From eed3bb6c48563b865be5560448577e7cfe4ce443 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer
Date: Wed, 23 Aug 2006 20:25:09 +0000
Subject: - Updated to new upstream version.
---
CHANGES | 16 +-
Makefile.ver | 2 +-
debian/changelog | 6 +
doc/draft-richardson-ipsec-opportunistic.txt | 2688 ++++++++++++++++++++
doc/draft-richardson-ipsec-rr.txt | 840 ++++++
doc/draft-spencer-ipsec-ike-implementation.nr | 1203 +++++++++
doc/draft-spencer-ipsec-ike-implementation.txt | 1232 +++++++++
doc/src/draft-richardson-ipsec-opportunistic.html | 2456 ++++++++++++++++++
doc/src/draft-richardson-ipsec-opportunistic.xml | 2519 ++++++++++++++++++
doc/src/draft-richardson-ipsec-rr.html | 659 +++++
doc/src/draft-richardson-ipsec-rr.xml | 560 ++++
lib/libfreeswan/Makefile | 6 +-
programs/Makefile.program | 4 +
programs/pluto/Makefile | 6 +-
programs/pluto/alg_info.c | 10 +-
programs/pluto/connections.c | 11 +-
programs/pluto/keys.c | 10 +-
programs/pluto/vendor.c | 6 +-
programs/pluto/vendor.h | 4 +-
testing/INSTALL | 6 +-
testing/testing.conf | 6 +-
testing/tests/alg-sha-equals-sha1/description.txt | 5 +
testing/tests/alg-sha-equals-sha1/evaltest.dat | 9 +
.../alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf | 26 +
.../alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf | 26 +
testing/tests/alg-sha-equals-sha1/posttest.dat | 2 +
testing/tests/alg-sha-equals-sha1/pretest.dat | 5 +
testing/tests/alg-sha-equals-sha1/test.conf | 22 +
28 files changed, 12315 insertions(+), 30 deletions(-)
create mode 100644 doc/draft-richardson-ipsec-opportunistic.txt
create mode 100644 doc/draft-richardson-ipsec-rr.txt
create mode 100644 doc/draft-spencer-ipsec-ike-implementation.nr
create mode 100644 doc/draft-spencer-ipsec-ike-implementation.txt
create mode 100644 doc/src/draft-richardson-ipsec-opportunistic.html
create mode 100644 doc/src/draft-richardson-ipsec-opportunistic.xml
create mode 100644 doc/src/draft-richardson-ipsec-rr.html
create mode 100644 doc/src/draft-richardson-ipsec-rr.xml
create mode 100644 testing/tests/alg-sha-equals-sha1/description.txt
create mode 100644 testing/tests/alg-sha-equals-sha1/evaltest.dat
create mode 100755 testing/tests/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
create mode 100755 testing/tests/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
create mode 100644 testing/tests/alg-sha-equals-sha1/posttest.dat
create mode 100644 testing/tests/alg-sha-equals-sha1/pretest.dat
create mode 100644 testing/tests/alg-sha-equals-sha1/test.conf
diff --git a/CHANGES b/CHANGES
index 4feaa188d..3d92f229a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,15 @@
+strongswan-2.7.3
+----------------
+
+- "sha" and "sha1" are now treated as synonyms in the ike= and esp=
+ algorithm configuration statements.
+
+- Fixed possible segmentation faults in the eroute, klipsdebug, and
+ other KLIPS-related auxiliary functions by making the USE_NAT_TRAVERSAL
+ compile-time condition defined in Makefile.inc known in
+ programs/Makefile.program.
+
+
strongswan-2.7.2
----------------
@@ -9,8 +21,8 @@ strongswan-2.7.2
the state pointer before logging current state information, causing an
immediate crash of the pluto keying daemon due to a NULL pointer.
- We strongly recommend to update to the 2.7.2 released which fixes this
- vulnerability to malformed proposal payload that could otherwise be
+ We strongly recommend to update to the 2.7.2 release which fixes this
+ vulnerability to malformed proposal payloads that could otherwise be
exploited by Denial-of-Service attacks.
diff --git a/Makefile.ver b/Makefile.ver
index 252fc3bf4..b8f0d8ffd 100644
--- a/Makefile.ver
+++ b/Makefile.ver
@@ -1 +1 @@
-IPSECVERSION=2.7.2
+IPSECVERSION=2.7.3
diff --git a/debian/changelog b/debian/changelog
index 1fae5162d..f27c56fd1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+strongswan (2.7.3-1) UNRELEASED; urgency=low
+
+ * (NOT RELEASED YET) New upstream release
+
+ -- Rene Mayrhofer Wed, 23 Aug 2006 21:23:36 +0100
+
strongswan (2.7.2+dfsg-1) unstable; urgency=low
* First upload to the main Debian archive. This does no longer build
diff --git a/doc/draft-richardson-ipsec-opportunistic.txt b/doc/draft-richardson-ipsec-opportunistic.txt
new file mode 100644
index 000000000..4c87d857a
--- /dev/null
+++ b/doc/draft-richardson-ipsec-opportunistic.txt
@@ -0,0 +1,2688 @@
+
+
+Independent submission M. Richardson
+Internet-Draft SSW
+Expires: November 19, 2003 D. Redelmeier
+ Mimosa
+ May 21, 2003
+
+
+ Opportunistic Encryption using The Internet Key Exchange (IKE)
+ draft-richardson-ipsec-opportunistic-11.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on November 19, 2003.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document describes opportunistic encryption (OE) using the
+ Internet Key Exchange (IKE) and IPsec. Each system administrator
+ adds new resource records to his or her Domain Name System (DNS) to
+ support opportunistic encryption. The objective is to allow
+ encryption for secure communication without any pre-arrangement
+ specific to the pair of systems involved.
+
+ DNS is used to distribute the public keys of each system involved.
+ This is resistant to passive attacks. The use of DNS Security
+ (DNSSEC) secures this system against active attackers as well.
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 1]
+
+Internet-Draft opportunistic May 2003
+
+
+ As a result, the administrative overhead is reduced from the square
+ of the number of systems to a linear dependence, and it becomes
+ possible to make secure communication the default even when the
+ partner is not known in advance.
+
+ This document is offered up as an Informational RFC.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3. Specification . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 4. Impacts on IKE . . . . . . . . . . . . . . . . . . . . . . . . 21
+ 5. DNS issues . . . . . . . . . . . . . . . . . . . . . . . . . . 24
+ 6. Network address translation interaction . . . . . . . . . . . 28
+ 7. Host implementations . . . . . . . . . . . . . . . . . . . . . 29
+ 8. Multi-homing . . . . . . . . . . . . . . . . . . . . . . . . . 30
+ 9. Failure modes . . . . . . . . . . . . . . . . . . . . . . . . 32
+ 10. Unresolved issues . . . . . . . . . . . . . . . . . . . . . . 34
+ 11. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
+ 12. Security considerations . . . . . . . . . . . . . . . . . . . 42
+ 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
+ 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 45
+ Normative references . . . . . . . . . . . . . . . . . . . . . 46
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 47
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . 48
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 2]
+
+Internet-Draft opportunistic May 2003
+
+
+1. Introduction
+
+1.1 Motivation
+
+ The objective of opportunistic encryption is to allow encryption
+ without any pre-arrangement specific to the pair of systems involved.
+ Each system administrator adds public key information to DNS records
+ to support opportunistic encryption and then enables this feature in
+ the nodes' IPsec stack. Once this is done, any two such nodes can
+ communicate securely.
+
+ This document describes opportunistic encryption as designed and
+ mostly implemented by the Linux FreeS/WAN project. For project
+ information, see http://www.freeswan.org.
+
+ The Internet Architecture Board (IAB) and Internet Engineering
+ Steering Group (IESG) have taken a strong stand that the Internet
+ should use powerful encryption to provide security and privacy [4].
+ The Linux FreeS/WAN project attempts to provide a practical means to
+ implement this policy.
+
+ The project uses the IPsec, ISAKMP/IKE, DNS and DNSSEC protocols
+ because they are standardized, widely available and can often be
+ deployed very easily without changing hardware or software or
+ retraining users.
+
+ The extensions to support opportunistic encryption are simple. No
+ changes to any on-the-wire formats are needed. The only changes are
+ to the policy decision making system. This means that opportunistic
+ encryption can be implemented with very minimal changes to an
+ existing IPsec implementation.
+
+ Opportunistic encryption creates a "fax effect". The proliferation
+ of the fax machine was possible because it did not require that
+ everyone buy one overnight. Instead, as each person installed one,
+ the value of having one increased - as there were more people that
+ could receive faxes. Once opportunistic encryption is installed it
+ automatically recognizes other boxes using opportunistic encryption,
+ without any further configuration by the network administrator. So,
+ as opportunistic encryption software is installed on more boxes, its
+ value as a tool increases.
+
+ This document describes the infrastructure to permit deployment of
+ Opportunistic Encryption.
+
+ The term S/WAN is a trademark of RSA Data Systems, and is used with
+ permission by this project.
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 3]
+
+Internet-Draft opportunistic May 2003
+
+
+1.2 Types of network traffic
+
+ To aid in understanding the relationship between security processing
+ and IPsec we divide network traffic into four categories:
+
+ * Deny: networks to which traffic is always forbidden.
+
+ * Permit: networks to which traffic in the clear is permitted.
+
+ * Opportunistic tunnel: networks to which traffic is encrypted if
+ possible, but otherwise is in the clear or fails depending on the
+ default policy in place.
+
+ * Configured tunnel: networks to which traffic must be encrypted, and
+ traffic in the clear is never permitted.
+
+ Traditional firewall devices handle the first two categories. No
+ authentication is required. The permit policy is currently the
+ default on the Internet.
+
+ This document describes the third category - opportunistic tunnel,
+ which is proposed as the new default for the Internet.
+
+ Category four, encrypt traffic or drop it, requires authentication of
+ the end points. As the number of end points is typically bounded and
+ is typically under a single authority, arranging for distribution of
+ authentication material, while difficult, does not require any new
+ technology. The mechanism described here provides an additional way
+ to distribute the authentication materials, that of a public key
+ method that does not require deployment of an X.509 based
+ infrastructure.
+
+ Current Virtual Private Networks can often be replaced by an "OE
+ paranoid" policy as described herein.
+
+1.3 Peer authentication in opportunistic encryption
+
+ Opportunistic encryption creates tunnels between nodes that are
+ essentially strangers. This is done without any prior bilateral
+ arrangement. There is, therefore, the difficult question of how one
+ knows to whom one is talking.
+
+ One possible answer is that since no useful authentication can be
+ done, none should be tried. This mode of operation is named
+ "anonymous encryption". An active man-in-the-middle attack can be
+ used to thwart the privacy of this type of communication. Without
+ peer authentication, there is no way to prevent this kind of attack.
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 4]
+
+Internet-Draft opportunistic May 2003
+
+
+ Although a useful mode, anonymous encryption is not the goal of this
+ project. Simpler methods are available that can achieve anonymous
+ encryption only, but authentication of the peer is a desireable goal.
+ The latter is achieved through key distribution in DNS, leveraging
+ upon the authentication of the DNS in DNSSEC.
+
+ Peers are, therefore, authenticated with DNSSEC when available.
+ Local policy determines how much trust to extend when DNSSEC is not
+ available.
+
+ However, an essential premise of building private connections with
+ strangers is that datagrams received through opportunistic tunnels
+ are no more special than datagrams that arrive in the clear. Unlike
+ in a VPN, these datagrams should not be given any special exceptions
+ when it comes to auditing, further authentication or firewalling.
+
+ When initiating outbound opportunistic encryption, local
+ configuration determines what happens if tunnel setup fails. It may
+ be that the packet goes out in the clear, or it may be dropped.
+
+1.4 Use of RFC2119 terms
+
+ The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
+ SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
+ document, are to be interpreted as described in [5]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 5]
+
+Internet-Draft opportunistic May 2003
+
+
+2. Overview
+
+2.1 Reference diagram
+
+ ---------------------------------------------------------------------
+
+ The following network diagram is used in the rest of this document as
+ the canonical diagram:
+
+ [Q] [R]
+ . . AS2
+ [A]----+----[SG-A].......+....+.......[SG-B]-------[B]
+ | ......
+ AS1 | ..PI..
+ | ......
+ [D]----+----[SG-D].......+....+.......[C] AS3
+
+
+
+ Figure 1: Reference Network Diagram
+
+ ---------------------------------------------------------------------
+
+ In this diagram, there are four end-nodes: A, B, C and D. There are
+ three gateways, SG-A, SG-B, SG-D. A, D, SG-A and SG-D are part of
+ the same administrative authority, AS1. SG-A and SG-D are on two
+ different exit paths from organization 1. SG-B/B is an independent
+ organization, AS2. Nodes Q and R are nodes on the Internet. PI is
+ the Public Internet ("The Wild").
+
+2.2 Terminology
+
+ The following terminology is used in this document:
+
+ Security gateway: a system that performs IPsec tunnel mode
+ encapsulation/decapsulation. [SG-x] in the diagram.
+
+ Alice: node [A] in the diagram. When an IP address is needed, this
+ is 192.1.0.65.
+
+ Bob: node [B] in the diagram. When an IP address is needed, this is
+ 192.2.0.66.
+
+ Carol: node [C] in the diagram. When an IP address is needed, this
+ is 192.1.1.67.
+
+ Dave: node [D] in the diagram. When an IP address is needed, this is
+ 192.3.0.68.
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 6]
+
+Internet-Draft opportunistic May 2003
+
+
+ SG-A: Alice's security gateway. Internally it is 192.1.0.1,
+ externally it is 192.1.1.4.
+
+ SG-B: Bob's security gateway. Internally it is 192.2.0.1, externally
+ it is 192.1.1.5.
+
+ SG-D: Dave's security gateway. Also Alice's backup security gateway.
+ Internally it is 192.3.0.1, externally it is 192.1.1.6.
+
+ - A single dash represents clear-text datagrams.
+
+ = An equals sign represents phase 2 (IPsec) cipher-text datagrams.
+
+ ~ A single tilde represents clear-text phase 1 datagrams.
+
+ # A hash sign represents phase 1 (IKE) cipher-text datagrams.
+
+ . A period represents an untrusted network of unknown type.
+
+ Configured tunnel: a tunnel that is directly and deliberately hand
+ configured on participating gateways. Configured tunnels are
+ typically given a higher level of trust than opportunistic
+ tunnels.
+
+ Road warrior tunnel: a configured tunnel connecting one node with a
+ fixed IP address and one node with a variable IP address. A road
+ warrior (RW) connection must be initiated by the variable node,
+ since the fixed node cannot know the current address for the road
+ warrior.
+
+ Anonymous encryption: the process of encrypting a session without any
+ knowledge of who the other parties are. No authentication of
+ identities is done.
+
+ Opportunistic encryption: the process of encrypting a session with
+ authenticated knowledge of who the other parties are.
+
+ Lifetime: the period in seconds (bytes or datagrams) for which a
+ security association will remain alive before needing to be re-
+ keyed.
+
+ Lifespan: the effective time for which a security association remains
+ useful. A security association with a lifespan shorter than its
+ lifetime would be removed when no longer needed. A security
+ association with a lifespan longer than its lifetime would need to
+ be re-keyed one or more times.
+
+ Phase 1 SA: an ISAKMP/IKE security association sometimes referred to
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 7]
+
+Internet-Draft opportunistic May 2003
+
+
+ as a keying channel.
+
+ Phase 2 SA: an IPsec security association.
+
+ Tunnel: another term for a set of phase 2 SA (one in each direction).
+
+ NAT: Network Address Translation (see [20]).
+
+ NAPT: Network Address and Port Translation (see [20]).
+
+ AS: an autonomous system (AS) is a group of systems (a network) that
+ are under the administrative control of a single organization.
+
+ Default-free zone: a set of routers that maintain a complete set of
+ routes to all currently reachable destinations. Having such a
+ list, these routers never make use of a default route. A datagram
+ with a destination address not matching any route will be dropped
+ by such a router.
+
+
+2.3 Model of operation
+
+ The opportunistic encryption security gateway (OE gateway) is a
+ regular gateway node as described in [2] section 2.4 and [3] with the
+ additional capabilities described here and in [7]. The algorithm
+ described here provides a way to determine, for each datagram,
+ whether or not to encrypt and tunnel the datagram. Two important
+ things that must be determined are whether or not to encrypt and
+ tunnel and, if so, the destination address or name of the tunnel end
+ point which should be used.
+
+2.3.1 Tunnel authorization
+
+ The OE gateway determines whether or not to create a tunnel based on
+ the destination address of each packet. Upon receiving a packet with
+ a destination address not recently seen, the OE gateway performs a
+ lookup in DNS for an authorization resource record (see Section 5.2).
+ The record is located using the IP address to perform a search in the
+ in-addr.arpa (IPv4) or ip6.arpa (IPv6) maps. If an authorization
+ record is found, the OE gateway interprets this as a request for a
+ tunnel to be formed.
+
+2.3.2 Tunnel end-point discovery
+
+ The authorization resource record also provides the address or name
+ of the tunnel end point which should be used.
+
+ The record may also provide the public RSA key of the tunnel end
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 8]
+
+Internet-Draft opportunistic May 2003
+
+
+ point itself. This is provided for efficiency only. If the public
+ RSA key is not present, the OE gateway performs a second lookup to
+ find a KEY resource record for the end point address or name.
+
+ Origin and integrity protection of the resource records is provided
+ by DNSSEC ([16]). Section 3.2.4.1 documents an optional restriction
+ on the tunnel end point if DNSSEC signatures are not available for
+ the relevant records.
+
+2.3.3 Caching of authorization results
+
+ The OE gateway maintains a cache, in the forwarding plane, of source/
+ destination pairs for which opportunistic encryption has been
+ attempted. This cache maintains a record of whether or not OE was
+ successful so that subsequent datagrams can be forwarded properly
+ without additional delay.
+
+ Successful negotiation of OE instantiates a new security association.
+ Failure to negotiate OE results in creation of a forwarding policy
+ entry either to drop or transmit in the clear future datagrams. This
+ negative cache is necessary to avoid the possibly lengthy process of
+ repeatedly looking up the same information.
+
+ The cache is timed out periodically, as described in Section 3.4.
+ This removes entries that are no longer being used and permits the
+ discovery of changes in authorization policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 9]
+
+Internet-Draft opportunistic May 2003
+
+
+3. Specification
+
+ The OE gateway is modeled to have a forwarding plane and a control
+ plane. A control channel, such as PF_KEY, connects the two planes.
+ (See [6].) The forwarding plane performs per datagram operations.
+ The control plane contains a keying daemon, such as ISAKMP/IKE, and
+ performs all authorization, peer authentication and key derivation
+ functions.
+
+3.1 Datagram state machine
+
+ Let the OE gateway maintain a collection of objects -- a superset of
+ the security policy database (SPD) specified in [7]. For each
+ combination of source and destination address, an SPD object exists
+ in one of five following states. Prior to forwarding each datagram,
+ the responder uses the source and destination addresses to pick an
+ entry from the SPD. The SPD then determines if and how the packet is
+ forwarded.
+
+3.1.1 Non-existent policy
+
+ If the responder does not find an entry, then this policy applies.
+ The responder creates an entry with an initial state of "hold policy"
+ and requests keying material from the keying daemon. The responder
+ does not forward the datagram, rather it attaches the datagram to the
+ SPD entry as the "first" datagram and retains it for eventual
+ transmission in a new state.
+
+3.1.2 Hold policy
+
+ The responder requests keying material. If the interface to the
+ keying system is lossy (PF_KEY, for instance, can be), the
+ implementation SHOULD include a mechanism to retransmit the keying
+ request at a rate limited to less than 1 request per second. The
+ responder does not forward the datagram. It attaches the datagram to
+ the SPD entry as the "last" datagram where it is retained for
+ eventual transmission. If there is a datagram already so stored,
+ then that already stored datagram is discarded.
+
+ Because the "first" datagram is probably a TCP SYN packet, the
+ responder retains the "first" datagram in an attempt to avoid waiting
+ for a TCP retransmit. The responder retains the "last" datagram in
+ deference to streaming protocols that find it useful to know how much
+ data has been lost. These are recommendations to decrease latency.
+ There are no operational requirements for this.
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 10]
+
+Internet-Draft opportunistic May 2003
+
+
+3.1.3 Pass-through policy
+
+ The responder forwards the datagram using the normal forwarding
+ table. The responder enters this state only by command from the
+ keying daemon, and upon entering this state, also forwards the
+ "first" and "last" datagrams.
+
+3.1.4 Deny policy
+
+ The responder discards the datagram. The responder enters this state
+ only by command from the keying daemon, and upon entering this state,
+ discards the "first" and "last" datagrams. Local administration
+ decides if further datagrams cause ICMP messages to be generated
+ (i.e. ICMP Destination Unreachable, Communication Administratively
+ Prohibited. type=3, code=13).
+
+3.1.5 Encrypt policy
+
+ The responder encrypts the datagram using the indicated security
+ association database (SAD) entry. The responder enters this state
+ only by command from the keying daemon, and upon entering this state,
+ releases and forwards the "first" and "last" datagrams using the new
+ encrypt policy.
+
+ If the associated SAD entry expires because of byte, packet or time
+ limits, then the entry returns to the Hold policy, and an expire
+ message is sent to the keying daemon.
+
+ All states may be created directly by the keying daemon while acting
+ as a responder.
+
+3.2 Keying state machine - initiator
+
+ Let the keying daemon maintain a collection of objects. Let them be
+ called "connections" or "conn"s. There are two categories of
+ connection objects: classes and instances. A class represents an
+ abstract policy - what could be. An instance represents an actual
+ connection - what is implemented at the time.
+
+ Let there be two further subtypes of connections: keying channels
+ (Phase 1 SAs) and data channels (Phase 2 SAs). Each data channel
+ object may have a corresponding SPD and SAD entry maintained by the
+ datagram state machine.
+
+ For the purposes of opportunistic encryption, there MUST, at least,
+ be connection classes known as "deny", "always-clear-text", "OE-
+ permissive", and "OE-paranoid". The latter two connection classes
+ define a set of source and/or destination addresses for which
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 11]
+
+Internet-Draft opportunistic May 2003
+
+
+ opportunistic encryption will be attempted. The administrator MAY
+ set policy options in a number of additional places. An
+ implementation MAY create additional connection classes to further
+ refine these policies.
+
+ The simplest system may need only the "OE-permissive" connection, and
+ would list its own (single) IP address as the source address of this
+ policy and the wild-card address 0.0.0.0/0 as the destination IPv4
+ address. That is, the simplest policy is to try opportunistic
+ encryption with all destinations.
+
+ The distinction between permissive and paranoid OE use will become
+ clear in the state transition differences. In general a permissive
+ OE will, on failure, install a pass-through policy, while a paranoid
+ OE will, on failure, install a drop policy.
+
+ In this description of the keying machine's state transitions, the
+ states associated with the keying system itself are omitted because
+ they are best documented in the keying system ([8], [9] and [10] for
+ ISAKMP/IKE), and the details are keying system specific.
+ Opportunistic encryption is not dependent upon any specific keying
+ protocol, but this document does provide requirements for those using
+ ISAKMP/IKE to assure that implementations inter-operate.
+
+ The state transitions that may be involved in communicating with the
+ forwarding plane are omitted. PF_KEY and similar protocols have
+ their own set of states required for message sends and completion
+ notifications.
+
+ Finally, the retransmits and recursive lookups that are normal for
+ DNS are not included in this description of the state machine.
+
+3.2.1 Nonexistent connection
+
+ There is no connection instance for a given source/destination
+ address pair. Upon receipt of a request for keying material for this
+ source/destination pair, the initiator searches through the
+ connection classes to determine the most appropriate policy. Upon
+ determining an appropriate connection class, an instance object is
+ created of that type. Both of the OE types result in a potential OE
+ connection.
+
+ Failure to find an appropriate connection class results in an
+ administrator defined default.
+
+ In each case, when the initiator finds an appropriate class for the
+ new flow, an instance connection is made of the class which matched.
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 12]
+
+Internet-Draft opportunistic May 2003
+
+
+3.2.2 Clear-text connection
+
+ The non-existent connection makes a transition to this state when an
+ always-clear-text class is instantiated, or when an OE-permissive
+ connection fails. During the transition, the initiator creates a
+ pass-through policy object in the forwarding plane for the
+ appropriate flow.
+
+ Timing out is the only way to leave this state (see Section 3.2.7).
+
+3.2.3 Deny connection
+
+ The empty connection makes a transition to this state when a deny
+ class is instantiated, or when an OE-paranoid connection fails.
+ During the transition, the initiator creates a deny policy object in
+ the forwarding plane for the appropriate flow.
+
+ Timing out is the only way to leave this state (see Section 3.2.7).
+
+3.2.4 Potential OE connection
+
+ The empty connection makes a transition to this state when one of
+ either OE class is instantiated. During the transition to this
+ state, the initiator creates a hold policy object in the forwarding
+ plane for the appropriate flow.
+
+ In addition, when making a transition into this state, DNS lookup is
+ done in the reverse-map for a TXT delegation resource record (see
+ Section 5.2). The lookup key is the destination address of the flow.
+
+ There are three ways to exit this state:
+
+ 1. DNS lookup finds a TXT delegation resource record.
+
+ 2. DNS lookup does not find a TXT delegation resource record.
+
+ 3. DNS lookup times out.
+
+ Based upon the results of the DNS lookup, the potential OE connection
+ makes a transition to the pending OE connection state. The
+ conditions for a successful DNS look are:
+
+ 1. DNS finds an appropriate resource record
+
+ 2. It is properly formatted according to Section 5.2
+
+ 3. if DNSSEC is enabled, then the signature has been vouched for.
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 13]
+
+Internet-Draft opportunistic May 2003
+
+
+ Note that if the initiator does not find the public key present in
+ the TXT delegation record, then the public key must be looked up as a
+ sub-state. Only successful completion of all the DNS lookups is
+ considered a success.
+
+ If DNS lookup does not find a resource record or DNS times out, then
+ the initiator considers the receiver not OE capable. If this is an
+ OE-paranoid instance, then the potential OE connection makes a
+ transition to the deny connection state. If this is an OE-permissive
+ instance, then the potential OE connection makes a transition to the
+ clear-text connection state.
+
+ If the initiator finds a resource record but it is not properly
+ formatted, or if DNSSEC is enabled and reports a failure to
+ authenticate, then the potential OE connection should make a
+ transition to the deny connection state. This action SHOULD be
+ logged. If the administrator wishes to override this transition
+ between states, then an always-clear class can be installed for this
+ flow. An implementation MAY make this situation a new class.
+
+3.2.4.1 Restriction on unauthenticated TXT delegation records
+
+ An implementation SHOULD also provide an additional administrative
+ control on delegation records and DNSSEC. This control would apply
+ to delegation records (the TXT records in the reverse-map) that are
+ not protected by DNSSEC. Records of this type are only permitted to
+ delegate to their own address as a gateway. When this option is
+ enabled, an active attack on DNS will be unable to redirect packets
+ to other than the original destination.
+
+3.2.5 Pending OE connection
+
+ The potential OE connection makes a transition to this state when the
+ initiator determines that all the information required from the DNS
+ lookup is present. Upon entering this state, the initiator attempts
+ to initiate keying to the gateway provided.
+
+ Exit from this state occurs either with a successfully created IPsec
+ SA, or with a failure of some kind. Successful SA creation results
+ in a transition to the key connection state.
+
+ Three failures have caused significant problems. They are clearly
+ not the only possible failures from keying.
+
+ Note that if there are multiple gateways available in the TXT
+ delegation records, then a failure can only be declared after all
+ have been tried. Further, creation of a phase 1 SA does not
+ constitute success. A set of phase 2 SAs (a tunnel) is considered
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 14]
+
+Internet-Draft opportunistic May 2003
+
+
+ success.
+
+ The first failure occurs when an ICMP port unreachable is
+ consistently received without any other communication, or when there
+ is silence from the remote end. This usually means that either the
+ gateway is not alive, or the keying daemon is not functional. For an
+ OE-permissive connection, the initiator makes a transition to the
+ clear-text connection but with a low lifespan. For an OE-pessimistic
+ connection, the initiator makes a transition to the deny connection
+ again with a low lifespan. The lifespan in both cases is kept low
+ because the remote gateway may be in the process of rebooting or be
+ otherwise temporarily unavailable.
+
+ The length of time to wait for the remote keying daemon to wake up is
+ a matter of some debate. If there is a routing failure, 5 minutes is
+ usually long enough for the network to re-converge. Many systems can
+ reboot in that amount of time as well. However, 5 minutes is far too
+ long for most users to wait to hear that they can not connect using
+ OE. Implementations SHOULD make this a tunable parameter.
+
+ The second failure occurs after a phase 1 SA has been created, but
+ there is either no response to the phase 2 proposal, or the initiator
+ receives a negative notify (the notify must be authenticated). The
+ remote gateway is not prepared to do OE at this time. As before, the
+ initiator makes a transition to the clear-text or the deny connection
+ based upon connection class, but this time with a normal lifespan.
+
+ The third failure occurs when there is signature failure while
+ authenticating the remote gateway. This can occur when there has
+ been a key roll-over, but DNS has not caught up. In this case again,
+ the initiator makes a transition to the clear-text or the deny
+ connection based upon the connection class. However, the lifespan
+ depends upon the remaining time to live in the DNS. (Note that
+ DNSSEC signed resource records have a different expiry time than non-
+ signed records.)
+
+3.2.6 Keyed connection
+
+ The pending OE connection makes a transition to this state when
+ session keying material (the phase 2 SAs) is derived. The initiator
+ creates an encrypt policy in the forwarding plane for this flow.
+
+ There are three ways to exit this state. The first is by receipt of
+ an authenticated delete message (via the keying channel) from the
+ peer. This is normal teardown and results in a transition to the
+ expired connection state.
+
+ The second exit is by expiry of the forwarding plane keying material.
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 15]
+
+Internet-Draft opportunistic May 2003
+
+
+ This starts a re-key operation with a transition back to pending OE
+ connection. In general, the soft expiry occurs with sufficient time
+ left to continue to use the keys. A re-key can fail, which may
+ result in the connection failing to clear-text or deny as
+ appropriate. In the event of a failure, the forwarding plane policy
+ does not change until the phase 2 SA (IPsec SA) reaches its hard
+ expiry.
+
+ The third exit is in response to a negotiation from a remote gateway.
+ If the forwarding plane signals the control plane that it has
+ received an unknown SPI from the remote gateway, or an ICMP is
+ received from the remote gateway indicating an unknown SPI, the
+ initiator should consider that the remote gateway has rebooted or
+ restarted. Since these indications are easily forged, the
+ implementation must exercise care. The initiator should make a
+ cautious (rate-limited) attempt to re-key the connection.
+
+3.2.7 Expiring connection
+
+ The initiator will periodically place each of the deny, clear-text,
+ and keyed connections into this sub-state. See Section 3.4 for more
+ details of how often this occurs. The initiator queries the
+ forwarding plane for last use time of the appropriate policy. If the
+ last use time is relatively recent, then the connection returns to
+ the previous deny, clear-text or keyed connection state. If not,
+ then the connection enters the expired connection state.
+
+ The DNS query and answer that lead to the expiring connection state
+ are also examined. The DNS query may become stale. (A negative,
+ i.e. no such record, answer is valid for the period of time given by
+ the MINIMUM field in an attached SOA record. See [12] section
+ 4.3.4.) If the DNS query is stale, then a new query is made. If the
+ results change, then the connection makes a transition to a new state
+ as described in potential OE connection state.
+
+ Note that when considering how stale a connection is, both outgoing
+ SPD and incoming SAD must be queried as some flows may be
+ unidirectional for some time.
+
+ Also note that the policy at the forwarding plane is not updated
+ unless there is a conclusion that there should be a change.
+
+3.2.8 Expired connection
+
+ Entry to this state occurs when no datagrams have been forwarded
+ recently via the appropriate SPD and SAD objects. The objects in the
+ forwarding plane are removed (logging any final byte and packet
+ counts if appropriate) and the connection instance in the keying
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 16]
+
+Internet-Draft opportunistic May 2003
+
+
+ plane is deleted.
+
+ The initiator sends an ISAKMP/IKE delete to clean up the phase 2 SAs
+ as described in Section 3.4.
+
+ Whether or not to delete the phase 1 SAs at this time is left as a
+ local implementation issue. Implementations that do delete the phase
+ 1 SAs MUST send authenticated delete messages to indicate that they
+ are doing so. There is an advantage to keeping the phase 1 SAs until
+ they expire - they may prove useful again in the near future.
+
+3.3 Keying state machine - responder
+
+ The responder has a set of objects identical to those of the
+ initiator.
+
+ The responder receives an invitation to create a keying channel from
+ an initiator.
+
+3.3.1 Unauthenticated OE peer
+
+ Upon entering this state, the responder starts a DNS lookup for a KEY
+ record for the initiator. The responder looks in the reverse-map for
+ a KEY record for the initiator if the initiator has offered an
+ ID_IPV4_ADDR, and in the forward map if the initiator has offered an
+ ID_FQDN type. (See [8] section 4.6.2.1.)
+
+ The responder exits this state upon successful receipt of a KEY from
+ DNS, and use of the key to verify the signature of the initiator.
+
+ Successful authentication of the peer results in a transition to the
+ authenticated OE Peer state.
+
+ Note that the unauthenticated OE peer state generally occurs in the
+ middle of the key negotiation protocol. It is really a form of
+ pseudo-state.
+
+3.3.2 Authenticated OE Peer
+
+ The peer will eventually propose one or more phase 2 SAs. The
+ responder uses the source and destination address in the proposal to
+ finish instantiating the connection state using the connection class
+ table. The responder MUST search for an identical connection object
+ at this point.
+
+ If an identical connection is found, then the responder deletes the
+ old instance, and the new object makes a transition to the pending OE
+ connection state. This means that new ISAKMP connections with a
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 17]
+
+Internet-Draft opportunistic May 2003
+
+
+ given peer will always use the latest instance, which is the correct
+ one if the peer has rebooted in the interim.
+
+ If an identical connection is not found, then the responder makes the
+ transition according to the rules given for the initiator.
+
+ Note that if the initiator is in OE-paranoid mode and the responder
+ is in either always-clear-text or deny, then no communication is
+ possible according to policy. An implementation is permitted to
+ create new types of policies such as "accept OE but do not initiate
+ it". This is a local matter.
+
+3.4 Renewal and teardown
+
+3.4.1 Aging
+
+ A potentially unlimited number of tunnels may exist. In practice,
+ only a few tunnels are used during a period of time. Unused tunnels
+ MUST, therefore, be torn down. Detecting when tunnels are no longer
+ in use is the subject of this section.
+
+ There are two methods for removing tunnels: explicit deletion or
+ expiry.
+
+ Explicit deletion requires an IKE delete message. As the deletes
+ MUST be authenticated, both ends of the tunnel must maintain the key
+ channel (phase 1 ISAKMP SA). An implementation which refuses to
+ either maintain or recreate the keying channel SA will be unable to
+ use this method.
+
+ The tunnel expiry method, simply allows the IKE daemon to expire
+ normally without attempting to re-key it.
+
+ Regardless of which method is used to remove tunnels, the
+ implementation requires a method to determine if the tunnel is still
+ in use. The specifics are a local matter, but the FreeS/WAN project
+ uses the following criteria. These criteria are currently
+ implemented in the key management daemon, but could also be
+ implemented at the SPD layer using an idle timer.
+
+ Set a short initial (soft) lifespan of 1 minute since many net flows
+ last only a few seconds.
+
+ At the end of the lifespan, check to see if the tunnel was used by
+ traffic in either direction during the last 30 seconds. If so,
+ assign a longer tentative lifespan of 20 minutes after which, look
+ again. If the tunnel is not in use, then close the tunnel.
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 18]
+
+Internet-Draft opportunistic May 2003
+
+
+ The expiring state in the key management system (see Section 3.2.7)
+ implements these timeouts. The timer above may be in the forwarding
+ plane, but then it must be re-settable.
