summaryrefslogtreecommitdiff
path: root/doc/opportunism-spec.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/opportunism-spec.txt')
-rw-r--r--doc/opportunism-spec.txt1254
1 files changed, 1254 insertions, 0 deletions
diff --git a/doc/opportunism-spec.txt b/doc/opportunism-spec.txt
new file mode 100644
index 000000000..fbe319a57
--- /dev/null
+++ b/doc/opportunism-spec.txt
@@ -0,0 +1,1254 @@
+
+
+
+
+
+
+
+
+
+ Opportunistic Encryption
+
+ Henry Spencer
+ D. Hugh Redelmeier
+ henry@spsystems.net
+ hugh@mimosa.com
+ Linux FreeS/WAN Project
+
+
+
+ Opportunistic encryption permits secure
+ (encrypted, authenticated) communication via IPsec
+ without connection-by-connection prearrangement,
+ either explicitly between hosts (when the hosts
+ are capable of it) or transparently via packet-
+ intercepting security gateways. It uses DNS
+ records (authenticated with DNSSEC) to provide the
+ necessary information for gateway discovery and
+ gateway authentication, and constrains negotiation
+ enough to guarantee success.
+
+ Substantive changes since draft 3: write off
+ inverse queries as a lost cause; use Invalid-SPI
+ rather than Delete as notification of unknown SA;
+ minor wording improvements and clarifications.
+ This document takes over from the older ``Imple-
+ menting Opportunistic Encryption'' document.
+
+
+1. Introduction
+
+A major goal of the FreeS/WAN project is opportunistic
+encryption: a (security) gateway intercepts an outgoing
+packet aimed at a remote host, and quickly attempts to nego-
+tiate an IPsec tunnel to that host's security gateway. If
+the attempt succeeds, traffic can then be secure, transpar-
+ently (without changes to the host software). If the
+attempt fails, the packet (or a retry thereof) passes
+through in clear or is dropped, depending on local policy.
+Prearranged tunnels bypass the packet interception etc., so
+static VPNs can coexist with opportunistic encryption.
+
+This generalizes trivially to the end-to-end case: host and
+security gateway simply are one and the same. Some opti-
+mizations are possible in that case, but the basic scheme
+need not change.
+
+The objectives for security systems need to be explicitly
+stated. Opportunistic encryption is meant to achieve secure
+communication, without prearrangement of the individual con-
+nection (although some prearrangement on a per-host basis is
+
+
+
+Draft 4 3 May 2001 1
+
+
+
+
+
+ Opportunistic Encryption
+
+
+required), between any two hosts which implement the proto-
+col (and, if they act as security gateways, between hosts
+behind them). Here ``secure'' means strong encryption and
+authentication of packets, with authentication of partici-
+pants--to prevent man-in-the-middle and impersonation
+attacks--dependent on several factors. The biggest factor
+is the authentication of DNS records, via DNSSEC or equiva-
+lent means. A lesser factor is which exact variant of the
+setup procedure (see section 2.2) is used, because there is
+a tradeoff between strong authentication of the other end
+and ability to negotiate opportunistic encryption with hosts
+which have limited or no control of their reverse-map DNS
+records: without reverse-map information, we can verify that
+the host has the right to use a particular FQDN (Fully Qual-
+ified Domain Name), but not whether that FQDN is authorized
+to use that IP address. Local policy must decide whether
+authentication or connectivity has higher priority.
+
+Apart from careful attention to detail in various areas,
+there are three crucial design problems for opportunistic
+encryption. It needs a way to quickly identify the remote
+host's security gateway. It needs a way to quickly obtain
+an authentication key for the security gateway. And the
+numerous options which can be specified with IKE must be
+constrained sufficiently that two independent implementa-
+tions are guaranteed to reach agreement, without any
+explicit prearrangement or preliminary negotiation. The
+first two problems are solved using DNS, with DNSSEC ensur-
+ing that the data obtained is reliable; the third is solved
+by specifying a minimum standard which must be supported.
+
+A note on philosophy: we have deliberately avoided providing
+six different ways to do each job, in favor of specifying
+one good one. Choices are provided only when they appear to
+be necessary, or at least important.
+
+A note on terminology: to avoid constant circumlocutions, an
+ISAKMP/IKE SA, possibly recreated occasionally by rekeying,
+will be referred to as a ``keying channel'', and a set of
+IPsec SAs providing bidirectional communication between two
+IPsec hosts, possibly recreated occasionally by rekeying,
+will be referred to as a ``tunnel'' (it could conceivably
+use transport mode in the host-to-host case, but we advocate
+using tunnel mode even there). The word ``connection'' is
+here used in a more generic sense. The word ``lifetime''
+will be avoided in favor of ``rekeying interval'', since
+many of the connections will have useful lives far shorter
+than any reasonable rekeying interval, and hence the two
+concepts must be separated.
+
+A note on document structure: Discussions of why things were
+done a particular way, or not done a particular way, are
+broken out in paragraphs headed ``Rationale:'' (to preserve
+the flow of the text, many such paragraphs are deferred to
+
+
+
+Draft 4 3 May 2001 2
+
+
+
+
+
+ Opportunistic Encryption
+
+
+the ends of sections). Paragraphs headed ``Ahem:'' are dis-
+cussions of where the problem is being made significantly
+harder by problems elsewhere, and how that might be cor-
+rected. Some meta-comments are enclosed in [].
+
+Rationale: The motive is to get the Internet encrypted.
