The timeout for case (1) is 10 seconds for the first retry, 20
- seconds for the second, and 40 seconds for all subsequent retries
- (normally only one, except when configuration settings call for
- persistence and the message is the first message of Main Mode with a
- new peer). These retransmission rules have been entirely successful.
-
- (Michael Thomas of Cisco has pointed out that the retry timeouts
- should include some random jitter, to de-synchronize hosts which are
- initially synchronized by, e.g., a power outage. We already jitter
- our rekeying times, as noted in section 4.2, but that does not help
- with initial startup. We're implementing jittered retries, but
- cannot yet report on experience with this.)
-
- There is a deeper problem, of course, when an entire "exchange"
- consists of a single message, e.g. the ISAKMP Informational Exchange.
- Then there is no way to decide whether or when a retransmission is
- warranted at all. This seems like poor design, to put it mildly (and
- there is now talk of fixing it). We have no experience in dealing
- with this problem at this time, although it is part of the reason why
- we have delayed implementing Notification messages.
-
-3.3. Replay Prevention
-
- The unsequenced nature of UDP transmission is also troublesome,
- because it means that higher levels must consider the possibility of
- replay attacks. FreeS/WAN takes the position that systematically
- eliminating this possibility at a low level is strongly preferable to
- forcing careful consideration of possible impacts at every step of an
- exchange. RFC 2408 [ISAKMP] section 3.1 states that the Message ID
- of an ISAKMP message must be "unique". FreeS/WAN interprets this
- literally, as forbidding duplication of Message IDs within the set of
-
-
-
-Spencer & Redelmeier [Page 6]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- all messages sent via a single ISAKMP SA.
-
- This requires remembering all Message IDs until the ISAKMP SA is
- superseded by rekeying, but that is not costly (four bytes per sent
- or received message), and it ELIMINATES replay attacks from
- consideration; we believe this investment of resources is well
- worthwhile. If the resource consumption becomes excessive--in our
- experience it has not--the ISAKMP SA can be rekeyed early to collect
- the garbage.
-
- There is theoretically an interoperability problem when talking to
- implementations which interpret "unique" more loosely and may re-use
- Message IDs, but it has not been encountered in practice. This
- approach appears to be completely interoperable.
-
- The proposal by Andrew Krywaniuk [REPLAY], which advocates turning
- the Message ID into an anti-replay counter, would achieve the same
- goal without the minor per-message memory overhead. This may be
- preferable, although it means an actual protocol change and more
- study is needed.
-
-4. Basic Keying and Rekeying
-
-4.1. When to Create SAs
-
- As Tim Jenkins [REKEY] pointed out, there is a potential race
- condition in Quick Mode: a fast lightly-loaded Initiator might start
- using IPsec SAs very shortly after sending QM3 (the third and last
- message of Quick Mode), while a slow heavily-loaded Responder might
- not be ready to receive them until after spending a significant
- amount of time creating its inbound SAs. The problem is even worse
- if QM3 gets delayed or lost.
-
- FreeS/WAN's approach to this is what Jenkins called "Responder Pre-
- Setup": the Responder creates its inbound IPsec SAs before it sends
- QM2, so they are always ready and waiting when the Initiator sends
- QM3 and begins sending traffic. This approach is simple and
- reliable, and in our experience it interoperates with everybody.
- (There is potentially still a problem if FreeS/WAN is the Initiator
- and the Responder does not use Responder Pre-Setup, but no such
- problems have been seen.) The only real weakness of Responder Pre-
- Setup is the possibility of replay attacks, which we have eliminated
- by other means (see section 3.3).
-
- With this approach, the Commit Bit is useless, and we ignore it. In
- fact, until quite recently we discarded any IKE message containing
- it, and this caused surprisingly few interoperability problems;
- apparently it is not widely used. We have recently been persuaded
-
-
-
-Spencer & Redelmeier [Page 7]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- that simply ignoring it is preferable; preliminary experience with
- this indicates that the result is successful interoperation with
- implementations which set it.