+
+ The tentative lifespan is independent of re-keying; it is just the
+ time when the tunnel's future is next considered. (The term lifespan
+ is used here rather than lifetime for this reason.) Unlike re-keying,
+ this tunnel use check is not costly and should happen reasonably
+ frequently.
+
+ A multi-step back-off algorithm is not considered worth the effort
+ here.
+
+ If the security gateway and the client host are the same and not a
+ Bump-in-the-Stack or Bump-in-the-Wire implementation, tunnel teardown
+ decisions MAY pay attention to TCP connection status as reported by
+ the local TCP layer. A still-open TCP connection is almost a
+ guarantee that more traffic is expected. Closing of the only TCP
+ connection through a tunnel is a strong hint that no more traffic is
+ expected.
+
+3.4.2 Teardown and cleanup
+
+ Teardown should always be coordinated between the two ends of the
+ tunnel by interpreting and sending delete notifications. There is a
+ detailed sub-state in the expired connection state of the key manager
+ that relates to retransmits of the delete notifications, but this is
+ considered to be a keying system detail.
+
+ On receiving a delete for the outbound SAs of a tunnel (or some
+ subset of them), tear down the inbound ones also and notify the
+ remote end with a delete. If the local system receives a delete for
+ a tunnel which is no longer in existence, then two delete messages
+ have crossed paths. Ignore the delete. The operation has already
+ been completed. Do not generate any messages in this situation.
+
+ Tunnels are to be considered as bidirectional entities, even though
+ the low-level protocols don't treat them this way.
+
+ When the deletion is initiated locally, rather than as a response to
+ a received delete, send a delete for (all) the inbound SAs of a
+ tunnel. If the local system does not receive a responding delete for
+ the outbound SAs, try re-sending the original delete. Three tries
+ spaced 10 seconds apart seems a reasonable level of effort. A
+ failure of the other end to respond after 3 attempts, indicates that
+ the possibility of further communication is unlikely. Remove the
+ outgoing SAs. (The remote system may be a mobile node that is no
+ longer present or powered on.)
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 19]
+
+Internet-Draft opportunistic May 2003
+
+
+ After re-keying, transmission should switch to using the new outgoing
+ SAs (ISAKMP or IPsec) immediately, and the old leftover outgoing SAs
+ should be cleared out promptly (delete should be sent for the
+ outgoing SAs) rather than waiting for them to expire. This reduces
+ clutter and minimizes confusion for the operator doing diagnostics.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 20]
+
+Internet-Draft opportunistic May 2003
+
+
+4. Impacts on IKE
+
+4.1 ISAKMP/IKE protocol
+
+ The IKE wire protocol needs no modifications. The major changes are
+ implementation issues relating to how the proposals are interpreted,
+ and from whom they may come.
+
+ As opportunistic encryption is designed to be useful between peers
+ without prior operator configuration, an IKE daemon must be prepared
+ to negotiate phase 1 SAs with any node. This may require a large
+ amount of resources to maintain cookie state, as well as large
+ amounts of entropy for nonces, cookies and so on.
+
+ The major changes to support opportunistic encryption are at the IKE
+ daemon level. These changes relate to handling of key acquisition
+ requests, lookup of public keys and TXT records, and interactions
+ with firewalls and other security facilities that may be co-resident
+ on the same gateway.
+
+4.2 Gateway discovery process
+
+ In a typical configured tunnel, the address of SG-B is provided via
+ configuration. Furthermore, the mapping of an SPD entry to a gateway
+ is typically a 1:1 mapping. When the 0.0.0.0/0 SPD entry technique
+ is used, then the mapping to a gateway is determined by the reverse
+ DNS records.
+
+ The need to do a DNS lookup and wait for a reply will typically
+ introduce a new state and a new event source (DNS replies) to IKE.
+ Although a synchronous DNS request can be implemented for proof of
+ concept, experience is that it can cause very high latencies when a
+ queue of queries must all timeout in series.
+
+ Use of an asynchronous DNS lookup will also permit overlap of DNS
+ lookups with some of the protocol steps.
+
+4.3 Self identification
+
+ SG-A will have to establish its identity. Use an IPv4 ID in phase 1.
+
+ There are many situations where the administrator of SG-A may not be
+ able to control the reverse DNS records for SG-A's public IP address.
+ Typical situations include dialup connections and most residential-
+ type broadband Internet access (ADSL, cable-modem) connections. In
+ these situations, a fully qualified domain name that is under the
+ control of SG-A's administrator may be used when acting as an
+ initiator only. The FQDN ID should be used in phase 1. See Section
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 21]
+
+Internet-Draft opportunistic May 2003
+
+
+ 5.3 for more details and restrictions.
+
+4.4 Public key retrieval process
+
+ Upon receipt of a phase 1 SA proposal with either an IPv4 (IPv6) ID
+ or an FQDN ID, an IKE daemon needs to examine local caches and
+ configuration files to determine if this is part of a configured
+ tunnel. If no configured tunnels are found, then the implementation
+ should attempt to retrieve a KEY record from the reverse DNS in the
+ case of an IPv4/IPv6 ID, or from the forward DNS in the case of FQDN
+ ID.
+
+ It is reasonable that if other non-local sources of policy are used
+ (COPS, LDAP), they be consulted concurrently but some clear ordering
+ of policy be provided. Note that due to variances in latency,
+ implementations must wait for positive or negative replies from all
+ sources of policy before making any decisions.
+
+4.5 Interactions with DNSSEC
+
+ The implementation described (1.98) neither uses DNSSEC directly to
+ explicitly verify the authenticity of zone information, nor uses the
+ NXT records to provide authentication of the absence of a TXT or KEY
+ record. Rather, this implementation uses a trusted path to a DNSSEC
+ capable caching resolver.
+
+ To distinguish between an authenticated and an unauthenticated DNS
+ resource record, a stub resolver capable of returning DNSSEC
+ information MUST be used.
+
+4.6 Required proposal types
+
+4.6.1 Phase 1 parameters
+
+ Main mode MUST be used.
+
+ The initiator MUST offer at least one proposal using some combination
+ of: 3DES, HMAC-MD5 or HMAC-SHA1, DH group 2 or 5. Group 5 SHOULD be
+ proposed first. [11]
+
+ The initiator MAY offer additional proposals, but the cipher MUST not
+ be weaker than 3DES. The initiator SHOULD limit the number of
+ proposals such that the IKE datagrams do not need to be fragmented.
+
+ The responder MUST accept one of the proposals. If any configuration
+ of the responder is required then the responder is not acting in an
+ opportunistic way.
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 22]
+
+Internet-Draft opportunistic May 2003
+
+
+ SG-A SHOULD use an ID_IPV4_ADDR (ID_IPV6_ADDR for IPv6) of the
+ external interface of SG-A for phase 1. (There is an exception, see
+ Section 5.3.) The authentication method MUST be RSA public key
+ signatures. The RSA key for SG-A SHOULD be placed into a DNS KEY
+ record in the reverse space of SG-A (i.e. using in-addr.arpa).
+
+4.6.2 Phase 2 parameters
+
+ SG-A MUST propose a tunnel between Alice and Bob, using 3DES-CBC
+ mode, MD5 or SHA1 authentication. Perfect Forward Secrecy MUST be
+ specified.
+
+ Tunnel mode MUST be used.
+
+ Identities MUST be ID_IPV4_ADDR_SUBNET with the mask being /32.
+
+ Authorization for SG-A to act on Alice's behalf is determined by
+ looking for a TXT record in the reverse-map at Alice's address.
+
+ Compression SHOULD NOT be mandatory. It may be offered as an option.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 23]
+
+Internet-Draft opportunistic May 2003
+
+
+5. DNS issues
+
+5.1 Use of KEY record
+
+ In order to establish their own identities, SG-A and SG-B SHOULD
+ publish their public keys in their reverse DNS via DNSSEC's KEY
+ record. See section 3 of RFC 2535 [16].
+
+ For example:
+
+ KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
+
+ 0x4200: The flag bits, indicating that this key is prohibited for
+ confidentiality use (it authenticates the peer only, a separate
+ Diffie-Hellman exchange is used for confidentiality), and that
+ this key is associated with the non-zone entity whose name is the
+ RR owner name. No other flags are set.
+
+ 4: This indicates that this key is for use by IPsec.
+
+ 1: An RSA key is present.
+
+ AQNJjkKlIk9...nYyUkKK8: The public key of the host as described in
+ [17].
+
+ Use of several KEY records allows for key rollover. The SIG Payload
+ in IKE phase 1 SHOULD be accepted if the public key given by any KEY
+ RR validates it.
+
+5.2 Use of TXT delegation record
+
+ Alice publishes a TXT record to provide authorization for SG-A to act
+ on Alice's behalf. Bob publishes a TXT record to provide
+ authorization for SG-B to act on Bob's behalf. These records are
+ located in the reverse DNS (in-addr.arpa) for their respective IP
+ addresses. The reverse DNS SHOULD be secured by DNSSEC, when it is
+ deployed. DNSSEC is required to defend against active attacks.
+
+ If Alice's address is P.Q.R.S, then she can authorize another node to
+ act on her behalf by publishing records at:
+
+ S.R.Q.P.in-addr.arpa
+
+ The contents of the resource record are expected to be a string that
+ uses the following syntax, as suggested in [15]. (Note that the
+ reply to query may include other TXT resource records used by other
+ applications.)
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 24]
+
+Internet-Draft opportunistic May 2003
+
+
+ ---------------------------------------------------------------------
+
+
+ X-IPsec-Server(P)=A.B.C.D KEY
+
+ Figure 2: Format of reverse delegation record
+
+ ---------------------------------------------------------------------
+
+ P: Specifies a precedence for this record. This is similar to MX
+ record preferences. Lower numbers have stronger preference.
+
+ A.B.C.D: Specifies the IP address of the Security Gateway for this
+ client machine.
+
+ KEY: Is the encoded RSA Public key of the Security Gateway. The key
+ is provided here to avoid a second DNS lookup. If this field is
+ absent, then a KEY resource record should be looked up in the
+ reverse-map of A.B.C.D. The key is transmitted in base64 format.
+
+ The pieces of the record are separated by any whitespace (space, tab,
+ newline, carriage return). An ASCII space SHOULD be used.
+
+ In the case where Alice is located at a public address behind a
+ security gateway that has no fixed address (or no control over its
+ reverse-map), then Alice may delegate to a public key by domain name.
+
+ ---------------------------------------------------------------------
+
+
+ X-IPsec-Server(P)=@FQDN KEY
+
+ Figure 3: Format of reverse delegation record (FQDN version)
+
+ ---------------------------------------------------------------------
+
+ P: Is as above.
+
+ FQDN: Specifies the FQDN that the Security Gateway will identify
+ itself with.
+
+ KEY: Is the encoded RSA Public key of the Security Gateway.
+
+ If there is more than one such TXT record with strongest (lowest
+ numbered) precedence, one Security Gateway is picked arbitrarily from
+ those specified in the strongest-preference records.
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 25]
+
+Internet-Draft opportunistic May 2003
+
+
+5.2.1 Long TXT records
+
+ When packed into transport format, TXT records which are longer than
+ 255 characters are divided into smaller . (See
+ [13] section 3.3 and 3.3.14.) These MUST be reassembled into a single
+ string for processing. Whitespace characters in the base64 encoding
+ are to be ignored.
+
+5.2.2 Choice of TXT record
+
+ It has been suggested to use the KEY, OPT, CERT, or KX records
+ instead of a TXT record. None is satisfactory.
+
+ The KEY RR has a protocol field which could be used to indicate a new
+ protocol, and an algorithm field which could be used to indicate
+ different contents in the key data. However, the KEY record is
+ clearly not intended for storing what are really authorizations, it
+ is just for identities. Other uses have been discouraged.
+
+ OPT resource records, as defined in [14] are not intended to be used
+ for storage of information. They are not to be loaded, cached or
+ forwarded. They are, therefore, inappropriate for use here.
+
+ CERT records [18] can encode almost any set of information. A custom
+ type code could be used permitting any suitable encoding to be
+ stored, not just X.509. According to the RFC, the certificate RRs
+ are to be signed internally which may add undesirable and unnecessary
+ bulk. Larger DNS records may require TCP instead of UDP transfers.
+
+ At the time of protocol design, the CERT RR was not widely deployed
+ and could not be counted upon. Use of CERT records will be
+ investigated, and may be proposed in a future revision of this
+ document.
+
+ KX records are ideally suited for use instead of TXT records, but had
+ not been deployed at the time of implementation.
+
+5.3 Use of FQDN IDs
+
+ Unfortunately, not every administrator has control over the contents
+ of the reverse-map. Where the initiator (SG-A) has no suitable
+ reverse-map, the authorization record present in the reverse-map of
+ Alice may refer to a FQDN instead of an IP address.
+
+ In this case, the client's TXT record gives the fully qualified
+ domain name (FQDN) in place of its security gateway's IP address.
+ The initiator should use the ID_FQDN ID-payload in phase 1. A
+ forward lookup for a KEY record on the FQDN must yield the
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 26]
+
+Internet-Draft opportunistic May 2003
+
+
+ initiator's public key.
+
+ This method can also be used when the external address of SG-A is
+ dynamic.
+
+ If SG-A is acting on behalf of Alice, then Alice must still delegate
+ authority for SG-A to do so in her reverse-map. When Alice and SG-A
+ are one and the same (i.e. Alice is acting as an end-node) then
+ there is no need for this when initiating only.
+
+ However, Alice must still delegate to herself if she wishes others
+ to initiate OE to her. See Figure 3.
+
+5.4 Key roll-over
+
+ Good cryptographic hygiene says that one should replace public/
+ private key pairs periodically. Some administrators may wish to do
+ this as often as daily. Typical DNS propagation delays are
+ determined by the SOA Resource Record MINIMUM parameter, which
+ controls how long DNS replies may be cached. For reasonable
+ operation of DNS servers, administrators usually want this value to
+ be at least several hours, sometimes as a long as a day. This
+ presents a problem - a new key MUST not be used prior to it
+ propagating through DNS.
+
+ This problem is dealt with by having the Security Gateway generate a
+ new public/private key pair at least MINIMUM seconds in advance of
+ using it. It then adds this key to the DNS (both as a second KEY
+ record and in additional TXT delegation records) at key generation
+ time. Note: only one key is allowed in each TXT record.
+
+ When authenticating, all gateways MUST have available all public keys
+ that are found in DNS for this entity. This permits the
+ authenticating end to check both the key for "today" and the key for
+ "tomorrow". Note that it is the end which is creating the signature
+ (possesses the private key) that determines which key is to be used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 27]
+
+Internet-Draft opportunistic May 2003
+
+
+6. Network address translation interaction
+
+ There are no fundamentally new issues for implementing opportunistic
+ encryption in the presence of network address translation. Rather
+ there are only the regular IPsec issues with NAT traversal.
+
+ There are several situations to consider for NAT.
+
+6.1 Co-located NAT/NAPT
+
+ If SG-A is also performing network address translation on behalf of
+ Alice, then the packet should be translated prior to being subjected
+ to opportunistic encryption. This is in contrast to typically
+ configured tunnels which often exist to bridge islands of private
+ network address space. SG-A will use the translated source address
+ for phase 2, and so SG-B will look up that address to confirm SG-A's
+ authorization.
+
+ In the case of NAT (1:1), the address space into which the
+ translation is done MUST be globally unique, and control over the
+ reverse-map is assumed. Placing of TXT records is possible.
+
+ In the case of NAPT (m:1), the address will be SG-A. The ability to
+ get KEY and TXT records in place will again depend upon whether or
+ not there is administrative control over the reverse-map. This is
+ identical to situations involving a single host acting on behalf of
+ itself. FQDN style can be used to get around a lack of a reverse-map
+ for initiators only.
+
+6.2 SG-A behind NAT/NAPT
+
+ If there is a NAT or NAPT between SG-A and SG-B, then normal IPsec
+ NAT traversal rules apply. In addition to the transport problem
+ which may be solved by other mechanisms, there is the issue of what
+ phase 1 and phase 2 IDs to use. While FQDN could be used during
+ phase 1 for SG-A, there is no appropriate ID for phase 2 that permits
+ SG-B to determine that SG-A is in fact authorized to speak for Alice.
+
+6.3 Bob is behind a NAT/NAPT
+
+ If Bob is behind a NAT (perhaps SG-B), then there is, in fact, no way
+ for Alice to address a packet to Bob. Not only is opportunistic
+ encryption impossible, but it is also impossible for Alice to
+ initiate any communication to Bob. It may be possible for Bob to
+ initiate in such a situation. This creates an asymmetry, but this is
+ common for NAPT.
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 28]
+
+Internet-Draft opportunistic May 2003
+
+
+7. Host implementations
+
+ When Alice and SG-A are components of the same system, they are
+ considered to be a host implementation. The packet sequence scenario
+ remains unchanged.
+
+ Components marked Alice are the upper layers (TCP, UDP, the
+ application), and SG-A is the IP layer.
+
+ Note that tunnel mode is still required.
+
+ As Alice and SG-A are acting on behalf of themselves, no TXT based
+ delegation record is necessary for Alice to initiate. She can rely
+ on FQDN in a forward map. This is particularly attractive to mobile
+ nodes such as notebook computers at conferences. To respond, Alice/
+ SG-A will still need an entry in Alice's reverse-map.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 29]
+
+Internet-Draft opportunistic May 2003
+
+
+8. Multi-homing
+
+ If there are multiple paths between Alice and Bob (as illustrated in
+ the diagram with SG-D), then additional DNS records are required to
+ establish authorization.
+
+ In Figure 1, Alice has two ways to exit her network: SG-A and SG-D.
+ Previously SG-D has been ignored. Postulate that there are routers
+ between Alice and her set of security gateways (denoted by the +
+ signs and the marking of an autonomous system number for Alice's
+ network). Datagrams may, therefore, travel to either SG-A or SG-D en
+ route to Bob.
+
+ As long as all network connections are in good order, it does not
+ matter how datagrams exit Alice's network. When they reach either
+ security gateway, the security gateway will find the TXT delegation
+ record in Bob's reverse-map, and establish an SA with SG-B.
+
+ SG-B has no problem establishing that either of SG-A or SG-D may
+ speak for Alice, because Alice has published two equally weighted TXT
+ delegation records:
+
+ ---------------------------------------------------------------------
+
+
+ X-IPsec-Server(10)=192.1.1.5 AQMM...3s1Q==
+ X-IPsec-Server(10)=192.1.1.6 AAJN...j8r9==
+
+ Figure 4: Multiple gateway delegation example for Alice
+
+ ---------------------------------------------------------------------
+
+ Alice's routers can now do any kind of load sharing needed. Both SG-
+ A and SG-D send datagrams addressed to Bob through their tunnel to
+ SG-B.
+
+ Alice's use of non-equal weight delegation records to show preference
+ of one gateway over another, has relevance only when SG-B is
+ initiating to Alice.
+
+ If the precedences are the same, then SG-B has a more difficult time.
+ It must decide which of the two tunnels to use. SG-B has no
+ information about which link is less loaded, nor which security
+ gateway has more cryptographic resources available. SG-B, in fact,
+ has no knowledge of whether both gateways are even reachable.
+
+ The Public Internet's default-free zone may well know a good route to
+ Alice, but the datagrams that SG-B creates must be addressed to
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 30]
+
+Internet-Draft opportunistic May 2003
+
+
+ either SG-A or SG-D; they can not be addressed to Alice directly.
+
+ SG-B may make a number of choices:
+
+ 1. It can ignore the problem and round robin among the tunnels.
+ This causes losses during times when one or the other security
+ gateway is unreachable. If this worries Alice, she can change
+ the weights in her TXT delegation records.
+
+ 2. It can send to the gateway from which it most recently received
+ datagrams. This assumes that routing and reachability are
+ symmetrical.
+
+ 3. It can listen to BGP information from the Internet to decide
+ which system is currently up. This is clearly much more
+ complicated, but if SG-B is already participating in the BGP
+ peering system to announce Bob, the results data may already be
+ available to it.
+
+ 4. It can refuse to negotiate the second tunnel. (It is unclear
+ whether or not this is even an option.)
+
+ 5. It can silently replace the outgoing portion of the first tunnel
+ with the second one while still retaining the incoming portions
+ of both. SG-B can, thus, accept datagrams from either SG-A or
+ SG-D, but send only to the gateway that most recently re-keyed
+ with it.
+
+ Local policy determines which choice SG-B makes. Note that even if
+ SG-B has perfect knowledge about the reachability of SG-A and SG-D,
+ Alice may not be reachable from either of these security gateways
+ because of internal reachability issues.
+
+ FreeS/WAN implements option 5. Implementing a different option is
+ being considered. The multi-homing aspects of OE are not well
+ developed and may be the subject of a future document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 31]
+
+Internet-Draft opportunistic May 2003
+
+
+9. Failure modes
+
+9.1 DNS failures
+
+ If a DNS server fails to respond, local policy decides whether or not
+ to permit communication in the clear as embodied in the connection
+ classes in Section 3.2. It is easy to mount a denial of service
+ attack on the DNS server responsible for a particular network's
+ reverse-map. Such an attack may cause all communication with that
+ network to go in the clear if the policy is permissive, or fail
+ completely if the policy is paranoid. Please note that this is an
+ active attack.
+
+ There are still many networks that do not have properly configured
+ reverse-maps. Further, if the policy is not to communicate, the
+ above denial of service attack isolates the target network.
+ Therefore, the decision of whether or not to permit communication in
+ the clear MUST be a matter of local policy.
+
+9.2 DNS configured, IKE failures
+
+ DNS records claim that opportunistic encryption should occur, but the
+ target gateway either does not respond on port 500, or refuses the
+ proposal. This may be because of a crash or reboot, a faulty
+ configuration, or a firewall filtering port 500.
+
+ The receipt of ICMP port, host or network unreachable messages
+ indicates a potential problem, but MUST NOT cause communication to
+ fail immediately. ICMP messages are easily forged by attackers. If
+ such a forgery caused immediate failure, then an active attacker
+ could easily prevent any encryption from ever occurring, possibly
+ preventing all communication.
+
+ In these situations a clear log should be produced and local policy
+ should dictate if communication is then permitted in the clear.
+
+9.3 System reboots
+
+ Tunnels sometimes go down because the remote end crashes,
+ disconnects, or has a network link break. In general there is no
+ notification of this. Even in the event of a crash and successful
+ reboot, other SGs don't hear about it unless the rebooted SG has
+ specific reason to talk to them immediately. Over-quick response to
+ temporary network outages is undesirable. Note that a tunnel can be
+ torn down and then re-established without any effect visible to the
+ user except a pause in traffic. On the other hand, if one end
+ reboots, the other end can't get datagrams to it at all (except via
+ IKE) until the situation is noticed. So a bias toward quick response
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 32]
+
+Internet-Draft opportunistic May 2003
+
+
+ is appropriate even at the cost of occasional false alarms.
+
+ A mechanism for recovery after reboot is a topic of current research
+ and is not specified in this document.
+
+ A deliberate shutdown should include an attempt, using deletes, to
+ notify all other SGs currently connected by phase 1 SAs that
+ communication is about to fail. Again, a remote SG will assume this
+ is a teardown. Attempts by the remote SGs to negotiate new tunnels
+ as replacements should be ignored. When possible, SGs should attempt
+ to preserve information about currently-connected SGs in non-volatile
+ storage, so that after a crash, an Initial-Contact can be sent to
+ previous partners to indicate loss of all previously established
+ connections.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 33]
+
+Internet-Draft opportunistic May 2003
+
+
+10. Unresolved issues
+
+10.1 Control of reverse DNS
+
+ The method of obtaining information by reverse DNS lookup causes
+ problems for people who cannot control their reverse DNS bindings.
+ This is an unresolved problem in this version, and is out of scope.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 34]
+
+Internet-Draft opportunistic May 2003
+
+
+11. Examples
+
+11.1 Clear-text usage (permit policy)
+
+ Two example scenarios follow. In the first example GW-A (Gateway A)
+ and GW-B (Gateway B) have always-clear-text policies, and in the
+ second example they have an OE policy.
+
+ ---------------------------------------------------------------------
+
+
+ Alice SG-A DNS SG-B Bob
+ (1)
+ ------(2)-------------->
+ <-----(3)---------------
+ (4)----(5)----->
+ ----------(6)------>
+ ------(7)----->
+ <------(8)------
+ <----------(9)------
+ <----(10)-----
+ (11)----------->
+ ----------(12)----->
+ -------------->
+ <---------------
+ <-------------------
+ <-------------
+
+ Figure 5: Timing of regular transaction
+
+ ---------------------------------------------------------------------
+
+ Alice wants to communicate with Bob. Perhaps she wants to retrieve a
+ web page from Bob's web server. In the absence of opportunistic
+ encryptors, the following events occur:
+
+ (1) Human or application 'clicks' with a name.
+
+ (2) Application looks up name in DNS to get IP address.
+
+ (3) Resolver returns A record to application.
+
+ (4) Application starts a TCP session or UDP session and OS sends
+ datagram.
+
+ (5) Datagram is seen at first gateway from Alice (SG-A). (SG-A makes
+ a transition through Empty connection to always-clear connection
+ and instantiates a pass-through policy at the forwarding plane.)
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 35]
+
+Internet-Draft opportunistic May 2003
+
+
+ (6) Datagram is seen at last gateway before Bob (SG-B).
+
+ (7) First datagram from Alice is seen by Bob.
+
+ (8) First return datagram is sent by Bob.
+
+ (9) Datagram is seen at Bob's gateway. (SG-B makes a transition
+ through Empty connection to always-clear connection and
+ instantiates a pass-through policy at the forwarding plane.)
+
+ (10) Datagram is seen at Alice's gateway.
+
+ (11) OS hands datagram to application. Alice sends another datagram.
+
+ (12) A second datagram traverses the Internet.
+
+
+11.2 Opportunistic encryption
+
+ In the presence of properly configured opportunistic encryptors, the
+ event list is extended.
+
+ ---------------------------------------------------------------------
+
+
+ Alice SG-A DNS SG-B Bob
+ (1)
+ ------(2)-------------->
+ <-----(3)---------------
+ (4)----(5)----->+
+ ----(5B)->
+ <---(5C)--
+ ~~~~~~~~~~~~~(5D)~~~>
+ <~~~~~~~~~~~~(5E1)~~~
+ ~~~~~~~~~~~~~(5E2)~~>
+ <~~~~~~~~~~~~(5E3)~~~
+ #############(5E4)##>
+ <############(5E5)###
+ <----(5F1)--
+ -----(5F2)->
+ #############(5G1)##>
+ <----(5H1)--
+ -----(5H2)->
+ <############(5G2)###
+ #############(5G3)##>
+ ============(6)====>
+ ------(7)----->
+ <------(8)------
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 36]
+
+Internet-Draft opportunistic May 2003
+
+
+ <==========(9)======
+ <-----(10)----
+ (11)----------->
+ ==========(12)=====>
+ -------------->
+ <---------------
+ <===================
+ <-------------
+
+ Figure 6: Timing of opportunistic encryption transaction
+
+ ---------------------------------------------------------------------
+
+ (1) Human or application clicks with a name.
+
+ (2) Application initiates DNS mapping.
+
+ (3) Resolver returns A record to application.
+
+ (4) Application starts a TCP session or UDP.
+
+ (5) SG-A (host or SG) sees datagram to target, and buffers it.
+
+ (5B) SG-A asks DNS for TXT record.
+
+ (5C) DNS returns TXT record(s).
+
+ (5D) Initial IKE Main Mode Packet goes out.
+
+ (5E) IKE ISAKMP phase 1 succeeds.
+
+ (5F) SG-B asks DNS for TXT record to prove SG-A is an agent for
+ Alice.
+
+ (5G) IKE phase 2 negotiation.
+
+ (5H) DNS lookup by responder (SG-B).
+
+ (6) Buffered datagram is sent by SG-A.
+
+ (7) Datagram is received by SG-B, decrypted, and sent to Bob.
+
+ (8) Bob replies, and datagram is seen by SG-B.
+
+ (9) SG-B already has tunnel up with SG-A, and uses it.
+
+ (10) SG-A decrypts datagram and gives it to Alice.
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 37]
+
+Internet-Draft opportunistic May 2003
+
+
+ (11) Alice receives datagram. Sends new packet to Bob.
+
+ (12) SG-A gets second datagram, sees that tunnel is up, and uses it.
+
+ For the purposes of this section, we will describe only the changes
+ that occur between Figure 5 and Figure 6. This corresponds to time
+ points 5, 6, 7, 9 and 10 on the list above.
+
+11.2.1 (5) IPsec datagram interception
+
+ At point (5), SG-A intercepts the datagram because this source/
+ destination pair lacks a policy (the non-existent policy state). SG-
+ A creates a hold policy, and buffers the datagram. SG-A requests
+ keys from the keying daemon.
+
+11.2.2 (5B) DNS lookup for TXT record
+
+ SG-A's IKE daemon, having looked up the source/destination pair in
+ the connection class list, creates a new Potential OE connection
+ instance. SG-A starts DNS queries.
+
+11.2.3 (5C) DNS returns TXT record(s)
+
+ DNS returns properly formed TXT delegation records, and SG-A's IKE
+ daemon causes this instance to make a transition from Potential OE
+ connection to Pending OE connection.
+
+ Using the example above, the returned record might contain:
+
+ ---------------------------------------------------------------------
+
+
+ X-IPsec-Server(10)=192.1.1.5 AQMM...3s1Q==
+
+ Figure 7: Example of reverse delegation record for Bob
+
+ ---------------------------------------------------------------------
+
+ with SG-B's IP address and public key listed.
+
+11.2.4 (5D) Initial IKE main mode packet goes out
+
+ Upon entering Pending OE connection, SG-A sends the initial ISAKMP
+ message with proposals. See Section 4.6.1.
+
+11.2.5 (5E1) Message 2 of phase 1 exchange
+
+ SG-B receives the message. A new connection instance is created in
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 38]
+
+Internet-Draft opportunistic May 2003
+
+
+ the unauthenticated OE peer state.
+
+11.2.6 (5E2) Message 3 of phase 1 exchange
+
+ SG-A sends a Diffie-Hellman exponent. This is an internal state of
+ the keying daemon.
+
+11.2.7 (5E3) Message 4 of phase 1 exchange
+
+ SG-B responds with a Diffie-Hellman exponent. This is an internal
+ state of the keying protocol.
+
+11.2.8 (5E4) Message 5 of phase 1 exchange
+
+ SG-A uses the phase 1 SA to send its identity under encryption. The
+ choice of identity is discussed in Section 4.6.1. This is an
+ internal state of the keying protocol.
+
+11.2.9 (5F1) Responder lookup of initiator key
+
+ SG-B asks DNS for the public key of the initiator. DNS looks for a
+ KEY record by IP address in the reverse-map. That is, a KEY resource
+ record is queried for 4.1.1.192.in-addr.arpa (recall that SG-A's
+ external address is 192.1.1.4). SG-B uses the resulting public key
+ to authenticate the initiator. See Section 5.1 for further details.
+
+11.2.10 (5F2) DNS replies with public key of initiator
+
+ Upon successfully authenticating the peer, the connection instance
+ makes a transition to authenticated OE peer on SG-B.
+
+ The format of the TXT record returned is described in Section 5.2.
+
+11.2.11 (5E5) Responder replies with ID and authentication
+
+ SG-B sends its ID along with authentication material. This is an
+ internal state for the keying protocol.
+
+11.2.12 (5G) IKE phase 2
+
+11.2.12.1 (5G1) Initiator proposes tunnel
+
+ Having established mutually agreeable authentications (via KEY) and
+ authorizations (via TXT), SG-A proposes to create an IPsec tunnel for
+ datagrams transiting from Alice to Bob. This tunnel is established
+ only for the Alice/Bob combination, not for any subnets that may be
+ behind SG-A and SG-B.
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 39]
+
+Internet-Draft opportunistic May 2003
+
+
+11.2.12.2 (5H1) Responder determines initiator's authority
+
+ While the identity of SG-A has been established, its authority to
+ speak for Alice has not yet been confirmed. SG-B does a reverse
+ lookup on Alice's address for a TXT record.
+
+ Upon receiving this specific proposal, SG-B's connection instance
+ makes a transition into the potential OE connection state. SG-B may
+ already have an instance, and the check is made as described above.
+
+11.2.12.3 (5H2) DNS replies with TXT record(s)
+
+ The returned key and IP address should match that of SG-A.
+
+11.2.12.4 (5G2) Responder agrees to proposal
+
+ Should additional communication occur between, for instance, Dave and
+ Bob using SG-A and SG-B, a new tunnel (phase 2 SA) would be
+ established. The phase 1 SA may be reusable.
+
+ SG-A, having successfully keyed the tunnel, now makes a transition
+ from Pending OE connection to Keyed OE connection.
+
+ The responder MUST setup the inbound IPsec SAs before sending its
+ reply.
+
+11.2.12.5 (5G3) Final acknowledgment from initiator
+
+ The initiator agrees with the responder's choice and sets up the
+ tunnel. The initiator sets up the inbound and outbound IPsec SAs.
+
+ The proper authorization returned with keys prompts SG-B to make a
+ transition to the keyed OE connection state.
+
+ Upon receipt of this message, the responder may now setup the
+ outbound IPsec SAs.
+
+11.2.13 (6) IPsec succeeds, and sets up tunnel for communication between
+ Alice and Bob
+
+ SG-A sends the datagram saved at step (5) through the newly created
+ tunnel to SG-B, where it gets decrypted and forwarded. Bob receives
+ it at (7) and replies at (8).
+
+11.2.14 (9) SG-B already has tunnel up with G1 and uses it
+
+ At (9), SG-B has already established an SPD entry mapping Bob->Alice
+ via a tunnel, so this tunnel is simply applied. The datagram is
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 40]
+
+Internet-Draft opportunistic May 2003
+
+
+ encrypted to SG-A, decrypted by SG-A and passed to Alice at (10).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 41]
+
+Internet-Draft opportunistic May 2003
+
+
+12. Security considerations
+
+12.1 Configured vs opportunistic tunnels
+
+ Configured tunnels are those which are setup using bilateral
+ mechanisms: exchanging public keys (raw RSA, DSA, PKIX), pre-shared
+ secrets, or by referencing keys that are in known places
+ (distinguished name from LDAP, DNS). These keys are then used to
+ configure a specific tunnel.
+
+ A pre-configured tunnel may be on all the time, or may be keyed only
+ when needed. The end points of the tunnel are not necessarily
+ static: many mobile applications (road warrior) are considered to be
+ configured tunnels.
+
+ The primary characteristic is that configured tunnels are assigned
+ specific security properties. They may be trusted in different ways
+ relating to exceptions to firewall rules, exceptions to NAT
+ processing, and to bandwidth or other quality of service
+ restrictions.
+
+ Opportunistic tunnels are not inherently trusted in any strong way.
+ They are created without prior arrangement. As the two parties are
+ strangers, there MUST be no confusion of datagrams that arrive from
+ opportunistic peers and those that arrive from configured tunnels. A
+ security gateway MUST take care that an opportunistic peer can not
+ impersonate a configured peer.
+
+ Ingress filtering MUST be used to make sure that only datagrams
+ authorized by negotiation (and the concomitant authentication and
+ authorization) are accepted from a tunnel. This is to prevent one
+ peer from impersonating another.
+
+ An implementation suggestion is to treat opportunistic tunnel
+ datagrams as if they arrive on a logical interface distinct from
+ other configured tunnels. As the number of opportunistic tunnels
+ that may be created automatically on a system is potentially very
+ high, careful attention to scaling should be taken into account.
+
+ As with any IKE negotiation, opportunistic encryption cannot be
+ secure without authentication. Opportunistic encryption relies on
+ DNS for its authentication information and, therefore, cannot be
+ fully secure without a secure DNS. Without secure DNS, opportunistic
+ encryption can protect against passive eavesdropping but not against
+ active man-in-the-middle attacks.
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 42]
+
+Internet-Draft opportunistic May 2003
+
+
+12.2 Firewalls versus Opportunistic Tunnels
+
+ Typical usage of per datagram access control lists is to implement
+ various kinds of security gateways. These are typically called
+ "firewalls".