+That requires encryption without connection-by-connection
+prearrangement: a system must be able to reliably negotiate
+an encrypted, authenticated connection with a total
+stranger. While end-to-end encryption is preferable, doing
+opportunistic encryption in security gateways gives enormous
+leverage for quick deployment of this technology, in a world
+where end-host software is often primitive, rigid, and out-
+dated.
+
+Rationale: Speed is of the essence in tunnel setup: a con-
+nection-establishment delay longer than about 10 seconds
+begins to cause problems for users and applications. Thus
+the emphasis on rapidity in gateway discovery and key fetch-
+ing.
+
+Ahem: Host-to-host opportunistic encryption would be utterly
+trivial if a fast public-key encryption/signature algorithm
+was available. You would do a reverse lookup on the desti-
+nation address to obtain a public key for that address, and
+simply encrypt all packets going to it with that key, sign-
+ing them with your own private key. Alas, this is impracti-
+cal with current CPU speeds and current algorithms (although
+as noted later, it might be of some use for limited pur-
+poses). Nevertheless, it is a useful model.
+
+2. Connection Setup
+
+For purposes of discussion, the network is taken to look
+like this:
+
+ Source----Initiator----...----Responder----Destination
+
+The intercepted packet comes from the Source, bound for the
+Destination, and is intercepted at the Initiator. The Ini-
+tiator communicates over the insecure Internet to the
+Responder. The Source and the Initiator might be the same
+host, or the Source might be an end-user host and the Ini-
+tiator a security gateway (SG). Likewise for the Responder
+and the Destination.
+
+Given an intercepted packet, whose useful information (for
+our purposes) is essentially only the Destination's IP
+address, the Initiator must quickly determine the Responder
+(the Destination's SG) and fetch everything needed to
+authenticate it. The Responder must do likewise for the
+Initiator. Both must eventually also confirm that the other
+is authorized to act on behalf of the client host behind it
+(if any).
+
+
+
+Draft 4 3 May 2001 3
+
+
+
+
+
+ Opportunistic Encryption
+
+
+An important subtlety here is that if the alternative to an
+IPsec tunnel is plaintext transmission, negative results
+must be obtained quickly. That is, the decision that no
+tunnel can be established must also be made rapidly.
+
+2.1. Packet Interception
+
+Interception of outgoing packets is relatively straightfor-
+ward in principle. It is preferable to put the intercepted
+packet on hold rather than dropping it, since higher-level
+retries are not necessarily well-timed. There is a problem
+of hosts and applications retrying during negotiations. ARP
+implementations, which face the same problem, use the
+approach of keeping the most recent packet for an as-yet-
+unresolved address, and throwing away older ones. (Incre-
+menting of request numbers etc. means that replies to older
+ones may no longer be accepted.)
+
+Is it worth intercepting incoming packets, from the outside
+world, and attempting tunnel setup based on them? No,
+unless and until a way can be devised to initiate oppor-
+tunistic encryption to a non-opportunistic responder,
+because if the other end has not initiated tunnel setup
+itself, it will not be prepared to do so at our request.
+
+Rationale: Note, however, that most incoming packets will
+promptly be followed by an outgoing packet in response!
+Conceivably it might be useful to start early stages of
+negotiation, at least as far as looking up information, in
+response to an incoming packet.
+
+Rationale: If a plaintext incoming packet indicates that the
+other end is not prepared to do opportunistic encryption, it
+might seem that this fact should be noted, to avoid consum-
+ing resources and delaying traffic in an attempt at oppor-
+tunistic setup which is doomed to fail. However, this would
+be a major security hole, since the plaintext packet is not
+authenticated; see section 2.5.
+
+2.2. Algorithm
+
+For clarity, the following defers most discussion of error
+handling to the end.
+
+Step 1. Initiator does a DNS reverse lookup on the Destina-
+ tion address, asking not for the usual PTR records,
+ but for TXT records. Meanwhile, Initiator also
+ sends a ping to the Destination, to cause any other
+ dynamic setup actions to start happening. (Ping
+ replies are disregarded; the host might not be
+ reachable with plaintext pings.)
+
+Step 2A. If at least one suitable TXT record (see section
+ 2.3) comes back, each contains a potential
+
+
+
+Draft 4 3 May 2001 4
+
+
+
+
+
+ Opportunistic Encryption
+
+
+ Responder's IP address and that Responder's public
+ key (or where to find it). Initiator picks one TXT
+ record, based on priority (see 2.3), thus picking a
+ Responder. If there was no public key in the TXT
+ record, the Initiator also starts a DNS lookup (as
+ specified by the TXT record) to get KEY records.
+
+Step 2B. If no suitable TXT record is available, and policy
+ permits, Initiator designates the Destination
+ itself as the Responder (see section 2.4). If pol-
+ icy does not permit, or the Destination is unre-
+ sponsive to the negotiation, then opportunistic
+ encryption is not possible, and Initiator gives up
+ (see section 2.5).
+
+Step 3. If there already is a keying channel to the Respon-
+ der's IP address, the Initiator uses the existing
+ keying channel; skip to step 10. Otherwise, the
+ Initiator starts an IKE Phase 1 negotiation (see
+ section 2.7 for details) with the Responder. The
+ address family of the Responder's IP address dic-
+ tates whether the keying channel and the outside of
+ the tunnel should be IPv4 or IPv6.
+
+Step 4. Responder gets the first IKE message, and responds.
+ It also starts a DNS reverse lookup on the Initia-
+ tor's IP address, for KEY records, on speculation.
+
+Step 5. Initiator gets Responder's reply, and sends first
+ message of IKE's D-H exchange (see 2.4).
+
+Step 6. Responder gets Initiator's D-H message, and
+ responds with a matching one.