-
-4.2. When to Rekey
-
- To preserve connectivity for user traffic, rekeying of a connection
- (that is, creation of new IPsec SAs to supersede the current ones)
- must begin before its current IPsec SAs expire. Preferably one end
- should predictably start rekeying negotiations first, to avoid the
- extra overhead of two simultaneous negotiations, although either end
- should be prepared to rekey if the other does not. There is also a
- problem with "convoys" of keying negotiations: for example, a "hub"
- gateway with many IPsec connections can be inundated with rekeying
- negotiations exactly one connection-expiry time after it reboots, and
- the massive overload this induces tends to make this situation self-
- perpetuating, so it recurs regularly. (Convoys can also evolve
- gradually from initially-unsynchronized negotiations.)
-
- FreeS/WAN has the concept of a "rekeying margin", measured in
- seconds. If FreeS/WAN was the Initiator for the previous rekeying
- (or the startup, if none) of the connection, it nominally starts
- rekeying negotiations at expiry time minus one rekeying margin. Some
- random jitter is added to break up convoys: rather than starting
- rekeying exactly at minus one margin, it starts at a random time
- between minus one margin and minus two margins. (The randomness here
- need not be cryptographic in quality, so long as it varies over time
- and between hosts. We use an ordinary PRNG seeded with a few bytes
- from a cryptographic randomness source. The seeding mostly just
- ensures that the PRNG sequence is different for different hosts, even
- if they start up simultaneously.)
-
- If FreeS/WAN was the Responder for the previous rekeying/startup, and
- nothing has been heard from the previous Initiator at expiry time
- minus one-half the rekeying margin, FreeS/WAN will initiate rekeying
- negotiations. No jitter is applied; we now believe that it should be
- jittered, say between minus one-half margin and minus one-quarter
- margin.
-
- Having the Initiator lead the way is an obvious way of deciding who
- should speak first, since there is already an Initiator/Responder
- asymmetry in the connection. Moreover, our experience has been that
- Initiator lead gives a significantly higher probability of successful
- negotiation! The negotiation process itself is asymmetric, because
- the Initiator must make a few specific proposals which the Responder
- can only accept or reject, so the Initiator must try to guess where
- its "acceptable" region (in parameter space) might overlap with the
- Responder's. We have seen situations where negotiations would
-
-
-
-Spencer & Redelmeier [Page 8]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- succeed or fail depending on which end initiated them, because one
- end was making better guesses. Given an existing connection, we KNOW
- that the previous Initiator WAS able to initiate a successful
- negotiation, so it should (if at all possible) take the lead again.
- Also, the Responder should remember the Initiator's successful
- proposal, and start from that rather than from his own default
- proposals if he must take the lead; we don't currently implement this
- completely but plan to.
-
- FreeS/WAN defaults the rekeying margin to 9 minutes, although this
- can be changed by configuration. There is also a configuration
- option to alter the permissible range of jitter. The defaults were
- chosen somewhat arbitrarily, but they work extremely well and the
- configuration options are rarely used.
-
-4.3. Choosing an SA
-
- Once rekeying has occurred, both old and new IPsec SAs for the
- connection exist, at least momentarily. FreeS/WAN accepts incoming
- traffic on either old or new inbound SAs, but sends outgoing traffic
- only on the new outbound ones. This approach appears to be
- significantly more robust than using the old ones until they expire,
- notably in cases where renegotiation has occurred because something
- has gone wrong on the other end. It avoids having to pay meticulous
- attention to the state of the other end, state which is difficult to
- learn reliably given the limitations of IKE.
-
- This approach has interoperated successfully with ALMOST all other
- implementations. The only (well-characterized) problem cases have
- been implementations which rely on receiving a Delete message for the
- old SAs to tell them to switch over to the new ones. Since delivery
- of Delete is unreliable, and support for Delete is optional, this
- reliance seems like a serious mistake. This is all the more true
- because Delete announces that the deletion has already occurred
- [ISAKMP, section 3.15], not that it is about to occur, so packets
- already in transit in the other direction could be lost. Delete
- should be used for resource cleanup, not for switchover control.
- (These matters are discussed further in section 5.)
-
-4.4. Why to Rekey
-
- FreeS/WAN currently implements only time-based expiry (life in
- seconds), although we are working toward supporting volume-based
- expiry (life in kilobytes) as well. The lack of volume-based expiry
- has not been an interoperability problem so far.