+
+ Typical usage of a virtual private network (VPN) within a firewall is
+ to bypass all or part of the access controls between two networks.
+ Additional trust (as outlined in the previous section) is given to
+ datagrams that arrive in the VPN.
+
+ Datagrams that arrive via opportunistically configured tunnels MUST
+ not be trusted. Any security policy that would apply to a datagram
+ arriving in the clear SHOULD also be applied to datagrams arriving
+ opportunistically.
+
+12.3 Denial of service
+
+ There are several different forms of denial of service that an
+ implementor should concern themselves with. Most of these problems
+ are shared with security gateways that have large numbers of mobile
+ peers (road warriors).
+
+ The design of ISAKMP/IKE, and its use of cookies, defend against many
+ kinds of denial of service. Opportunism changes the assumption that
+ if the phase 1 (ISAKMP) SA is authenticated, that it was worthwhile
+ creating. Because the gateway will communicate with any machine, it
+ is possible to form phase 1 SAs with any machine on the Internet.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 43]
+
+Internet-Draft opportunistic May 2003
+
+
+13. IANA Considerations
+
+ There are no known numbers which IANA will need to manage.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 44]
+
+Internet-Draft opportunistic May 2003
+
+
+14. Acknowledgments
+
+ Substantive portions of this document are based upon previous work by
+ Henry Spencer.
+
+ Thanks to Tero Kivinen, Sandy Harris, Wes Hardarker, Robert
+ Moskowitz, Jakob Schlyter, Bill Sommerfeld, John Gilmore and John
+ Denker for their comments and constructive criticism.
+
+ Sandra Hoffman and Bill Dickie did the detailed proof reading and
+ editing.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 45]
+
+Internet-Draft opportunistic May 2003
+
+
+Normative references
+
+ [1] Redelmeier, D. and H. Spencer, "Opportunistic Encryption",
+ paper http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/
+ opportunism.spec, May 2001.
+
+ [2] Defense Advanced Research Projects Agency (DARPA), Information
+ Processing Techniques Office and University of Southern
+ California (USC)/Information Sciences Institute, "Internet
+ Protocol", STD 5, RFC 791, September 1981.
+
+ [3] Braden, R. and J. Postel, "Requirements for Internet gateways",
+ RFC 1009, June 1987.
+
+ [4] IAB, IESG, Carpenter, B. and F. Baker, "IAB and IESG Statement
+ on Cryptographic Technology and the Internet", RFC 1984, August
+ 1996.
+
+ [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [6] McDonald, D., Metz, C. and B. Phan, "PF_KEY Key Management API,
+ Version 2", RFC 2367, July 1998.
+
+ [7] Kent, S. and R. Atkinson, "Security Architecture for the
+ Internet Protocol", RFC 2401, November 1998.
+
+ [8] Piper, D., "The Internet IP Security Domain of Interpretation
+ for ISAKMP", RFC 2407, November 1998.
+
+ [9] Maughan, D., Schneider, M. and M. Schertler, "Internet Security
+ Association and Key Management Protocol (ISAKMP)", RFC 2408,
+ November 1998.
+
+ [10] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
+ RFC 2409, November 1998.
+
+ [11] Kivinen, T. and M. Kojo, "More MODP Diffie-Hellman groups for
+ IKE", RFC 3526, March 2003.
+
+ [12] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [13] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [14] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
+ August 1999.
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 46]
+
+Internet-Draft opportunistic May 2003
+
+
+ [15] Rosenbaum, R., "Using the Domain Name System To Store Arbitrary
+ String Attributes", RFC 1464, May 1993.
+
+ [16] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [17] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
+ System (DNS)", RFC 3110, May 2001.
+
+ [18] Eastlake, D. and O. Gudmundsson, "Storing Certificates in the
+ Domain Name System (DNS)", RFC 2538, March 1999.
+
+ [19] Durham, D., Boyle, J., Cohen, R., Herzog, S., Rajan, R. and A.
+ Sastry, "The COPS (Common Open Policy Service) Protocol", RFC
+ 2748, January 2000.
+
+ [20] Srisuresh, P. and M. Holdrege, "IP Network Address Translator
+ (NAT) Terminology and Considerations", RFC 2663, August 1999.
+
+
+Authors' Addresses
+
+ Michael C. Richardson
+ Sandelman Software Works
+ 470 Dawson Avenue
+ Ottawa, ON K1Z 5V7
+ CA
+
+ EMail: mcr@sandelman.ottawa.on.ca
+ URI: http://www.sandelman.ottawa.on.ca/
+
+
+ D. Hugh Redelmeier
+ Mimosa
+ Toronto, ON
+ CA
+
+ EMail: hugh@mimosa.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 47]
+
+Internet-Draft opportunistic May 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson & Redelmeier Expires November 19, 2003 [Page 48]
+
diff --git a/doc/draft-richardson-ipsec-rr.txt b/doc/draft-richardson-ipsec-rr.txt
new file mode 100644
index 000000000..7c229b8e1
--- /dev/null
+++ b/doc/draft-richardson-ipsec-rr.txt
@@ -0,0 +1,840 @@
+
+
+IPSECKEY WG M. Richardson
+Internet-Draft SSW
+Expires: March 4, 2004 September 4, 2003
+
+
+ A method for storing IPsec keying material in DNS.
+ draft-ietf-ipseckey-rr-07.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on March 4, 2004.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document describes a new resource record for DNS. This record
+ may be used to store public keys for use in IPsec systems.
+
+ This record replaces the functionality of the sub-type #1 of the KEY
+ Resource Record, which has been obsoleted by RFC3445.
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 1]
+
+Internet-Draft ipsecrr September 2003
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.2 Usage Criteria . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Storage formats . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.1 IPSECKEY RDATA format . . . . . . . . . . . . . . . . . . . . 4
+ 2.2 RDATA format - precedence . . . . . . . . . . . . . . . . . . 4
+ 2.3 RDATA format - algorithm type . . . . . . . . . . . . . . . . 4
+ 2.4 RDATA format - gateway type . . . . . . . . . . . . . . . . . 4
+ 2.5 RDATA format - gateway . . . . . . . . . . . . . . . . . . . . 5
+ 2.6 RDATA format - public keys . . . . . . . . . . . . . . . . . . 5
+ 3. Presentation formats . . . . . . . . . . . . . . . . . . . . . 7
+ 3.1 Representation of IPSECKEY RRs . . . . . . . . . . . . . . . . 7
+ 3.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 4. Security Considerations . . . . . . . . . . . . . . . . . . . 9
+ 4.1 Active attacks against unsecured IPSECKEY resource records . . 9
+ 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
+ 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
+ Normative references . . . . . . . . . . . . . . . . . . . . . 13
+ Non-normative references . . . . . . . . . . . . . . . . . . . 14
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . 14
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . 15
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 2]
+
+Internet-Draft ipsecrr September 2003
+
+
+1. Introduction
+
+ The type number for the IPSECKEY RR is TBD.
+
+1.1 Overview
+
+ The IPSECKEY resource record (RR) is used to publish a public key
+ that is to be associated with a Domain Name System (DNS) name for use
+ with the IPsec protocol suite. This can be the public key of a
+ host, network, or application (in the case of per-port keying).
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC2119 [8].
+
+1.2 Usage Criteria
+
+ An IPSECKEY resource record SHOULD be used in combination with DNSSEC
+ unless some other means of authenticating the IPSECKEY resource
+ record is available.
+
+ It is expected that there will often be multiple IPSECKEY resource
+ records at the same name. This will be due to the presence of
+ multiple gateways and the need to rollover keys.
+
+ This resource record is class independent.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 3]
+
+Internet-Draft ipsecrr September 2003
+
+
+2. Storage formats
+
+2.1 IPSECKEY RDATA format
+
+ The RDATA for an IPSECKEY RR consists of a precedence value, a public
+ key, algorithm type, and an optional gateway address.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | precedence | gateway type | algorithm | gateway |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ +
+ ~ gateway ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | /
+ / public key /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+
+
+2.2 RDATA format - precedence
+
+ This is an 8-bit precedence for this record. This is interpreted in
+ the same way as the PREFERENCE field described in section 3.3.9 of
+ RFC1035 [2].
+
+ Gateways listed in IPSECKEY records with lower precedence are to be
+ attempted first. Where there is a tie in precedence, the order
+ should be non-deterministic.
+
+2.3 RDATA format - algorithm type
+
+ The algorithm type field identifies the public key's cryptographic
+ algorithm and determines the format of the public key field.
+
+ A value of 0 indicates that no key is present.
+
+ The following values are defined:
+
+ 1 A DSA key is present, in the format defined in RFC2536 [11]
+
+ 2 A RSA key is present, in the format defined in RFC3110 [12]
+
+
+2.4 RDATA format - gateway type
+
+ The gateway type field indicates the format of the information that
+ is stored in the gateway field.
+
+
+
+Richardson Expires March 4, 2004 [Page 4]
+
+Internet-Draft ipsecrr September 2003
+
+
+ The following values are defined:
+
+ 0 No gateway is present
+
+ 1 A 4-byte IPv4 address is present
+
+ 2 A 16-byte IPv6 address is present
+
+ 3 A wire-encoded domain name is present. The wire-encoded format is
+ self-describing, so the length is implicit. The domain name MUST
+ NOT be compressed.
+
+
+2.5 RDATA format - gateway
+
+ The gateway field indicates a gateway to which an IPsec tunnel may be
+ created in order to reach the entity named by this resource record.
+
+ There are three formats:
+
+ A 32-bit IPv4 address is present in the gateway field. The data
+ portion is an IPv4 address as described in section 3.4.1 of RFC1035
+ [2]. This is a 32-bit number in network byte order.
+
+ A 128-bit IPv6 address is present in the gateway field. The data
+ portion is an IPv6 address as described in section 2.2 of RFC1886
+ [7]. This is a 128-bit number in network byte order.
+
+ The gateway field is a normal wire-encoded domain name, as described
+ in section 3.3 of RFC1035 [2]. Compression MUST NOT be used.
+
+2.6 RDATA format - public keys
+
+ Both of the public key types defined in this document (RSA and DSA)
+ inherit their public key formats from the corresponding KEY RR
+ formats. Specifically, the public key field contains the algorithm-
+ specific portion of the KEY RR RDATA, which is all of the KEY RR DATA
+ after the first four octets. This is the same portion of the KEY RR
+ that must be specified by documents that define a DNSSEC algorithm.
+ Those documents also specify a message digest to be used for
+ generation of SIG RRs; that specification is not relevant for
+ IPSECKEY RR.
+
+ Future algorithms, if they are to be used by both DNSSEC (in the KEY
+ RR) and IPSECKEY, are likely to use the same public key encodings in
+ both records. Unless otherwise specified, the IPSECKEY public key
+ field will contain the algorithm-specific portion of the KEY RR RDATA
+ for the corresponding algorithm. The algorithm must still be
+
+
+
+Richardson Expires March 4, 2004 [Page 5]
+
+Internet-Draft ipsecrr September 2003
+
+
+ designated for use by IPSECKEY, and an IPSECKEY algorithm type number
+ (which might be different than the DNSSEC algorithm number) must be
+ assigned to it.
+
+ The DSA key format is defined in RFC2536 [11]
+
+ The RSA key format is defined in RFC3110 [12], with the following
+ changes:
+
+ The earlier definition of RSA/MD5 in RFC2065 limited the exponent and
+ modulus to 2552 bits in length. RFC3110 extended that limit to 4096
+ bits for RSA/SHA1 keys. The IPSECKEY RR imposes no length limit on
+ RSA public keys, other than the 65535 octet limit imposed by the two-
+ octet length encoding. This length extension is applicable only to
+ IPSECKEY and not to KEY RRs.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 6]
+
+Internet-Draft ipsecrr September 2003
+
+
+3. Presentation formats
+
+3.1 Representation of IPSECKEY RRs
+
+ IPSECKEY RRs may appear in a zone data master file. The precedence,
+ gateway type and algorithm and gateway fields are REQUIRED. The
+ base64 encoded public key block is OPTIONAL; if not present, then the
+ public key field of the resource record MUST be construed as being
+ zero octets in length.
+
+ The algorithm field is an unsigned integer. No mnemonics are
+ defined.
+
+ If no gateway is to be indicated, then the gateway type field MUST be
+ zero, and the gateway field MUST be "."
+
+ The Public Key field is represented as a Base64 encoding of the
+ Public Key. Whitespace is allowed within the Base64 text. For a
+ definition of Base64 encoding, see RFC1521 [3] Section 5.2.
+
+ The general presentation for the record as as follows:
+
+ IN IPSECKEY ( precedence gateway-type algorithm
+ gateway base64-encoded-public-key )
+
+
+3.2 Examples
+
+ An example of a node 192.0.2.38 that will accept IPsec tunnels on its
+ own behalf.
+
+ 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
+ 192.0.2.38
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+ An example of a node, 192.0.2.38 that has published its key only.
+
+ 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 0 2
+ .
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+ An example of a node, 192.0.2.38 that has delegated authority to the
+ node 192.0.2.3.
+
+ 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
+ 192.0.2.3
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+
+
+
+Richardson Expires March 4, 2004 [Page 7]
+
+Internet-Draft ipsecrr September 2003
+
+
+ An example of a node, 192.0.1.38 that has delegated authority to the
+ node with the identity "mygateway.example.com".
+
+ 38.1.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 3 2
+ mygateway.example.com.
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+ An example of a node, 2001:0DB8:0200:1:210:f3ff:fe03:4d0 that has
+ delegated authority to the node 2001:0DB8:c000:0200:2::1
+
+ $ORIGIN 1.0.0.0.0.0.2.8.B.D.0.1.0.0.2.ip6.int.
+ 0.d.4.0.3.0.e.f.f.f.3.f.0.1.2.0 7200 IN IPSECKEY ( 10 2 2
+ 2001:0DB8:0:8002::2000:1
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 8]
+
+Internet-Draft ipsecrr September 2003
+
+
+4. Security Considerations
+
+ This entire memo pertains to the provision of public keying material
+ for use by key management protocols such as ISAKMP/IKE (RFC2407) [9].
+
+ The IPSECKEY resource record contains information that SHOULD be
+ communicated to the end client in an integral fashion - i.e. free
+ from modification. The form of this channel is up to the consumer of
+ the data - there must be a trust relationship between the end
+ consumer of this resource record and the server. This relationship
+ may be end-to-end DNSSEC validation, a TSIG or SIG(0) channel to
+ another secure source, a secure local channel on the host, or some
+ combination of the above.
+
+ The keying material provided by the IPSECKEY resource record is not
+ sensitive to passive attacks. The keying material may be freely
+ disclosed to any party without any impact on the security properties
+ of the resulting IPsec session: IPsec and IKE provide for defense
+ against both active and passive attacks.
+
+ Any user of this resource record MUST carefully document their trust
+ model, and why the trust model of DNSSEC is appropriate, if that is
+ the secure channel used.
+
+4.1 Active attacks against unsecured IPSECKEY resource records
+
+ This section deals with active attacks against the DNS. These
+ attacks require that DNS requests and responses be intercepted and
+ changed. DNSSEC is designed to defend against attacks of this kind.
+
+ The first kind of active attack is when the attacker replaces the
+ keying material with either a key under its control or with garbage.
+
+ If the attacker is not able to mount a subsequent man-in-the-middle
+ attack on the IKE negotiation after replacing the public key, then
+ this will result in a denial of service, as the authenticator used by
+ IKE would fail.
+
+ If the attacker is able to both to mount active attacks against DNS
+ and is also in a position to perform a man-in-the-middle attack on
+ IKE and IPsec negotiations, then the attacker will be in a position
+ to compromise the resulting IPsec channel. Note that an attacker
+ must be able to perform active DNS attacks on both sides of the IKE
+ negotiation in order for this to succeed.
+
+ The second kind of active attack is one in which the attacker
+ replaces the the gateway address to point to a node under the
+ attacker's control. The attacker can then either replace the public
+
+
+
+Richardson Expires March 4, 2004 [Page 9]
+
+Internet-Draft ipsecrr September 2003
+
+
+ key or remove it, thus providing an IPSECKEY record of its own to
+ match the gateway address.
+
+ This later form creates a simple man-in-the-middle since the attacker
+ can then create a second tunnel to the real destination. Note that,
+ as before, this requires that the attacker also mount an active
+ attack against the responder.
+
+ Note that the man-in-the-middle can not just forward cleartext
+ packets to the original destination. While the destination may be
+ willing to speak in the clear, replying to the original sender, the
+ sender will have already created a policy expecting ciphertext.
+ Thus, the attacker will need to intercept traffic from both sides.
+ In some cases, the attacker may be able to accomplish the full
+ intercept by use of Network Addresss/Port Translation (NAT/NAPT)
+ technology.
+
+ Note that the danger here only applies to cases where the gateway
+ field of the IPSECKEY RR indicates a different entity than the owner
+ name of the IPSECKEY RR. In cases where the end-to-end integrity of
+ the IPSECKEY RR is suspect, the end client MUST restrict its use of
+ the IPSECKEY RR to cases where the RR owner name matches the content
+ of the gateway field.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 10]
+
+Internet-Draft ipsecrr September 2003
+
+
+5. IANA Considerations
+
+ This document updates the IANA Registry for DNS Resource Record Types
+ by assigning type X to the IPSECKEY record.
+
+ This document creates an IANA registry for the algorithm type field.
+
+ Values 0, 1 and 2 are defined in Section 2.3. Algorithm numbers 3
+ through 255 can be assigned by IETF Consensus (see RFC2434 [6]).
+
+ This document creates an IANA registry for the gateway type field.
+
+ Values 0, 1, 2 and 3 are defined in Section 2.4. Algorithm numbers 4
+ through 255 can be assigned by Standards Action (see RFC2434 [6]).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 11]
+
+Internet-Draft ipsecrr September 2003
+
+
+6. Acknowledgments
+
+ My thanks to Paul Hoffman, Sam Weiler, Jean-Jacques Puig, Rob
+ Austein, and Olafur Gurmundsson who reviewed this document carefully.
+ Additional thanks to Olafur Gurmundsson for a reference
+ implementation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 12]
+
+Internet-Draft ipsecrr September 2003
+
+
+Normative references
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Borenstein, N. and N. Freed, "MIME (Multipurpose Internet Mail
+ Extensions) Part One: Mechanisms for Specifying and Describing
+ the Format of Internet Message Bodies", RFC 1521, September
+ 1993.
+
+ [4] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
+ 9, RFC 2026, October 1996.
+
+ [5] Eastlake, D. and C. Kaufman, "Domain Name System Security
+ Extensions", RFC 2065, January 1997.
+
+ [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 13]
+
+Internet-Draft ipsecrr September 2003
+
+
+Non-normative references
+
+ [7] Thomson, S. and C. Huitema, "DNS Extensions to support IP
+ version 6", RFC 1886, December 1995.
+
+ [8] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [9] Piper, D., "The Internet IP Security Domain of Interpretation
+ for ISAKMP", RFC 2407, November 1998.
+
+ [10] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [11] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
+ (DNS)", RFC 2536, March 1999.
+
+ [12] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
+ System (DNS)", RFC 3110, May 2001.
+
+ [13] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource
+ Record (RR)", RFC 3445, December 2002.
+
+
+Author's Address
+
+ Michael C. Richardson
+ Sandelman Software Works
+ 470 Dawson Avenue
+ Ottawa, ON K1Z 5V7
+ CA
+
+ EMail: mcr@sandelman.ottawa.on.ca
+ URI: http://www.sandelman.ottawa.on.ca/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 14]
+
+Internet-Draft ipsecrr September 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richardson Expires March 4, 2004 [Page 15]
+
diff --git a/doc/draft-spencer-ipsec-ike-implementation.nr b/doc/draft-spencer-ipsec-ike-implementation.nr
new file mode 100644
index 000000000..5b5776e22
--- /dev/null
+++ b/doc/draft-spencer-ipsec-ike-implementation.nr
@@ -0,0 +1,1203 @@
+.\" date, expiry date, copyright year, and revision
+.DA "26 Feb 2002"
+.ds e "26 Aug 2002
+.ds c 2002
+.ds r 02
+.\" boilerplate
+.pl 10i
+.nr PL 10i
+.po 0
+.nr PO 0
+.ll 7.2i
+.nr LL 7.2i
+.lt 7.2i
+.nr LT 7.2i
+.hy 0
+.nr HY 0
+.ad l
+.nr PD 1v
+.\" macros for paragraph, section header, reference, TOC
+.de P
+.br
+.LP
+.in 3
+..
+.de H
+.br
+.ne 5
+.LP
+.in 0
+..
+.de R
+.IP " [\\$1]" 14
+..
+.de T
+.ie \\$1=1 \{\
+.nf
+.ta \n(LLu-3nR
+.\}
+.el \{\
+.fi
+.\}
+..
+.de S
+.ie '\\$1'' \\$2 \a \\$3
+.el \\$1. \\$2 \a \\$3
+..
+.\" headers/footers
+.ds LH "Internet Draft
+.ds CH "IKE Implementation Issues
+.ds RH "\*(DY
+.ds LF "Spencer & Redelmeier
+.ds CF "
+.ds RF "[Page %]
+.\" and let's get started
+.RT
+.nf
+.tl 'Network Working Group''Henry Spencer'
+.tl 'Internet Draft''SP Systems'
+.tl 'Expires: \*e''D. Hugh Redelmeier'
+.tl '''Mimosa Systems'
+.tl '''\*(DY'
+.sp
+.ce 99
+IKE Implementation Issues
+
+.ce 0
+.H
+Status of this Memo
+.P
+This document is an Internet-Draft and is in full conformance with
+all provisions of Section 10 of RFC2026.
+.P
+(If approved as an Informational RFC...)
+This memo provides information for the Internet community.
+This memo does not specify an Internet standard of any kind.
+.P
+Distribution of this memo is unlimited.
+.P
+Internet-Drafts are working documents of the Internet Engineering
+Task Force (IETF), its areas, and its working groups.
+Note that
+other groups may also distribute working documents as Internet-Drafts.
+.P
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any
+time.
+It is inappropriate to use Internet-Drafts as reference
+material or to cite them other than as "work in progress."
+.P
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt.
+.P
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+.P
+This Internet-Draft will expire on \*e.
+.H
+Copyright Notice
+.P
+Copyright (C) The Internet Society \*c. All Rights Reserved.
+.bp
+.H
+Table of Contents
+.P
+.T 1
+.S "1" "Introduction" "3"
+.S "2" "Lower-level Background and Notes" "4"
+.S "2.1" "Packet Handling" "4"
+.S "2.2" "Ciphers" "5"
+.S "2.3" "Interfaces" "5"
+.S "3" "IKE Infrastructural Issues" "5"
+.S "3.1" "Continuous Channel" "5"
+.S "3.2" "Retransmission" "5"
+.S "3.3" "Replay Prevention" "6"
+.S "4" "Basic Keying and Rekeying" "7"
+.S "4.1" "When to Create SAs" "7"
+.S "4.2" "When to Rekey" "8"
+.S "4.3" "Choosing an SA" "9"
+.S "4.4" "Why to Rekey" "9"
+.S "4.5" "Rekeying ISAKMP SAs" "10"
+.S "4.6" "Bulk Negotiation" "10"
+.S "5" "Deletions, Teardowns, Crashes" "11"
+.S "5.1" "Deletions" "11"
+.S "5.2" "Teardowns and Shutdowns" "12"
+.S "5.3" "Crashes" "13"
+.S "5.4" "Network Partitions" "13"
+.S "5.5" "Unknown SAs" "14"
+.S "6" "Misc. IKE Issues" "16"
+.S "6.1" "Groups 1 and 5" "16"
+.S "6.2" "To PFS Or Not To PFS" "16"
+.S "6.3" "Debugging Tools, Lack Thereof" "16"
+.S "6.4" "Terminology, Vagueness Thereof" "17"
+.S "6.5" "A Question of Identity" "17"
+.S "6.6" "Opportunistic Encryption" "17"
+.S "6.7" "Authentication and RSA Keys" "17"
+.S "6.8" "Misc. Snags" "18"
+.S "7" "Security Considerations" "19"
+.S "8" "References" "19"
+.S "" "Authors' Addresses" "20"
+.S "" "Full Copyright Statement" "21"
+.T 0
+.bp
+.H
+Abstract
+.P
+The current IPsec specifications for key exchange and connection management,
+RFCs 2408 [ISAKMP] and 2409 [IKE],
+leave many aspects of connection management unspecified,
+most prominently rekeying practices.
+Pending clarifications in future revisions of the specifications,
+this document sets down some successful experiences,
+to minimize the extent to which new implementors have to rely
+on unwritten folklore.
+.P
+The Linux FreeS/WAN implementation of IPsec interoperates
+with almost every other IPsec implementation.
+This document describes how the FreeS/WAN project has resolved
+some of the gaps in the IPsec specifications
+(and plans to resolve some others),
+and what difficulties have been encountered,
+in hopes that this generally-successful experience
+might be informative to new implementors.
+.P
+This is offered as an Informational RFC.
+.P
+This -\*r revision mainly:
+discusses ISAKMP SA expiry during IPsec-SA rekeying (4.5),
+revises the discussion of bidirectional Deletes (5.1),
+suggests remembering the parameters of successful negotiations
+for later use (4.2, 5.3),
+notes an unsuccessful negotiation from the other end as a hint of a possibly
+broken connection (5.5),
+and adds sections on network partitions (5.4),
+authentication methods and the subtleties of RSA public keys (6.7),
+and miscellaneous interoperability concerns (6.8).
+.H
+1. Introduction
+.P
+The current IPsec specifications for key exchange and connection management,
+RFCs 2408 [ISAKMP] and 2409 [IKE],
+leave many aspects of connection management unspecified,
+most prominently rekeying practices.
+This is a cryptic puzzle which
+each group of implementors has to struggle with,
+and differences in how the ambiguities and gaps are resolved are
+potentially a fruitful source of interoperability problems.
+We can hope that future revisions of the specifications will clear this up.
+Meanwhile, it seems useful to set down some successful experiences,
+to minimize the extent to which new implementors have to rely
+on unwritten folklore.
+.P
+The Linux FreeS/WAN implementation of IPsec interoperates
+with almost every other IPsec implementation,
+and because of its free nature,
+it also sees some use as a reference implementation by other implementors.
+The high degree of interoperability is noteworthy
+given its organizers' strong minimalist bias,
+which has caused them to implement only
+a small subset of the full glory of IPsec.
+This document describes how the FreeS/WAN project has resolved
+some of the gaps in the IPsec specifications
+(and plans to resolve some others),
+and what difficulties have been encountered,
+in hopes that this generally-successful experience
+might be informative to new implementors.
+.P
+One small caution about applicability:
+this experience may not be relevant
+to severely resource-constrained implementations.
+FreeS/WAN's target environment is previous-generation PCs,
+now available at trivial cost (often,
+within an organization, at no cost),
+which have quite impressive CPU power and memory by the standards
+of only a few years ago.
+Some of the approaches discussed here may be inapplicable to
+implementations with severe external constraints which prevent them
+from taking advantage of modern hardware technology.
+.H
+2. Lower-level Background and Notes
+.H
+2.1. Packet Handling
+.P
+FreeS/WAN implements ESP [ESP] and AH [AH] straightforwardly,
+although AH sees little use among our users.
+Our ESP/AH implementation cannot currently handle packets
+with IP options;
+somewhat surprisingly, this has caused little difficulty.
+We insist on encryption and do not support authentication-only
+connections, and this has not caused significant difficulty either.
+.P
+MTU and fragmentation issues, by contrast, have been a constant headache.
+We will not describe the details of our current approach to them,
+because it still needs work.
+One difficulty we have encountered is that many combinations of
+packet source and packet destination
+apparently cannot cope with an "interior minimum" in the path MTU,
+e.g. where an IPsec tunnel intervenes and its headers reduce the MTU
+for an intermediate link.
+This is particularly prevalent when using common PC software to
+connect to large well-known web sites;
+we think it is largely due to
+misconfigured firewalls which do not pass ICMP
+Fragmentation Required messages.
+The only solution we have yet found is to lie about the MTU of the tunnel,
+accepting the (undesirable) fragmentation of the ESP packets
+for the sake of preserving connectivity.
+.P
+We currently zero out the TOS field of ESP packets,
+rather than copying it from the inner header,
+on the grounds that it lends itself too well to traffic analysis
+and covert channels.
+We provide an option to restore RFC 2401 [IPSEC] copying behavior,
+but this appears to see little use.
+.H
+2.2. Ciphers
+.P
+We initially implemented both DES [DES] and 3DES [CIPHERS] for both
+IKE and ESP,
+but after the Deep Crack effort [CRACK] demonstrated its inherent insecurity,
+we dropped support for DES.
+Somewhat surprisingly,
+our insistence on 3DES has caused almost no interoperability problems,
+despite DES being officially mandatory.
+A very few other systems either do not support 3DES or support it only
+as an optional upgrade,
+which inconveniences a few would-be users.
+There have also been one or two cases of systems
+which don't quite seem to know the difference!
+.P
+See also section 6.1 for a consequence of our insistence on 3DES.
+.H
+2.3. Interfaces
+.P
+We currently employ PF_KEY version 2 [PFKEY],
+plus various non-standard extensions,
+as our interface between keying and ESP.
+This has not proven entirely satisfactory.
+Our feeling now is that keying issues and policy issues
+do not really lend
+themselves to the clean separation that PF_KEY envisions.
+.H
+3. IKE Infrastructural Issues
+.P
+A number of problems in IPsec connection management become easier if
+some attention is first paid to providing an infrastructure
+to support solving them.
+.H
+3.1. Continuous Channel
+.P
+FreeS/WAN uses an approximation to the "continuous channel" model,
+in which ISAKMP SAs are maintained between IKEs
+so long as any IPsec SAs are open between the two systems.
+The resource consumption of this is minor:
+the only substantial overhead is occasional rekeying.
+IPsec SA management becomes significantly simpler if there is always
+a channel for transmission of control messages.
+We suggest (although we do not yet fully implement this) that
+inability to maintain (e.g., to rekey) this control path
+should be grounds for tearing down the IPsec SAs as well.
+.P
+As a corollary of this,
+there is one and only one ISAKMP SA maintained between a pair of IKEs
+(although see sections 5.3 and 6.5 for minor complications).
+.H
+3.2. Retransmission
+.P
+The unreliable nature of UDP transmission is a nuisance.
+IKE implementations should always be prepared to retransmit the most recent
+message they sent on an ISAKMP SA,
+since there is some possibility that the other end did not get it.
+This means, in particular,
+that the system sending the supposedly-last message of an exchange
+cannot relax and assume that the exchange is complete,
+at least not until a significant timeout has elapsed.
+.P
+Systems must also retain information about the message most recently received
+in an exchange,
+so that a duplicate of it can be detected
+(and possibly interpreted as a NACK for the response).
+.P
+The retransmission rules FreeS/WAN follows are:
+(1) if a reply is expected, retransmit only if it does not appear
+before a timeout;
+and (2) if a reply is not expected (last message of the exchange),
+retransmit only on receiving a retransmission of the previous message.
+Notably, in case (1) we do NOT retransmit on receiving a retransmission,
+which avoids possible congestion problems arising from packet duplication,
+at the price of slowing response to packet loss.
+The timeout for case (1) is 10 seconds for the first retry,
+20 seconds for the second, and 40 seconds for all subsequent
+retries (normally only one,
+except when
+configuration settings call for persistence and the message is
+the first message of Main Mode with a new peer).
+These retransmission rules have been entirely successful.
+.P
+(Michael Thomas of Cisco has pointed out that the retry timeouts should
+include some random jitter, to de-synchronize hosts which are
+initially synchronized by, e.g., a power outage.
+We already jitter our rekeying times,
+as noted in section 4.2,
+but that does not help with initial startup.
+We're implementing jittered retries,
+but cannot yet report on experience with this.)
+.P
+There is a deeper problem, of course, when an entire "exchange" consists
+of a single message,
+e.g. the ISAKMP Informational Exchange.
+Then there is no way to decide whether or when a retransmission is
+warranted at all.
+This seems like poor design, to put it mildly
+(and there is now talk of fixing it).
+We have no experience in dealing with this problem at this time,
+although it is part of the reason why we have delayed implementing
+Notification messages.
+.H
+3.3. Replay Prevention
+.P
+The unsequenced nature of UDP transmission is also troublesome,
+because it means that higher levels must consider the possibility
+of replay attacks.
+FreeS/WAN takes the position that systematically eliminating this
+possibility at a low level is strongly preferable to forcing careful
+consideration of possible impacts at every step of an exchange.
+RFC 2408 [ISAKMP] section 3.1 states that the Message ID of an
+ISAKMP message must be "unique".
+FreeS/WAN interprets this literally,
+as forbidding duplication of Message IDs
+within the set of all messages sent via a single ISAKMP SA.
+.P
+This requires remembering all Message IDs until the ISAKMP SA is
+superseded by rekeying,
+but that is not costly (four bytes per sent or received message),
+and it ELIMINATES replay attacks from consideration;
+we believe this investment of resources is well worthwhile.
+If the resource consumption becomes excessive\(emin our experience
+it has not\(emthe ISAKMP SA can be rekeyed early to collect the garbage.
+.P
+There is theoretically an interoperability problem when talking to
+implementations which interpret "unique" more loosely
+and may re-use Message IDs,
+but it has not been encountered in practice.
+This approach appears to be completely interoperable.
+.P
+The proposal by
+Andrew Krywaniuk [REPLAY],
+which advocates turning the Message ID into an anti-replay counter,
+would achieve the same goal without the minor per-message memory overhead.
+This may be preferable,
+although it means an actual protocol change and more study is needed.
+.H
+4. Basic Keying and Rekeying
+.H
+4.1. When to Create SAs
+.P
+As Tim Jenkins [REKEY] pointed out,
+there is a potential race condition in Quick Mode:
+a fast lightly-loaded Initiator might start using IPsec SAs very
+shortly after sending QM3 (the third and last message of Quick Mode),
+while a slow heavily-loaded Responder might
+not be ready to receive them until after spending
+a significant amount of time creating its inbound SAs.
+The problem is even worse if QM3 gets delayed or lost.
+.P
+FreeS/WAN's approach to this is what Jenkins called "Responder Pre-Setup":
+the Responder creates its inbound IPsec SAs before it sends QM2,
+so they are always ready and waiting
+when the Initiator sends QM3 and begins sending traffic.
+This approach is simple and reliable,
+and in our experience it interoperates with everybody.
+(There is potentially still a problem if FreeS/WAN is the Initiator
+and the Responder does not use Responder Pre-Setup,
+but no such problems have been seen.)
+The only real weakness of Responder Pre-Setup
+is the possibility of replay attacks,
+which we have eliminated by other means (see section 3.3).
+.P
+With this approach, the Commit Bit is useless,
+and we ignore it.
+In fact, until quite recently we discarded any IKE message containing it,
+and this caused surprisingly few interoperability problems;
+apparently it is not widely used.
+We have recently been persuaded that simply ignoring it is preferable;
+preliminary experience with this indicates that the result is successful
+interoperation with implementations which set it.
+.H
+4.2. When to Rekey
+.P
+To preserve connectivity for user traffic,
+rekeying of a connection
+(that is, creation of new IPsec SAs to supersede the current ones)
+must begin before its current IPsec SAs expire.
+Preferably one end should predictably start rekeying negotiations first,
+to avoid the extra overhead of two simultaneous negotiations,
+although either end should be prepared to rekey if the other does not.
+There is also a problem with "convoys" of keying negotiations:
+for example, a "hub" gateway with many IPsec connections
+can be inundated with rekeying negotiations
+exactly one connection-expiry time after it reboots,
+and the massive overload this induces tends to make this
+situation self-perpetuating,
+so it recurs regularly.
+(Convoys can also evolve gradually from initially-unsynchronized negotiations.)
+.P
+FreeS/WAN has the concept of a "rekeying margin", measured in seconds.
+If FreeS/WAN was the Initiator for the previous rekeying
+(or the startup, if none) of the connection,
+it nominally starts rekeying negotiations at expiry time
+minus one rekeying margin.