+
+Step 7. Initiator gets Responder's D-H message; encryption
+ is now established, authentication remains to be
+ done. Initiator sends IKE authentication message,
+ with an FQDN identity if a reverse lookup on its
+ address will not yield a suitable KEY record.
+ (Note, an FQDN need not actually correspond to a
+ host--e.g., the DNS data for it need not include an
+ A record.)
+
+Step 8. Responder gets Initiator's authentication message.
+ If there is no identity included, Responder waits
+ for step 4's speculative DNS lookup to finish; it
+ should yield a suitable KEY record (see 2.3). If
+ there is an FQDN identity, responder discards any
+ data obtained from step 4's DNS lookup; does a for-
+ ward lookup on the FQDN, for a KEY record; waits
+ for that lookup to return; it should yield a suit-
+ able KEY record. Either way, Responder uses the
+ KEY data to verify the message's hash. Responder
+ replies with an authentication message, with an
+
+
+
+Draft 4 3 May 2001 5
+
+
+
+
+
+ Opportunistic Encryption
+
+
+ FQDN identity if a reverse lookup on its address
+ will not yield a suitable KEY record.
+
+Step 9A. (If step 2A was used.) The Initiator gets the
+ Responder's authentication message. Step 2A has
+ provided a key (from the TXT record or via DNS
+ lookup). Verify message's hash. Encrypted and
+ authenticated keying channel established, man-in-
+ middle attack precluded.
+
+Step 9B. (If step 2B was used.) The Initiator gets the
+ Responder's authentication message, which must con-
+ tain an FQDN identity (if the Responder can't put a
+ TXT in his reverse map he presumably can't do a KEY
+ either). Do forward lookup on the FQDN, get suit-
+ able KEY record, verify hash. Encrypted keying
+ channel established, man-in-middle attack pre-
+ cluded, but authentication weak (see 2.4).
+
+Step 10. Initiator initiates IKE Phase 2 negotiation (see
+ 2.7) to establish tunnel, specifying Source and
+ Destination identities as IP addresses (see 2.6).
+ The address family of those addresses also deter-
+ mines whether the inside of the tunnel should be
+ IPv4 or IPv6.
+
+Step 11. Responder gets first Phase 2 message. Now the
+ Responder finally knows what's going on! Unless
+ the specified Source is identical to the Initiator,
+ Responder initiates DNS reverse lookup on Source IP
+ address, for TXT records; waits for result; gets
+ suitable TXT record(s) (see 2.3), which should con-
+ tain either the Initiator's IP address or an FQDN
+ identity identical to that supplied by the Initia-
+ tor in step 7. This verifies that the Initiator is
+ authorized to act as SG for the Source. Responder
+ replies with second Phase 2 message, selecting
+ acceptable details (see 2.7), and establishes tun-
+ nel.
+
+Step 12. Initiator gets second Phase 2 message, establishes
+ tunnel (if he didn't already), and releases the
+ intercepted packet into it, finally.
+
+Step 13. Communication proceeds. See section 3 for what
+ happens later.
+
+As additional information becomes available, notably in
+steps 1, 2, 4, 8, 9, 11, and 12, there is always a possibil-
+ity that local policy (e.g., access limitations) might pre-
+vent further progress. Whenever possible, at least attempt
+to inform the other end of this.
+
+
+
+
+
+Draft 4 3 May 2001 6
+
+
+
+
+
+ Opportunistic Encryption
+
+
+At any time, there is a possibility of the negotiation fail-
+ing due to unexpected responses, e.g. the Responder not
+responding at all or rejecting all Initiator's proposals.
+If multiple SGs were found as possible Responders, the Ini-
+tiator should try at least one more before giving up. The
+number tried should be influenced by what the alternative
+is: if the traffic will otherwise be discarded, trying the
+full list is probably appropriate, while if the alternative
+is plaintext transmission, it might be based on how long the
+tries are taking. The Initiator should try as many as it
+reasonably can, ideally all of them.
+
+There is a sticky problem with timeouts. If the Responder
+is down or otherwise inaccessible, in the worst case we
+won't hear about this except by not getting responses. Some
+other, more pathological or even evil, failure cases can
+have the same result. The problem is that in the case where
+plaintext is permitted, we want to decide whether a tunnel
+is possible quickly. There is no good solution to this,
+alas; we just have to take the time and do it right. (Pass-
+ing plaintext meanwhile looks attractive at first glance...
+but exposing the first few seconds of a connection is often
+almost as bad as exposing the whole thing. Worse, if the
+user checks the status of the connection, after that brief
+window it looks secure!)
+
+The flip side of waiting for a timeout is that all other
+forms of feedback, e.g. ``host not reachable'', arguably
+should be ignored, because in the absence of authenticated
+ICMP, you cannot trust them!
+
+Rationale: An alternative, sometimes suggested, to the use
+of explicit DNS records for SG discovery is to directly
+attempt IKE negotiation with the destination host, and
+assume that any relevant SG will be on the packet path, will
+intercept the IKE packets, and will impersonate the destina-
+tion host for the IKE negotiation. This is superficially
+attractive but is a very bad idea. It assumes that routing
+is stable throughout negotiation, that the SG is on the
+plaintext-packets path, and that the destination host is
+routable (yes, it is possible to have (private) DNS data for
+an unroutable host). Playing extra games in the plaintext-
+packet path hurts performance and can be expected to be
+unpopular. Various difficulties ensue when there are multi-
+ple SGs along the path (there is already bad experience with
+this, in RSVP), and the presence of even one can make it
+impossible to do IKE direct to the host when that is what's
+wanted. Worst of all, such impersonation breaks the IP net-
+work model badly, making problems difficult to diagnose and
+impossible to work around (and there is already bad experi-
+ence with this, in areas like web caching).