-
- Volume-based expiry does add some minor complications. In
- particular, it makes explicit Delete of now-disused SAs more
-
-
-
-Spencer & Redelmeier [Page 9]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- important, because once an SA stops being used, it might not expire
- on its own. We believe this lacks robustness and is generally
- unwise, especially given the lack of a reliable Delete, and expect to
- use volume-based expiry only as a supplement to time-based expiry.
- However, Delete support (see section 5) does seem advisable for use
- with volume-based expiry.
-
- We do not believe that volume-based expiry alters the desirability of
- switching immediately to the new SAs after rekeying. Rekeying
- margins are normally a small fraction of the total life of an SA, so
- we feel there is no great need to "use it all up".
-
-4.5. Rekeying ISAKMP SAs
-
- The above discussion has focused on rekeying for IPsec SAs, but
- FreeS/WAN applies the same approaches to rekeying for ISAKMP SAs,
- with similar success.
-
- One issue which we have noticed, but not explicitly dealt with, is
- that difficulties may ensue if an IPsec-SA rekeying negotiation is in
- progress at the time when the relevant ISAKMP SA gets rekeyed. The
- IKE specification [IKE] hints, but does not actually say, that a
- Quick Mode negotiation should remain on a single ISAKMP SA
- throughout.
-
- A reasonable rekeying margin will generally prevent the old ISAKMP SA
- from actually expiring during a negotiation. Some attention may be
- needed to prevent in-progress negotiations from being switched to the
- new ISAKMP SA. Any attempt at pre-expiry deletion of the ISAKMP SA
- must be postponed until after such dangling negotiations are
- completed, and there should be enough delay between ISAKMP-SA
- rekeying and a deletion attempt to (more or less) ensure that there
- are no negotiation-starting packets still in transit from before the
- rekeying.
-
- At present, FreeS/WAN does none of this, and we don't KNOW of any
- resulting trouble. With normal lifetimes, the problem should be
- uncommon, and we speculate that an occasional disrupted negotiation
- simply gets retried.
-
-4.6. Bulk Negotiation
-
- Quick Mode nominally provides for negotiating possibly-large numbers
- of similar but unrelated IPsec SAs simultaneously [IKE, section 9].
- Nobody appears to do this. FreeS/WAN does not support it, and its
- absence has caused no problems.
-
-
-
-
-
-Spencer & Redelmeier [Page 10]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
-5. Deletions, Teardowns, Crashes
-
- FreeS/WAN currently ignores all Notifications and Deletes, and never
- generates them. This has caused little difficulty in
- interoperability, which shouldn't be surprising (since Notification
- and Delete support is officially entirely optional) but does seem to
- surprise some people. Nevertheless, we do plan some changes to this
- approach based on past experience.
-
-5.1. Deletions
-
- As hinted at above, we plan to implement Delete support, done as
- follows. Shortly after rekeying of IPsec SAs, the Responder issues a
- Delete for its old inbound SAs (but does not actually delete them
- yet). The Responder initiates this because the Initiator started
- using the new SAs on sending QM3, while the Responder started using
- them only on (or somewhat after) receiving QM3, so there is less
- chance of old-SA packets still being in transit from the Initiator.
- The Initiator issues an unsolicited Delete only if it does not hear
- one from the Responder after a longer delay.
-
- Either party, on receiving a Delete for one or more of the old
- outbound SAs of a connection, deletes ALL the connection's SAs, and
- acknowledges with a Delete for the old inbound SAs. A Delete for
- nonexistent SAs (e.g., SAs which have already been expired or
- deleted) is ignored. There is no retransmission of unacknowledged
- Deletes.
-
- In the normal case, with prompt reliable transmission (except
- possibly for loss of the Responder's initial Delete) and conforming
- implementations on both ends, this results in three Deletes being
- transmitted, resembling the classic three-way handshake. Loss of a
- Delete after the first, or multiple losses, will cause the SAs not to
- be deleted on at least one end. It appears difficult to do much
- better without at least a distinction between request and
- acknowledgement.