+Some random jitter is added to break up convoys:
+rather than starting rekeying exactly at minus one margin,
+it starts at a random time between minus one margin
+and minus two margins.
+(The randomness here need not be cryptographic in quality,
+so long as it varies over time and between hosts.
+We use an ordinary PRNG seeded with a few bytes from a cryptographic
+randomness source.
+The seeding mostly just ensures that the PRNG sequence is different
+for different hosts, even if they start up simultaneously.)
+.P
+If FreeS/WAN was the Responder for the previous rekeying/startup,
+and nothing has been heard from the previous Initiator
+at expiry time minus one-half the rekeying margin,
+FreeS/WAN will initiate rekeying negotiations.
+No jitter is applied;
+we now believe that it should be jittered,
+say between minus one-half margin and minus one-quarter margin.
+.P
+Having the Initiator lead the way is an obvious way of deciding
+who should speak first,
+since there is already an Initiator/Responder asymmetry in the connection.
+Moreover, our experience has been that Initiator lead gives a significantly
+higher probability of successful negotiation!
+The negotiation process itself is asymmetric,
+because the Initiator must make a few specific proposals which the Responder
+can only accept or reject,
+so the Initiator must try to guess where its "acceptable" region
+(in parameter space)
+might overlap with the Responder's.
+We have seen situations where negotiations would succeed or fail
+depending on which end initiated them,
+because one end was making better guesses.
+Given an existing connection,
+we KNOW that the previous Initiator WAS able to initiate a successful
+negotiation,
+so it should (if at all possible) take the lead again.
+Also, the Responder should remember the Initiator's successful proposal,
+and start from that
+rather than from his own default proposals if he must take the lead;
+we don't currently implement this completely but plan to.
+.P
+FreeS/WAN defaults the rekeying margin to 9 minutes,
+although this can be changed by configuration.
+There is also
+a configuration option to alter the permissible range of jitter.
+The defaults were chosen somewhat arbitrarily,
+but they work extremely well
+and the configuration options are rarely used.
+.H
+4.3. Choosing an SA
+.P
+Once rekeying has occurred,
+both old and new IPsec SAs for the connection exist,
+at least momentarily.
+FreeS/WAN accepts incoming traffic
+on either old or new inbound SAs,
+but sends outgoing traffic only on the new outbound ones.
+This approach appears to be significantly more robust than
+using the old ones until they expire,
+notably in cases where renegotiation has occurred because something has
+gone wrong on the other end.
+It avoids having to pay meticulous attention to the state of the other end,
+state which is difficult to learn reliably given the limitations of IKE.
+.P
+This approach has interoperated successfully with ALMOST all other
+implementations.
+The only (well-characterized) problem cases have been implementations
+which rely on receiving a Delete message for the old SAs to tell them
+to switch over to the new ones.
+Since delivery of Delete is unreliable,
+and support for Delete is optional,
+this reliance seems like a serious mistake.
+This is all the more true because Delete
+announces that the deletion has
+already occurred [ISAKMP, section 3.15], not that it is about to occur,
+so packets already in transit in the other direction could be lost.
+Delete should be used for resource cleanup, not for switchover control.
+(These matters are discussed further in section 5.)
+.H
+4.4. Why to Rekey
+.P
+FreeS/WAN currently implements only time-based expiry (life in seconds),
+although we are working toward
+supporting volume-based expiry (life in kilobytes) as well.
+The lack of volume-based expiry has not been an interoperability
+problem so far.
+.P
+Volume-based expiry does add some minor complications.
+In particular, it makes explicit Delete of now-disused SAs more important,
+because once an SA stops being used,
+it might not expire on its own.
+We believe this lacks robustness and is generally unwise,
+especially given the lack of a reliable Delete,
+and expect to use volume-based expiry only as a supplement
+to time-based expiry.
+However, Delete support (see section 5) does seem advisable
+for use with volume-based expiry.
+.P
+We do not believe that volume-based expiry alters the desirability
+of switching immediately to the new SAs after rekeying.
+Rekeying margins are normally a small fraction of the total life of an SA,
+so we feel there is no great need to "use it all up".
+.H
+4.5. Rekeying ISAKMP SAs
+.P
+The above discussion has focused on rekeying for IPsec SAs,
+but FreeS/WAN applies the same approaches to rekeying for ISAKMP SAs,
+with similar success.
+.P
+One issue which we have noticed, but not explicitly dealt with,
+is that difficulties may ensue if an IPsec-SA rekeying negotiation
+is in progress at the time when the relevant ISAKMP SA gets rekeyed.
+The IKE specification [IKE] hints, but does not actually say,
+that a Quick Mode negotiation should remain on a single ISAKMP SA throughout.
+.P
+A reasonable rekeying margin will generally
+prevent the old ISAKMP SA from actually expiring during a negotiation.
+Some attention may be needed to prevent in-progress negotiations from
+being switched to the new ISAKMP SA.
+Any attempt at pre-expiry deletion of the ISAKMP SA must be postponed
+until after such dangling negotiations are completed,
+and there should be enough delay between ISAKMP-SA rekeying and a
+deletion attempt to (more or less)
+ensure that there are no negotiation-starting packets still in transit
+from before the rekeying.
+.P
+At present, FreeS/WAN does none of this,
+and we don't KNOW of any resulting trouble.
+With normal lifetimes, the problem should be uncommon,
+and we speculate that an occasional disrupted negotiation simply gets retried.
+.H
+4.6. Bulk Negotiation
+.P
+Quick Mode nominally provides for negotiating possibly-large numbers of
+similar but unrelated IPsec SAs simultaneously
+[IKE, section 9].
+Nobody appears to do this.
+FreeS/WAN does not support it, and its absence has caused no problems.
+.H
+5. Deletions, Teardowns, Crashes
+.P
+FreeS/WAN currently ignores all Notifications and Deletes,
+and never generates them.
+This has caused little difficulty in interoperability,
+which shouldn't be surprising (since Notification and Delete support is
+officially entirely optional) but does seem to surprise some people.
+Nevertheless, we do plan some changes to this approach
+based on past experience.
+.H
+5.1. Deletions
+.P
+As hinted at above,
+we plan to implement Delete support, done as follows.
+Shortly after rekeying of IPsec SAs,
+the Responder issues a Delete for its old inbound SAs
+(but does not actually delete them yet).
+The Responder initiates this because the Initiator started using the
+new SAs on sending QM3, while the Responder started using them only
+on (or somewhat after) receiving QM3,
+so there is less chance of old-SA packets still being in transit from
+the Initiator.
+The Initiator issues an unsolicited Delete only if it does not hear one
+from the Responder after a longer delay.
+.P
+Either party, on receiving a Delete
+for one or more of the old outbound SAs of a connection,
+deletes ALL the connection's SAs,
+and acknowledges with a Delete for the old inbound SAs.
+A Delete for nonexistent SAs
+(e.g., SAs which have already been expired or deleted) is ignored.
+There is no retransmission of unacknowledged Deletes.
+.P
+In the normal case,
+with prompt reliable transmission (except possibly for loss of the
+Responder's initial Delete)
+and conforming implementations
+on both ends, this results in three Deletes being transmitted,
+resembling the classic three-way handshake.
+Loss of a Delete after the first, or multiple losses,
+will cause the SAs not to be deleted on at least one end.
+It appears difficult to do much better without at least
+a distinction between request and acknowledgement.
+.P
+RFC 2409 section 9 "strongly suggests" that there be no response to
+informational messages such as Deletes,
+but the only rationale offered is prevention of infinite loops
+endlessly exchanging "I don't understand you" informationals.
+Since Deletes cannot lead to such a loop
+(and in any case, the nonexistent-SA rule prevents more than one
+acknowledgement for the same connection),
+we believe this recommendation is inapplicable here.
+.P
+As noted in section 4.3, these Deletes are intended for
+resource cleanup, not to control switching between SAs.
+But we expect that they will improve interoperability
+with some broken implementations.
+.P
+We believe strongly that connections need to be considered as a whole,
+rather than treating each SA as an independent entity.
+We will issue Deletes only for the full set of inbound SAs of
+a connection,
+and will treat a Delete for any outbound SA as equivalent to deletion
+of all the outbound SAs for the associated connection.
+.P
+The above is phrased in terms of IPsec SAs,
+but essentially the same approach can be applied to ISAKMP SAs
+(the Deletes for the old ISAKMP SA should be sent via the new one).
+.H
+5.2. Teardowns and Shutdowns
+.P
+When a connection is not intended to be up permanently,
+there is a need to coordinate teardown,
+so that both ends are aware that the connection is down.
+This is both for recovery of resources,
+and to avoid routing packets through
+dangling SAs which can no longer deliver them.
+.P
+Connection teardown will use the same bidirectional exchange of Deletes
+as discussed in section 5.1:
+a Delete received for current IPsec SAs (not yet obsoleted by rekeying)
+indicates that the other host wishes to tear down the associated connection.
+.P
+A Delete received for a current ISAKMP SA indicates that the other host
+wishes to tear down not only the ISAKMP SA but also all IPsec SAs
+currently under the supervision of that ISAKMP SA.
+The 5.1 bidirectional exchange might seem impossible in this case,
+since reception of an ISAKMP-SA Delete indicates that the other end
+will ignore further traffic on that ISAKMP SA.
+We suggest using the same tactic discussed in 5.1 for IPsec SAs:
+the first Delete is sent without actually doing the deletion,
+and the response to receiving a Delete is to do the deletion and reply
+with another Delete.
+If there is no response to the first Delete,
+retry a small number of times and then give up and do the deletion;
+apart from being robust against packet loss,
+this also maximizes the probability that an implementation which does
+not do the bidirectional Delete will receive at least one of the Deletes.
+.P
+When a host with current connections knows that it is about to shut down,
+it will issue Deletes for all SAs involved (both IPsec and ISAKMP),
+advising its peers (as per the meaning of Delete [ISAKMP, section 3.15])
+that the SAs have become useless.
+It will ignore attempts at rekeying or connection startup thereafter,
+until it shuts down.
+.P
+It would be better to have a Final-Contact notification,
+analogous to Initial-Contact but indicating that no new negotiations
+should be attempted until further notice.
+Initial-Contact actually could be used for shutdown notification (!),
+but in networks where connections are intended to exist permanently,
+it seems likely to provoke unwanted attempts
+to renegotiate the lost connections.
+.H
+5.3. Crashes
+.P
+Systems sometimes crash.
+Coping with the resulting loss of information is easily the most
+difficult problem we have found in implementing robust IPsec systems.
+.P
+When connections are intended to be permanent,
+it is simple to specify renegotiation on reboot.
+With our approach to SA selection (see section 4.3),
+this handles such cases robustly and well.
+We do have to tell users that BOTH hosts should be set this way.
+In cases where crashes are synchronized (e.g. by power interruptions),
+this may result in simultaneous negotiations at reboot.
+We currently allow both negotiations to proceed to completion,
+but our use-newest selection method
+effectively ignores one connection or the other,
+and when one of them rekeys,
+we notice that the new SAs replace those of both old connections,
+and we then refrain from rekeying the other.
+(This duplicate detection is desirable in any event, for robustness,
+to ensure that the system converges on a reasonable state eventually
+after it is perturbed by difficulties or bugs.)
+.P
+When connections are not permanent, the situation is less happy.
+One particular situation in which we see problems is when a number of
+"Road Warrior" hosts occasionally call in to a central server.
+The server is normally configured not to initiate such connections,
+since it does not know when the Road Warrior is available (or what IP
+address it is using).
+Unfortunately, if the server crashes and reboots,
+any Road Warriors then connected have a problem:
+they don't know that the server has crashed,
+so they can't renegotiate,
+and the server has forgotten both the connections and
+their (transient) IP addresses,
+so it cannot renegotiate.
+.P
+We believe that the simplest answer to this problem is what John Denker
+has dubbed "address inertia":
+the server makes a best-effort attempt to remember (in nonvolatile storage)
+which connections were active and what the far-end addresses were
+(and what the successful proposal's parameters were),
+so that it can attempt renegotiation on reboot.
+We have not implemented this yet, but intend to;
+Denker has implemented it himself,
+although in a somewhat messy way,
+and reports excellent results.
+.H
+5.4. Network Partitions
+.P
+A network partition, making the two ends unable to reach each other,
+has many of the same characteristics as having the other end crash... until
+the network reconnects.
+It is desirable that recovery from this be automatic.
+.P
+If the network reconnects before any rekeying attempts
+or other IKE activities occurred,
+recovery is fully transparent,
+because the IKEs have no idea that there was any problem.
+(Complaints such as ICMP Host Unreachable messages are unauthenticated
+and hence cannot be given much weight.)
+This fits the general mold of TCP/IP:
+if nobody wanted to send any traffic, a network outage doesn't matter.
+.P
+If IKE activity did occur,
+the IKE implementation will discover that the other end doesn't seem
+to be responding.
+The preferred response to this depends on the nature of the connection.
+If it was intended to be ephemeral (e.g. opportunistic encryption [OE]),
+closing it down after a few retries is reasonable.
+If the other end is expected to sometimes drop the connection without
+warning, it may not be desirable to retry at all.
+(We support both these forms of configurability,
+and indeed we also have a configuration option to suppress
+rekeying entirely on one end.)
+.P
+If the connection was intended to be permanent, however,
+then persistent attempts to re-establish it are appropriate.
+Some degree of backoff is appropriate here,
+so that retries get less frequent as the outage gets prolonged.
+Backoff should be limited,
+so that re-established connectivity is not followed by a long delay
+before a retry.
+Finally, after many retries (say 24 hours' worth),
+it may be preferable to just declare the connection down and rely
+on manual intervention to re-establish it,
+should this be desirable.
+We do not yet fully support all this.
+.H
+5.5. Unknown SAs
+.P
+A more complete solution to crashes
+would be for an IPsec host to note the arrival
+of ESP packets on an unknown IPsec SA,
+and report it somehow to the other host, which can then decide to renegotiate.
+This arguably might be preferable in any case\(emif
+the non-rebooted host has no traffic to send,
+it does not care whether the connection is intact\(embut
+delays and packet loss will be reduced
+if the connection is renegotiated BEFORE there is traffic for it.
+So unknown-SA detection is best reserved as a fallback method,
+with address inertia used to deal with most such cases.
+.P
+A difficulty with unknown-SA detection is,
+just HOW should the other host be notified?
+IKE provides no good way to do the notification:
+Notification payloads (e.g., Initial-Contact) are unauthenticated
+unless they are sent under protection of an ISAKMP SA.
+A "Security Failures - Bad SPI" ICMP message [SECFAIL]
+is an interesting alternative,
+but has the disadvantage of likewise being unauthenticated.
+It's fundamentally unlikely that there is a simple solution to this,
+given that almost any way of arranging or checking authentication for such a
+notification is costly.
+.P
+We think the best answer to this is a two-step approach.
+An unauthenticated Initial-Contact or
+Security Failures - Bad SPI cannot be taken as a reliable
+report of a problem,
+but can be taken as a hint that a problem MIGHT exist.
+Then there needs to be some reliable way of checking such hints,
+subject to rate limiting since the checks are likely to be costly
+(and checking the same connection repeatedly at short intervals is unlikely
+to be worthwhile anyway).
+So the rebooted host sends the notification,
+and the non-rebooted host\(emwhich still thinks it has a connection\(emchecks
+whether the connection still works,
+and renegotiates if not.
+.P
+Also, if an IPsec host which believes it has a connection to another host
+sees an unsuccessful attempt by that host to negotiate a new one,
+that is also a hint of possible problems,
+justifying a check and possible renegotiation.
+("Unsuccessful" here means a negotiation failure due to lack of a
+satisfactory proposal.
+A failure due to authentication failure
+suggests a denial-of-service attack by a third party,
+rather than a genuine problem on the legitimate other end.)
+As noted in section 4.2,
+it is possible for negotiations to succeed or fail based on which
+end initiates them, and some robustness against that is desirable.
+.P
+We have not yet decided what form the notification should take.
+IKE Initial-Contact is an obvious possibility,
+but has some disadvantages.
+It does not specify which connection has had difficulties.
+Also, the specification [IKE section 4.6.3.3]
+refers to "remote system" and "sending system"
+without clearly specifying just what "system" means;
+in the case of a multi-homed host using multiple forms of identification,
+the question is not trivial.
+Initial-Contact does have the fairly-decisive advantage
+that it is likely to convey the right general
+meaning even to an implementation which does not do things
+exactly the way ours does.
+.P
+A more fundamental difficulty is what form the reliable check takes.
+What is wanted is an "IKE ping",
+verifying that the ISAKMP SA is still intact
+(it being unlikely that IPsec SAs have been lost while the ISAKMP SA has not).
+The lack of such a facility is a serious failing of IKE.
+An acknowledged Notification of some sort would be ideal,
+but there is none at present.
+Some existing implementations are known
+to use the private Notification values 30000 as ping
+and 30002 as ping reply,
+and that seems the most attractive choice at present.
+If it is not recognized, there will probably be no reply,
+and the result will be an unnecessary renegotiation,
+so this needs strict rate limiting.
+(Also, when a new connection is set up,
+it's probably worth determining by experiment whether the other end
+supports IKE ping, and remembering that.)
+.P
+While we think this facility is desirable,
+and is about the best that can be done with the poor tools available,
+we have not gotten very far in implementation and cannot comment
+intelligently about how well it works or interoperates.
+.H
+6. Misc. IKE Issues
+.H
+6.1. Groups 1 and 5
+.P
+We have dropped support for the first Oakley Group (group 1),
+despite it being officially mandatory,
+on the grounds that it is
+grossly too weak to provide enough randomness for 3DES.
+There have been some interoperability problems,
+mostly quite minor:
+ALMOST everyone supports group 2 as well,
+although sometimes it has to be explicitly configured.
+.P
+We also support the quasi-standard group 5 [GROUPS].
+This has not been seriously exercised yet,
+because historically
+we offered group 2 first and almost everyone accepted it.
+We have recently changed to offering group 5 first,
+and no difficulties have been reported.
+.H
+6.2. To PFS Or Not To PFS
+.P
+A persistent small interoperability problem is that
+the presence or absence of PFS (for keys [IKE, section 5.5])
+is neither negotiated nor announced.
+We have it enabled by default,
+and successful interoperation often requires having
+the other end turn it on in their implementation,
+or having the FreeS/WAN end disable it.
+Almost everyone supports it, but it's usually not the default,
+and interoperability is often impossible unless the two ends
+somehow reach prior agreement on it.
+.P
+We do not explicitly support the other flavor of PFS,
+for identities [IKE, section 8],
+and this has caused no interoperability problems.
+.H
+6.3. Debugging Tools, Lack Thereof
+.P
+We find IKE lacking in basic debugging tools.
+Section 5.4, above,
+notes that an IKE ping would be useful for connectivity verification.
+It would also be extremely helpful for determining that UDP/500
+packets get back and forth successfully between the two ends,
+which is often an important first step in debugging.
+.P
+It's also quite common to have IKE negotiate a connection successfully,
+but to have some firewall along the way blocking ESP.
+Users find this mysterious and difficult to diagnose.
+We have no immediate suggestions on what could be done about it.
+.H
+6.4. Terminology, Vagueness Thereof
+.P
+The terminology of IPsec needs work.
+We feel that both the specifications and user-oriented
+documentation would be greatly clarified by concise, intelligible names for
+certain concepts.
+.P
+We semi-consistently use "group" for the set of IPsec SAs which are
+established in one direction
+by a single Quick Mode negotiation and are used together
+to process a packet (e.g., an ESP SA plus an AH SA),
+"connection" for the logical packet path provided
+by a succession of pairs of groups
+(each rekeying providing a new pair, one group in each direction),
+and "keying channel" for the corresponding supervisory path provided
+by a sequence of ISAKMP SAs.
+.P
+We think it's a botch that "PFS" is used to refer to two very different things,
+but we have no specific new terms to suggest, since we only implement
+one kind of PFS and thus can just ignore the other.
+.H
+6.5. A Question of Identity
+.P
+One specification problem deserves note:
+exactly when can an existing phase 1 negotiation
+be re-used for a new phase 2 negotiation,
+as IKE [IKE, section 4] specifies?
+Presumably,
+when it connects the same two "parties"... but exactly what is a "party"?
+.P
+As noted in section 5.4,
+in cases involving multi-homing and multiple identities,
+it's not clear exactly what criteria are used for deciding
+whether the intended far end for a new negotiation is the same one
+as for a previous negotiation.
+Is it by Identification Payload?
+By IP address?
+Or what?
+.P
+We currently use a somewhat-vague notion of "identity",
+basically what gets sent in Identification Payloads,
+for this, and this seems to be successful,
+but we think this needs better specification.
+.H
+6.6. Opportunistic Encryption
+.P
+Further IKE challenges appear in the context of Opportunistic Encryption
+[OE],
+but operational experience with it is too limited as yet for us
+to comment usefully right now.
+.H
+6.7. Authentication and RSA Keys
+.P
+We provide two IKE authentication methods:
+shared secrets ("pre-shared keys")
+and RSA digital signatures.
+(A user-provided add-on package generalizes the latter to limited
+support for certificates;
+we have not worked extensively with it ourselves yet and cannot comment
+on it yet.)
+.P
+Shared secrets, despite their administrative difficulties,
+see considerable use,
+and are also the method of last resort for interoperability problems.
+.P
+For digital signatures,
+we have taken the somewhat unorthodox approach of using "bare" RSA public keys,
+either supplied in configuration files or fetched from DNS,
+rather than getting involved in the complexity of certificates.
+We encode our RSA public keys using the DNS KEY encoding [DNSRSA]
+(aka "RFC 2537", although that RFC is now outdated),
+which has given us no difficulties and which we highly recommend.
+We have seen two difficulties in connection with RSA keys, however.
+.P
+First,
+while a number of IPsec implementations are able to take "bare" RSA public keys,
+each one seems to have its own idea of what format should be used
+for transporting them.
+We've had little success with interoperability here,
+mostly because of key-format issues;
+the implementations generally WILL interoperate successfully if you can
+somehow get an RSA key into them at all, but that's hard.
+X.509 certificates seem to be the lowest (!)
+common denominator for key transfer.
+.P
+Second,
+although the content of RSA public keys has been stable,
+there has been a small but subtle change over time in the content
+of RSA private keys.
+The "internal modulus",
+used to compute the private exponent "d" from the public exponent "e"
+(or vice-versa)
+was originally [RSA] [PKCS1v1] [SCHNEIER] specified to be (p-1)*(q-1),
+where p and q are the two primes.
+However, more recent definitions [PKCS1v2] call it
+"lambda(n)" and define it to be lcm(p-1,\ q-1);
+this appears to be a minor optimization.
+The result is that private keys generated with the new definition
+often fail consistency checks in implementations using the old definition.
+Fortunately, it is seldom necessary to move private keys around.
+Our software now consistently uses the new definition
+(and thus will accept keys generated with either definition),
+but our key generator also has an option to generate old-definition keys,
+for the benefit of users who upgrade their networks incrementally.
+.H
+6.8. Misc. Snags
+.P
+Nonce size is another characteristic that is neither negotiated nor announced
+but that the two ends must somehow be able to agree on.
+Our software accepts anything between 8 and 256, and defaults to 16.
+These numbers were chosen rather arbitrarily,
+but we have seen no interoperability failures here.
+.P
+Nothing in the ISAKMP [ISAKMP] or IKE [IKE] specifications says
+explicitly that a normal Message ID must be non-zero,
+but a zero Message ID in fact causes failures.
+.P
+Similarly, there is nothing in the specs which says that ISAKMP cookies
+must be non-zero, but zero cookies will in fact cause trouble.
+.H
+7. Security Considerations
+.P
+Since this document discusses aspects of building robust and
+interoperable IPsec implementations,
+security considerations permeate it.
+.H
+8. References
+.R AH
+Kent, S., and Atkinson, R.,
+"IP Authentication Header",
+RFC 2402,
+Nov 1998.
+.R CIPHERS
+Pereira, R., and Adams, R.,
+"The ESP CBC-Mode Cipher Algorithms",
+RFC 2451,
+Nov 1998.
+.R CRACK
+Electronic Frontier Foundation,
+"Cracking DES:
+Secrets of Encryption Research, Wiretap Politics and Chip Design",
+O'Reilly 1998,
+ISBN 1-56592-520-3.
+.R DES
+Madson, C., and Doraswamy, N.,
+"The ESP DES-CBC Cipher Algorithm",
+RFC 2405,
+Nov 1998.
+.R DNSRSA
+D. Eastlake 3rd,
+"RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)",
+RFC 3110,
+May 2001.
+.R ESP
+Kent, S., and Atkinson, R.,
+"IP Encapsulating Security Payload (ESP)",
+RFC 2406,
+Nov 1998.
+.R GROUPS
+Kivinen, T., and Kojo, M.,
+"More MODP Diffie-Hellman groups for IKE",
+,
+13 Dec 2001 (work in progress).
+.R IKE
+Harkins, D., and Carrel, D.,
+"The Internet Key Exchange (IKE)",
+RFC 2409, Nov 1998.
+.R IPSEC
+Kent, S., and Atkinson, R.,
+"Security Architecture for the Internet Protocol",
+RFC 2401, Nov 1998.
+.R ISAKMP
+Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
+"Internet Security Association and Key Management Protocol (ISAKMP)",
+RFC 2408, Nov 1998.
+.R OE
+Richardson, M., Redelmeier, D. H., and Spencer, H.,
+"A method for doing opportunistic encryption with IKE",
+,
+21 Feb 2002 (work in progress).
+.R PKCS1v1
+Kaliski, B.,
+"PKCS #1: RSA Encryption, Version 1.5",
+RFC 2313, March 1998.
+.R PKCS1v2
+Kaliski, B., and Staddon, J.,
+"PKCS #1: RSA Cryptography Specifications, Version 2.0",
+RFC 2437, Oct 1998.
+.R PFKEY
+McDonald, D., Metz, C., and Phan, B.,
+"PF_KEY Key Management API, Version 2",
+RFC 2367, July 1998.
+.R REKEY
+Tim Jenkins, "IPsec Re-keying Issues",
+,
+2 May 2000 (draft expired, work no longer in progress).
+.R REPLAY
+Krywaniuk, A.,
+"Using Isakmp Message Ids for Replay Protection",
+,
+9 July 2001
+(work in progress).
+.R RSA
+Rivest, R.L., Shamir, A., and Adleman, L.,
+"A Method for Obtaining Digital Signatures and Public-Key
+Cryptosystems",
+Communications of the ACM v21n2, Feb 1978, p. 120.
+.R SCHNEIER
+Bruce Schneier, "Applied Cryptography", 2nd ed.,
+Wiley 1996, ISBN 0-471-11709-9.
+.R SECFAIL
+Karn, P., and Simpson, W.,
+"ICMP Security Failures Messages",
+RFC 2521,
+March 1999.
+.H
+Authors' Addresses
+.P
+.nf
+.ne 8
+Henry Spencer
+SP Systems
+Box 280 Stn. A
+Toronto, Ont. M5W1B2
+Canada
+
+henry@spsystems.net
+416-690-6561
+.ne 8
+.sp 2
+D. Hugh Redelmeier
+Mimosa Systems Inc.
+29 Donino Ave.
+Toronto, Ont. M4N2W6
+Canada
+
+hugh@mimosa.com
+416-482-8253
+.bp
+.H
+Full Copyright Statement
+.P
+Copyright (C) The Internet Society \*c. All Rights
+Reserved.
+
+This document and translations of it may be copied and
+furnished to others, and derivative works that comment on or
+otherwise explain it or assist in its implmentation may be
+prepared, copied, published and distributed, in whole or in
+part, without restriction of any kind, provided that the above
+copyright notice and this paragraph are included on all such
+copies and derivative works. However, this document itself may
+not be modified in any way, such as by removing the copyright
+notice or references to the Internet Society or other Internet
+organizations, except as needed for the purpose of developing
+Internet standards in which case the procedures for copyrights
+defined in the Internet Standards process must be followed, or
+as required to translate it into languages other than English.
+
+The limited permissions granted above are perpetual and will
+not be revoked by the Internet Society or its successors or
+assigns.
+
+This document and the information contained herein is provided
+on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
+ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
+OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
+IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
+PARTICULAR PURPOSE.
diff --git a/doc/draft-spencer-ipsec-ike-implementation.txt b/doc/draft-spencer-ipsec-ike-implementation.txt
new file mode 100644
index 000000000..145c00ba8
--- /dev/null
+++ b/doc/draft-spencer-ipsec-ike-implementation.txt
@@ -0,0 +1,1232 @@
+
+
+
+Network Working Group Henry Spencer
+Internet Draft SP Systems
+Expires: 26 Aug 2002 D. Hugh Redelmeier
+ Mimosa Systems
+ 26 Feb 2002
+
+ IKE Implementation Issues
+
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ (If approved as an Informational RFC...) This memo provides
+ information for the Internet community. This memo does not specify
+ an Internet standard of any kind.
+
+ Distribution of this memo is unlimited.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on 26 Aug 2002.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society 2002. All Rights Reserved.
+
+
+
+
+
+
+
+
+
+
+Spencer & Redelmeier [Page 1]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+Table of Contents
+
+ 1. Introduction ................................................... 3
+ 2. Lower-level Background and Notes ............................... 4
+ 2.1. Packet Handling .............................................. 4
+ 2.2. Ciphers ...................................................... 5
+ 2.3. Interfaces ................................................... 5
+ 3. IKE Infrastructural Issues ..................................... 5
+ 3.1. Continuous Channel ........................................... 5
+ 3.2. Retransmission ............................................... 5
+ 3.3. Replay Prevention ............................................ 6
+ 4. Basic Keying and Rekeying ...................................... 7
+ 4.1. When to Create SAs ........................................... 7
+ 4.2. When to Rekey ................................................ 8
+ 4.3. Choosing an SA ............................................... 9
+ 4.4. Why to Rekey ................................................. 9
+ 4.5. Rekeying ISAKMP SAs ......................................... 10
+ 4.6. Bulk Negotiation ............................................ 10
+ 5. Deletions, Teardowns, Crashes ................................. 11
+ 5.1. Deletions ................................................... 11
+ 5.2. Teardowns and Shutdowns ..................................... 12
+ 5.3. Crashes ..................................................... 13
+ 5.4. Network Partitions .......................................... 13
+ 5.5. Unknown SAs ................................................. 14
+ 6. Misc. IKE Issues .............................................. 16
+ 6.1. Groups 1 and 5 .............................................. 16
+ 6.2. To PFS Or Not To PFS ........................................ 16
+ 6.3. Debugging Tools, Lack Thereof ............................... 16
+ 6.4. Terminology, Vagueness Thereof .............................. 17
+ 6.5. A Question of Identity ...................................... 17
+ 6.6. Opportunistic Encryption .................................... 17
+ 6.7. Authentication and RSA Keys ................................. 17
+ 6.8. Misc. Snags ................................................. 18
+ 7. Security Considerations ....................................... 19
+ 8. References .................................................... 19
+ Authors' Addresses ............................................... 20
+ Full Copyright Statement ......................................... 21
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Spencer & Redelmeier [Page 2]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+Abstract
+
+ The current IPsec specifications for key exchange and connection
+ management, RFCs 2408 [ISAKMP] and 2409 [IKE], leave many aspects of
+ connection management unspecified, most prominently rekeying
+ practices. Pending clarifications in future revisions of the
+ specifications, this document sets down some successful experiences,
+ to minimize the extent to which new implementors have to rely on
+ unwritten folklore.
+
+ The Linux FreeS/WAN implementation of IPsec interoperates with almost
+ every other IPsec implementation. This document describes how the
+ FreeS/WAN project has resolved some of the gaps in the IPsec
+ specifications (and plans to resolve some others), and what
+ difficulties have been encountered, in hopes that this generally-
+ successful experience might be informative to new implementors.
+
+ This is offered as an Informational RFC.
+
+ This -02 revision mainly: discusses ISAKMP SA expiry during IPsec-SA
+ rekeying (4.5), revises the discussion of bidirectional Deletes
+ (5.1), suggests remembering the parameters of successful negotiations
+ for later use (4.2, 5.3), notes an unsuccessful negotiation from the
+ other end as a hint of a possibly broken connection (5.5), and adds
+ sections on network partitions (5.4), authentication methods and the
+ subtleties of RSA public keys (6.7), and miscellaneous
+ interoperability concerns (6.8).
+
+1. Introduction
+
+ The current IPsec specifications for key exchange and connection
+ management, RFCs 2408 [ISAKMP] and 2409 [IKE], leave many aspects of
+ connection management unspecified, most prominently rekeying
+ practices. This is a cryptic puzzle which each group of implementors
+ has to struggle with, and differences in how the ambiguities and gaps
+ are resolved are potentially a fruitful source of interoperability
+ problems. We can hope that future revisions of the specifications
+ will clear this up. Meanwhile, it seems useful to set down some
+ successful experiences, to minimize the extent to which new
+ implementors have to rely on unwritten folklore.
+
+ The Linux FreeS/WAN implementation of IPsec interoperates with almost
+ every other IPsec implementation, and because of its free nature, it
+ also sees some use as a reference implementation by other
+ implementors. The high degree of interoperability is noteworthy
+ given its organizers' strong minimalist bias, which has caused them
+ to implement only a small subset of the full glory of IPsec. This
+ document describes how the FreeS/WAN project has resolved some of the
+
+
+
+Spencer & Redelmeier [Page 3]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ gaps in the IPsec specifications (and plans to resolve some others),
+ and what difficulties have been encountered, in hopes that this
+ generally-successful experience might be informative to new
+ implementors.
+
+ One small caution about applicability: this experience may not be
+ relevant to severely resource-constrained implementations.
+ FreeS/WAN's target environment is previous-generation PCs, now
+ available at trivial cost (often, within an organization, at no
+ cost), which have quite impressive CPU power and memory by the
+ standards of only a few years ago. Some of the approaches discussed
+ here may be inapplicable to implementations with severe external
+ constraints which prevent them from taking advantage of modern
+ hardware technology.
+
+2. Lower-level Background and Notes
+
+2.1. Packet Handling
+
+ FreeS/WAN implements ESP [ESP] and AH [AH] straightforwardly,
+ although AH sees little use among our users. Our ESP/AH
+ implementation cannot currently handle packets with IP options;
+ somewhat surprisingly, this has caused little difficulty. We insist
+ on encryption and do not support authentication-only connections, and
+ this has not caused significant difficulty either.
+
+ MTU and fragmentation issues, by contrast, have been a constant
+ headache. We will not describe the details of our current approach
+ to them, because it still needs work. One difficulty we have
+ encountered is that many combinations of packet source and packet
+ destination apparently cannot cope with an "interior minimum" in the
+ path MTU, e.g. where an IPsec tunnel intervenes and its headers
+ reduce the MTU for an intermediate link. This is particularly
+ prevalent when using common PC software to connect to large well-
+ known web sites; we think it is largely due to misconfigured
+ firewalls which do not pass ICMP Fragmentation Required messages.
+ The only solution we have yet found is to lie about the MTU of the
+ tunnel, accepting the (undesirable) fragmentation of the ESP packets
+ for the sake of preserving connectivity.
+
+ We currently zero out the TOS field of ESP packets, rather than
+ copying it from the inner header, on the grounds that it lends itself
+ too well to traffic analysis and covert channels. We provide an
+ option to restore RFC 2401 [IPSEC] copying behavior, but this appears
+ to see little use.
+
+
+
+
+
+
+Spencer & Redelmeier [Page 4]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+2.2. Ciphers
+
+ We initially implemented both DES [DES] and 3DES [CIPHERS] for both
+ IKE and ESP, but after the Deep Crack effort [CRACK] demonstrated its
+ inherent insecurity, we dropped support for DES. Somewhat
+ surprisingly, our insistence on 3DES has caused almost no
+ interoperability problems, despite DES being officially mandatory. A
+ very few other systems either do not support 3DES or support it only
+ as an optional upgrade, which inconveniences a few would-be users.
+ There have also been one or two cases of systems which don't quite
+ seem to know the difference!
+
+ See also section 6.1 for a consequence of our insistence on 3DES.