+
+Rationale: (Step 1.) Dynamic setup actions might include
+establishment of demand-dialed links. These might be
+
+
+
+Draft 4 3 May 2001 7
+
+
+
+
+
+ Opportunistic Encryption
+
+
+present anywhere along the path, so one cannot rely on out-
+of-band communication at the Initiator to trigger them.
+Hence the ping.
+
+Rationale: (Step 2.) In many cases, the IP address on the
+intercepted packet will be the result of a name lookup just
+done. Inverse queries, an obscure DNS feature from the dis-
+tant past, in theory can be used to ask a DNS server to
+reverse that lookup, giving the name that produced the
+address. This is not the same as a reverse lookup, and the
+difference can matter a great deal in cases where a host
+does not control its reverse map (e.g., when the host's IP
+address is dynamically assigned). Unfortunately, inverse
+queries were never widely implemented and are now considered
+obsolete. Phooey.
+
+Ahem: Support for a small subset of this admittedly-obscure
+feature would be useful. Unfortunately, it seems unlikely.
+
+Rationale: (Step 3.) Using only IP addresses to decide
+whether there is already a relevant keying channel avoids
+some difficult problems. In particular, it might seem that
+this should be based on identities, but those are not known
+until very late in IKE Phase 1 negotiations.
+
+Rationale: (Step 4.) The DNS lookup is done on speculation
+because the data will probably be useful and the lookup can
+be done in parallel with IKE activity, potentially speeding
+things up.
+
+Rationale: (Steps 7 and 8.) If an SG does not control its
+reverse map, there is no way it can prove its right to use
+an IP address, but it can nevertheless supply both an iden-
+tity (as an FQDN) and proof of its right to use that iden-
+tity. This is somewhat better than nothing, and may be
+quite useful if the SG is representing a client host which
+can prove its right to its IP address. (For example, a
+fixed-address subnet might live behind an SG with a dynami-
+cally-assigned address; such an SG has to be the Initiator,
+not the Responder, so the subnet's TXT records can contain
+FQDN identities, but with that restriction, this works.) It
+might sound like this would permit some man-in-the-middle
+attacks in important cases like Road Warrior, but the RW can
+still do full authentication of the home base, so a man in
+the middle cannot successfully impersonate home base, and
+the D-H exchange doesn't work unless the man in the middle
+impersonates both ends.
+
+Rationale: (Steps 7 and 8.) Another situation where proof
+of the right to use an identity can be very useful is when
+access is deliberately limited. While opportunistic encryp-
+tion is intended as a general-purpose connection mechanism
+between strangers, it may well be convenient for prearranged
+connections to use the same mechanism.
+
+
+
+Draft 4 3 May 2001 8
+
+
+
+
+
+ Opportunistic Encryption
+
+
+Rationale: (Steps 7 and 8.) FQDNs as identities are avoided
+where possible, since they can involve synchronous DNS
+lookups.
+
+Rationale: (Step 11.) Note that only here, in Phase 2, does
+the Responder actually learn who the Source and Destination
+hosts are. This unfortunately demands a synchronous DNS
+lookup to verify that the Initiator is authorized to repre-
+sent the Source, unless they are one and the same. This and
+the initial TXT lookup are the only synchronous DNS lookups
+absolutely required by the algorithm, and they appear to be
+unavoidable.
+
+Rationale: While it might seem unlikely that a refusal to
+cooperate from one SG could be remedied by trying another--
+presumably they all use the same policies--it's conceivable
+that one might be misconfigured. Preferably they should all
+be tried, but it may be necessary to set some limits on this
+if alternatives exist.
+
+2.3. DNS Records
+
+Gateway discovery and key lookup are based on TXT and KEY
+DNS records. The TXT record specifies IP address or other
+identity of a host's SG, and possibly supplies its public
+key as well, while the KEY record supplies public keys not
+found in TXT records.
+
+2.3.1. TXT
+
+Opportunistic-encryption SG discovery uses TXT records with
+the content:
+
+ X-IPsec-Gateway(nnn)=iii kkk
+
+following RFC 1464 attribute/value notation. Records which
+do not contain an ``='', or which do not have exactly the
+specified form to the left of it, are ignored. (Near misses
+perhaps should be reported.)
+
+The nnn is an unsigned integer which will fit in 16 bits,
+specifying an MX-style preference (lower number = stronger
+preference) to control the order in which multiple SGs are
+tried. If there are ties, pick one, randomly enough that
+the choice will probably be different each time. The pref-
+erence field is not optional; use ``0'' if there is no mean-
+ingful preference ordering.
+
+The iii part identifies the SG. Normally this is a dotted-
+decimal IPv4 address or a colon-hex IPv6 address. The sole
+exception is if the SG has no fixed address (see 2.4) but
+the host(s) behind it do, in which case iii is of the form
+``@fqdn'', where fqdn is the FQDN that the SG will use to
+identify itself (in step 7 of section 2.2); such a record
+
+
+
+Draft 4 3 May 2001 9
+
+
+
+
+
+ Opportunistic Encryption
+
+
+cannot be used for SG discovery by an Initiator, but can be
+used for SG verification (step 11 of 2.2) by a Responder.
+
+The kkk part is optional. If it is present, it is an RSA-
+MD5 public key in base-64 notation, as in the text form of
+an RFC 2535 KEY record. If it is not present, this speci-
+fies that the public key can be found in a KEY record
+located based on the SG's identification: if iii is an IP
+address, do a reverse lookup on that address, else do a for-
+ward lookup on the FQDN.