-
- RFC 2409 section 9 "strongly suggests" that there be no response to
- informational messages such as Deletes, but the only rationale
- offered is prevention of infinite loops endlessly exchanging "I don't
- understand you" informationals. Since Deletes cannot lead to such a
- loop (and in any case, the nonexistent-SA rule prevents more than one
- acknowledgement for the same connection), we believe this
- recommendation is inapplicable here.
-
- As noted in section 4.3, these Deletes are intended for resource
- cleanup, not to control switching between SAs. But we expect that
- they will improve interoperability with some broken implementations.
-
-
-
-Spencer & Redelmeier [Page 11]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- We believe strongly that connections need to be considered as a
- whole, rather than treating each SA as an independent entity. We
- will issue Deletes only for the full set of inbound SAs of a
- connection, and will treat a Delete for any outbound SA as equivalent
- to deletion of all the outbound SAs for the associated connection.
-
- The above is phrased in terms of IPsec SAs, but essentially the same
- approach can be applied to ISAKMP SAs (the Deletes for the old ISAKMP
- SA should be sent via the new one).
-
-5.2. Teardowns and Shutdowns
-
- When a connection is not intended to be up permanently, there is a
- need to coordinate teardown, so that both ends are aware that the
- connection is down. This is both for recovery of resources, and to
- avoid routing packets through dangling SAs which can no longer
- deliver them.
-
- Connection teardown will use the same bidirectional exchange of
- Deletes as discussed in section 5.1: a Delete received for current
- IPsec SAs (not yet obsoleted by rekeying) indicates that the other
- host wishes to tear down the associated connection.
-
- A Delete received for a current ISAKMP SA indicates that the other
- host wishes to tear down not only the ISAKMP SA but also all IPsec
- SAs currently under the supervision of that ISAKMP SA. The 5.1
- bidirectional exchange might seem impossible in this case, since
- reception of an ISAKMP-SA Delete indicates that the other end will
- ignore further traffic on that ISAKMP SA. We suggest using the same
- tactic discussed in 5.1 for IPsec SAs: the first Delete is sent
- without actually doing the deletion, and the response to receiving a
- Delete is to do the deletion and reply with another Delete. If there
- is no response to the first Delete, retry a small number of times and
- then give up and do the deletion; apart from being robust against
- packet loss, this also maximizes the probability that an
- implementation which does not do the bidirectional Delete will
- receive at least one of the Deletes.
-
- When a host with current connections knows that it is about to shut
- down, it will issue Deletes for all SAs involved (both IPsec and
- ISAKMP), advising its peers (as per the meaning of Delete [ISAKMP,
- section 3.15]) that the SAs have become useless. It will ignore
- attempts at rekeying or connection startup thereafter, until it shuts
- down.
-
- It would be better to have a Final-Contact notification, analogous to
- Initial-Contact but indicating that no new negotiations should be
- attempted until further notice. Initial-Contact actually could be
-
-
-
-Spencer & Redelmeier [Page 12]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- used for shutdown notification (!), but in networks where connections
- are intended to exist permanently, it seems likely to provoke
- unwanted attempts to renegotiate the lost connections.
-
-5.3. Crashes
-
- Systems sometimes crash. Coping with the resulting loss of
- information is easily the most difficult problem we have found in
- implementing robust IPsec systems.
-
- When connections are intended to be permanent, it is simple to
- specify renegotiation on reboot. With our approach to SA selection
- (see section 4.3), this handles such cases robustly and well. We do
- have to tell users that BOTH hosts should be set this way. In cases
- where crashes are synchronized (e.g. by power interruptions), this
- may result in simultaneous negotiations at reboot. We currently
- allow both negotiations to proceed to completion, but our use-newest
- selection method effectively ignores one connection or the other, and
- when one of them rekeys, we notice that the new SAs replace those of
- both old connections, and we then refrain from rekeying the other.
- (This duplicate detection is desirable in any event, for robustness,
- to ensure that the system converges on a reasonable state eventually
- after it is perturbed by difficulties or bugs.)
-
- When connections are not permanent, the situation is less happy. One
- particular situation in which we see problems is when a number of
- "Road Warrior" hosts occasionally call in to a central server. The
- server is normally configured not to initiate such connections, since
- it does not know when the Road Warrior is available (or what IP
- address it is using). Unfortunately, if the server crashes and
- reboots, any Road Warriors then connected have a problem: they don't
- know that the server has crashed, so they can't renegotiate, and the
- server has forgotten both the connections and their (transient) IP
- addresses, so it cannot renegotiate.