+
+2.3. Interfaces
+
+ We currently employ PF_KEY version 2 [PFKEY], plus various non-
+ standard extensions, as our interface between keying and ESP. This
+ has not proven entirely satisfactory. Our feeling now is that keying
+ issues and policy issues do not really lend themselves to the clean
+ separation that PF_KEY envisions.
+
+3. IKE Infrastructural Issues
+
+ A number of problems in IPsec connection management become easier if
+ some attention is first paid to providing an infrastructure to
+ support solving them.
+
+3.1. Continuous Channel
+
+ FreeS/WAN uses an approximation to the "continuous channel" model, in
+ which ISAKMP SAs are maintained between IKEs so long as any IPsec SAs
+ are open between the two systems. The resource consumption of this
+ is minor: the only substantial overhead is occasional rekeying.
+ IPsec SA management becomes significantly simpler if there is always
+ a channel for transmission of control messages. We suggest (although
+ we do not yet fully implement this) that inability to maintain (e.g.,
+ to rekey) this control path should be grounds for tearing down the
+ IPsec SAs as well.
+
+ As a corollary of this, there is one and only one ISAKMP SA
+ maintained between a pair of IKEs (although see sections 5.3 and 6.5
+ for minor complications).
+
+3.2. Retransmission
+
+ The unreliable nature of UDP transmission is a nuisance. IKE
+ implementations should always be prepared to retransmit the most
+
+
+
+Spencer & Redelmeier [Page 5]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ recent message they sent on an ISAKMP SA, since there is some
+ possibility that the other end did not get it. This means, in
+ particular, that the system sending the supposedly-last message of an
+ exchange cannot relax and assume that the exchange is complete, at
+ least not until a significant timeout has elapsed.
+
+ Systems must also retain information about the message most recently
+ received in an exchange, so that a duplicate of it can be detected
+ (and possibly interpreted as a NACK for the response).
+
+ The retransmission rules FreeS/WAN follows are: (1) if a reply is
+ expected, retransmit only if it does not appear before a timeout; and
+ (2) if a reply is not expected (last message of the exchange),
+ retransmit only on receiving a retransmission of the previous
+ message. Notably, in case (1) we do NOT retransmit on receiving a
+ retransmission, which avoids possible congestion problems arising
+ from packet duplication, at the price of slowing response to packet
+ loss. The timeout for case (1) is 10 seconds for the first retry, 20
+ seconds for the second, and 40 seconds for all subsequent retries
+ (normally only one, except when configuration settings call for
+ persistence and the message is the first message of Main Mode with a
+ new peer). These retransmission rules have been entirely successful.
+
+ (Michael Thomas of Cisco has pointed out that the retry timeouts
+ should include some random jitter, to de-synchronize hosts which are
+ initially synchronized by, e.g., a power outage. We already jitter
+ our rekeying times, as noted in section 4.2, but that does not help
+ with initial startup. We're implementing jittered retries, but
+ cannot yet report on experience with this.)
+
+ There is a deeper problem, of course, when an entire "exchange"
+ consists of a single message, e.g. the ISAKMP Informational Exchange.
+ Then there is no way to decide whether or when a retransmission is
+ warranted at all. This seems like poor design, to put it mildly (and
+ there is now talk of fixing it). We have no experience in dealing
+ with this problem at this time, although it is part of the reason why
+ we have delayed implementing Notification messages.
+
+3.3. Replay Prevention
+
+ The unsequenced nature of UDP transmission is also troublesome,
+ because it means that higher levels must consider the possibility of
+ replay attacks. FreeS/WAN takes the position that systematically
+ eliminating this possibility at a low level is strongly preferable to
+ forcing careful consideration of possible impacts at every step of an
+ exchange. RFC 2408 [ISAKMP] section 3.1 states that the Message ID
+ of an ISAKMP message must be "unique". FreeS/WAN interprets this
+ literally, as forbidding duplication of Message IDs within the set of
+
+
+
+Spencer & Redelmeier [Page 6]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ all messages sent via a single ISAKMP SA.
+
+ This requires remembering all Message IDs until the ISAKMP SA is
+ superseded by rekeying, but that is not costly (four bytes per sent
+ or received message), and it ELIMINATES replay attacks from
+ consideration; we believe this investment of resources is well
+ worthwhile. If the resource consumption becomes excessive--in our
+ experience it has not--the ISAKMP SA can be rekeyed early to collect
+ the garbage.
+
+ There is theoretically an interoperability problem when talking to
+ implementations which interpret "unique" more loosely and may re-use
+ Message IDs, but it has not been encountered in practice. This
+ approach appears to be completely interoperable.
+
+ The proposal by Andrew Krywaniuk [REPLAY], which advocates turning
+ the Message ID into an anti-replay counter, would achieve the same
+ goal without the minor per-message memory overhead. This may be
+ preferable, although it means an actual protocol change and more
+ study is needed.
+
+4. Basic Keying and Rekeying
+
+4.1. When to Create SAs
+
+ As Tim Jenkins [REKEY] pointed out, there is a potential race
+ condition in Quick Mode: a fast lightly-loaded Initiator might start
+ using IPsec SAs very shortly after sending QM3 (the third and last
+ message of Quick Mode), while a slow heavily-loaded Responder might
+ not be ready to receive them until after spending a significant
+ amount of time creating its inbound SAs. The problem is even worse
+ if QM3 gets delayed or lost.
+
+ FreeS/WAN's approach to this is what Jenkins called "Responder Pre-
+ Setup": the Responder creates its inbound IPsec SAs before it sends
+ QM2, so they are always ready and waiting when the Initiator sends
+ QM3 and begins sending traffic. This approach is simple and
+ reliable, and in our experience it interoperates with everybody.
+ (There is potentially still a problem if FreeS/WAN is the Initiator
+ and the Responder does not use Responder Pre-Setup, but no such
+ problems have been seen.) The only real weakness of Responder Pre-
+ Setup is the possibility of replay attacks, which we have eliminated
+ by other means (see section 3.3).
+
+ With this approach, the Commit Bit is useless, and we ignore it. In
+ fact, until quite recently we discarded any IKE message containing
+ it, and this caused surprisingly few interoperability problems;
+ apparently it is not widely used. We have recently been persuaded
+
+
+
+Spencer & Redelmeier [Page 7]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ that simply ignoring it is preferable; preliminary experience with
+ this indicates that the result is successful interoperation with
+ implementations which set it.
+
+4.2. When to Rekey
+
+ To preserve connectivity for user traffic, rekeying of a connection
+ (that is, creation of new IPsec SAs to supersede the current ones)
+ must begin before its current IPsec SAs expire. Preferably one end
+ should predictably start rekeying negotiations first, to avoid the
+ extra overhead of two simultaneous negotiations, although either end
+ should be prepared to rekey if the other does not. There is also a
+ problem with "convoys" of keying negotiations: for example, a "hub"
+ gateway with many IPsec connections can be inundated with rekeying
+ negotiations exactly one connection-expiry time after it reboots, and
+ the massive overload this induces tends to make this situation self-
+ perpetuating, so it recurs regularly. (Convoys can also evolve
+ gradually from initially-unsynchronized negotiations.)
+
+ FreeS/WAN has the concept of a "rekeying margin", measured in
+ seconds. If FreeS/WAN was the Initiator for the previous rekeying
+ (or the startup, if none) of the connection, it nominally starts
+ rekeying negotiations at expiry time minus one rekeying margin. Some
+ random jitter is added to break up convoys: rather than starting
+ rekeying exactly at minus one margin, it starts at a random time
+ between minus one margin and minus two margins. (The randomness here
+ need not be cryptographic in quality, so long as it varies over time
+ and between hosts. We use an ordinary PRNG seeded with a few bytes
+ from a cryptographic randomness source. The seeding mostly just
+ ensures that the PRNG sequence is different for different hosts, even
+ if they start up simultaneously.)
+
+ If FreeS/WAN was the Responder for the previous rekeying/startup, and
+ nothing has been heard from the previous Initiator at expiry time
+ minus one-half the rekeying margin, FreeS/WAN will initiate rekeying
+ negotiations. No jitter is applied; we now believe that it should be
+ jittered, say between minus one-half margin and minus one-quarter
+ margin.
+
+ Having the Initiator lead the way is an obvious way of deciding who
+ should speak first, since there is already an Initiator/Responder
+ asymmetry in the connection. Moreover, our experience has been that
+ Initiator lead gives a significantly higher probability of successful
+ negotiation! The negotiation process itself is asymmetric, because
+ the Initiator must make a few specific proposals which the Responder
+ can only accept or reject, so the Initiator must try to guess where
+ its "acceptable" region (in parameter space) might overlap with the
+ Responder's. We have seen situations where negotiations would
+
+
+
+Spencer & Redelmeier [Page 8]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ succeed or fail depending on which end initiated them, because one
+ end was making better guesses. Given an existing connection, we KNOW
+ that the previous Initiator WAS able to initiate a successful
+ negotiation, so it should (if at all possible) take the lead again.
+ Also, the Responder should remember the Initiator's successful
+ proposal, and start from that rather than from his own default
+ proposals if he must take the lead; we don't currently implement this
+ completely but plan to.
+
+ FreeS/WAN defaults the rekeying margin to 9 minutes, although this
+ can be changed by configuration. There is also a configuration
+ option to alter the permissible range of jitter. The defaults were
+ chosen somewhat arbitrarily, but they work extremely well and the
+ configuration options are rarely used.
+
+4.3. Choosing an SA
+
+ Once rekeying has occurred, both old and new IPsec SAs for the
+ connection exist, at least momentarily. FreeS/WAN accepts incoming
+ traffic on either old or new inbound SAs, but sends outgoing traffic
+ only on the new outbound ones. This approach appears to be
+ significantly more robust than using the old ones until they expire,
+ notably in cases where renegotiation has occurred because something
+ has gone wrong on the other end. It avoids having to pay meticulous
+ attention to the state of the other end, state which is difficult to
+ learn reliably given the limitations of IKE.
+
+ This approach has interoperated successfully with ALMOST all other
+ implementations. The only (well-characterized) problem cases have
+ been implementations which rely on receiving a Delete message for the
+ old SAs to tell them to switch over to the new ones. Since delivery
+ of Delete is unreliable, and support for Delete is optional, this
+ reliance seems like a serious mistake. This is all the more true
+ because Delete announces that the deletion has already occurred
+ [ISAKMP, section 3.15], not that it is about to occur, so packets
+ already in transit in the other direction could be lost. Delete
+ should be used for resource cleanup, not for switchover control.
+ (These matters are discussed further in section 5.)
+
+4.4. Why to Rekey
+
+ FreeS/WAN currently implements only time-based expiry (life in
+ seconds), although we are working toward supporting volume-based
+ expiry (life in kilobytes) as well. The lack of volume-based expiry
+ has not been an interoperability problem so far.
+
+ Volume-based expiry does add some minor complications. In
+ particular, it makes explicit Delete of now-disused SAs more
+
+
+
+Spencer & Redelmeier [Page 9]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ important, because once an SA stops being used, it might not expire
+ on its own. We believe this lacks robustness and is generally
+ unwise, especially given the lack of a reliable Delete, and expect to
+ use volume-based expiry only as a supplement to time-based expiry.
+ However, Delete support (see section 5) does seem advisable for use
+ with volume-based expiry.
+
+ We do not believe that volume-based expiry alters the desirability of
+ switching immediately to the new SAs after rekeying. Rekeying
+ margins are normally a small fraction of the total life of an SA, so
+ we feel there is no great need to "use it all up".
+
+4.5. Rekeying ISAKMP SAs
+
+ The above discussion has focused on rekeying for IPsec SAs, but
+ FreeS/WAN applies the same approaches to rekeying for ISAKMP SAs,
+ with similar success.
+
+ One issue which we have noticed, but not explicitly dealt with, is
+ that difficulties may ensue if an IPsec-SA rekeying negotiation is in
+ progress at the time when the relevant ISAKMP SA gets rekeyed. The
+ IKE specification [IKE] hints, but does not actually say, that a
+ Quick Mode negotiation should remain on a single ISAKMP SA
+ throughout.
+
+ A reasonable rekeying margin will generally prevent the old ISAKMP SA
+ from actually expiring during a negotiation. Some attention may be
+ needed to prevent in-progress negotiations from being switched to the
+ new ISAKMP SA. Any attempt at pre-expiry deletion of the ISAKMP SA
+ must be postponed until after such dangling negotiations are
+ completed, and there should be enough delay between ISAKMP-SA
+ rekeying and a deletion attempt to (more or less) ensure that there
+ are no negotiation-starting packets still in transit from before the
+ rekeying.
+
+ At present, FreeS/WAN does none of this, and we don't KNOW of any
+ resulting trouble. With normal lifetimes, the problem should be
+ uncommon, and we speculate that an occasional disrupted negotiation
+ simply gets retried.
+
+4.6. Bulk Negotiation
+
+ Quick Mode nominally provides for negotiating possibly-large numbers
+ of similar but unrelated IPsec SAs simultaneously [IKE, section 9].
+ Nobody appears to do this. FreeS/WAN does not support it, and its
+ absence has caused no problems.
+
+
+
+
+
+Spencer & Redelmeier [Page 10]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+5. Deletions, Teardowns, Crashes
+
+ FreeS/WAN currently ignores all Notifications and Deletes, and never
+ generates them. This has caused little difficulty in
+ interoperability, which shouldn't be surprising (since Notification
+ and Delete support is officially entirely optional) but does seem to
+ surprise some people. Nevertheless, we do plan some changes to this
+ approach based on past experience.
+
+5.1. Deletions
+
+ As hinted at above, we plan to implement Delete support, done as
+ follows. Shortly after rekeying of IPsec SAs, the Responder issues a
+ Delete for its old inbound SAs (but does not actually delete them
+ yet). The Responder initiates this because the Initiator started
+ using the new SAs on sending QM3, while the Responder started using
+ them only on (or somewhat after) receiving QM3, so there is less
+ chance of old-SA packets still being in transit from the Initiator.
+ The Initiator issues an unsolicited Delete only if it does not hear
+ one from the Responder after a longer delay.
+
+ Either party, on receiving a Delete for one or more of the old
+ outbound SAs of a connection, deletes ALL the connection's SAs, and
+ acknowledges with a Delete for the old inbound SAs. A Delete for
+ nonexistent SAs (e.g., SAs which have already been expired or
+ deleted) is ignored. There is no retransmission of unacknowledged
+ Deletes.
+
+ In the normal case, with prompt reliable transmission (except
+ possibly for loss of the Responder's initial Delete) and conforming
+ implementations on both ends, this results in three Deletes being
+ transmitted, resembling the classic three-way handshake. Loss of a
+ Delete after the first, or multiple losses, will cause the SAs not to
+ be deleted on at least one end. It appears difficult to do much
+ better without at least a distinction between request and
+ acknowledgement.
+
+ RFC 2409 section 9 "strongly suggests" that there be no response to
+ informational messages such as Deletes, but the only rationale
+ offered is prevention of infinite loops endlessly exchanging "I don't
+ understand you" informationals. Since Deletes cannot lead to such a
+ loop (and in any case, the nonexistent-SA rule prevents more than one
+ acknowledgement for the same connection), we believe this
+ recommendation is inapplicable here.
+
+ As noted in section 4.3, these Deletes are intended for resource
+ cleanup, not to control switching between SAs. But we expect that
+ they will improve interoperability with some broken implementations.
+
+
+
+Spencer & Redelmeier [Page 11]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ We believe strongly that connections need to be considered as a
+ whole, rather than treating each SA as an independent entity. We
+ will issue Deletes only for the full set of inbound SAs of a
+ connection, and will treat a Delete for any outbound SA as equivalent
+ to deletion of all the outbound SAs for the associated connection.
+
+ The above is phrased in terms of IPsec SAs, but essentially the same
+ approach can be applied to ISAKMP SAs (the Deletes for the old ISAKMP
+ SA should be sent via the new one).
+
+5.2. Teardowns and Shutdowns
+
+ When a connection is not intended to be up permanently, there is a
+ need to coordinate teardown, so that both ends are aware that the
+ connection is down. This is both for recovery of resources, and to
+ avoid routing packets through dangling SAs which can no longer
+ deliver them.
+
+ Connection teardown will use the same bidirectional exchange of
+ Deletes as discussed in section 5.1: a Delete received for current
+ IPsec SAs (not yet obsoleted by rekeying) indicates that the other
+ host wishes to tear down the associated connection.
+
+ A Delete received for a current ISAKMP SA indicates that the other
+ host wishes to tear down not only the ISAKMP SA but also all IPsec
+ SAs currently under the supervision of that ISAKMP SA. The 5.1
+ bidirectional exchange might seem impossible in this case, since
+ reception of an ISAKMP-SA Delete indicates that the other end will
+ ignore further traffic on that ISAKMP SA. We suggest using the same
+ tactic discussed in 5.1 for IPsec SAs: the first Delete is sent
+ without actually doing the deletion, and the response to receiving a
+ Delete is to do the deletion and reply with another Delete. If there
+ is no response to the first Delete, retry a small number of times and
+ then give up and do the deletion; apart from being robust against
+ packet loss, this also maximizes the probability that an
+ implementation which does not do the bidirectional Delete will
+ receive at least one of the Deletes.
+
+ When a host with current connections knows that it is about to shut
+ down, it will issue Deletes for all SAs involved (both IPsec and
+ ISAKMP), advising its peers (as per the meaning of Delete [ISAKMP,
+ section 3.15]) that the SAs have become useless. It will ignore
+ attempts at rekeying or connection startup thereafter, until it shuts
+ down.
+
+ It would be better to have a Final-Contact notification, analogous to
+ Initial-Contact but indicating that no new negotiations should be
+ attempted until further notice. Initial-Contact actually could be
+
+
+
+Spencer & Redelmeier [Page 12]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ used for shutdown notification (!), but in networks where connections
+ are intended to exist permanently, it seems likely to provoke
+ unwanted attempts to renegotiate the lost connections.
+
+5.3. Crashes
+
+ Systems sometimes crash. Coping with the resulting loss of
+ information is easily the most difficult problem we have found in
+ implementing robust IPsec systems.
+
+ When connections are intended to be permanent, it is simple to
+ specify renegotiation on reboot. With our approach to SA selection
+ (see section 4.3), this handles such cases robustly and well. We do
+ have to tell users that BOTH hosts should be set this way. In cases
+ where crashes are synchronized (e.g. by power interruptions), this
+ may result in simultaneous negotiations at reboot. We currently
+ allow both negotiations to proceed to completion, but our use-newest
+ selection method effectively ignores one connection or the other, and
+ when one of them rekeys, we notice that the new SAs replace those of
+ both old connections, and we then refrain from rekeying the other.
+ (This duplicate detection is desirable in any event, for robustness,
+ to ensure that the system converges on a reasonable state eventually
+ after it is perturbed by difficulties or bugs.)
+
+ When connections are not permanent, the situation is less happy. One
+ particular situation in which we see problems is when a number of
+ "Road Warrior" hosts occasionally call in to a central server. The
+ server is normally configured not to initiate such connections, since
+ it does not know when the Road Warrior is available (or what IP
+ address it is using). Unfortunately, if the server crashes and
+ reboots, any Road Warriors then connected have a problem: they don't
+ know that the server has crashed, so they can't renegotiate, and the
+ server has forgotten both the connections and their (transient) IP
+ addresses, so it cannot renegotiate.
+
+ We believe that the simplest answer to this problem is what John
+ Denker has dubbed "address inertia": the server makes a best-effort
+ attempt to remember (in nonvolatile storage) which connections were
+ active and what the far-end addresses were (and what the successful
+ proposal's parameters were), so that it can attempt renegotiation on
+ reboot. We have not implemented this yet, but intend to; Denker has
+ implemented it himself, although in a somewhat messy way, and reports
+ excellent results.
+
+5.4. Network Partitions
+
+ A network partition, making the two ends unable to reach each other,
+ has many of the same characteristics as having the other end crash...
+
+
+
+Spencer & Redelmeier [Page 13]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ until the network reconnects. It is desirable that recovery from
+ this be automatic.
+
+ If the network reconnects before any rekeying attempts or other IKE
+ activities occurred, recovery is fully transparent, because the IKEs
+ have no idea that there was any problem. (Complaints such as ICMP
+ Host Unreachable messages are unauthenticated and hence cannot be
+ given much weight.) This fits the general mold of TCP/IP: if nobody
+ wanted to send any traffic, a network outage doesn't matter.
+
+ If IKE activity did occur, the IKE implementation will discover that
+ the other end doesn't seem to be responding. The preferred response
+ to this depends on the nature of the connection. If it was intended
+ to be ephemeral (e.g. opportunistic encryption [OE]), closing it down
+ after a few retries is reasonable. If the other end is expected to
+ sometimes drop the connection without warning, it may not be
+ desirable to retry at all. (We support both these forms of
+ configurability, and indeed we also have a configuration option to
+ suppress rekeying entirely on one end.)
+
+ If the connection was intended to be permanent, however, then
+ persistent attempts to re-establish it are appropriate. Some degree
+ of backoff is appropriate here, so that retries get less frequent as
+ the outage gets prolonged. Backoff should be limited, so that re-
+ established connectivity is not followed by a long delay before a
+ retry. Finally, after many retries (say 24 hours' worth), it may be
+ preferable to just declare the connection down and rely on manual
+ intervention to re-establish it, should this be desirable. We do not
+ yet fully support all this.
+
+5.5. Unknown SAs
+
+ A more complete solution to crashes would be for an IPsec host to
+ note the arrival of ESP packets on an unknown IPsec SA, and report it
+ somehow to the other host, which can then decide to renegotiate.
+ This arguably might be preferable in any case--if the non-rebooted
+ host has no traffic to send, it does not care whether the connection
+ is intact--but delays and packet loss will be reduced if the
+ connection is renegotiated BEFORE there is traffic for it. So
+ unknown-SA detection is best reserved as a fallback method, with
+ address inertia used to deal with most such cases.
+
+ A difficulty with unknown-SA detection is, just HOW should the other
+ host be notified? IKE provides no good way to do the notification:
+ Notification payloads (e.g., Initial-Contact) are unauthenticated
+ unless they are sent under protection of an ISAKMP SA. A "Security
+ Failures - Bad SPI" ICMP message [SECFAIL] is an interesting
+ alternative, but has the disadvantage of likewise being
+
+
+
+Spencer & Redelmeier [Page 14]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ unauthenticated. It's fundamentally unlikely that there is a simple
+ solution to this, given that almost any way of arranging or checking
+ authentication for such a notification is costly.
+
+ We think the best answer to this is a two-step approach. An
+ unauthenticated Initial-Contact or Security Failures - Bad SPI cannot
+ be taken as a reliable report of a problem, but can be taken as a
+ hint that a problem MIGHT exist. Then there needs to be some
+ reliable way of checking such hints, subject to rate limiting since
+ the checks are likely to be costly (and checking the same connection
+ repeatedly at short intervals is unlikely to be worthwhile anyway).
+ So the rebooted host sends the notification, and the non-rebooted
+ host--which still thinks it has a connection--checks whether the
+ connection still works, and renegotiates if not.
+
+ Also, if an IPsec host which believes it has a connection to another
+ host sees an unsuccessful attempt by that host to negotiate a new
+ one, that is also a hint of possible problems, justifying a check and
+ possible renegotiation. ("Unsuccessful" here means a negotiation
+ failure due to lack of a satisfactory proposal. A failure due to
+ authentication failure suggests a denial-of-service attack by a third
+ party, rather than a genuine problem on the legitimate other end.)
+ As noted in section 4.2, it is possible for negotiations to succeed
+ or fail based on which end initiates them, and some robustness
+ against that is desirable.
+
+ We have not yet decided what form the notification should take. IKE
+ Initial-Contact is an obvious possibility, but has some
+ disadvantages. It does not specify which connection has had
+ difficulties. Also, the specification [IKE section 4.6.3.3] refers
+ to "remote system" and "sending system" without clearly specifying
+ just what "system" means; in the case of a multi-homed host using
+ multiple forms of identification, the question is not trivial.
+ Initial-Contact does have the fairly-decisive advantage that it is
+ likely to convey the right general meaning even to an implementation
+ which does not do things exactly the way ours does.
+
+ A more fundamental difficulty is what form the reliable check takes.
+ What is wanted is an "IKE ping", verifying that the ISAKMP SA is
+ still intact (it being unlikely that IPsec SAs have been lost while
+ the ISAKMP SA has not). The lack of such a facility is a serious
+ failing of IKE. An acknowledged Notification of some sort would be
+ ideal, but there is none at present. Some existing implementations
+ are known to use the private Notification values 30000 as ping and
+ 30002 as ping reply, and that seems the most attractive choice at
+ present. If it is not recognized, there will probably be no reply,
+ and the result will be an unnecessary renegotiation, so this needs
+ strict rate limiting. (Also, when a new connection is set up, it's
+
+
+
+Spencer & Redelmeier [Page 15]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ probably worth determining by experiment whether the other end
+ supports IKE ping, and remembering that.)
+
+ While we think this facility is desirable, and is about the best that
+ can be done with the poor tools available, we have not gotten very
+ far in implementation and cannot comment intelligently about how well
+ it works or interoperates.
+
+6. Misc. IKE Issues
+
+6.1. Groups 1 and 5
+
+ We have dropped support for the first Oakley Group (group 1), despite
+ it being officially mandatory, on the grounds that it is grossly too
+ weak to provide enough randomness for 3DES. There have been some
+ interoperability problems, mostly quite minor: ALMOST everyone
+ supports group 2 as well, although sometimes it has to be explicitly
+ configured.
+
+ We also support the quasi-standard group 5 [GROUPS]. This has not
+ been seriously exercised yet, because historically we offered group 2
+ first and almost everyone accepted it. We have recently changed to
+ offering group 5 first, and no difficulties have been reported.
+
+6.2. To PFS Or Not To PFS
+
+ A persistent small interoperability problem is that the presence or
+ absence of PFS (for keys [IKE, section 5.5]) is neither negotiated
+ nor announced. We have it enabled by default, and successful
+ interoperation often requires having the other end turn it on in
+ their implementation, or having the FreeS/WAN end disable it. Almost
+ everyone supports it, but it's usually not the default, and
+ interoperability is often impossible unless the two ends somehow
+ reach prior agreement on it.
+
+ We do not explicitly support the other flavor of PFS, for identities
+ [IKE, section 8], and this has caused no interoperability problems.
+
+6.3. Debugging Tools, Lack Thereof
+
+ We find IKE lacking in basic debugging tools. Section 5.4, above,
+ notes that an IKE ping would be useful for connectivity verification.
+ It would also be extremely helpful for determining that UDP/500
+ packets get back and forth successfully between the two ends, which
+ is often an important first step in debugging.
+
+ It's also quite common to have IKE negotiate a connection
+ successfully, but to have some firewall along the way blocking ESP.
+
+
+
+Spencer & Redelmeier [Page 16]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ Users find this mysterious and difficult to diagnose. We have no
+ immediate suggestions on what could be done about it.
+
+6.4. Terminology, Vagueness Thereof
+
+ The terminology of IPsec needs work. We feel that both the
+ specifications and user-oriented documentation would be greatly
+ clarified by concise, intelligible names for certain concepts.
+
+ We semi-consistently use "group" for the set of IPsec SAs which are
+ established in one direction by a single Quick Mode negotiation and
+ are used together to process a packet (e.g., an ESP SA plus an AH
+ SA), "connection" for the logical packet path provided by a
+ succession of pairs of groups (each rekeying providing a new pair,
+ one group in each direction), and "keying channel" for the
+ corresponding supervisory path provided by a sequence of ISAKMP SAs.
+
+ We think it's a botch that "PFS" is used to refer to two very
+ different things, but we have no specific new terms to suggest, since
+ we only implement one kind of PFS and thus can just ignore the other.
+
+6.5. A Question of Identity
+
+ One specification problem deserves note: exactly when can an existing
+ phase 1 negotiation be re-used for a new phase 2 negotiation, as IKE
+ [IKE, section 4] specifies? Presumably, when it connects the same
+ two "parties"... but exactly what is a "party"?
+
+ As noted in section 5.4, in cases involving multi-homing and multiple
+ identities, it's not clear exactly what criteria are used for
+ deciding whether the intended far end for a new negotiation is the
+ same one as for a previous negotiation. Is it by Identification
+ Payload? By IP address? Or what?
+
+ We currently use a somewhat-vague notion of "identity", basically
+ what gets sent in Identification Payloads, for this, and this seems
+ to be successful, but we think this needs better specification.
+
+6.6. Opportunistic Encryption
+
+ Further IKE challenges appear in the context of Opportunistic
+ Encryption [OE], but operational experience with it is too limited as
+ yet for us to comment usefully right now.
+
+6.7. Authentication and RSA Keys
+
+ We provide two IKE authentication methods: shared secrets ("pre-
+ shared keys") and RSA digital signatures. (A user-provided add-on
+
+
+
+Spencer & Redelmeier [Page 17]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ package generalizes the latter to limited support for certificates;
+ we have not worked extensively with it ourselves yet and cannot
+ comment on it yet.)
+
+ Shared secrets, despite their administrative difficulties, see
+ considerable use, and are also the method of last resort for
+ interoperability problems.
+
+ For digital signatures, we have taken the somewhat unorthodox
+ approach of using "bare" RSA public keys, either supplied in
+ configuration files or fetched from DNS, rather than getting involved
+ in the complexity of certificates. We encode our RSA public keys
+ using the DNS KEY encoding [DNSRSA] (aka "RFC 2537", although that
+ RFC is now outdated), which has given us no difficulties and which we
+ highly recommend. We have seen two difficulties in connection with
+ RSA keys, however.
+
+ First, while a number of IPsec implementations are able to take
+ "bare" RSA public keys, each one seems to have its own idea of what
+ format should be used for transporting them. We've had little
+ success with interoperability here, mostly because of key-format
+ issues; the implementations generally WILL interoperate successfully
+ if you can somehow get an RSA key into them at all, but that's hard.
+ X.509 certificates seem to be the lowest (!) common denominator for
+ key transfer.
+
+ Second, although the content of RSA public keys has been stable,
+ there has been a small but subtle change over time in the content of
+ RSA private keys. The "internal modulus", used to compute the
+ private exponent "d" from the public exponent "e" (or vice-versa) was
+ originally [RSA] [PKCS1v1] [SCHNEIER] specified to be (p-1)*(q-1),
+ where p and q are the two primes. However, more recent definitions
+ [PKCS1v2] call it "lambda(n)" and define it to be lcm(p-1, q-1); this
+ appears to be a minor optimization. The result is that private keys
+ generated with the new definition often fail consistency checks in
+ implementations using the old definition. Fortunately, it is seldom
+ necessary to move private keys around. Our software now consistently
+ uses the new definition (and thus will accept keys generated with
+ either definition), but our key generator also has an option to
+ generate old-definition keys, for the benefit of users who upgrade
+ their networks incrementally.
+
+6.8. Misc. Snags
+
+ Nonce size is another characteristic that is neither negotiated nor
+ announced but that the two ends must somehow be able to agree on.
+ Our software accepts anything between 8 and 256, and defaults to 16.
+ These numbers were chosen rather arbitrarily, but we have seen no
+
+
+
+Spencer & Redelmeier [Page 18]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ interoperability failures here.
+
+ Nothing in the ISAKMP [ISAKMP] or IKE [IKE] specifications says
+ explicitly that a normal Message ID must be non-zero, but a zero
+ Message ID in fact causes failures.
+
+ Similarly, there is nothing in the specs which says that ISAKMP
+ cookies must be non-zero, but zero cookies will in fact cause
+ trouble.
+
+7. Security Considerations
+
+ Since this document discusses aspects of building robust and
+ interoperable IPsec implementations, security considerations permeate
+ it.
+
+8. References
+
+ [AH] Kent, S., and Atkinson, R., "IP Authentication Header",
+ RFC 2402, Nov 1998.
+
+ [CIPHERS] Pereira, R., and Adams, R., "The ESP CBC-Mode Cipher
+ Algorithms", RFC 2451, Nov 1998.
+
+ [CRACK] Electronic Frontier Foundation, "Cracking DES: Secrets of
+ Encryption Research, Wiretap Politics and Chip Design",
+ O'Reilly 1998, ISBN 1-56592-520-3.
+
+ [DES] Madson, C., and Doraswamy, N., "The ESP DES-CBC Cipher
+ Algorithm", RFC 2405, Nov 1998.
+
+ [DNSRSA] D. Eastlake 3rd, "RSA/SHA-1 SIGs and RSA KEYs in the
+ Domain Name System (DNS)", RFC 3110, May 2001.
+
+ [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security
+ Payload (ESP)", RFC 2406, Nov 1998.
+
+ [GROUPS] Kivinen, T., and Kojo, M., "More MODP Diffie-Hellman
+ groups for IKE", , 13 Dec 2001 (work in progress).
+
+ [IKE] Harkins, D., and Carrel, D., "The Internet Key Exchange
+ (IKE)", RFC 2409, Nov 1998.
+
+ [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
+ Internet Protocol", RFC 2401, Nov 1998.
+
+
+
+
+
+Spencer & Redelmeier [Page 19]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ [ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
+ "Internet Security Association and Key Management Protocol
+ (ISAKMP)", RFC 2408, Nov 1998.
+
+ [OE] Richardson, M., Redelmeier, D. H., and Spencer, H., "A
+ method for doing opportunistic encryption with IKE",
+ , 21 Feb 2002
+ (work in progress).
+
+ [PKCS1v1] Kaliski, B., "PKCS #1: RSA Encryption, Version 1.5", RFC
+ 2313, March 1998.
+
+ [PKCS1v2] Kaliski, B., and Staddon, J., "PKCS #1: RSA Cryptography
+ Specifications, Version 2.0", RFC 2437, Oct 1998.
+
+ [PFKEY] McDonald, D., Metz, C., and Phan, B., "PF_KEY Key
+ Management API, Version 2", RFC 2367, July 1998.
+
+ [REKEY] Tim Jenkins, "IPsec Re-keying Issues", , 2 May 2000 (draft expired, work no
+ longer in progress).
+
+ [REPLAY] Krywaniuk, A., "Using Isakmp Message Ids for Replay
+ Protection", , 9
+ July 2001 (work in progress).
+
+ [RSA] Rivest, R.L., Shamir, A., and Adleman, L., "A Method for
+ Obtaining Digital Signatures and Public-Key
+ Cryptosystems", Communications of the ACM v21n2, Feb 1978,
+ p. 120.
+
+ [SCHNEIER] Bruce Schneier, "Applied Cryptography", 2nd ed., Wiley
+ 1996, ISBN 0-471-11709-9.
+
+ [SECFAIL] Karn, P., and Simpson, W., "ICMP Security Failures
+ Messages", RFC 2521, March 1999.
+
+Authors' Addresses
+
+ Henry Spencer
+ SP Systems
+ Box 280 Stn. A
+ Toronto, Ont. M5W1B2
+ Canada
+
+ henry@spsystems.net
+ 416-690-6561
+
+
+
+
+Spencer & Redelmeier [Page 20]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+ D. Hugh Redelmeier
+ Mimosa Systems Inc.
+ 29 Donino Ave.
+ Toronto, Ont. M4N2W6
+ Canada
+
+ hugh@mimosa.com
+ 416-482-8253
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Spencer & Redelmeier [Page 21]
+
+Internet Draft IKE Implementation Issues 26 Feb 2002
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society 2002. All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implmentation may be prepared, copied, published and
+ distributed, in whole or in part, without restriction of any kind,
+ provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Spencer & Redelmeier [Page 22]
+
diff --git a/doc/src/draft-richardson-ipsec-opportunistic.html b/doc/src/draft-richardson-ipsec-opportunistic.html
new file mode 100644
index 000000000..87a13365a
--- /dev/null
+++ b/doc/src/draft-richardson-ipsec-opportunistic.html
@@ -0,0 +1,2456 @@
+Opportunistic Encryption using The Internet Key Exchange (IKE)
+
+
+
+
Opportunistic Encryption using The Internet Key Exchange (IKE)
+
draft-richardson-ipsec-opportunistic-11.txt
+
+
+
Status of this Memo
+
+This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.