+
+Rationale: While it is unusual for a reverse lookup to go
+for records other than PTR records (or possibly CNAME
+records, for RFC 2317 classless delegation), there's no rea-
+son why it can't. The TXT record is a temporary stand-in
+for (we hope, someday) a new DNS record for SG identifica-
+tion and keying. Keeping the setup process fast requires
+minimizing the number of DNS lookups, hence the desire to
+put all the information in one place.
+
+Rationale: The use of RFC 1464 notation avoids collisions
+with other uses of TXT records. The ``X-'' in the attribute
+name indicates that this format is tentative and experimen-
+tal; this design will probably need modification after ini-
+tial experiments. The format is chosen with an eye on even-
+tual binary encoding. Note, in particular, that the TXT
+record normally contains the address of the SG, not (repeat,
+not) its name. Name-to-address conversion is the job of
+whatever generates the TXT record, which is expected to be a
+program, not a human--this is conceptually a binary record,
+temporarily using a text encoding. The ``@fqdn'' form of
+the SG identity is for specialized uses and is never mapped
+to an address.
+
+Ahem: A DNS TXT record contains one or more character
+strings, but RFC 1035 does not describe exactly how a multi-
+string TXT record is interpreted. This is relevant because
+a string can be at most 255 characters, and public keys can
+exceed this. Empirically, the standard pattern is that each
+string which is both less than 255 characters and not the
+final string of the record should have a blank appended to
+it, and the strings of the record should then be concate-
+nated. (This observation is based on how BIND 8 transforms
+a TXT record from text to DNS binary.)
+
+2.3.2. KEY
+
+An opportunistic-encryption KEY record is an Authentication-
+permitted, Entity (host), non-Signatory, IPsec, RSA/MD5
+record (that is, its first four bytes are 0x42000401), as
+per RFCs 2535 and 2537. KEY records with other flags, pro-
+tocol, or algorithm values are ignored.
+
+
+
+
+
+Draft 4 3 May 2001 10
+
+
+
+
+
+ Opportunistic Encryption
+
+
+Rationale: Unfortunately, the public key has to be associ-
+ated with the SG, not the client host behind it. The
+Responder does not know which client it is supposed to be
+representing, or which client the Initiator is representing,
+until far too late.
+
+Ahem: Per-client keys would reduce vulnerability to key com-
+promise, and simplify key changes, but they would require
+changes to IKE Phase 1, to separately identify the SG and
+its initial client(s). (At present, the client identities
+are not known to the Responder until IKE Phase 2.) While
+the current IKE standard does not actually specify (!) who
+is being identified by identity payloads, the overwhelming
+consensus is that they identify the SG, and as seen earlier,
+this has important uses.
+
+2.3.3. Summary
+
+For reference, the minimum set of DNS records needed to make
+this all work is either:
+
+1. TXT in Destination reverse map, identifying Responder
+ and providing public key.
+
+2. KEY in Initiator reverse map, providing public key.
+
+3. TXT in Source reverse map, verifying relationship to
+ Initiator.
+
+or:
+
+1. TXT in Destination reverse map, identifying Responder.
+
+2. KEY in Responder reverse map, providing public key.
+
+3. KEY in Initiator reverse map, providing public key.
+
+4. TXT in Source reverse map, verifying relationship to
+ Initiator.
+
+Slight complications ensue for dynamic addresses, lack of
+control over reverse maps, etc.
+
+2.3.4. Implementation
+
+In the long run, we need either a tree of trust or a web of
+trust, so we can trust our DNS data. The obvious approach
+for DNS is a tree of trust, but there are various practical
+problems with running all of this through the root servers,
+and a web of trust is arguably more robust anyway. This is
+logically independent of opportunistic encryption, and a
+separate design proposal will be prepared.
+
+
+
+
+
+Draft 4 3 May 2001 11
+
+
+
+
+
+ Opportunistic Encryption
+
+
+Interim stages of implementation of this will require a bit
+of thought. Notably, we need some way of dealing with the
+lack of fully signed DNSSEC records right away. Without
+user interaction, probably the best we can do is to remember
+the results of old fetches, compare them to the results of
+new fetches, and complain and disbelieve all of it if
+there's a mismatch. This does mean that somebody who gets
+fake data into our very first fetch will fool us, at least
+for a while, but that seems an acceptable tradeoff. (Obvi-
+ously there needs to be a way to manually flush the remem-
+bered results for a specific host, to permit deliberate
+changes.)
+
+2.4. Responders Without Credentials
+
+In cases where the Destination simply does not control its
+DNS reverse-map entries, there is no verifiable way to
+determine a suitable SG. This does not make communication
+utterly impossible, though.
+
+Simply attempting negotiation directly with the host is a
+last resort. (An aggressive implementation might wish to
+attempt it in parallel, rather than waiting until other
+options are known to be unavailable.) In particular, in
+many cases involving dynamic addresses, it will work. It
+has the disadvantage of delaying the discovery that oppor-
+tunistic encryption is entirely impossible, but the case
+seems common enough to justify the overhead.
+
+However, there are policy issues here either way, because it
+is possible to impersonate such a host. The host can supply
+an FQDN identity and verify its right to use that identity,
+but except by prearrangement, there is no way to verify that
+the FQDN is the right one for that IP address. (The data
+from forward lookups may be controlled by people who do not
+own the address, so it cannot be trusted.) The encryption
+is still solid, though, so in many cases this may be useful.