-
- We believe that the simplest answer to this problem is what John
- Denker has dubbed "address inertia": the server makes a best-effort
- attempt to remember (in nonvolatile storage) which connections were
- active and what the far-end addresses were (and what the successful
- proposal's parameters were), so that it can attempt renegotiation on
- reboot. We have not implemented this yet, but intend to; Denker has
- implemented it himself, although in a somewhat messy way, and reports
- excellent results.
-
-5.4. Network Partitions
-
- A network partition, making the two ends unable to reach each other,
- has many of the same characteristics as having the other end crash...
-
-
-
-Spencer & Redelmeier [Page 13]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- until the network reconnects. It is desirable that recovery from
- this be automatic.
-
- If the network reconnects before any rekeying attempts or other IKE
- activities occurred, recovery is fully transparent, because the IKEs
- have no idea that there was any problem. (Complaints such as ICMP
- Host Unreachable messages are unauthenticated and hence cannot be
- given much weight.) This fits the general mold of TCP/IP: if nobody
- wanted to send any traffic, a network outage doesn't matter.
-
- If IKE activity did occur, the IKE implementation will discover that
- the other end doesn't seem to be responding. The preferred response
- to this depends on the nature of the connection. If it was intended
- to be ephemeral (e.g. opportunistic encryption [OE]), closing it down
- after a few retries is reasonable. If the other end is expected to
- sometimes drop the connection without warning, it may not be
- desirable to retry at all. (We support both these forms of
- configurability, and indeed we also have a configuration option to
- suppress rekeying entirely on one end.)
-
- If the connection was intended to be permanent, however, then
- persistent attempts to re-establish it are appropriate. Some degree
- of backoff is appropriate here, so that retries get less frequent as
- the outage gets prolonged. Backoff should be limited, so that re-
- established connectivity is not followed by a long delay before a
- retry. Finally, after many retries (say 24 hours' worth), it may be
- preferable to just declare the connection down and rely on manual
- intervention to re-establish it, should this be desirable. We do not
- yet fully support all this.
-
-5.5. Unknown SAs
-
- A more complete solution to crashes would be for an IPsec host to
- note the arrival of ESP packets on an unknown IPsec SA, and report it
- somehow to the other host, which can then decide to renegotiate.
- This arguably might be preferable in any case--if the non-rebooted
- host has no traffic to send, it does not care whether the connection
- is intact--but delays and packet loss will be reduced if the
- connection is renegotiated BEFORE there is traffic for it. So
- unknown-SA detection is best reserved as a fallback method, with
- address inertia used to deal with most such cases.
-
- A difficulty with unknown-SA detection is, just HOW should the other
- host be notified? IKE provides no good way to do the notification:
- Notification payloads (e.g., Initial-Contact) are unauthenticated
- unless they are sent under protection of an ISAKMP SA. A "Security
- Failures - Bad SPI" ICMP message [SECFAIL] is an interesting
- alternative, but has the disadvantage of likewise being
-
-
-
-Spencer & Redelmeier [Page 14]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- unauthenticated. It's fundamentally unlikely that there is a simple
- solution to this, given that almost any way of arranging or checking
- authentication for such a notification is costly.
-
- We think the best answer to this is a two-step approach. An
- unauthenticated Initial-Contact or Security Failures - Bad SPI cannot
- be taken as a reliable report of a problem, but can be taken as a
- hint that a problem MIGHT exist. Then there needs to be some
- reliable way of checking such hints, subject to rate limiting since
- the checks are likely to be costly (and checking the same connection
- repeatedly at short intervals is unlikely to be worthwhile anyway).
- So the rebooted host sends the notification, and the non-rebooted
- host--which still thinks it has a connection--checks whether the
- connection still works, and renegotiates if not.
-
- Also, if an IPsec host which believes it has a connection to another
- host sees an unsuccessful attempt by that host to negotiate a new
- one, that is also a hint of possible problems, justifying a check and
- possible renegotiation. ("Unsuccessful" here means a negotiation
- failure due to lack of a satisfactory proposal. A failure due to
- authentication failure suggests a denial-of-service attack by a third
- party, rather than a genuine problem on the legitimate other end.)