+
+Internet-Drafts are working documents of the Internet Engineering
+Task Force (IETF), its areas, and its working groups.
+Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any time.
+It is inappropriate to use Internet-Drafts as reference material or to cite
+them other than as "work in progress."
+This Internet-Draft will expire on November 19, 2003.
+
+
Copyright Notice
+
+Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+
Abstract
+
+
+This document describes opportunistic encryption (OE) using the Internet Key
+Exchange (IKE) and IPsec.
+Each system administrator adds new
+resource records to his or her Domain Name System (DNS) to support
+opportunistic encryption. The objective is to allow encryption for secure communication without
+any pre-arrangement specific to the pair of systems involved.
+
+
+
+DNS is used to distribute the public keys of each
+system involved. This is resistant to passive attacks. The use of DNS
+Security (DNSSEC) secures this system against active attackers as well.
+
+
+
+As a result, the administrative overhead is reduced
+from the square of the number of systems to a linear dependence, and it becomes
+possible to make secure communication the default even
+when the partner is not known in advance.
+
+
+
+This document is offered up as an Informational RFC.
+
+
+The objective of opportunistic encryption is to allow encryption without
+any pre-arrangement specific to the pair of systems involved. Each
+system administrator adds
+public key information to DNS records to support opportunistic
+encryption and then enables this feature in the nodes' IPsec stack.
+Once this is done, any two such nodes can communicate securely.
+
+
+
+This document describes opportunistic encryption as designed and
+mostly implemented by the Linux FreeS/WAN project.
+For project information, see http://www.freeswan.org.
+
+
+
+The Internet Architecture Board (IAB) and Internet Engineering
+Steering Group (IESG) have taken a strong stand that the Internet
+should use powerful encryption to provide security and
+privacy [4].
+The Linux FreeS/WAN project attempts to provide a practical means to implement this policy.
+
+
+
+The project uses the IPsec, ISAKMP/IKE, DNS and DNSSEC
+protocols because they are
+standardized, widely available and can often be deployed very easily
+without changing hardware or software or retraining users.
+
+
+
+The extensions to support opportunistic encryption are simple. No
+changes to any on-the-wire formats are needed. The only changes are to
+the policy decision making system. This means that opportunistic
+encryption can be implemented with very minimal changes to an existing
+IPsec implementation.
+
+
+
+Opportunistic encryption creates a "fax effect". The proliferation
+of the fax machine was possible because it did not require that everyone
+buy one overnight. Instead, as each person installed one, the value
+of having one increased - as there were more people that could receive faxes.
+Once opportunistic encryption is installed it
+automatically recognizes
+other boxes using opportunistic encryption, without any further configuration
+by the network
+administrator. So, as opportunistic encryption software is installed on more
+boxes, its value
+as a tool increases.
+
+
+
+This document describes the infrastructure to permit deployment of
+Opportunistic Encryption.
+
+
+
+The term S/WAN is a trademark of RSA Data Systems, and is used with permission
+by this project.
+
+
+ To aid in understanding the relationship between security processing and IPsec
+ we divide network traffic into four categories:
+
+
+
* Deny:
+
networks to which traffic is always forbidden.
+
+
* Permit:
+
networks to which traffic in the clear is permitted.
+
+
* Opportunistic tunnel:
+
networks to which traffic is encrypted if possible, but otherwise is in the clear
+ or fails depending on the default policy in place.
+
+
+
* Configured tunnel:
+
networks to which traffic must be encrypted, and traffic in the clear is never permitted.
+
+
+
+
+Traditional firewall devices handle the first two categories. No authentication is required.
+The permit policy is currently the default on the Internet.
+
+
+
+This document describes the third category - opportunistic tunnel, which is
+proposed as the new default for the Internet.
+
+
+
+ Category four, encrypt traffic or drop it, requires authentication of the
+ end points. As the number of end points is typically bounded and is typically
+ under a single authority, arranging for distribution of
+ authentication material, while difficult, does not require any new
+ technology. The mechanism described here provides an additional way to
+ distribute the authentication materials, that of a public key method that does not
+ require deployment of an X.509 based infrastructure.
+
+
+
+Current Virtual Private Networks can often be replaced by an "OE paranoid"
+policy as described herein.
+
+
+
1.3 Peer authentication in opportunistic encryption
+
+
+ Opportunistic encryption creates tunnels between nodes that
+ are essentially strangers. This is done without any prior bilateral
+ arrangement.
+ There is, therefore, the difficult question of how one knows to whom one is
+ talking.
+
+
+
+ One possible answer is that since no useful
+ authentication can be done, none should be tried. This mode of operation is
+ named "anonymous encryption". An active man-in-the-middle attack can be
+ used to thwart the privacy of this type of communication.
+ Without peer authentication, there is no way to prevent this kind of attack.
+
+
+
+Although a useful mode, anonymous encryption is not the goal of this
+project. Simpler methods are available that can achieve anonymous
+encryption only, but authentication of the peer is a desireable goal.
+The latter is achieved through key distribution in DNS, leveraging upon
+the authentication of the DNS in DNSSEC.
+
+
+
+ Peers are, therefore, authenticated with DNSSEC when available. Local policy
+determines how much trust to extend when DNSSEC is not available.
+
+
+
+ However, an essential premise of building private connections with
+ strangers is that datagrams received through opportunistic tunnels
+ are no more special than datagrams that arrive in the clear.
+ Unlike in a VPN, these datagrams should not be given any special
+ exceptions when it comes to auditing, further authentication or
+ firewalling.
+
+
+
+ When initiating outbound opportunistic encryption, local
+ configuration determines what happens if tunnel setup fails. It may be that
+ the packet goes out in the clear, or it may be dropped.
+
+
+ The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
+ SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
+ document, are to be interpreted as described in [5]
+
+ In this diagram, there are four end-nodes: A, B, C and D.
+ There are three gateways, SG-A, SG-B, SG-D. A, D, SG-A and SG-D are part
+ of the same administrative authority, AS1. SG-A and SG-D are on two different exit
+ paths from organization 1. SG-B/B is an independent organization, AS2.
+ Nodes Q and R are nodes on the Internet. PI is the Public
+ Internet ("The Wild").
+
+
A period represents an untrusted network of unknown
+ type.
+
+
Configured tunnel:
+
a tunnel that
+ is directly and deliberately hand configured on participating gateways.
+ Configured tunnels are typically given a higher level of
+ trust than opportunistic tunnels.
+
+
Road warrior tunnel:
+
a configured tunnel connecting one
+ node with a fixed IP address and one node with a variable IP address.
+ A road warrior (RW) connection must be initiated by the
+ variable node, since the fixed node cannot know the
+ current address for the road warrior.
+
+
Anonymous encryption:
+
+ the process of encrypting a session without any knowledge of who the
+ other parties are. No authentication of identities is done.
+
+
Opportunistic encryption:
+
+ the process of encrypting a session with authenticated knowledge of
+ who the other parties are.
+
+
Lifetime:
+
+ the period in seconds (bytes or datagrams) for which a security
+ association will remain alive before needing to be re-keyed.
+
+
Lifespan:
+
+ the effective time for which a security association remains useful. A
+ security association with a lifespan shorter than its lifetime would
+ be removed when no longer needed. A security association with a
+ lifespan longer than its lifetime would need to be re-keyed one or
+ more times.
+
+
Phase 1 SA:
+
an ISAKMP/IKE security association sometimes
+ referred to as a keying channel.
+
+
Phase 2 SA:
+
an IPsec security association.
+
+
Tunnel:
+
another term for a set of phase 2 SA (one in each direction).
+
Network Address and Port Translation
+ (see [20]).
+
+
AS:
+
an autonomous system (AS) is a group of systems (a network) that
+ are under the administrative control of a single organization.
+
+
Default-free zone:
+
+ a set of routers that maintain a complete set of routes to
+ all currently reachable destinations. Having such a list, these routers
+ never make use of a default route. A datagram with a destination address
+ not matching any route will be dropped by such a router.
+
+
+The opportunistic encryption security gateway (OE gateway) is a regular
+gateway node as described in [2] section 2.4 and
+[3] with the additional capabilities described here and
+in [7].
+The algorithm described here provides a way to determine, for each datagram,
+whether or not to encrypt and tunnel the datagram. Two important things
+that must be determined are whether or not to encrypt and tunnel and, if
+so, the destination address or name of the tunnel end point which should be used.
+
+
+The OE gateway determines whether or not to create a tunnel based on
+the destination address of each packet. Upon receiving a packet with a destination
+address not recently seen, the OE gateway performs a lookup in DNS for an
+authorization resource record (see Use of TXT delegation record). The record is located using
+the IP address to perform a search in the in-addr.arpa (IPv4) or ip6.arpa
+(IPv6) maps. If an authorization record is found, the OE gateway
+interprets this as a request for a tunnel to be formed.
+
+
+The authorization resource record also provides the address or name of the tunnel
+end point which should be used.
+
+
+
+The record may also provide the public RSA key of the tunnel end point
+itself. This is provided for efficiency only. If the public RSA key is not
+present, the OE gateway performs a second lookup to find a KEY
+resource record for the end point address or name.
+
+
+
+Origin and integrity protection of the resource records is provided by
+DNSSEC ([16]). Restriction on unauthenticated TXT delegation records
+documents an optional restriction on the tunnel end point if DNSSEC signatures
+are not available for the relevant records.
+
+
+The OE gateway maintains a cache, in the forwarding plane, of
+source/destination pairs for which opportunistic encryption has been
+attempted. This cache maintains a record of whether or not OE was
+successful so that subsequent datagrams can be forwarded properly
+without additional delay.
+
+
+
+Successful negotiation of OE instantiates a new security association.
+Failure to negotiate OE results in creation of a
+forwarding policy entry either to drop or transmit in the clear future
+datagrams. This negative cache is necessary to avoid the possibly lengthy process of repeatedly looking
+up the same information.
+
+
+
+The cache is timed out periodically, as described in Renewal and teardown.
+This removes entries that are no longer
+being used and permits the discovery of changes in authorization policy.
+
+
+The OE gateway is modeled to have a forwarding plane and a control
+plane. A control channel, such as PF_KEY, connects the two planes.
+(See [6].)
+The forwarding plane performs per datagram operations. The control plane
+contains a keying
+daemon, such as ISAKMP/IKE, and performs all authorization, peer authentication and
+key derivation functions.
+
+
+Let the OE gateway maintain a collection of objects -- a superset of the
+security policy database (SPD) specified in [7]. For
+each combination of source and destination address, an SPD
+object exists in one of five following states.
+Prior to forwarding each datagram, the
+responder uses the source and destination addresses to pick an entry from the SPD.
+The SPD then determines if and how the packet is forwarded.
+
+
+If the responder does not find an entry, then this policy applies.
+The responder creates an entry with an initial state of "hold policy" and requests
+keying material from the keying daemon. The responder does not forward the datagram,
+rather it attaches the datagram to the SPD entry as the "first" datagram and retains it
+for eventual transmission in a new state.
+
+
+
+The responder requests keying material. If the interface to the keying
+system is lossy (PF_KEY, for instance, can be), the implementation
+SHOULD include a mechanism to retransmit the
+keying request at a rate limited to less than 1 request per second.
+The responder does not forward the datagram. It attaches the
+datagram to the SPD entry as the "last" datagram where it is retained
+for eventual transmission. If there is
+a datagram already so stored, then that already stored datagram is discarded.
+
+
+
+Because the "first" datagram is probably a TCP SYN packet, the
+responder retains the "first" datagram in an attempt to avoid waiting for a
+TCP retransmit. The responder retains the "last"
+datagram in deference to streaming protocols that find it useful to know
+how much data has been lost. These are recommendations to
+decrease latency. There are no operational requirements for this.
+
+
+The responder forwards the datagram using the normal forwarding table.
+The responder enters this state only by command from the keying daemon,
+and upon entering this state, also forwards the "first" and "last" datagrams.
+
+
+The responder discards the datagram. The responder enters this state only by
+command
+from the keying daemon, and upon entering this state, discards the "first"
+and "last" datagrams.
+Local administration decides if further datagrams cause ICMP messages
+to be generated (i.e. ICMP Destination Unreachable, Communication
+Administratively Prohibited. type=3, code=13).
+
+
+The responder encrypts the datagram using the indicated security association database
+(SAD) entry. The responder enters this state only by command from the keying daemon, and upon entering
+this state, releases and forwards the "first" and "last" datagrams using the
+new encrypt policy.
+
+
+
+If the associated SAD entry expires because of byte, packet or time limits, then
+the entry returns to the Hold policy, and an expire message is sent to the keying daemon.
+
+
+
+All states may be created directly by the keying daemon while acting as a
+responder.
+
+
+Let the keying daemon maintain a collection of objects. Let them be
+called "connections" or "conn"s. There are two categories of
+connection objects: classes and instances. A class represents an
+abstract policy - what could be. An instance represents an actual connection -
+what is implemented at the time.
+
+
+
+Let there be two further subtypes of connections: keying channels (Phase
+1 SAs) and data channels (Phase 2 SAs). Each data channel object may have
+a corresponding SPD and SAD entry maintained by the datagram state machine.
+
+
+
+For the purposes of opportunistic encryption, there MUST, at least, be
+connection classes known as "deny", "always-clear-text", "OE-permissive", and
+"OE-paranoid".
+The latter two connection classes define a set of source and/or destination
+addresses for which opportunistic encryption will be attempted. The administrator MAY set policy
+options in a number of additional places. An implementation MAY create additional connection classes to further refine
+these policies.
+
+
+
+The simplest system may need only the "OE-permissive" connection, and would
+list its own (single) IP address as the source address of this policy and
+the wild-card address 0.0.0.0/0 as the destination IPv4 address. That is, the
+simplest policy is to try opportunistic encryption with all destinations.
+
+
+
+The distinction between permissive and paranoid OE use will become clear
+in the state transition differences. In general a permissive OE will, on
+failure, install a pass-through policy, while a paranoid OE will, on failure,
+install a drop policy.
+
+
+
+In this description of the keying machine's state transitions, the states
+associated with the keying system itself are omitted because they are best documented in the keying system
+([8],
+[9] and [10] for ISAKMP/IKE),
+and the details are keying system specific. Opportunistic encryption is not
+dependent upon any specific keying protocol, but this document does provide
+requirements for those using ISAKMP/IKE to assure that implementations inter-operate.
+
+
+
+The state transitions that may be involved in communicating with the
+forwarding plane are omitted. PF_KEY and similar protocols have their own
+set of states required for message sends and completion notifications.
+
+
+
+Finally, the retransmits and recursive lookups that are normal for DNS are
+not included in this description of the state machine.
+
+
+There is no connection instance for a given source/destination address pair.
+Upon receipt of a request for keying material for this
+source/destination pair, the initiator searches through the connection classes to
+determine the most appropriate policy. Upon determining an appropriate
+connection class, an instance object is created of that type.
+Both of the OE types result in a potential OE connection.
+
+
+
Failure to find an appropriate connection class results in an
+administrator defined default.
+
+
+
+In each case, when the initiator finds an appropriate class for the new flow,
+an instance connection is made of the class which matched.
+
+
+The non-existent connection makes a transition to this state when an
+always-clear-text class is instantiated, or when an OE-permissive
+connection fails. During the transition, the initiator creates a pass-through
+policy object in the forwarding plane for the appropriate flow.
+
+
+
+Timing out is the only way to leave this state
+(see Expiring connection).
+
+
+The empty connection makes a transition to this state when a
+deny class is instantiated, or when an OE-paranoid connection fails.
+During the transition, the initiator creates a deny policy object in the forwarding plane
+for the appropriate flow.
+
+
+
+Timing out is the only way to leave this state
+(see Expiring connection).
+
+
+The empty connection makes a transition to this state when one of either OE class is instantiated.
+During the transition to this state, the initiator creates a hold policy object in the
+forwarding plane for the appropriate flow.
+
+
+
+In addition, when making a transition into this state, DNS lookup is done in
+the reverse-map for a TXT delegation resource record (see Use of TXT delegation record).
+The lookup key is the destination address of the flow.
+
+
+
+There are three ways to exit this state:
+
+
+
DNS lookup finds a TXT delegation resource record.
+
+
DNS lookup does not find a TXT delegation resource record.
+
+
DNS lookup times out.
+
+
+
+
+Based upon the results of the DNS lookup, the potential OE connection makes a
+transition to the pending OE connection state. The conditions for a
+successful DNS look are:
+
+
if DNSSEC is enabled, then the signature has been vouched for.
+
+
+
+Note that if the initiator does not find the public key
+present in the TXT delegation record, then the public key must
+be looked up as a sub-state. Only successful completion of all the
+DNS lookups is considered a success.
+
+
+
+If DNS lookup does not find a resource record or DNS times out, then the
+initiator considers the receiver not OE capable. If this is an OE-paranoid instance,
+then the potential OE connection makes a transition to the deny connection state.
+If this is an OE-permissive instance, then the potential OE connection makes a transition to the
+clear-text connection state.
+
+
+
+If the initiator finds a resource record but it is not properly formatted, or
+if DNSSEC is
+enabled and reports a failure to authenticate, then the potential OE
+connection should make a
+transition to the deny connection state. This action SHOULD be logged. If the
+administrator wishes to override this transition between states, then an
+always-clear class can be installed for this flow. An implementation MAY make
+this situation a new class.
+
+
+
3.2.4.1 Restriction on unauthenticated TXT delegation records
+
+
+An implementation SHOULD also provide an additional administrative control
+on delegation records and DNSSEC. This control would apply to delegation
+records (the TXT records in the reverse-map) that are not protected by
+DNSSEC.
+Records of this type are only permitted to delegate to their own address as
+a gateway. When this option is enabled, an active attack on DNS will be
+unable to redirect packets to other than the original destination.
+
+
+The potential OE connection makes a transition to this state when
+the initiator determines that all the information required from the DNS lookup is present.
+Upon entering this state, the initiator attempts to initiate keying to the gateway
+provided.
+
+
+
+Exit from this state occurs either with a successfully created IPsec SA, or
+with a failure of some kind. Successful SA creation results in a transition
+to the key connection state.
+
+
+
+Three failures have caused significant problems. They are clearly not the
+only possible failures from keying.
+
+
+
+Note that if there are multiple gateways available in the TXT delegation
+records, then a failure can only be declared after all have been
+tried. Further, creation of a phase 1 SA does not constitute success. A set
+of phase 2 SAs (a tunnel) is considered success.
+
+
+
+The first failure occurs when an ICMP port unreachable is consistently received
+without any other communication, or when there is silence from the remote
+end. This usually means that either the gateway is not alive, or the
+keying daemon is not functional. For an OE-permissive connection, the initiator makes a transition
+to the clear-text connection but with a low lifespan. For an OE-pessimistic connection,
+the initiator makes a transition to the deny connection again with a low lifespan. The lifespan in both
+cases is kept low because the remote gateway may
+be in the process of rebooting or be otherwise temporarily unavailable.
+
+
+
+The length of time to wait for the remote keying daemon to wake up is
+a matter of some debate. If there is a routing failure, 5 minutes is usually long enough for the network to
+re-converge. Many systems can reboot in that amount of
+time as well. However, 5 minutes is far too long for most users to wait to
+hear that they can not connect using OE. Implementations SHOULD make this a
+tunable parameter.
+
+
+
+The second failure occurs after a phase 1 SA has been created, but there is
+either no response to the phase 2 proposal, or the initiator receives a
+negative notify (the notify must be
+authenticated). The remote gateway is not prepared to do OE at this time.
+As before, the initiator makes a transition to the clear-text or the deny
+connection based upon connection class, but this
+time with a normal lifespan.
+
+
+
+The third failure occurs when there is signature failure while authenticating
+the remote gateway. This can occur when there has been a
+key roll-over, but DNS has not caught up. In this case again, the initiator makes a
+transition to the clear-text or the deny connection based
+upon the connection class. However, the lifespan depends upon the remaining
+time to live in the DNS. (Note that DNSSEC signed resource records have a different
+expiry time than non-signed records.)
+
+
+The pending OE connection makes a transition to this state when
+session keying material (the phase 2 SAs) is derived. The initiator creates an encrypt
+policy in the forwarding plane for this flow.
+
+
+
+There are three ways to exit this state. The first is by receipt of an
+authenticated delete message (via the keying channel) from the peer. This is
+normal teardown and results in a transition to the expired connection state.
+
+
+
+The second exit is by expiry of the forwarding plane keying material. This
+starts a re-key operation with a transition back to pending OE
+connection. In general, the soft expiry occurs with sufficient time left
+to continue to use the keys. A re-key can fail, which may
+result in the connection failing to clear-text or deny as
+appropriate. In the event of a failure, the forwarding plane
+policy does not change until the phase 2 SA (IPsec SA) reaches its
+hard expiry.
+
+
+
+The third exit is in response to a negotiation from a remote
+gateway. If the forwarding plane signals the control plane that it has received an
+unknown SPI from the remote gateway, or an ICMP is received from the remote gateway
+indicating an unknown SPI, the initiator should consider that
+the remote gateway has rebooted or restarted. Since these
+indications are easily forged, the implementation must
+exercise care. The initiator should make a cautious
+(rate-limited) attempt to re-key the connection.
+
+
+The initiator will periodically place each of the deny, clear-text, and keyed
+connections into this
+sub-state. See Renewal and teardown for more details of how often this
+occurs.
+The initiator queries the forwarding plane for last use time of the
+appropriate
+policy. If the last use time is relatively recent, then the connection
+returns to the
+previous deny, clear-text or keyed connection state. If not, then the
+connection enters
+the expired connection state.
+
+
+
+The DNS query and answer that lead to the expiring connection state are also
+examined. The DNS query may become stale. (A negative, i.e. no such record, answer
+is valid for the period of time given by the MINIMUM field in an attached SOA
+record. See [12] section 4.3.4.)
+If the DNS query is stale, then a new query is made. If the results change, then the connection
+makes a transition to a new state as described in potential OE connection state.
+
+
+
+Note that when considering how stale a connection is, both outgoing SPD and
+incoming SAD must be queried as some flows may be unidirectional for some time.
+
+
+
+Also note that the policy at the forwarding plane is not updated unless there
+is a conclusion that there should be a change.
+
+
+Entry to this state occurs when no datagrams have been forwarded recently via the
+appropriate SPD and SAD objects. The objects in the forwarding plane are
+removed (logging any final byte and packet counts if appropriate) and the
+connection instance in the keying plane is deleted.
+
+
+
+The initiator sends an ISAKMP/IKE delete to clean up the phase 2 SAs as described in
+Renewal and teardown.
+
+
+
+Whether or not to delete the phase 1 SAs
+at this time is left as a local implementation issue. Implementations
+that do delete the phase 1 SAs MUST send authenticated delete messages to
+indicate that they are doing so. There is an advantage to keeping
+the phase 1 SAs until they expire - they may prove useful again in the
+near future.
+
+
+Upon entering this state, the responder starts a DNS lookup for a KEY record for the
+initiator.
+The responder looks in the reverse-map for a KEY record for the initiator if the
+initiator has offered an ID_IPV4_ADDR, and in the forward map if the
+initiator has offered an ID_FQDN type. (See [8] section
+4.6.2.1.)
+
+
+
+The responder exits this state upon successful receipt of a KEY from DNS, and use of the key
+to verify the signature of the initiator.
+
+
+
+Successful authentication of the peer results in a transition to the
+authenticated OE Peer state.
+
+
+
+Note that the unauthenticated OE peer state generally occurs in the middle of the key negotiation
+protocol. It is really a form of pseudo-state.
+
+
+The peer will eventually propose one or more phase 2 SAs. The responder uses the source and
+destination address in the proposal to
+finish instantiating the connection state
+using the connection class table.
+The responder MUST search for an identical connection object at this point.
+
+
+
+If an identical connection is found, then the responder deletes the old instance,
+and the new object makes a transition to the pending OE connection state. This means
+that new ISAKMP connections with a given peer will always use the latest
+instance, which is the correct one if the peer has rebooted in the interim.
+
+
+
+If an identical connection is not found, then the responder makes the transition according to the
+rules given for the initiator.
+
+
+
+Note that if the initiator is in OE-paranoid mode and the responder is in
+either always-clear-text or deny, then no communication is possible according
+to policy. An implementation is permitted to create new types of policies
+such as "accept OE but do not initiate it". This is a local matter.
+
+
+A potentially unlimited number of tunnels may exist. In practice, only a few
+tunnels are used during a period of time. Unused tunnels MUST, therefore, be
+torn down. Detecting when tunnels are no longer in use is the subject of this section.
+
+
+
+There are two methods for removing tunnels: explicit deletion or expiry.
+
+
+
+Explicit deletion requires an IKE delete message. As the deletes
+MUST be authenticated, both ends of the tunnel must maintain the
+key channel (phase 1 ISAKMP SA). An implementation which refuses to either maintain or
+recreate the keying channel SA will be unable to use this method.
+
+
+
+The tunnel expiry method, simply allows the IKE daemon to
+expire normally without attempting to re-key it.
+
+
+
+Regardless of which method is used to remove tunnels, the implementation requires
+a method to determine if the tunnel is still in use. The specifics are a
+local matter, but the FreeS/WAN project uses the following criteria. These
+criteria are currently implemented in the key management daemon, but could
+also be implemented at the SPD layer using an idle timer.
+
+
+
+Set a short initial (soft) lifespan of 1 minute since many net flows last
+only a few seconds.
+
+
+
+At the end of the lifespan, check to see if the tunnel was used by
+traffic in either direction during the last 30 seconds. If so, assign a
+longer tentative lifespan of 20 minutes after which, look again. If the
+tunnel is not in use, then close the tunnel.
+
+
+
+The expiring state in the key management
+system (see Expiring connection) implements these timeouts.
+The timer above may be in the forwarding plane,
+but then it must be re-settable.
+
+
+
+The tentative lifespan is independent of re-keying; it is just the time when
+the tunnel's future is next considered.
+(The term lifespan is used here rather than lifetime for this reason.)
+Unlike re-keying, this tunnel use check is not costly and should happen
+reasonably frequently.
+
+
+
+A multi-step back-off algorithm is not considered worth the effort here.
+
+
+
+If the security gateway and the client host are the
+same and not a Bump-in-the-Stack or Bump-in-the-Wire implementation, tunnel
+teardown decisions MAY pay attention to TCP connection status as reported
+by the local TCP layer. A still-open TCP connection is almost a guarantee that more traffic is
+expected. Closing of the only TCP connection through a tunnel is a
+strong hint that no more traffic is expected.
+
+
+Teardown should always be coordinated between the two ends of the tunnel by
+interpreting and sending delete notifications. There is a
+detailed sub-state in the expired connection state of the key manager that
+relates to retransmits of the delete notifications, but this is considered to
+be a keying system detail.
+
+
+
+On receiving a delete for the outbound SAs of a tunnel (or some subset of
+them), tear down the inbound ones also and notify the remote end with a
+delete. If the local system receives a delete for a tunnel which is no longer in
+existence, then two delete messages have crossed paths. Ignore the delete.
+The operation has already been completed. Do not generate any messages in this
+situation.
+
+
+
+Tunnels are to be considered as bidirectional entities, even though the
+low-level protocols don't treat them this way.
+
+
+
+When the deletion is initiated locally, rather than as a
+response to a received delete, send a delete for (all) the
+inbound SAs of a tunnel. If the local system does not receive a responding delete
+for the outbound SAs, try re-sending the original
+delete. Three tries spaced 10 seconds apart seems a reasonable
+level of effort. A failure of the other end to respond after 3 attempts,
+indicates that the possibility of further communication is unlikely. Remove the outgoing SAs.
+(The remote system may be a mobile node that is no longer present or powered on.)
+
+
+
+After re-keying, transmission should switch to using the new
+outgoing SAs (ISAKMP or IPsec) immediately, and the old leftover
+outgoing SAs should be cleared out promptly (delete should be sent
+for the outgoing SAs) rather than waiting for them to expire. This
+reduces clutter and minimizes confusion for the operator doing diagnostics.
+
+
+ The IKE wire protocol needs no modifications. The major changes are
+ implementation issues relating to how the proposals are interpreted, and from
+ whom they may come.
+
+
+
+ As opportunistic encryption is designed to be useful between peers without
+ prior operator configuration, an IKE daemon must be prepared to negotiate
+ phase 1 SAs with any node. This may require a large amount of resources to
+ maintain cookie state, as well as large amounts of entropy for nonces,
+ cookies and so on.
+
+
+
+ The major changes to support opportunistic encryption are at the IKE daemon
+ level. These changes relate to handling of key acquisition requests, lookup
+ of public keys and TXT records, and interactions with firewalls and other
+ security facilities that may be co-resident on the same gateway.
+
+
+ In a typical configured tunnel, the address of SG-B is provided
+ via configuration. Furthermore, the mapping of an SPD entry to a gateway is
+ typically a 1:1 mapping. When the 0.0.0.0/0 SPD entry technique is used, then
+ the mapping to a gateway is determined by the reverse DNS records.
+
+
+
+ The need to do a DNS lookup and wait for a reply will typically introduce a
+ new state and a new event source (DNS replies) to IKE. Although a
+synchronous DNS request can be implemented for proof of concept, experience
+is that it can cause very high latencies when a queue of queries must
+all timeout in series.
+
+
+
+ Use of an asynchronous DNS lookup will also permit overlap of DNS lookups with
+ some of the protocol steps.
+
+
+ SG-A will have to establish its identity. Use an
+ IPv4 ID in phase 1.
+
+
+
There are many situations where the administrator of SG-A may not be
+ able to control the reverse DNS records for SG-A's public IP address.
+ Typical situations include dialup connections and most residential-type broadband Internet access
+ (ADSL, cable-modem) connections. In these situations, a fully qualified domain
+ name that is under the control of SG-A's administrator may be used
+ when acting as an initiator only.
+ The FQDN ID should be used in phase 1. See Use of FQDN IDs
+ for more details and restrictions.
+
+
+ Upon receipt of a phase 1 SA proposal with either an IPv4 (IPv6) ID or
+ an FQDN ID, an IKE daemon needs to examine local caches and
+ configuration files to determine if this is part of a configured tunnel.
+ If no configured tunnels are found, then the implementation should attempt to retrieve
+ a KEY record from the reverse DNS in the case of an IPv4/IPv6 ID, or
+ from the forward DNS in the case of FQDN ID.
+
+
+
+ It is reasonable that if other non-local sources of policy are used
+ (COPS, LDAP), they be consulted concurrently but some
+ clear ordering of policy be provided. Note that due to variances in
+ latency, implementations must wait for positive or negative replies from all sources
+ of policy before making any decisions.
+
+
+ The implementation described (1.98) neither uses DNSSEC directly to
+ explicitly verify the authenticity of zone information, nor uses the NXT
+ records to provide authentication of the absence of a TXT or KEY
+ record. Rather, this implementation uses a trusted path to a DNSSEC
+ capable caching resolver.
+
+
+
+ To distinguish between an authenticated and an unauthenticated DNS
+ resource record, a stub resolver capable of returning DNSSEC
+ information MUST be used.
+
+
+ The initiator MUST offer at least one proposal using some combination
+ of: 3DES, HMAC-MD5 or HMAC-SHA1, DH group 2 or 5. Group 5 SHOULD be
+ proposed first.
+ [11]
+
+
+ The initiator MAY offer additional proposals, but the cipher MUST not
+ be weaker than 3DES. The initiator SHOULD limit the number of proposals
+ such that the IKE datagrams do not need to be fragmented.
+
+
+
+ The responder MUST accept one of the proposals. If any configuration
+ of the responder is required then the responder is not acting in an
+ opportunistic way.
+
+
+
+ SG-A SHOULD use an ID_IPV4_ADDR (ID_IPV6_ADDR for IPv6) of the external
+ interface of SG-A for phase 1. (There is an exception, see Use of FQDN IDs.) The authentication method MUST be RSA public key signatures.
+ The RSA key for SG-A SHOULD be placed into a DNS KEY record in
+ the reverse space of SG-A (i.e. using in-addr.arpa).
+
+
+ In order to establish their own identities, SG-A and SG-B SHOULD publish
+ their public keys in their reverse DNS via
+ DNSSEC's KEY record.
+ See section 3 of RFC 2535[16].
+
+
+
+
For example:
+
+KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
+
+
+
+
0x4200:
+
The flag bits, indicating that this key is prohibited
+ for confidentiality use (it authenticates the peer only, a separate
+ Diffie-Hellman exchange is used for
+ confidentiality), and that this key is associated with the non-zone entity
+ whose name is the RR owner name. No other flags are set.
+
+
4:
+
This indicates that this key is for use by IPsec.
+
+
1:
+
An RSA key is present.
+
+
AQNJjkKlIk9...nYyUkKK8:
+
The public key of the host as described in [17].
+
+
+
+
Use of several KEY records allows for key rollover. The SIG Payload in
+ IKE phase 1 SHOULD be accepted if the public key given by any KEY RR
+ validates it.
+
+
+Alice publishes a TXT record to provide authorization for SG-A to act on
+Alice's behalf.
+
+Bob publishes a TXT record to provide authorization for SG-B to act on Bob's
+behalf.
+
+These records are located in the reverse DNS (in-addr.arpa) for their
+respective IP addresses. The reverse DNS SHOULD be secured by DNSSEC, when
+it is deployed. DNSSEC is required to defend against active attacks.
+
+
+
+ If Alice's address is P.Q.R.S, then she can authorize another node to
+ act on her behalf by publishing records at:
+
+
+S.R.Q.P.in-addr.arpa
+
+
+
+
+
+ The contents of the resource record are expected to be a string that
+ uses the following syntax, as suggested in [15].
+ (Note that the reply to query may include other TXT resource
+ records used by other applications.)
+
+
+
+
+
+X-IPsec-Server(P)=A.B.C.D KEY
+
+
+
Format of reverse delegation record
+
+
+
+
P:
+
Specifies a precedence for this record. This is
+ similar to MX record preferences. Lower numbers have stronger
+ preference.
+
+
+
A.B.C.D:
+
Specifies the IP address of the Security Gateway
+ for this client machine.
+
+
+
KEY:
+
Is the encoded RSA Public key of the Security
+ Gateway. The key is provided here to avoid a second DNS lookup. If this
+ field is absent, then a KEY resource record should be looked up in the
+ reverse-map of A.B.C.D. The key is transmitted in base64 format.
+
+
+
+
+ The pieces of the record are separated by any whitespace
+ (space, tab, newline, carriage return). An ASCII space SHOULD
+ be used.
+
+
+
+ In the case where Alice is located at a public address behind a
+ security gateway that has no fixed address (or no control over its
+ reverse-map), then Alice may delegate to a public key by domain name.
+
+
+
+
+
+X-IPsec-Server(P)=@FQDN KEY
+
+
+
Format of reverse delegation record (FQDN version)
+
+
+
+
P:
+
Is as above.
+
+
+
FQDN:
+
Specifies the FQDN that the Security Gateway
+ will identify itself with.
+
+
+
KEY:
+
Is the encoded RSA Public key of the Security
+ Gateway.
+
+
+
+ If there is more than one such TXT record with strongest (lowest
+ numbered) precedence, one Security Gateway is picked arbitrarily from
+ those specified in the strongest-preference records.
+
+
+ When packed into transport format, TXT records which are longer than 255
+ characters are divided into smaller <character-strings>.
+ (See [13] section 3.3 and 3.3.14.) These MUST
+ be reassembled into a single string for processing.
+ Whitespace characters in the base64 encoding are to be ignored.
+
+
+ It has been suggested to use the KEY, OPT, CERT, or KX records
+ instead of a TXT record. None is satisfactory.
+
+
+
The KEY RR has a protocol field which could be used to indicate a new protocol,
+and an algorithm field which could be used to
+ indicate different contents in the key data. However, the KEY record
+ is clearly not intended for storing what are really authorizations,
+ it is just for identities. Other uses have been discouraged.
+
+
+
OPT resource records, as defined in [14] are not
+ intended to be used for storage of information. They are not to be loaded,
+ cached or forwarded. They are, therefore, inappropriate for use here.