+
+2.5. Failure of Opportunism
+
+When there is no way to do opportunistic encryption, a pol-
+icy issue arises: whether to put in a bypass (which allows
+plaintext traffic through) or a block (which discards it,
+perhaps with notification back to the sender). The choice
+is very much a matter of local policy, and may depend on
+details such as the higher-level protocol being used. For
+example, an SG might well permit plaintext HTTP but forbid
+plaintext Telnet, in which case both a block and a bypass
+would be set up if opportunistic encryption failed.
+
+A bypass/block must, in practice, be treated much like an
+IPsec tunnel. It should persist for a while, so that high-
+overhead processing doesn't have to be done for every
+packet, but should go away eventually to return resources.
+
+
+
+Draft 4 3 May 2001 12
+
+
+
+
+
+ Opportunistic Encryption
+
+
+It may be simplest to treat it as a degenerate tunnel. It
+should have a relatively long lifetime (say 6h) to keep the
+frequency of negotiation attempts down, except in the case
+where the other SG simply did not respond to IKE packets,
+where the lifetime should be short (say 10min) because the
+other SG is presumably down and might come back up again.
+(Cases where the other SG responded to IKE with unauthenti-
+cated error reports like ``port unreachable'' are border-
+line, and might deserve to be treated as an intermediate
+case: while such reports cannot be trusted unreservedly, in
+the absence of any other response, they do give some reason
+to suspect that the other SG is unable or unwilling to par-
+ticipate in opportunistic encryption.)
+
+As noted in section 2.1, one might think that arrival of a
+plaintext incoming packet should cause a bypass/block to be
+set up for its source host: such a packet is almost always
+followed by an outgoing reply packet; the incoming packet is
+clear evidence that opportunistic encryption is not avail-
+able at the other end; attempting it will waste resources
+and delay traffic to no good purpose. Unfortunately, this
+means that anyone out on the Internet who can forge a source
+address can prevent encrypted communication! Since their
+source addresses are not authenticated, plaintext packets
+cannot be taken as evidence of anything, except perhaps that
+communication from that host is likely to occur soon.
+
+There needs to be a way for local administrators to remove a
+bypass/block ahead of its normal expiry time, to force a
+retry after a problem at the other end is known to have been
+fixed.
+
+2.6. Subnet Opportunism
+
+In principle, when the Source or Destination host belongs to
+a subnet and the corresponding SG is willing to provide tun-
+nels to the whole subnet, this should be done. There is no
+extra overhead, and considerable potential for avoiding
+later overhead if similar communication occurs with other
+members of the subnet. Unfortunately, at the moment, oppor-
+tunistic tunnels can only have degenerate subnets (single
+hosts) at their ends. (This does, at least, set up the key-
+ing channel, so that negotiations for tunnels to other hosts
+in the same subnets will be considerably faster.)
+
+The crucial problem is step 11 of section 2.2: the Responder
+must verify that the Initiator is authorized to represent
+the Source, and this is impossible for a subnet because
+there is no way to do a reverse lookup on it. Information
+in DNS records for a name or a single address cannot be
+trusted, because they may be controlled by people who do not
+control the whole subnet.
+
+
+
+
+
+Draft 4 3 May 2001 13
+
+
+
+
+
+ Opportunistic Encryption
+
+
+Ahem: Except in the special case of a subnet masked on a
+byte boundary (in which case RFC 1035's convention of an
+incomplete in-addr.arpa name could be used), subnet lookup
+would need extensions to the reverse-map name space, perhaps
+along the lines of that commonly done for RFC 2317 delega-
+tion. IPv6 already has suitable name syntax, as in RFC
+2874, but has no specific provisions for subnet entries in
+its reverse maps. Fixing all this is is not conceptually
+difficult, but is logically independent of opportunistic
+encryption, and will be proposed separately.
+
+A less-troublesome problem is that the Initiator, in step 10
+of 2.2, must know exactly what subnet is present on the
+Responder's end so he can propose a tunnel to it. This
+information could be included in the TXT record of the Des-
+tination (it would have to be verified with a subnet lookup,
+but that could be done in parallel with other operations).
+The Initiator presumably can be configured to know what sub-
+net(s) are present on its end.
+
+2.7. Option Settings
+
+IPsec and IKE have far too many useless options, and a few
+useful ones. IKE negotiation is quite simplistic, and can-
+not handle even simple discrepancies between the two SGs.
+So it is necessary to be quite specific about what should be
+done and what should be proposed, to guarantee interoper-
+ability without prearrangement or other negotiation proto-
+cols.
+
+Rationale: The prohibition of other negotiations is simply
+because there is no time. The setup algorithm (section 2.2)
+is lengthy already.
+
+[Open question: should opportunistic IKE use a different
+port than normal IKE?]
+
+Somewhat arbitrarily and tentatively, opportunistic SGs must
+support Main Mode, Oakley group 5 for D-H, 3DES encryption
+and MD5 authentication for both ISAKMP and IPsec SAs,
+RSA/MD5 digital-signature authentication with keys between
+2048 and 8192 bits, and ESP doing both encryption and
+authentication. They must do key PFS in Quick Mode, but not
+identity PFS. They may support IPComp, preferably using
+Deflate, but must not insist on it. They may support AES as
+an alternative to 3DES, but must not insist on it.
+
+Rationale: Identity PFS essentially requires establishing a
+complete new keying channel for each new tunnel, but key PFS
+just does a new Diffie-Hellman exchange for each rekeying,
+which is relatively cheap.