- As noted in section 4.2, it is possible for negotiations to succeed
- or fail based on which end initiates them, and some robustness
- against that is desirable.
-
- We have not yet decided what form the notification should take. IKE
- Initial-Contact is an obvious possibility, but has some
- disadvantages. It does not specify which connection has had
- difficulties. Also, the specification [IKE section 4.6.3.3] refers
- to "remote system" and "sending system" without clearly specifying
- just what "system" means; in the case of a multi-homed host using
- multiple forms of identification, the question is not trivial.
- Initial-Contact does have the fairly-decisive advantage that it is
- likely to convey the right general meaning even to an implementation
- which does not do things exactly the way ours does.
-
- A more fundamental difficulty is what form the reliable check takes.
- What is wanted is an "IKE ping", verifying that the ISAKMP SA is
- still intact (it being unlikely that IPsec SAs have been lost while
- the ISAKMP SA has not). The lack of such a facility is a serious
- failing of IKE. An acknowledged Notification of some sort would be
- ideal, but there is none at present. Some existing implementations
- are known to use the private Notification values 30000 as ping and
- 30002 as ping reply, and that seems the most attractive choice at
- present. If it is not recognized, there will probably be no reply,
- and the result will be an unnecessary renegotiation, so this needs
- strict rate limiting. (Also, when a new connection is set up, it's
-
-
-
-Spencer & Redelmeier [Page 15]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- probably worth determining by experiment whether the other end
- supports IKE ping, and remembering that.)
-
- While we think this facility is desirable, and is about the best that
- can be done with the poor tools available, we have not gotten very
- far in implementation and cannot comment intelligently about how well
- it works or interoperates.
-
-6. Misc. IKE Issues
-
-6.1. Groups 1 and 5
-
- We have dropped support for the first Oakley Group (group 1), despite
- it being officially mandatory, on the grounds that it is grossly too
- weak to provide enough randomness for 3DES. There have been some
- interoperability problems, mostly quite minor: ALMOST everyone
- supports group 2 as well, although sometimes it has to be explicitly
- configured.
-
- We also support the quasi-standard group 5 [GROUPS]. This has not
- been seriously exercised yet, because historically we offered group 2
- first and almost everyone accepted it. We have recently changed to
- offering group 5 first, and no difficulties have been reported.
-
-6.2. To PFS Or Not To PFS
-
- A persistent small interoperability problem is that the presence or
- absence of PFS (for keys [IKE, section 5.5]) is neither negotiated
- nor announced. We have it enabled by default, and successful
- interoperation often requires having the other end turn it on in
- their implementation, or having the FreeS/WAN end disable it. Almost
- everyone supports it, but it's usually not the default, and
- interoperability is often impossible unless the two ends somehow
- reach prior agreement on it.
-
- We do not explicitly support the other flavor of PFS, for identities
- [IKE, section 8], and this has caused no interoperability problems.
-
-6.3. Debugging Tools, Lack Thereof
-
- We find IKE lacking in basic debugging tools. Section 5.4, above,
- notes that an IKE ping would be useful for connectivity verification.
- It would also be extremely helpful for determining that UDP/500
- packets get back and forth successfully between the two ends, which
- is often an important first step in debugging.
-
- It's also quite common to have IKE negotiate a connection
- successfully, but to have some firewall along the way blocking ESP.
-
-
-
-Spencer & Redelmeier [Page 16]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- Users find this mysterious and difficult to diagnose. We have no
- immediate suggestions on what could be done about it.
-
-6.4. Terminology, Vagueness Thereof
-
- The terminology of IPsec needs work. We feel that both the
- specifications and user-oriented documentation would be greatly
- clarified by concise, intelligible names for certain concepts.
-
- We semi-consistently use "group" for the set of IPsec SAs which are
- established in one direction by a single Quick Mode negotiation and
- are used together to process a packet (e.g., an ESP SA plus an AH
- SA), "connection" for the logical packet path provided by a
- succession of pairs of groups (each rekeying providing a new pair,
- one group in each direction), and "keying channel" for the
- corresponding supervisory path provided by a sequence of ISAKMP SAs.