+
+
+
+ CERT records [18] can encode almost any set of
+ information. A custom type code could be used permitting any suitable
+ encoding to be stored, not just X.509. According to
+ the RFC, the certificate RRs are to be signed internally which may add undesirable
+and unnecessary bulk. Larger DNS records may require TCP instead of UDP transfers.
+
+
+
+ At the time of protocol design, the CERT RR was not widely deployed and
+ could not be counted upon. Use of CERT records will be investigated,
+ and may be proposed in a future revision of this document.
+
+
+
+ KX records are ideally suited for use instead of TXT records, but had not been deployed at
+ the time of implementation.
+
+
+ Unfortunately, not every administrator has control over the contents
+ of the reverse-map. Where the initiator (SG-A) has no suitable reverse-map, the
+ authorization record present in the reverse-map of Alice may refer to a
+ FQDN instead of an IP address.
+
+
+
+ In this case, the client's TXT record gives the fully qualified domain
+ name (FQDN) in place of its security gateway's IP address.
+ The initiator should use the ID_FQDN ID-payload in phase 1.
+ A forward lookup for a KEY record on the FQDN must yield the
+ initiator's public key.
+
+
+
+ This method can also be used when the external address of SG-A is
+ dynamic.
+
+
+
+ If SG-A is acting on behalf of Alice, then Alice must still delegate
+ authority for SG-A to do so in her reverse-map. When Alice and SG-A
+ are one and the same (i.e. Alice is acting as an end-node) then there
+ is no need for this when initiating only.
+
+Good cryptographic hygiene says that one should replace public/private key pairs
+periodically. Some administrators may wish to do this as often as daily. Typical DNS
+propagation delays are determined by the SOA Resource Record MINIMUM
+parameter, which controls how long DNS replies may be cached. For reasonable
+operation of DNS servers, administrators usually want this value to be at least several
+hours, sometimes as a long as a day. This presents a problem - a new key MUST
+not be used prior to it propagating through DNS.
+
+
+
+This problem is dealt with by having the Security Gateway generate a new
+public/private key pair at least MINIMUM seconds in advance of using it. It
+then adds this key to the DNS (both as a second KEY record and in additional TXT
+delegation records) at key generation time. Note: only one key is allowed in
+each TXT record.
+
+
+
+When authenticating, all gateways MUST have available all public keys
+that are found in DNS for this entity. This permits the authenticating end
+to check both the key for "today" and the key for "tomorrow". Note that it is
+the end which is creating the signature (possesses the private key) that
+determines which key is to be used.
+
+
+ There are no fundamentally new issues for implementing opportunistic encryption
+ in the presence of network address translation. Rather there are
+ only the regular IPsec issues with NAT traversal.
+
+
+
+ There are several situations to consider for NAT.
+
+
+ If SG-A is also performing network address translation on
+ behalf of Alice, then the packet should be translated prior to
+ being subjected to opportunistic encryption. This is in contrast to
+ typically configured tunnels which often exist to bridge islands of
+ private network address space. SG-A will use the translated source
+ address for phase 2, and so SG-B will look up that address to
+ confirm SG-A's authorization.
+
+
+
In the case of NAT (1:1), the address space into which the
+ translation is done MUST be globally unique, and control over the
+ reverse-map is assumed.
+ Placing of TXT records is possible.
+
+
+
In the case of NAPT (m:1), the address will be SG-A. The ability to get
+ KEY and TXT records in place will again depend upon whether or not
+ there is administrative control over the reverse-map. This is
+ identical to situations involving a single host acting on behalf of
+ itself.
+
+ FQDN style can be used to get around a lack of a reverse-map for
+ initiators only.
+
+
+ If there is a NAT or NAPT between SG-A and SG-B, then normal IPsec
+ NAT traversal rules apply. In addition to the transport problem
+ which may be solved by other mechanisms, there
+ is the issue of what phase 1 and phase 2 IDs to use. While FQDN could
+ be used during phase 1 for SG-A, there is no appropriate ID for phase 2
+ that permits SG-B to determine that SG-A is in fact authorized to speak for Alice.
+
+
+ If Bob is behind a NAT (perhaps SG-B), then there is, in fact, no way for
+ Alice to address a packet to Bob. Not only is opportunistic encryption
+ impossible, but it is also impossible for Alice to initiate any
+ communication to Bob. It may be possible for Bob to initiate in such
+ a situation. This creates an asymmetry, but this is common for
+ NAPT.
+
+
+ When Alice and SG-A are components of the same system, they are
+ considered to be a host implementation. The packet sequence scenario remains unchanged.
+
+
+
+ Components marked Alice are the upper layers (TCP, UDP, the
+ application), and SG-A is the IP layer.
+
+
+
+ Note that tunnel mode is still required.
+
+
+
+ As Alice and SG-A are acting on behalf of themselves, no TXT based delegation
+ record is necessary for Alice to initiate. She can rely on FQDN in a
+ forward map. This is particularly attractive to mobile nodes such as
+ notebook computers at conferences.
+ To respond, Alice/SG-A will still need an entry in Alice's reverse-map.
+
+
+If there are multiple paths between Alice and Bob (as illustrated in
+the diagram with SG-D), then additional DNS records are required to establish
+authorization.
+
+
+
+In Reference Network Diagram, Alice has two ways to
+exit her network: SG-A and SG-D. Previously SG-D has been ignored. Postulate
+that there are routers between Alice and her set of security gateways
+(denoted by the + signs and the marking of an autonomous system number for
+Alice's network). Datagrams may, therefore, travel to either SG-A or SG-D en
+route to Bob.
+
+
+
+As long as all network connections are in good order, it does not matter how
+datagrams exit Alice's network. When they reach either security gateway, the
+security gateway will find the TXT delegation record in Bob's reverse-map,
+and establish an SA with SG-B.
+
+
+
+SG-B has no problem establishing that either of SG-A or SG-D may speak for
+Alice, because Alice has published two equally weighted TXT delegation records:
+
+Alice's routers can now do any kind of load sharing needed. Both SG-A and SG-D send datagrams addressed to Bob through
+their tunnel to SG-B.
+
+
+
+Alice's use of non-equal weight delegation records to show preference of one gateway over another, has relevance only when SG-B
+is initiating to Alice.
+
+
+
+If the precedences are the same, then SG-B has a more difficult time. It
+must decide which of the two tunnels to use. SG-B has no information about
+which link is less loaded, nor which security gateway has more cryptographic
+resources available. SG-B, in fact, has no knowledge of whether both gateways
+are even reachable.
+
+
+
+The Public Internet's default-free zone may well know a good route to Alice,
+but the datagrams that SG-B creates must be addressed to either SG-A or SG-D;
+they can not be addressed to Alice directly.
+
+
+
+SG-B may make a number of choices:
+
+
+
It can ignore the problem and round robin among the tunnels. This
+ causes losses during times when one or the other security gateway is
+ unreachable. If this worries Alice, she can change the weights in her
+ TXT delegation records.
+
+
It can send to the gateway from which it most recently received datagrams.
+ This assumes that routing and reachability are symmetrical.
+
+
It can listen to BGP information from the Internet to decide which
+ system is currently up. This is clearly much more complicated, but if SG-B is already participating
+ in the BGP peering system to announce Bob, the results data may already
+ be available to it.
+
+
It can refuse to negotiate the second tunnel. (It is unclear whether or
+not this is even an option.)
+
+
It can silently replace the outgoing portion of the first tunnel with the
+second one while still retaining the incoming portions of both. SG-B can,
+thus, accept datagrams from either SG-A or SG-D, but
+send only to the gateway that most recently re-keyed with it.
+
+
+
+
+Local policy determines which choice SG-B makes. Note that even if SG-B has perfect
+knowledge about the reachability of SG-A and SG-D, Alice may not be reachable
+from either of these security gateways because of internal reachability
+issues.
+
+
+
+FreeS/WAN implements option 5. Implementing a different option is
+being considered. The multi-homing aspects of OE are not well developed and may
+be the subject of a future document.
+
+
+ If a DNS server fails to respond, local policy decides
+ whether or not to permit communication in the clear as embodied in
+ the connection classes in Keying state machine - initiator.
+ It is easy to mount a denial of service attack on the DNS server
+ responsible for a particular network's reverse-map.
+ Such an attack may cause all communication with that network to go in
+ the clear if the policy is permissive, or fail completely
+ if the policy is paranoid. Please note that this is an active attack.
+
+
+
+ There are still many networks
+ that do not have properly configured reverse-maps. Further, if the policy is not to communicate,
+ the above denial of service attack isolates the target network. Therefore, the decision of whether
+or not to permit communication in the clear MUST be a matter of local policy.
+
+
+ DNS records claim that opportunistic encryption should
+ occur, but the target gateway either does not respond on port 500, or
+ refuses the proposal. This may be because of a crash or reboot, a
+ faulty configuration, or a firewall filtering port 500.
+
+
+
+ The receipt of ICMP port, host or network unreachable
+ messages indicates a potential problem, but MUST NOT cause communication
+ to fail
+ immediately. ICMP messages are easily forged by attackers. If such a
+ forgery caused immediate failure, then an active attacker could easily
+ prevent any
+ encryption from ever occurring, possibly preventing all communication.
+
+
+
+ In these situations a clear log should be produced
+ and local policy should dictate if communication is then
+ permitted in the clear.
+
+
+Tunnels sometimes go down because the remote end crashes,
+disconnects, or has a network link break. In general there is no
+notification of this. Even in the event of a crash and successful reboot,
+other SGs don't hear about it unless the rebooted SG has specific
+reason to talk to them immediately. Over-quick response to temporary
+network outages is undesirable. Note that a tunnel can be torn
+down and then re-established without any effect visible to the user
+except a pause in traffic. On the other hand, if one end reboots,
+the other end can't get datagrams to it at all (except via
+IKE) until the situation is noticed. So a bias toward quick
+response is appropriate even at the cost of occasional
+false alarms.
+
+
+
+A mechanism for recovery after reboot is a topic of current research and is not specified in this
+document.
+
+
+
+A deliberate shutdown should include an attempt, using deletes, to notify all other SGs
+currently connected by phase 1 SAs that communication is
+about to fail. Again, a remote SG will assume this is a teardown. Attempts by the
+remote SGs to negotiate new tunnels as replacements should be ignored. When possible,
+SGs should attempt to preserve information about currently-connected SGs in non-volatile storage, so
+that after a crash, an Initial-Contact can be sent to previous partners to
+indicate loss of all previously established connections.
+
+
+ The method of obtaining information by reverse DNS lookup causes
+ problems for people who cannot control their reverse DNS
+ bindings. This is an unresolved problem in this version, and is out
+ of scope.
+
+
+Two example scenarios follow. In the first example GW-A
+(Gateway A) and GW-B (Gateway B) have always-clear-text policies, and in the second example they have an OE
+policy.
+
+
+Alice wants to communicate with Bob. Perhaps she wants to retrieve a
+web page from Bob's web server. In the absence of opportunistic
+encryptors, the following events occur:
+
+
+
(1)
+
Human or application 'clicks' with a name.
+
+
(2)
+
Application looks up name in DNS to get IP address.
+
+
(3)
+
Resolver returns A record to application.
+
+
(4)
+
Application starts a TCP session or UDP session and OS sends datagram.
+
+
(5)
+
Datagram is seen at first gateway from Alice (SG-A). (SG-A
+makes a transition through Empty connection to always-clear connection and
+instantiates a pass-through policy at the forwarding plane.)
+
+
(6)
+
Datagram is seen at last gateway before Bob (SG-B).
+
+
(7)
+
First datagram from Alice is seen by Bob.
+
+
(8)
+
First return datagram is sent by Bob.
+
+
(9)
+
Datagram is seen at Bob's gateway. (SG-B makes a transition through
+Empty connection to always-clear connection and instantiates a pass-through
+policy at the forwarding plane.)
+
+
(10)
+
Datagram is seen at Alice's gateway.
+
+
(11)
+
OS hands datagram to application. Alice sends another datagram.
+
+ At point (5), SG-A intercepts the datagram because this source/destination pair lacks a policy
+(the non-existent policy state). SG-A creates a hold policy, and buffers the datagram. SG-A requests keys from the keying daemon.
+
+
+ SG-A's IKE daemon, having looked up the source/destination pair in the connection
+ class list, creates a new Potential OE connection instance. SG-A starts DNS
+ queries.
+
+
+ DNS returns properly formed TXT delegation records, and SG-A's IKE daemon
+ causes this instance to make a transition from Potential OE connection to Pending OE
+ connection.
+
+
+
+ Using the example above, the returned record might contain:
+
+
+
+
+
+X-IPsec-Server(10)=192.1.1.5 AQMM...3s1Q==
+
+
+
Example of reverse delegation record for Bob
+
+ with SG-B's IP address and public key listed.
+
+
+
+ SG-A uses the phase 1 SA to send its identity under encryption.
+ The choice of identity is discussed in Phase 1 parameters.
+ This is an internal state of the keying protocol.
+
+
+ SG-B asks DNS for the public key of the initiator.
+ DNS looks for a KEY record by IP address in the reverse-map.
+ That is, a KEY resource record is queried for 4.1.1.192.in-addr.arpa
+ (recall that SG-A's external address is 192.1.1.4).
+ SG-B uses the resulting public key to authenticate the initiator. See Use of KEY record for further details.
+
+
+
11.2.10 (5F2) DNS replies with public key of initiator
+
+
+Upon successfully authenticating the peer, the connection instance makes a
+transition to authenticated OE peer on SG-B.
+
+
+ Having established mutually agreeable authentications (via KEY) and
+ authorizations (via TXT), SG-A proposes to create an IPsec tunnel for
+ datagrams transiting from Alice to Bob. This tunnel is established only for
+ the Alice/Bob combination, not for any subnets that may be behind SG-A and SG-B.
+
+
+ While the identity of SG-A has been established, its authority to
+ speak for Alice has not yet been confirmed. SG-B does a reverse
+ lookup on Alice's address for a TXT record.
+
+
+
Upon receiving this specific proposal, SG-B's connection instance
+ makes a transition into the potential OE connection state. SG-B may already have an
+ instance, and the check is made as described above.
+
+ Should additional communication occur between, for instance, Dave and Bob using
+ SG-A and SG-B, a new tunnel (phase 2 SA) would be established. The phase 1 SA
+ may be reusable.
+
+
+
SG-A, having successfully keyed the tunnel, now makes a transition from
+ Pending OE connection to Keyed OE connection.
+
+
+
The responder MUST setup the inbound IPsec SAs before sending its reply.
+
+
11.2.12.5 (5G3) Final acknowledgment from initiator
+
+
+ The initiator agrees with the responder's choice and sets up the tunnel.
+ The initiator sets up the inbound and outbound IPsec SAs.
+
+
+
+ The proper authorization returned with keys prompts SG-B to make a transition
+ to the keyed OE connection state.
+
+
+
Upon receipt of this message, the responder may now setup the outbound
+ IPsec SAs.
+
+
11.2.13 (6) IPsec succeeds, and sets up tunnel for communication between Alice and Bob
+
+
+ SG-A sends the datagram saved at step (5) through the newly created
+ tunnel to SG-B, where it gets decrypted and forwarded.
+ Bob receives it at (7) and replies at (8).
+
+
+
11.2.14 (9) SG-B already has tunnel up with G1 and uses it
+
+
+ At (9), SG-B has already established an SPD entry mapping Bob->Alice via a
+ tunnel, so this tunnel is simply applied. The datagram is encrypted to SG-A,
+ decrypted by SG-A and passed to Alice at (10).
+
+
+ Configured tunnels are those which are setup using bilateral mechanisms: exchanging
+public keys (raw RSA, DSA, PKIX), pre-shared secrets, or by referencing keys that
+are in known places (distinguished name from LDAP, DNS). These keys are then used to
+configure a specific tunnel.
+
+
+
+A pre-configured tunnel may be on all the time, or may be keyed only when needed.
+The end points of the tunnel are not necessarily static: many mobile
+applications (road warrior) are considered to be configured tunnels.
+
+
+
+The primary characteristic is that configured tunnels are assigned specific
+security properties. They may be trusted in different ways relating to exceptions to
+firewall rules, exceptions to NAT processing, and to bandwidth or other quality of service restrictions.
+
+
+
+Opportunistic tunnels are not inherently trusted in any strong way. They are
+created without prior arrangement. As the two parties are strangers, there
+MUST be no confusion of datagrams that arrive from opportunistic peers and
+those that arrive from configured tunnels. A security gateway MUST take care
+that an opportunistic peer can not impersonate a configured peer.
+
+
+
+Ingress filtering MUST be used to make sure that only datagrams authorized by
+negotiation (and the concomitant authentication and authorization) are
+accepted from a tunnel. This is to prevent one peer from impersonating another.
+
+
+
+An implementation suggestion is to treat opportunistic tunnel
+datagrams as if they arrive on a logical interface distinct from other
+configured tunnels. As the number of opportunistic tunnels that may be
+created automatically on a system is potentially very high, careful attention
+to scaling should be taken into account.
+
+
+
+As with any IKE negotiation, opportunistic encryption cannot be secure
+without authentication. Opportunistic encryption relies on DNS for its
+authentication information and, therefore, cannot be fully secure without
+a secure DNS. Without secure DNS, opportunistic encryption can protect against passive
+eavesdropping but not against active man-in-the-middle attacks.
+
+
+ Typical usage of per datagram access control lists is to implement various
+kinds of security gateways. These are typically called "firewalls".
+
+
+
+ Typical usage of a virtual private network (VPN) within a firewall is to
+bypass all or part of the access controls between two networks. Additional
+trust (as outlined in the previous section) is given to datagrams that arrive
+in the VPN.
+
+
+
+ Datagrams that arrive via opportunistically configured tunnels MUST not be
+trusted. Any security policy that would apply to a datagram arriving in the
+clear SHOULD also be applied to datagrams arriving opportunistically.
+
+
+ There are several different forms of denial of service that an implementor
+ should concern themselves with. Most of these problems are shared with
+ security gateways that have large numbers of mobile peers (road warriors).
+
+
+
+ The design of ISAKMP/IKE, and its use of cookies, defend against many kinds
+ of denial of service. Opportunism changes the assumption that if the phase 1 (ISAKMP)
+ SA is authenticated, that it was worthwhile creating. Because the gateway will communicate with any machine, it is
+ possible to form phase 1 SAs with any machine on the Internet.
+
+
+ Substantive portions of this document are based upon previous work by
+ Henry Spencer.
+
+
+
+ Thanks to Tero Kivinen, Sandy Harris, Wes Hardarker, Robert Moskowitz,
+ Jakob Schlyter, Bill Sommerfeld, John Gilmore and John Denker for their
+ comments and constructive criticism.
+
+
+
+ Sandra Hoffman and Bill Dickie did the detailed proof reading and editing.
+
+
Defense Advanced Research Projects Agency (DARPA), Information Processing Techniques Office and University of Southern California (USC)/Information Sciences Institute, "Internet Protocol", STD 5, RFC 791, September 1981.
+Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it
+or assist in its implementation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are
+included on all such copies and derivative works. However, this
+document itself may not be modified in any way, such as by removing
+the copyright notice or references to the Internet Society or other
+Internet organizations, except as needed for the purpose of
+developing Internet standards in which case the procedures for
+copyrights defined in the Internet Standards process must be
+followed, or as required to translate it into languages other than
+English.
+
+The limited permissions granted above are perpetual and will not be
+revoked by the Internet Society or its successors or assigns.
+
+This document and the information contained herein is provided on an
+"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
Acknowledgement
+
+Funding for the RFC Editor function is currently provided by the
+Internet Society.
+
diff --git a/doc/src/draft-richardson-ipsec-opportunistic.xml b/doc/src/draft-richardson-ipsec-opportunistic.xml
new file mode 100644
index 000000000..d587df693
--- /dev/null
+++ b/doc/src/draft-richardson-ipsec-opportunistic.xml
@@ -0,0 +1,2519 @@
+
+
+
+
+
+
+
+
+ Security
+ Independent submission
+
+ Opportunistic Encryption using The Internet Key Exchange (IKE)
+
+
+
+ Sandelman Software Works
+
+
+ 470 Dawson Avenue
+ Ottawa
+ ON
+ K1Z 5V7
+ CA
+
+ mcr@sandelman.ottawa.on.ca
+ http://www.sandelman.ottawa.on.ca/
+
+
+
+
+ Mimosa
+
+
+ Toronto
+ ON
+ CA
+
+ hugh@mimosa.com
+
+
+
+
+
+
+
+This document describes opportunistic encryption (OE) using the Internet Key
+Exchange (IKE) and IPsec.
+Each system administrator adds new
+resource records to his or her Domain Name System (DNS) to support
+opportunistic encryption. The objective is to allow encryption for secure communication without
+any pre-arrangement specific to the pair of systems involved.
+
+
+DNS is used to distribute the public keys of each
+system involved. This is resistant to passive attacks. The use of DNS
+Security (DNSSEC) secures this system against active attackers as well.
+
+
+As a result, the administrative overhead is reduced
+from the square of the number of systems to a linear dependence, and it becomes
+possible to make secure communication the default even
+when the partner is not known in advance.
+
+
+This document is offered up as an Informational RFC.
+
+
+
+
+
+
+
+
+
+
+
+
+The objective of opportunistic encryption is to allow encryption without
+any pre-arrangement specific to the pair of systems involved. Each
+system administrator adds
+public key information to DNS records to support opportunistic
+encryption and then enables this feature in the nodes' IPsec stack.
+Once this is done, any two such nodes can communicate securely.
+
+
+
+This document describes opportunistic encryption as designed and
+implemented by the Linux FreeS/WAN project in revisions up and including 2.00.
+Note that 2.01 and beyond implements RFC3445, in a backward compatible way.
+For project information, see http://www.freeswan.org.
+
+
+
+The Internet Architecture Board (IAB) and Internet Engineering
+Steering Group (IESG) have taken a strong stand that the Internet
+should use powerful encryption to provide security and
+privacy .
+The Linux FreeS/WAN project attempts to provide a practical means to implement this policy.
+
+
+
+The project uses the IPsec, ISAKMP/IKE, DNS and DNSSEC
+protocols because they are
+standardized, widely available and can often be deployed very easily
+without changing hardware or software or retraining users.
+
+
+
+The extensions to support opportunistic encryption are simple. No
+changes to any on-the-wire formats are needed. The only changes are to
+the policy decision making system. This means that opportunistic
+encryption can be implemented with very minimal changes to an existing
+IPsec implementation.
+
+
+
+Opportunistic encryption creates a "fax effect". The proliferation
+of the fax machine was possible because it did not require that everyone
+buy one overnight. Instead, as each person installed one, the value
+of having one increased - as there were more people that could receive faxes.
+Once opportunistic encryption is installed it
+automatically recognizes
+other boxes using opportunistic encryption, without any further configuration
+by the network
+administrator. So, as opportunistic encryption software is installed on more
+boxes, its value
+as a tool increases.
+
+
+
+This document describes the infrastructure to permit deployment of
+Opportunistic Encryption.
+
+
+
+The term S/WAN is a trademark of RSA Data Systems, and is used with permission
+by this project.
+
+
+
+
+
+
+ To aid in understanding the relationship between security processing and IPsec
+ we divide network traffic into four categories:
+
+ networks to which traffic is always forbidden.
+ networks to which traffic in the clear is permitted.
+ networks to which traffic is encrypted if possible, but otherwise is in the clear
+ or fails depending on the default policy in place.
+
+ networks to which traffic
+must be encrypted, and traffic in the clear is never permitted.
+A Virtual Private Network (VPN) is a form of configured tunnel.
+
+
+
+
+
+Traditional firewall devices handle the first two categories.
+No authentication is required.
+The permit policy is currently the default on the Internet.
+
+
+
+This document describes the third category - opportunistic tunnel, which is
+proposed as the new default for the Internet.
+
+
+
+ Category four, encrypt traffic or drop it, requires authentication of the
+ end points. As the number of end points is typically bounded and is typically
+ under a single authority, arranging for distribution of
+ authentication material, while difficult, does not require any new
+ technology. The mechanism described here provides an additional way to
+ distribute the authentication materials, that of a public key method that does not
+ require deployment of an X.509 based infrastructure.
+
+
+Current Virtual Private Networks can often be replaced by an "OE paranoid"
+policy as described herein.
+
+
+
+
+
+
+ Opportunistic encryption creates tunnels between nodes that
+ are essentially strangers. This is done without any prior bilateral
+ arrangement.
+ There is, therefore, the difficult question of how one knows to whom one is
+ talking.
+
+
+
+ One possible answer is that since no useful
+ authentication can be done, none should be tried. This mode of operation is
+ named "anonymous encryption". An active man-in-the-middle attack can be
+ used to thwart the privacy of this type of communication.
+ Without peer authentication, there is no way to prevent this kind of attack.
+
+
+
+Although a useful mode, anonymous encryption is not the goal of this
+project. Simpler methods are available that can achieve anonymous
+encryption only, but authentication of the peer is a desireable goal.
+The latter is achieved through key distribution in DNS, leveraging upon
+the authentication of the DNS in DNSSEC.
+
+
+
+ Peers are, therefore, authenticated with DNSSEC when available. Local policy
+determines how much trust to extend when DNSSEC is not available.
+
+
+
+ However, an essential premise of building private connections with
+ strangers is that datagrams received through opportunistic tunnels
+ are no more special than datagrams that arrive in the clear.
+ Unlike in a VPN, these datagrams should not be given any special
+ exceptions when it comes to auditing, further authentication or
+ firewalling.
+
+
+
+ When initiating outbound opportunistic encryption, local
+ configuration determines what happens if tunnel setup fails. It may be that
+ the packet goes out in the clear, or it may be dropped.
+
+
+
+
+
+
+ The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
+ SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
+ document, are to be interpreted as described in
+
+
+
+
+
+
+
+
+
+
+
+
+ In this diagram, there are four end-nodes: A, B, C and D.
+ There are three security gateways, SG-A, SG-B, SG-D. A, D, SG-A and
+ SG-D are part
+ of the same administrative authority, AS1. SG-A and SG-D are on two
+ different exit
+ paths from organization 1. SG-B/B is an independent organization, AS2.
+ Nodes Q and R are nodes on the Internet. PI is the Public
+ Internet ("The Wild").
+
+
+
+
+
+
+
+ The following terminology is used in this document:
+
+
+
+ a system that performs IPsec tunnel
+ mode encapsulation/decapsulation. [SG-x] in the diagram.
+ node [A] in the diagram. When an IP address is needed, this is 192.1.0.65.
+ node [B] in the diagram. When an IP address is needed, this is 192.2.0.66.
+ node [C] in the diagram. When an IP address is needed, this is 192.1.1.67.
+ node [D] in the diagram. When an IP address is needed, this is 192.3.0.68.
+ Alice's security gateway. Internally it is 192.1.0.1, externally it is 192.1.1.4.
+ Bob's security gateway. Internally it is 192.2.0.1, externally it is 192.1.1.5.
+ Dave's security gateway. Also Alice's backup security gateway. Internally it is 192.3.0.1, externally it is 192.1.1.6.
+ A period represents an untrusted network of unknown
+ type.
+ a tunnel that
+ is directly and deliberately hand configured on participating gateways.
+ Configured tunnels are typically given a higher level of
+ trust than opportunistic tunnels.
+
+ a configured tunnel connecting one
+ node with a fixed IP address and one node with a variable IP address.
+ A road warrior (RW) connection must be initiated by the
+ variable node, since the fixed node cannot know the
+ current address for the road warrior.
+
+
+ the process of encrypting a session without any knowledge of who the
+ other parties are. No authentication of identities is done.
+
+
+ the process of encrypting a session with authenticated knowledge of
+ who the other party is.
+
+
+ the period in seconds (bytes or datagrams) for which a security
+ association will remain alive before needing to be re-keyed.
+
+
+ the effective time for which a security association remains useful. A
+ security association with a lifespan shorter than its lifetime would
+ be removed when no longer needed. A security association with a
+ lifespan longer than its lifetime would need to be re-keyed one or
+ more times.
+
+ an ISAKMP/IKE security association sometimes
+ referred to as a keying channel.
+
+ an IPsec security association.
+
+ another term for a set of phase 2 SA (one in each direction).
+
+ Network Address Translation
+ (see ).
+
+ Network Address and Port Translation
+ (see ).
+
+ an autonomous system
+
+ Fully-Qualified Domain Name
+
+
+ a set of routers that maintain a complete set of routes to
+ all currently reachable destinations. Having such a list, these routers
+ never make use of a default route. A datagram with a destination address
+ not matching any route will be dropped by such a router.
+
+
+
+
+
+
+
+
+The opportunistic encryption security gateway (OE gateway) is a regular
+gateway node as described in section 2.4 and
+ with the additional capabilities described here and
+in .
+The algorithm described here provides a way to determine, for each datagram,
+whether or not to encrypt and tunnel the datagram. Two important things
+that must be determined are whether or not to encrypt and tunnel and, if
+so, the destination address or name of the tunnel end point which should be used.
+
+
+
+
+The OE gateway determines whether or not to create a tunnel based on
+the destination address of each packet. Upon receiving a packet with a destination
+address not recently seen, the OE gateway performs a lookup in DNS for an
+authorization resource record (see ). The record is located using
+the IP address to perform a search in the in-addr.arpa (IPv4) or ip6.arpa
+(IPv6) maps. If an authorization record is found, the OE gateway
+interprets this as a request for a tunnel to be formed.
+
+
+
+
+
+
+The authorization resource record also provides the address or name of the tunnel
+end point which should be used.
+
+
+The record may also provide the public RSA key of the tunnel end point
+itself. This is provided for efficiency only. If the public RSA key is not
+present, the OE gateway performs a second lookup to find a KEY
+resource record for the end point address or name.
+
+
+Origin and integrity protection of the resource records is provided by
+DNSSEC ().
+documents an optional restriction on the tunnel end point if DNSSEC signatures
+are not available for the relevant records.
+
+
+
+
+
+
+The OE gateway maintains a cache, in the forwarding plane, of
+source/destination pairs for which opportunistic encryption has been
+attempted. This cache maintains a record of whether or not OE was
+successful so that subsequent datagrams can be forwarded properly
+without additional delay.
+
+
+
+Successful negotiation of OE instantiates a new security association.
+Failure to negotiate OE results in creation of a
+forwarding policy entry either to drop or transmit in the clear future
+datagrams. This negative cache is necessary to avoid the possibly lengthy process of repeatedly looking
+up the same information.
+
+
+
+The cache is timed out periodically, as described in .
+This removes entries that are no longer
+being used and permits the discovery of changes in authorization policy.
+
+
+
+
+
+
+
+
+
+
+The OE gateway is modeled to have a forwarding plane and a control
+plane. A control channel, such as PF_KEY, connects the two planes.
+(See .)
+The forwarding plane performs per datagram operations. The control plane
+contains a keying daemon, such as ISAKMP/IKE, and performs all
+authorization, peer authentication and key derivation functions.
+
+
+
+
+
+Let the OE gateway maintain a collection of objects -- a superset of the
+security policy database (SPD) specified in . For
+each combination of source and destination address, an SPD
+object exists in one of five following states.
+Prior to forwarding each datagram, the responder uses the source and
+destination addresses to pick an entry from the SPD.
+The SPD then determines if and how the packet is forwarded.
+
+
+
+
+
+
+
+
+If the gateway does not find an entry, then this policy applies.
+The gateway creates an entry with an initial state of "hold policy" and requests
+keying material from the keying daemon. The gateway does not forward the datagram,
+rather it SHOULD attach the datagram to the SPD entry as the "first" datagram and retain it
+for eventual transmission in a new state.
+
+
+
+
+
+
+The gateway requests keying material. If the interface to the keying
+system is lossy (PF_KEY, for instance, can be), the implementation
+SHOULD include a mechanism to retransmit the
+keying request at a rate limited to less than 1 request per second.
+The gateway does not forward the datagram. The gateway SHOULD attach the
+datagram to the SPD entry as the "last" datagram where it is retained
+for eventual transmission.
+If there is a datagram already so stored, then that already stored datagram is discarded.
+
+
+The rational behind saving the the "first" and "last" datagrams are as follows:
+The "first" datagram is probably a TCP SYN packet. Once there is keying
+established, the gateway will release this datagram, avoiding the need to
+for the end-point to retransmit the datagram. In the case where the connection
+was not a TCP connection, buyt was instead a streaming protocol or a DNS request,
+the "last" datagram that was retained is likely the most recent data. The difference
+between "first" and "last" may also help the end-points determine
+which data awas dropped while negotiation took place.
+
+
+
+
+
+The gateway forwards the datagram using the normal forwarding table.
+The gateway enters this state only by command from the keying daemon,
+and upon entering this state, also forwards the "first" and "last" datagrams.
+
+
+
+
+
+The gateway discards the datagram. The gateway enters this state only by
+command
+from the keying daemon, and upon entering this state, discards the "first"
+and "last" datagrams.
+An implementation MAY provide the administator with a control to determine
+if further datagrams cause ICMP messages
+to be generated (i.e. ICMP Destination Unreachable, Communication
+Administratively Prohibited. type=3, code=13).
+
+
+
+
+
+The gateway encrypts the datagram using the indicated security association database
+(SAD) entry. The gateway enters this state only by command from the keying daemon, and upon entering
+this state, releases and forwards the "first" and "last" datagrams using the
+new encrypt policy.
+
+
+If the associated SAD entry expires because of byte, packet or time limits, then
+the entry returns to the Hold policy, and an expire message is sent to the keying daemon.
+
+
+
+
+All states may be created directly by the keying daemon while acting as a
+gateway.
+
+
+
+
+
+
+
+Let the keying daemon maintain a collection of objects. Let them be
+called "connections" or "conn"s. There are two categories of
+connection objects: classes and instances. A class represents an
+abstract policy - what could be. An instance represents an actual connection -
+what is implemented at the time.
+
+
+
+Let there be two further subtypes of connections: keying channels (Phase
+1 SAs) and data channels (Phase 2 SAs). Each data channel object may have
+a corresponding SPD and SAD entry maintained by the datagram state machine.
+
+
+
+For the purposes of opportunistic encryption, there MUST, at least, be
+connection classes known as "deny", "always-clear-text", "OE-permissive", and
+"OE-paranoid".
+The latter two connection classes define a set of source and/or destination
+addresses for which opportunistic encryption will be attempted.
+The administrator MAY set policy options in a number of additional places.
+An implementation MAY create additional connection classes to further refine
+these policies.
+
+
+
+The simplest system may need only the "OE-permissive" connection, and would
+list its own (single) IP address as the source address of this policy and
+the wild-card address 0.0.0.0/0 as the destination IPv4 address. That is, the
+simplest policy is to try opportunistic encryption with all destinations.
+
+
+
+The distinction between permissive and paranoid OE use will become clear
+in the state transition differences. In general a permissive OE will, on
+failure, install a pass-through policy, while a paranoid OE will, on failure,
+install a drop policy.
+
+
+
+In this description of the keying machine's state transitions, the states
+associated with the keying system itself are omitted because they are best documented in the keying system
+(,
+ and for ISAKMP/IKE),
+and the details are keying system specific. Opportunistic encryption is not
+dependent upon any specific keying protocol, but this document does provide
+requirements for those using ISAKMP/IKE to assure that implementations inter-operate.
+
+
+The state transitions that may be involved in communicating with the
+forwarding plane are omitted. PF_KEY and similar protocols have their own
+set of states required for message sends and completion notifications.
+
+
+Finally, the retransmits and recursive lookups that are normal for DNS are
+not included in this description of the state machine.