+
+Keying channels must remain in existence at least as long as
+any tunnel created with them remains (they are not costly,
+
+
+
+Draft 4 3 May 2001 14
+
+
+
+
+
+ Opportunistic Encryption
+
+
+and keeping the management path up and available simplifies
+various issues). See section 3.1 for related issues. Given
+the use of key PFS, frequent rekeying does not seem critical
+here. In the absence of strong reason to do otherwise, the
+Initiator should propose rekeying at 8hr-or-1MB. The
+Responder must accept any proposal which specifies a rekey-
+ing time between 1hr and 24hr inclusive and a rekeying vol-
+ume between 100KB and 10MB inclusive.
+
+Given the short expected useful life of most tunnels (see
+section 3.1), very few of them will survive long enough to
+be rekeyed. In the absence of strong reason to do other-
+wise, the Initiator should propose rekeying at 1hr-or-100MB.
+The Responder must accept any proposal which specifies a
+rekeying time between 10min and 8hr inclusive and a rekeying
+volume between 1MB and 1000MB inclusive.
+
+It is highly desirable to add some random jitter to the
+times of actual rekeying attempts, to break up ``convoys''
+of rekeying events; this and certain other aspects of robust
+rekeying practice will be the subject of a separate design
+proposal.
+
+Rationale: The numbers used here for rekeying intervals are
+chosen quite arbitrarily and should be re-assessed after
+some implementation experience is gathered.
+
+3. Renewal and Teardown
+
+3.1. Aging
+
+When to tear tunnels down is a bit problematic, but if we're
+setting up a potentially unbounded number of them, we have
+to tear them down somehow sometime.
+
+Set a short initial tentative lifespan, say 1min, since most
+net flows in fact last only a few seconds. When that
+expires, look to see if the tunnel is still in use (defini-
+tion: has had traffic, in either direction, in the last half
+of the tentative lifespan). If so, assign it a somewhat
+longer tentative lifespan, say 20min, after which, look
+again. If not, close it down. (This tentative lifespan is
+independent of rekeying; it is just the time when the tun-
+nel's future is next considered. This should happen reason-
+ably frequently, unlike rekeying, which is costly and
+shouldn't be too frequent.) Multi-step backoff algorithms
+are not worth the trouble; looking every 20min doesn't seem
+onerous.
+
+If the security gateway and the client host are one and the
+same, tunnel teardown decisions might wish to pay attention
+to TCP connection status, as reported by the local TCP
+layer. A still-open TCP connection is almost a guarantee
+that more traffic is coming, while the demise of the only
+
+
+
+Draft 4 3 May 2001 15
+
+
+
+
+
+ Opportunistic Encryption
+
+
+TCP connection through a tunnel is a strong hint that none
+is. If the SG and the client host are separate machines,
+though, tracking TCP connection status requires packet
+snooping, which is complicated and probably not worthwhile.
+
+IKE keying channels likewise are torn down when it appears
+the need has passed. They always linger longer than the
+last tunnel they administer, in case they are needed again;
+the cost of retaining them is low. Other than that, unless
+the number of keying channels on the SG gets large, the SG
+should simply retain all of them until rekeying time, since
+rekeying is the only costly event. When about to rekey a
+keying channel which has no current tunnels, note when the
+last actual keying-channel traffic occurred, and close the
+keying channel down if it wasn't in the last, say, 30min.
+When rekeying a keying channel (or perhaps shortly before
+rekeying is expected), Initiator and Responder should re-
+fetch the public keys used for SG authentication, against
+the possibility that they have changed or disappeared.
+
+See section 2.7 for discussion of rekeying intervals.
+
+Given the low user impact of tearing down and rebuilding a
+connection (a tunnel or a keying channel), rekeying attempts
+should not be too persistent: one can always just rebuild
+when needed, so heroic efforts to preserve an existing con-
+nection are unnecessary. Say, try every 10s for a minute
+and every minute for 5min, and then give up and declare the
+connection (and all other connections to that IKE peer)
+dead.
+
+Rationale: In future, more sophisticated, versions of this
+protocol, examining the initial packet might permit a more
+intelligent guess at the tunnel's useful life. HTTP connec-
+tions in particular are notoriously bursty and repetitive.
+
+Rationale: Note that rekeying a keying connection basically
+consists of building a new keying connection from scratch,
+using IKE Phase 1, and abandoning the old one.
+
+3.2. Teardown and Cleanup
+
+Teardown should always be coordinated with the other end.
+This means interpreting and sending Delete notifications.
+
+On receiving a Delete for the outbound SAs of a tunnel (or
+some subset of them), tear down the inbound ones too, and
+notify the other end with a Delete. Tunnels need to be con-
+sidered as bidirectional entities, even though the low-level
+protocols don't think of them that way.
+
+When the deletion is initiated locally, rather than as a
+response to a received Delete, send a Delete for (all) the
+inbound SAs of a tunnel. If no responding Delete is
+
+
+
+Draft 4 3 May 2001 16
+
+
+
+
+
+ Opportunistic Encryption
+
+
+received for the outbound SAs, try re-sending the original
+Delete. Three tries spaced 10s apart seems a reasonable
+level of effort. (Indefinite persistence is not necessary;
+whether the other end isn't cooperating because it doesn't
+feel like it, or because it is down/disconnected/etc., the
+problem will eventually be cleared up by other means.)
+
+After rekeying, transmission should switch to using the new
+SAs (ISAKMP or IPsec) immediately, and the old leftover SAs
+should be cleared out promptly (and Deletes sent) rather
+than waiting for them to expire. This reduces clutter and
+minimizes confusion.