-
- We think it's a botch that "PFS" is used to refer to two very
- different things, but we have no specific new terms to suggest, since
- we only implement one kind of PFS and thus can just ignore the other.
-
-6.5. A Question of Identity
-
- One specification problem deserves note: exactly when can an existing
- phase 1 negotiation be re-used for a new phase 2 negotiation, as IKE
- [IKE, section 4] specifies? Presumably, when it connects the same
- two "parties"... but exactly what is a "party"?
-
- As noted in section 5.4, in cases involving multi-homing and multiple
- identities, it's not clear exactly what criteria are used for
- deciding whether the intended far end for a new negotiation is the
- same one as for a previous negotiation. Is it by Identification
- Payload? By IP address? Or what?
-
- We currently use a somewhat-vague notion of "identity", basically
- what gets sent in Identification Payloads, for this, and this seems
- to be successful, but we think this needs better specification.
-
-6.6. Opportunistic Encryption
-
- Further IKE challenges appear in the context of Opportunistic
- Encryption [OE], but operational experience with it is too limited as
- yet for us to comment usefully right now.
-
-6.7. Authentication and RSA Keys
-
- We provide two IKE authentication methods: shared secrets ("pre-
- shared keys") and RSA digital signatures. (A user-provided add-on
-
-
-
-Spencer & Redelmeier [Page 17]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- package generalizes the latter to limited support for certificates;
- we have not worked extensively with it ourselves yet and cannot
- comment on it yet.)
-
- Shared secrets, despite their administrative difficulties, see
- considerable use, and are also the method of last resort for
- interoperability problems.
-
- For digital signatures, we have taken the somewhat unorthodox
- approach of using "bare" RSA public keys, either supplied in
- configuration files or fetched from DNS, rather than getting involved
- in the complexity of certificates. We encode our RSA public keys
- using the DNS KEY encoding [DNSRSA] (aka "RFC 2537", although that
- RFC is now outdated), which has given us no difficulties and which we
- highly recommend. We have seen two difficulties in connection with
- RSA keys, however.
-
- First, while a number of IPsec implementations are able to take
- "bare" RSA public keys, each one seems to have its own idea of what
- format should be used for transporting them. We've had little
- success with interoperability here, mostly because of key-format
- issues; the implementations generally WILL interoperate successfully
- if you can somehow get an RSA key into them at all, but that's hard.
- X.509 certificates seem to be the lowest (!) common denominator for
- key transfer.
-
- Second, although the content of RSA public keys has been stable,
- there has been a small but subtle change over time in the content of
- RSA private keys. The "internal modulus", used to compute the
- private exponent "d" from the public exponent "e" (or vice-versa) was
- originally [RSA] [PKCS1v1] [SCHNEIER] specified to be (p-1)*(q-1),
- where p and q are the two primes. However, more recent definitions
- [PKCS1v2] call it "lambda(n)" and define it to be lcm(p-1, q-1); this
- appears to be a minor optimization. The result is that private keys
- generated with the new definition often fail consistency checks in
- implementations using the old definition. Fortunately, it is seldom
- necessary to move private keys around. Our software now consistently
- uses the new definition (and thus will accept keys generated with
- either definition), but our key generator also has an option to
- generate old-definition keys, for the benefit of users who upgrade
- their networks incrementally.
-
-6.8. Misc. Snags
-
- Nonce size is another characteristic that is neither negotiated nor
- announced but that the two ends must somehow be able to agree on.
- Our software accepts anything between 8 and 256, and defaults to 16.
- These numbers were chosen rather arbitrarily, but we have seen no
-
-
-
-Spencer & Redelmeier [Page 18]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- interoperability failures here.
-
- Nothing in the ISAKMP [ISAKMP] or IKE [IKE] specifications says
- explicitly that a normal Message ID must be non-zero, but a zero
- Message ID in fact causes failures.
-
- Similarly, there is nothing in the specs which says that ISAKMP
- cookies must be non-zero, but zero cookies will in fact cause
- trouble.