+
+Since there is only one keying channel per remote IP
+address, the question of whether a Delete notification has
+appeared on a ``suitable'' keying channel does not arise.
+
+Rationale: The pairing of Delete notifications effectively
+constitutes an acknowledged Delete, which is highly desir-
+able.
+
+3.3. Outages and Reboots
+
+Tunnels sometimes go down because the other end crashes, or
+disconnects, or has a network link break, and there is no
+notice of this in the general case. (Even in the event of a
+crash and successful reboot, other SGs don't hear about it
+unless the rebooted SG has specific reason to talk to them
+immediately.) Over-quick response to temporary network out-
+ages is undesirable... but note that a tunnel can be torn
+down and then re-established without any user-visible effect
+except a pause in traffic, whereas if one end does reboot,
+the other end can't get packets to it at all (except via
+IKE) until the situation is noticed. So a bias toward quick
+response is appropriate, even at the cost of occasional
+false alarms.
+
+Heartbeat mechanisms are somewhat unsatisfactory for this.
+Unless they are very frequent, which causes other problems,
+they do not detect the problem promptly.
+
+Ahem: What is really wanted is authenticated ICMP. This
+might be a case where public-key encryption/authentication
+of network packets is the right thing to do, despite the
+expense.
+
+In the absence of that, a two-part approach seems warranted.
+
+First, when an SG receives an IPsec packet that is addressed
+to it, and otherwise appears healthy, but specifies an
+unknown SA and is from a host that the receiver currently
+has no keying channel to, the receiver must attempt to
+inform the sender via an IKE Initial-Contact notification
+(necessarily sent in plaintext, since there is no suitable
+
+
+
+Draft 4 3 May 2001 17
+
+
+
+
+
+ Opportunistic Encryption
+
+
+keying channel). This must be severely rate-limited on both
+ends; one notification per SG pair per minute seems ample.
+
+Second, there is an obvious difficulty with this: the Ini-
+tial-Contact notification is unauthenticated and cannot be
+trusted. So it must be taken as a hint only: there must be
+a way to confirm it.
+
+What is needed here is something that's desirable for debug-
+ging and testing anyway: an IKE-level ping mechanism. Ping-
+ing direct at the IP level instead will not tell us about a
+crash/reboot event. Sending pings through tunnels has vari-
+ous complications (they should stop at the far mouth of the
+tunnel instead of going on to a subnet; they should not
+count against idle timers; etc.). What is needed is a con-
+tinuity check on a keying channel. (This could also be used
+as a heartbeat, should that seem useful.)
+
+IKE Ping delivery need not be reliable, since the whole
+point of a ping is simply to provoke an acknowledgement.
+They should preferably be authenticated, but it is not clear
+that this is absolutely necessary, although if they are not
+they need encryption plus a timestamp or a nonce, to foil
+replay mischief. How they are implemented is a secondary
+issue, and a separate design proposal will be prepared.
+
+Ahem: Some existing implementations are already using (pri-
+vate) notify value 30000 (``LIKE_HELLO'') as ping and (pri-
+vate) notify value 30002 (``SHUT_UP'') as ping reply.
+
+If an IKE Ping gets no response, try some (say 8) IP pings,
+spaced a few seconds apart, to check IP connectivity; if one
+comes back, try another IKE Ping; if that gets no response,
+the other end probably has rebooted, or otherwise been re-
+initialized, and its tunnels and keying channel(s) should be
+torn down.
+
+In a similar vein, giving limited rekeying persistence, a
+short network outage could take some tunnels down without
+disrupting others. On receiving a packet for an unknown SA
+from a host that a keying channel is currently open to, send
+that host a Invalid-SPI notification for that SA. The other
+host can then tear down the half-torn-down tunnel, and nego-
+tiate a new tunnel for the traffic it presumably still wants
+to send.
+
+Finally, it would be helpful if SGs made some attempt to
+deal intelligently with crashes and reboots. A deliberate
+shutdown should include an attempt to notify all other SGs
+currently connected by keying channels, using Deletes, that
+communication is about to fail. (Again, these will be taken
+as teardowns; attempts by the other SGs to negotiate new
+tunnels as replacements should be ignored at this point.)
+And when possible, SGs should attempt to preserve
+
+
+
+Draft 4 3 May 2001 18
+
+
+
+
+
+ Opportunistic Encryption
+
+
+information about currently-connected SGs in non-volatile
+storage, so that after a crash, an Initial-Contact can be
+sent to previous partners to indicate loss of all previ-
+ously-established connections.
+
+4. Conclusions
+
+This design appears to achieve the objective of setting up
+encryption with strangers. The authentication aspects also
+seem adequately addressed if the destination controls its
+reverse-map DNS entries and the DNS data itself can be reli-
+ably authenticated as having originated from the legitimate
+administrators of that subnet/FQDN. The authentication sit-
+uation is less satisfactory when DNS is less helpful, but it
+is difficult to see what else could be done about it.
+
+5. References
+
+[TBW]
+
+6. Appendix: Separate Design Proposals TBW
+
+o How can we build a web of trust with DNSSEC? (See sec-
+ tion 2.3.4.)
+
+o How can we extend DNS reverse lookups to permit reverse
+ lookup on a subnet? (Both address and mask must appear
+ in the name to be looked up.) (See section 2.6.)
+
+o How can rekeying be done as robustly as possible? (At
+ least partly, this is just documenting current FreeS/WAN
+ practice.) (See section 2.7.)
+
+o How should IKE Pings be implemented? (See section 3.3.)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Draft 4 3 May 2001 19
+
+
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-28 04:48:11 +0000