-
-7. Security Considerations
-
- Since this document discusses aspects of building robust and
- interoperable IPsec implementations, security considerations permeate
- it.
-
-8. References
-
- [AH] Kent, S., and Atkinson, R., "IP Authentication Header",
- RFC 2402, Nov 1998.
-
- [CIPHERS] Pereira, R., and Adams, R., "The ESP CBC-Mode Cipher
- Algorithms", RFC 2451, Nov 1998.
-
- [CRACK] Electronic Frontier Foundation, "Cracking DES: Secrets of
- Encryption Research, Wiretap Politics and Chip Design",
- O'Reilly 1998, ISBN 1-56592-520-3.
-
- [DES] Madson, C., and Doraswamy, N., "The ESP DES-CBC Cipher
- Algorithm", RFC 2405, Nov 1998.
-
- [DNSRSA] D. Eastlake 3rd, "RSA/SHA-1 SIGs and RSA KEYs in the
- Domain Name System (DNS)", RFC 3110, May 2001.
-
- [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security
- Payload (ESP)", RFC 2406, Nov 1998.
-
- [GROUPS] Kivinen, T., and Kojo, M., "More MODP Diffie-Hellman
- groups for IKE", <draft-ietf-ipsec-ike-modp-
- groups-04.txt>, 13 Dec 2001 (work in progress).
-
- [IKE] Harkins, D., and Carrel, D., "The Internet Key Exchange
- (IKE)", RFC 2409, Nov 1998.
-
- [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
- Internet Protocol", RFC 2401, Nov 1998.
-
-
-
-
-
-Spencer & Redelmeier [Page 19]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- [ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
- "Internet Security Association and Key Management Protocol
- (ISAKMP)", RFC 2408, Nov 1998.
-
- [OE] Richardson, M., Redelmeier, D. H., and Spencer, H., "A
- method for doing opportunistic encryption with IKE",
- <draft-richardson-ipsec-opportunistic-06.txt>, 21 Feb 2002
- (work in progress).
-
- [PKCS1v1] Kaliski, B., "PKCS #1: RSA Encryption, Version 1.5", RFC
- 2313, March 1998.
-
- [PKCS1v2] Kaliski, B., and Staddon, J., "PKCS #1: RSA Cryptography
- Specifications, Version 2.0", RFC 2437, Oct 1998.
-
- [PFKEY] McDonald, D., Metz, C., and Phan, B., "PF_KEY Key
- Management API, Version 2", RFC 2367, July 1998.
-
- [REKEY] Tim Jenkins, "IPsec Re-keying Issues", <draft-jenkins-
- ipsec-rekeying-06.txt>, 2 May 2000 (draft expired, work no
- longer in progress).
-
- [REPLAY] Krywaniuk, A., "Using Isakmp Message Ids for Replay
- Protection", <draft-krywaniuk-ipsec-antireplay-00.txt>, 9
- July 2001 (work in progress).
-
- [RSA] Rivest, R.L., Shamir, A., and Adleman, L., "A Method for
- Obtaining Digital Signatures and Public-Key
- Cryptosystems", Communications of the ACM v21n2, Feb 1978,
- p. 120.
-
- [SCHNEIER] Bruce Schneier, "Applied Cryptography", 2nd ed., Wiley
- 1996, ISBN 0-471-11709-9.
-
- [SECFAIL] Karn, P., and Simpson, W., "ICMP Security Failures
- Messages", RFC 2521, March 1999.
-
-Authors' Addresses
-
- Henry Spencer
- SP Systems
- Box 280 Stn. A
- Toronto, Ont. M5W1B2
- Canada
-
- henry@spsystems.net
- 416-690-6561
-
-
-
-
-Spencer & Redelmeier [Page 20]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
- D. Hugh Redelmeier
- Mimosa Systems Inc.
- 29 Donino Ave.
- Toronto, Ont. M4N2W6
- Canada
-
- hugh@mimosa.com
- 416-482-8253
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Spencer & Redelmeier [Page 21]
-
-Internet Draft IKE Implementation Issues 26 Feb 2002
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society 2002. All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implmentation may be prepared, copied, published and
- distributed, in whole or in part, without restriction of any kind,
- provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Spencer & Redelmeier [Page 22]
-