+
+
+
+| deny |---> expired
+| connection | | for | connection | connection
+`---------------' | destination `---------------'
+ ^ ^ | ^
+ | | no record | |
+ | | OE-permissive V | no record
+ | | .---------------. | OE-paranoid
+ | `------------| potential OE |---------'
+ | | connection | ^
+ | `---------------' |
+ | | |
+ | | got TXT record | DNSSEC failure
+ | | reply |
+ | V | wrong
+ | .---------------. | failure
+ | | authenticate |---------'
+ | | & parse TXT RR| ^
+ | repeated `---------------' |
+ | ICMP | |
+ | failures | initiate IKE to |
+ | (short-timeout) | responder |
+ | V |
+ | phase-2 .---------------. | failure
+ | failure | pending |---------'
+ | (normal | OE | ^
+ | timeout) | |invalid | phase-2 failure (short-timeout)
+ | | |<--.SPI | ICMP failures (normal timeout)
+ | | | | |
+ | | +=======+ |---' |
+ | | | IKE | | ^ |
+ `--------------| | states|---------------'
+ | +=======+ | |
+ `---------------' |
+ | IPsec SA | invalid SPI
+ | established |
+ V | rekey time
+ .--------------. |
+ | keyed |<---|-------------------------------.
+ | connection |----' |
+ `--------------' |
+ | timer |
+ | |
+ V |
+ .--------------. connection still active |
+ clear-text----->| expired |------------------------------------'
+ deny----->| connection |
+ `--------------'
+ | dead connected - deleted
+ V
+]]>
+
+
+
+
+There is no connection instance for a given source/destination address pair.
+Upon receipt of a request for keying material for this
+source/destination pair, the initiator searches through the connection classes to
+determine the most appropriate policy. Upon determining an appropriate
+connection class, an instance object is created of that type.
+Both of the OE types result in a potential OE connection.
+
+Failure to find an appropriate connection class results in an
+administrator defined default.
+
+
+In each case, when the initiator finds an appropriate class for the new flow,
+an instance connection is made of the class which matched.
+
+
+
+
+
+The non-existent connection makes a transition to this state when an
+always-clear-text class is instantiated, or when an OE-permissive
+connection fails. During the transition, the initiator creates a pass-through
+policy object in the forwarding plane for the appropriate flow.
+
+
+Timing out is the only way to leave this state
+(see ).
+
+
+
+
+
+The empty connection makes a transition to this state when a
+deny class is instantiated, or when an OE-paranoid connection fails.
+During the transition, the initiator creates a deny policy object in the forwarding plane
+for the appropriate flow.
+
+
+Timing out is the only way to leave this state
+(see ).
+
+
+
+
+
+The empty connection makes a transition to this state when one of either OE class is instantiated.
+During the transition to this state, the initiator creates a hold policy object in the
+forwarding plane for the appropriate flow.
+
+
+In addition, when making a transition into this state, DNS lookup is done in
+the reverse-map for a TXT delegation resource record (see ).
+The lookup key is the destination address of the flow.
+
+
+There are three ways to exit this state:
+
+DNS lookup finds a TXT delegation resource record.
+DNS lookup does not find a TXT delegation resource record.
+DNS lookup times out.
+
+
+
+
+Based upon the results of the DNS lookup, the potential OE connection makes a
+transition to the pending OE connection state. The conditions for a
+successful DNS look are:
+
+DNS finds an appropriate resource record
+It is properly formatted according to
+ if DNSSEC is enabled, then the signature has been vouched for.
+
+
+Note that if the initiator does not find the public key
+present in the TXT delegation record, then the public key must
+be looked up as a sub-state. Only successful completion of all the
+DNS lookups is considered a success.
+
+
+If DNS lookup does not find a resource record or DNS times out, then the
+initiator considers the receiver not OE capable. If this is an OE-paranoid instance,
+then the potential OE connection makes a transition to the deny connection state.
+If this is an OE-permissive instance, then the potential OE connection makes a transition to the
+clear-text connection state.
+
+
+If the initiator finds a resource record but it is not properly formatted, or
+if DNSSEC is
+enabled and reports a failure to authenticate, then the potential OE
+connection makes a
+transition to the deny connection state. This action SHOULD be logged. If the
+administrator wishes to override this transition between states, then an
+always-clear class can be installed for this flow. An implementation MAY make
+this situation a new class.
+
+
+
+
+An implementation SHOULD also provide an additional administrative control
+on delegation records and DNSSEC. This control would apply to delegation
+records (the TXT records in the reverse-map) that are not protected by
+DNSSEC.
+Records of this type are only permitted to delegate to their own address as
+a gateway. When this option is enabled, an active attack on DNS will be
+unable to redirect packets to other than the original destination.
+
+
+
+
+
+
+
+The potential OE connection makes a transition to this state when
+the initiator determines that all the information required from the DNS lookup is present.
+Upon entering this state, the initiator attempts to initiate keying to the gateway
+provided.
+
+
+Exit from this state occurs either with a successfully created IPsec SA, or
+with a failure of some kind. Successful SA creation results in a transition
+to the key connection state.
+
+
+Three failures have caused significant problems. They are clearly not the
+only possible failures from keying.
+
+
+Note that if there are multiple gateways available in the TXT delegation
+records, then a failure can only be declared after all have been
+tried. Further, creation of a phase 1 SA does not constitute success. A set
+of phase 2 SAs (a tunnel) is considered success.
+
+
+The first failure occurs when an ICMP port unreachable is consistently received
+without any other communication, or when there is silence from the remote
+end. This usually means that either the gateway is not alive, or the
+keying daemon is not functional. For an OE-permissive connection, the initiator makes a transition
+to the clear-text connection but with a low lifespan. For an OE-pessimistic connection,
+the initiator makes a transition to the deny connection again with a low lifespan. The
+lifespan in both
+cases is kept low because the remote gateway may
+be in the process of rebooting or be otherwise temporarily unavailable.
+
+
+The length of time to wait for the remote keying daemon to wake up is
+a matter of some debate. If there is a routing failure, 5 minutes is usually long
+enough for the network to
+re-converge. Many systems can reboot in that amount of
+time as well. However, 5 minutes is far too long for most users to wait to
+hear that they can not connect using OE. Implementations SHOULD make this a
+tunable parameter.
+
+
+The second failure occurs after a phase 1 SA has been created, but there is
+either no response to the phase 2 proposal, or the initiator receives a
+negative notify (the notify must be
+authenticated). The remote gateway is not prepared to do OE at this time.
+As before, the initiator makes a transition to the clear-text or the deny
+connection based upon connection class, but this
+time with a normal lifespan.
+
+
+The third failure occurs when there is signature failure while authenticating
+the remote gateway. This can occur when there has been a
+key roll-over, but DNS has not caught up. In this case again, the initiator makes a
+transition to the clear-text or the deny connection based
+upon the connection class. However, the lifespan depends upon the remaining
+time to live in the DNS. (Note that DNSSEC signed resource records have a different
+expiry time than non-signed records.)
+
+
+
+
+
+
+
+The pending OE connection makes a transition to this state when
+session keying material (the phase 2 SAs) is derived. The initiator creates an encrypt
+policy in the forwarding plane for this flow.
+
+
+There are three ways to exit this state. The first is by receipt of an
+authenticated delete message (via the keying channel) from the peer. This is
+normal teardown and results in a transition to the expired connection state.
+
+
+The second exit is by expiry of the forwarding plane keying material. This
+starts a re-key operation with a transition back to pending OE
+connection. In general, the soft expiry occurs with sufficient time left
+to continue to use the keys. A re-key can fail, which may
+result in the connection failing to clear-text or deny as
+appropriate. In the event of a failure, the forwarding plane
+policy does not change until the phase 2 SA (IPsec SA) reaches its
+hard expiry.
+
+
+The third exit is in response to a negotiation from a remote
+gateway. If the forwarding plane signals the control plane that it has received an
+unknown SPI from the remote gateway, or an ICMP is received from the remote gateway
+indicating an unknown SPI, the initiator should consider that
+the remote gateway has rebooted or restarted. Since these
+indications are easily forged, the implementation must
+exercise care. The initiator should make a cautious
+(rate-limited) attempt to re-key the connection.
+
+
+
+
+
+The initiator will periodically place each of the deny, clear-text, and keyed
+connections into this
+sub-state. See for more details of how often this
+occurs.
+The initiator queries the forwarding plane for last use time of the
+appropriate
+policy. If the last use time is relatively recent, then the connection
+returns to the
+previous deny, clear-text or keyed connection state. If not, then the
+connection enters
+the expired connection state.
+
+
+The DNS query and answer that lead to the expiring connection state are also
+examined. The DNS query may become stale. (A negative, i.e. no such record, answer
+is valid for the period of time given by the MINIMUM field in an attached SOA
+record. See section 4.3.4.)
+If the DNS query is stale, then a new query is made. If the results change, then the connection
+makes a transition to a new state as described in potential OE connection state.
+
+
+Note that when considering how stale a connection is, both outgoing SPD and
+incoming SAD must be queried as some flows may be unidirectional for some time.
+
+
+Also note that the policy at the forwarding plane is not updated unless there
+is a conclusion that there should be a change.
+
+
+
+
+
+Entry to this state occurs when no datagrams have been forwarded recently via the
+appropriate SPD and SAD objects. The objects in the forwarding plane are
+removed (logging any final byte and packet counts if appropriate) and the
+connection instance in the keying plane is deleted.
+
+
+The initiator sends an ISAKMP/IKE delete to clean up the phase 2 SAs as described in
+.
+
+
+Whether or not to delete the phase 1 SAs
+at this time is left as a local implementation issue. Implementations
+that do delete the phase 1 SAs MUST send authenticated delete messages to
+indicate that they are doing so. There is an advantage to keeping
+the phase 1 SAs until they expire - they may prove useful again in the
+near future.
+
+
+
+
+
+
+
+The responder has a set of objects identical to those of the initiator.
+
+
+The responder receives an invitation to create a keying channel from an initiator.
+
+
+
+ log failure
+ | reply |
+ `----+--------+---'
+ phase 2 | \ misformatted
+ proposal | `------------------> log failure
+ V
+ .----------------.
+ | authenticated | identical initiator
+ | OE peer |--------------------> initiator
+ `----------------' connection found state machine
+ |
+ | look for TXT record for initiator
+ |
+ V
+ .---------------.
+ | authorized |---------------------> log failure
+ | OE peer |
+ `---------------'
+ |
+ |
+ V
+ potential OE
+ connection in
+ initiator state
+ machine
+
+
+$Id: draft-richardson-ipsec-opportunistic.xml,v 1.1 2004/03/15 20:35:24 as Exp $
+]]>
+
+
+
+
+Upon entering this state, the responder starts a DNS lookup for a KEY record for the
+initiator.
+The responder looks in the reverse-map for a KEY record for the initiator if the
+initiator has offered an ID_IPV4_ADDR, and in the forward map if the
+initiator has offered an ID_FQDN type. (See section
+4.6.2.1.)
+
+
+The responder exits this state upon successful receipt of a KEY from DNS, and use of the key
+to verify the signature of the initiator.
+
+
+
+
+
+Successful authentication of the peer results in a transition to the
+authenticated OE Peer state.
+
+
+Note that the unauthenticated OE peer state generally occurs in the middle of the key negotiation
+protocol. It is really a form of pseudo-state.
+
+
+
+
+
+The peer will eventually propose one or more phase 2 SAs. The responder uses the source and
+destination address in the proposal to
+finish instantiating the connection state
+using the connection class table.
+The responder MUST search for an identical connection object at this point.
+
+
+If an identical connection is found, then the responder deletes the old instance,
+and the new object makes a transition to the pending OE connection state. This means
+that new ISAKMP connections with a given peer will always use the latest
+instance, which is the correct one if the peer has rebooted in the interim.
+
+
+If an identical connection is not found, then the responder makes the transition according to the
+rules given for the initiator.
+
+
+Note that if the initiator is in OE-paranoid mode and the responder is in
+either always-clear-text or deny, then no communication is possible according
+to policy. An implementation is permitted to create new types of policies
+such as "accept OE but do not initiate it". This is a local matter.
+
+
+
+
+
+
+
+
+A potentially unlimited number of tunnels may exist. In practice, only a few
+tunnels are used during a period of time. Unused tunnels MUST, therefore, be
+torn down. Detecting when tunnels are no longer in use is the subject of this section.
+
+
+
+There are two methods for removing tunnels: explicit deletion or expiry.
+
+
+
+Explicit deletion requires an IKE delete message. As the deletes
+MUST be authenticated, both ends of the tunnel must maintain the
+key channel (phase 1 ISAKMP SA). An implementation which refuses to either maintain or
+recreate the keying channel SA will be unable to use this method.
+
+
+
+The tunnel expiry method simply allows the IKE daemon to
+expire normally without attempting to re-key it.
+
+
+
+Regardless of which method is used to remove tunnels, the implementation MUST
+a method to determine if the tunnel is still in use. The specifics are a
+local matter, but the FreeS/WAN project uses the following criteria. These
+criteria are currently implemented in the key management daemon, but could
+also be implemented at the SPD layer using an idle timer.
+
+
+
+Set a short initial (soft) lifespan of 1 minute since many net flows last
+only a few seconds.
+
+
+
+At the end of the lifespan, check to see if the tunnel was used by
+traffic in either direction during the last 30 seconds. If so, assign a
+longer tentative lifespan of 20 minutes after which, look again. If the
+tunnel is not in use, then close the tunnel.
+
+
+
+The expiring state in the key management
+system (see ) implements these timeouts.
+The timer above may be in the forwarding plane,
+but then it must be re-settable.
+
+
+
+The tentative lifespan is independent of re-keying; it is just the time when
+the tunnel's future is next considered.
+(The term lifespan is used here rather than lifetime for this reason.)
+Unlike re-keying, this tunnel use check is not costly and should happen
+reasonably frequently.
+
+
+
+A multi-step back-off algorithm is not considered worth the effort here.
+
+
+
+If the security gateway and the client host are the
+same and not a Bump-in-the-Stack or Bump-in-the-Wire implementation, tunnel
+teardown decisions MAY pay attention to TCP connection status as reported
+by the local TCP layer. A still-open TCP connection is almost a guarantee that more traffic is
+expected. Closing of the only TCP connection through a tunnel is a
+strong hint that no more traffic is expected.
+
+
+
+
+
+
+
+Teardown should always be coordinated between the two ends of the tunnel by
+interpreting and sending delete notifications. There is a
+detailed sub-state in the expired connection state of the key manager that
+relates to retransmits of the delete notifications, but this is considered to
+be a keying system detail.
+
+
+
+On receiving a delete for the outbound SAs of a tunnel (or some subset of
+them), tear down the inbound ones also and notify the remote end with a
+delete. If the local system receives a delete for a tunnel which is no longer in
+existence, then two delete messages have crossed paths. Ignore the delete.
+The operation has already been completed. Do not generate any messages in this
+situation.
+
+
+Tunnels are to be considered as bidirectional entities, even though the
+low-level protocols don't treat them this way.
+
+
+
+When the deletion is initiated locally, rather than as a
+response to a received delete, send a delete for (all) the
+inbound SAs of a tunnel. If the local system does not receive a responding delete
+for the outbound SAs, try re-sending the original
+delete. Three tries spaced 10 seconds apart seems a reasonable
+level of effort. A failure of the other end to respond after 3 attempts,
+indicates that the possibility of further communication is unlikely. Remove the outgoing SAs.
+(The remote system may be a mobile node that is no longer present or powered on.)
+
+
+
+After re-keying, transmission should switch to using the new
+outgoing SAs (ISAKMP or IPsec) immediately, and the old leftover
+outgoing SAs should be cleared out promptly (delete should be sent
+for the outgoing SAs) rather than waiting for them to expire. This
+reduces clutter and minimizes confusion for the operator doing diagnostics.
+
+
+
+
+
+
+
+
+
+
+
+
+ The IKE wire protocol needs no modifications. The major changes are
+ implementation issues relating to how the proposals are interpreted, and from
+ whom they may come.
+
+
+ As opportunistic encryption is designed to be useful between peers without
+ prior operator configuration, an IKE daemon must be prepared to negotiate
+ phase 1 SAs with any node. This may require a large amount of resources to
+ maintain cookie state, as well as large amounts of entropy for nonces,
+ cookies and so on.
+
+
+ The major changes to support opportunistic encryption are at the IKE daemon
+ level. These changes relate to handling of key acquisition requests, lookup
+ of public keys and TXT records, and interactions with firewalls and other
+ security facilities that may be co-resident on the same gateway.
+
+
+
+
+
+ In a typical configured tunnel, the address of SG-B is provided
+ via configuration. Furthermore, the mapping of an SPD entry to a gateway is
+ typically a 1:1 mapping. When the 0.0.0.0/0 SPD entry technique is used, then
+ the mapping to a gateway is determined by the reverse DNS records.
+
+
+ The need to do a DNS lookup and wait for a reply will typically introduce a
+ new state and a new event source (DNS replies) to IKE. Although a
+synchronous DNS request can be implemented for proof of concept, experience
+is that it can cause very high latencies when a queue of queries must
+all timeout in series.
+
+
+ Use of an asynchronous DNS lookup will also permit overlap of DNS lookups with
+ some of the protocol steps.
+
+
+
+
+
+ SG-A will have to establish its identity. Use an
+ IPv4 ID in phase 1.
+
+ There are many situations where the administrator of SG-A may not be
+ able to control the reverse DNS records for SG-A's public IP address.
+ Typical situations include dialup connections and most residential-type broadband Internet access
+ (ADSL, cable-modem) connections. In these situations, a fully qualified domain
+ name that is under the control of SG-A's administrator may be used
+ when acting as an initiator only.
+ The FQDN ID should be used in phase 1. See
+ for more details and restrictions.
+
+
+
+
+
+ Upon receipt of a phase 1 SA proposal with either an IPv4 (IPv6) ID or
+ an FQDN ID, an IKE daemon needs to examine local caches and
+ configuration files to determine if this is part of a configured tunnel.
+ If no configured tunnels are found, then the implementation should attempt to retrieve
+ a KEY record from the reverse DNS in the case of an IPv4/IPv6 ID, or
+ from the forward DNS in the case of FQDN ID.
+
+
+ It is reasonable that if other non-local sources of policy are used
+ (COPS, LDAP), they be consulted concurrently but some
+ clear ordering of policy be provided. Note that due to variances in
+ latency, implementations must wait for positive or negative replies from all sources
+ of policy before making any decisions.
+
+
+
+
+
+ The implementation described (1.98) neither uses DNSSEC directly to
+ explicitly verify the authenticity of zone information, nor uses the NXT
+ records to provide authentication of the absence of a TXT or KEY
+ record. Rather, this implementation uses a trusted path to a DNSSEC
+ capable caching resolver.
+
+
+ To distinguish between an authenticated and an unauthenticated DNS
+ resource record, a stub resolver capable of returning DNSSEC
+ information MUST be used.
+
+
+
+
+
+
+
+
+
+
+ Main mode MUST be used.
+
+
+ The initiator MUST offer at least one proposal using some combination
+ of: 3DES, HMAC-MD5 or HMAC-SHA1, DH group 2 or 5. Group 5 SHOULD be
+ proposed first.
+
+
+
+ The initiator MAY offer additional proposals, but the cipher MUST not
+ be weaker than 3DES. The initiator SHOULD limit the number of proposals
+ such that the IKE datagrams do not need to be fragmented.
+
+
+ The responder MUST accept one of the proposals. If any configuration
+ of the responder is required then the responder is not acting in an
+ opportunistic way.
+
+
+ The initiator SHOULD use an ID_IPV4_ADDR (ID_IPV6_ADDR for IPv6) of the external
+ interface of the initiator for phase 1. (There is an exception, see .) The authentication method MUST be RSA public key signatures.
+ The RSA key for the initiator SHOULD be placed into a DNS KEY record in
+ the reverse space of the initiator (i.e. using in-addr.arpa or
+ ip6.arpa).
+
+
+
+
+
+ The initiator MUST propose a tunnel between the ultimate
+ sender ("Alice" or "A") and ultimate recipient ("Bob" or "B")
+ using 3DES-CBC
+ mode, MD5 or SHA1 authentication. Perfect Forward Secrecy MUST be specified.
+
+
+ Tunnel mode MUST be used.
+
+
+ Identities MUST be ID_IPV4_ADDR_SUBNET with the mask being /32.
+
+
+ Authorization for the initiator to act on Alice's behalf is determined by
+ looking for a TXT record in the reverse-map at Alice's IP address.
+
+
+ Compression SHOULD NOT be mandatory. It MAY be offered as an option.
+
+
+
+
+
+
+
+
+
+ In order to establish their own identities, security gateways SHOULD publish
+ their public keys in their reverse DNS via
+ DNSSEC's KEY record.
+ See section 3 of RFC 2535.
+
+
+ For example:
+
+
+
+ The flag bits, indicating that this key is prohibited
+ for confidentiality use (it authenticates the peer only, a separate
+ Diffie-Hellman exchange is used for
+ confidentiality), and that this key is associated with the non-zone entity
+ whose name is the RR owner name. No other flags are set.
+ This indicates that this key is for use by IPsec.
+ An RSA key is present.
+ The public key of the host as described in .
+
+
+ Use of several KEY records allows for key rollover. The SIG Payload in
+ IKE phase 1 SHOULD be accepted if the public key given by any KEY RR
+ validates it.
+
+
+
+
+
+If, for example, machine Alice wishes SG-A to act on her behalf, then
+she publishes a TXT record to provide authorization for SG-A to act on
+Alice's behalf. Similarly for Bob and SG-B.
+
+
+
+These records are located in the reverse DNS (in-addr.arpa or ip6.arpa) for their
+respective IP addresses. The reverse DNS SHOULD be secured by DNSSEC.
+DNSSEC is required to defend against active attacks.
+
+
+ If Alice's address is P.Q.R.S, then she can authorize another node to
+ act on her behalf by publishing records at:
+
+
+
+
+ The contents of the resource record are expected to be a string that
+ uses the following syntax, as suggested in RFC1464.
+ (Note that the reply to query may include other TXT resource
+ records used by other applications.)
+
+
+
+
+ where the record is formed by the following fields:
+
+
+ Specifies a precedence for this record. This is
+ similar to MX record preferences. Lower numbers have stronger
+ preference.
+
+
+ Specifies the IP address of the Security Gateway
+ for this client machine.
+
+
+ Is the encoded RSA Public key of the Security
+ Gateway. The key is provided here to avoid a second DNS lookup. If this
+ field is absent, then a KEY resource record should be looked up in the
+ reverse-map of A.B.C.D. The key is transmitted in base64 format.
+
+
+
+
+ The fields of the record MUST be separated by whitespace. This
+ MAY be: space, tab, newline, or carriage return. A space is preferred.
+
+
+
+ In the case where Alice is located at a public address behind a
+ security gateway that has no fixed address (or no control over its
+ reverse-map), then Alice may delegate to a public key by domain name.
+
+
+
+
+
+ Is as above.
+
+
+ Specifies the FQDN that the Security Gateway
+ will identify itself with.
+
+
+ Is the encoded RSA Public key of the Security
+ Gateway.
+
+
+
+ If there is more than one such TXT record with strongest (lowest
+ numbered) precedence, one Security Gateway is picked arbitrarily from
+ those specified in the strongest-preference records.
+
+
+
+
+ When packed into transport format, TXT records which are longer than 255
+ characters are divided into smaller <character-strings>.
+ (See section 3.3 and 3.3.14.) These MUST
+ be reassembled into a single string for processing.
+ Whitespace characters in the base64 encoding are to be ignored.
+
+
+
+
+
+ It has been suggested to use the KEY, OPT, CERT, or KX records
+ instead of a TXT record. None is satisfactory.
+
+ The KEY RR has a protocol field which could be used to indicate a new protocol,
+and an algorithm field which could be used to
+ indicate different contents in the key data. However, the KEY record
+ is clearly not intended for storing what are really authorizations,
+ it is just for identities. Other uses have been discouraged.
+
+ OPT resource records, as defined in are not
+ intended to be used for storage of information. They are not to be loaded,
+ cached or forwarded. They are, therefore, inappropriate for use here.
+
+
+ CERT records can encode almost any set of
+ information. A custom type code could be used permitting any suitable
+ encoding to be stored, not just X.509. According to
+ the RFC, the certificate RRs are to be signed internally which may add undesirable
+and unnecessary bulk. Larger DNS records may require TCP instead of UDP transfers.
+
+
+ At the time of protocol design, the CERT RR was not widely deployed and
+ could not be counted upon. Use of CERT records will be investigated,
+ and may be proposed in a future revision of this document.
+
+
+ KX records are ideally suited for use instead of TXT records, but had not been deployed at
+ the time of implementation.
+
+
+
+
+
+
+
+ Unfortunately, not every administrator has control over the contents
+ of the reverse-map. Where the initiator (SG-A) has no suitable reverse-map, the
+ authorization record present in the reverse-map of Alice may refer to a
+ FQDN instead of an IP address.
+
+
+ In this case, the client's TXT record gives the fully qualified domain
+ name (FQDN) in place of its security gateway's IP address.
+ The initiator should use the ID_FQDN ID-payload in phase 1.
+ A forward lookup for a KEY record on the FQDN must yield the
+ initiator's public key.
+
+
+ This method can also be used when the external address of SG-A is
+ dynamic.
+
+
+ If SG-A is acting on behalf of Alice, then Alice must still delegate
+ authority for SG-A to do so in her reverse-map. When Alice and SG-A
+ are one and the same (i.e. Alice is acting as an end-node) then there
+ is no need for this when initiating only.
+ However, Alice must still delegate to herself if she wishes others to
+ initiate OE to her. See .
+
+ <
+
+
+
+
+Good cryptographic hygiene says that one should replace public/private key pairs
+periodically. Some administrators may wish to do this as often as daily. Typical DNS
+propagation delays are determined by the SOA Resource Record MINIMUM
+parameter, which controls how long DNS replies may be cached. For reasonable
+operation of DNS servers, administrators usually want this value to be at least several
+hours, sometimes as a long as a day. This presents a problem - a new key MUST
+not be used prior to it propagating through DNS.
+
+
+This problem is dealt with by having the Security Gateway generate a new
+public/private key pair at least MINIMUM seconds in advance of using it. It
+then adds this key to the DNS (both as a second KEY record and in additional TXT
+delegation records) at key generation time. Note: only one key is allowed in
+each TXT record.
+
+
+When authenticating, all gateways MUST have available all public keys
+that are found in DNS for this entity. This permits the authenticating end
+to check both the key for "today" and the key for "tomorrow". Note that it is
+the end which is creating the signature (possesses the private key) that
+determines which key is to be used.
+
+
+
+
+
+
+
+
+ There are no fundamentally new issues for implementing opportunistic encryption
+ in the presence of network address translation. Rather there are
+ only the regular IPsec issues with NAT traversal.
+
+
+ There are several situations to consider for NAT.
+
+
+
+ If a security gateway is also performing network address translation on
+ behalf of an end-system, then the packet should be translated prior to
+ being subjected to opportunistic encryption. This is in contrast to
+ typically configured tunnels which often exist to bridge islands of
+ private network address space. The security gateway will use the translated source
+ address for phase 2, and so the responding security gateway will look up that address to
+ confirm SG-A's authorization.
+
+ In the case of NAT (1:1), the address space into which the
+ translation is done MUST be globally unique, and control over the
+ reverse-map is assumed.
+ Placing of TXT records is possible.
+
+ In the case of NAPT (m:1), the address will be the security
+ gateway itself. The ability to get
+ KEY and TXT records in place will again depend upon whether or not
+ there is administrative control over the reverse-map. This is
+ identical to situations involving a single host acting on behalf of
+ itself.
+
+ FQDN style can be used to get around a lack of a reverse-map for
+ initiators only.
+
+
+
+
+
+ If there is a NAT or NAPT between the security gateways, then normal IPsec
+ NAT traversal problems occur. In addition to the transport problem
+ which may be solved by other mechanisms, there is the issue of
+ what phase 1 and phase 2 IDs to use. While FQDN could
+ be used during phase 1 for the security gateway, there is no appropriate ID for phase 2.
+ Due to the NAT, the end systems live in different IP address spaces.
+
+
+
+
+
+ If the end system is behind a NAT (perhaps SG-B), then there is, in fact, no way for
+ another end system to address a packet to this end system.
+ Not only is opportunistic encryption
+ impossible, but it is also impossible for any communication to
+ be initiate to the end system. It may be possible for this end
+ system to initiate in such communication. This creates an asymmetry, but this is common for
+ NAPT.
+
+
+
+
+
+
+ When Alice and SG-A are components of the same system, they are
+ considered to be a host implementation. The packet sequence scenario remains unchanged.
+
+
+ Components marked Alice are the upper layers (TCP, UDP, the
+ application), and SG-A is the IP layer.
+
+
+ Note that tunnel mode is still required.
+
+
+ As Alice and SG-A are acting on behalf of themselves, no TXT based delegation
+ record is necessary for Alice to initiate. She can rely on FQDN in a
+ forward map. This is particularly attractive to mobile nodes such as
+ notebook computers at conferences.
+ To respond, Alice/SG-A will still need an entry in Alice's reverse-map.
+
+
+
+
+
+If there are multiple paths between Alice and Bob (as illustrated in
+the diagram with SG-D), then additional DNS records are required to establish
+authorization.
+
+
+In , Alice has two ways to
+exit her network: SG-A and SG-D. Previously SG-D has been ignored. Postulate
+that there are routers between Alice and her set of security gateways
+(denoted by the + signs and the marking of an autonomous system number for
+Alice's network). Datagrams may, therefore, travel to either SG-A or SG-D en
+route to Bob.
+
+
+As long as all network connections are in good order, it does not matter how
+datagrams exit Alice's network. When they reach either security gateway, the
+security gateway will find the TXT delegation record in Bob's reverse-map,
+and establish an SA with SG-B.
+
+
+SG-B has no problem establishing that either of SG-A or SG-D may speak for
+Alice, because Alice has published two equally weighted TXT delegation records:
+
+
+
+Alice's routers can now do any kind of load sharing needed. Both SG-A and SG-D send datagrams addressed to Bob through
+their tunnel to SG-B.
+
+
+Alice's use of non-equal weight delegation records to show preference of one gateway over another, has relevance only when SG-B
+is initiating to Alice.
+
+
+If the precedences are the same, then SG-B has a more difficult time. It
+must decide which of the two tunnels to use. SG-B has no information about
+which link is less loaded, nor which security gateway has more cryptographic
+resources available. SG-B, in fact, has no knowledge of whether both gateways
+are even reachable.
+
+
+The Public Internet's default-free zone may well know a good route to Alice,
+but the datagrams that SG-B creates must be addressed to either SG-A or SG-D;
+they can not be addressed to Alice directly.
+
+
+SG-B may make a number of choices:
+
+It can ignore the problem and round robin among the tunnels. This
+ causes losses during times when one or the other security gateway is
+ unreachable. If this worries Alice, she can change the weights in her
+ TXT delegation records.
+
+It can send to the gateway from which it most recently received datagrams.
+ This assumes that routing and reachability are symmetrical.
+
+It can listen to BGP information from the Internet to decide which
+ system is currently up. This is clearly much more complicated, but if SG-B is already participating
+ in the BGP peering system to announce Bob, the results data may already
+ be available to it.
+
+It can refuse to negotiate the second tunnel. (It is unclear whether or
+not this is even an option.)
+
+It can silently replace the outgoing portion of the first tunnel with the
+second one while still retaining the incoming portions of both. SG-B can,
+thus, accept datagrams from either SG-A or SG-D, but
+send only to the gateway that most recently re-keyed with it.
+
+
+
+
+Local policy determines which choice SG-B makes. Note that even if SG-B has perfect
+knowledge about the reachability of SG-A and SG-D, Alice may not be reachable
+from either of these security gateways because of internal reachability
+issues.
+
+
+
+FreeS/WAN implements option 5. Implementing a different option is
+being considered. The multi-homing aspects of OE are not well developed and may
+be the subject of a future document.
+
+
+
+
+
+
+
+ If a DNS server fails to respond, local policy decides
+ whether or not to permit communication in the clear as embodied in
+ the connection classes in .
+ It is easy to mount a denial of service attack on the DNS server
+ responsible for a particular network's reverse-map.
+ Such an attack may cause all communication with that network to go in
+ the clear if the policy is permissive, or fail completely
+ if the policy is paranoid. Please note that this is an active attack.
+
+
+ There are still many networks
+ that do not have properly configured reverse-maps. Further, if the policy is not to communicate,
+ the above denial of service attack isolates the target network. Therefore, the decision of whether
+or not to permit communication in the clear MUST be a matter of local policy.
+
+
+
+
+
+ DNS records claim that opportunistic encryption should
+ occur, but the target gateway either does not respond on port 500, or
+ refuses the proposal. This may be because of a crash or reboot, a
+ faulty configuration, or a firewall filtering port 500.
+
+
+ The receipt of ICMP port, host or network unreachable
+ messages indicates a potential problem, but MUST NOT cause communication
+ to fail
+ immediately. ICMP messages are easily forged by attackers. If such a
+ forgery caused immediate failure, then an active attacker could easily
+ prevent any
+ encryption from ever occurring, possibly preventing all communication.
+
+
+ In these situations a clear log should be produced
+ and local policy should dictate if communication is then
+ permitted in the clear.
+
+
+
+
+
+Tunnels sometimes go down because the remote end crashes,
+disconnects, or has a network link break. In general there is no
+notification of this. Even in the event of a crash and successful reboot,
+other SGs don't hear about it unless the rebooted SG has specific
+reason to talk to them immediately. Over-quick response to temporary
+network outages is undesirable. Note that a tunnel can be torn
+down and then re-established without any effect visible to the user
+except a pause in traffic. On the other hand, if one end reboots,
+the other end can't get datagrams to it at all (except via
+IKE) until the situation is noticed. So a bias toward quick
+response is appropriate even at the cost of occasional
+false alarms.
+
+
+
+A mechanism for recovery after reboot is a topic of current research and is not specified in this
+document.
+
+
+
+A deliberate shutdown should include an attempt, using deletes, to notify all other SGs
+currently connected by phase 1 SAs that communication is
+about to fail. Again, a remote SG will assume this is a teardown. Attempts by the
+remote SGs to negotiate new tunnels as replacements should be ignored. When possible,
+SGs should attempt to preserve information about currently-connected SGs in non-volatile storage, so
+that after a crash, an Initial-Contact can be sent to previous partners to
+indicate loss of all previously established connections.
+
+
+
+
+
+
+
+
+
+
+ The method of obtaining information by reverse DNS lookup causes
+ problems for people who cannot control their reverse DNS
+ bindings. This is an unresolved problem in this version, and is out
+ of scope.
+
+
+
+
+
+
+
+
+
+Two example scenarios follow. In the first example GW-A
+(Gateway A) and GW-B (Gateway B) have always-clear-text policies, and in the second example they have an OE
+policy. The clear-text policy serves as a reference for what occurs in
+TCP/IP in the absence of Opportunistic Encryption.
+
+
+Alice wants to communicate with Bob. Perhaps she wants to retrieve a
+web page from Bob's web server. In the absence of opportunistic
+encryptors, the following events occur:
+
+
+
+
+
+
+
+
+
+
+In the presence of properly configured opportunistic encryptors, the
+event list is extended. Only changes are annotated.
+
+
+The following symbols are used in the time-sequence diagram
+
+
+
+ A single dash represents clear-text datagrams.
+ An equals sign represents phase 2 (IPsec) cipher-text
+ datagrams.
+ A single tilde represents clear-text phase 1 datagrams.
+ A hash sign represents phase 1 (IKE) cipher-text
+ datagrams.
+
+
+
+
+
+
+
+
+
+ For the purposes of this section, we will describe only the changes that
+ occur between and
+ . This corresponds to time points 5, 6, 7, 9 and 10 on the list above.
+
+
+
+
+ At point (5), SG-A intercepts the datagram because this source/destination pair lacks a policy
+(the non-existent policy state). SG-A creates a hold policy, and buffers the datagram. SG-A requests keys from the keying daemon.
+
+
+
+ SG-A's IKE daemon, having looked up the source/destination pair in the connection
+ class list, creates a new Potential OE connection instance. SG-A starts DNS
+ queries.
+
+
+
+
+
+
+ DNS returns properly formed TXT delegation records, and SG-A's IKE daemon
+ causes this instance to make a transition from Potential OE connection to Pending OE
+ connection.
+
+
+
+ Using the example above, the returned record might contain:
+
+
+ with SG-B's IP address and public key listed.
+
+
+
+
+
+ Upon entering Pending OE connection, SG-A sends the initial ISAKMP
+ message with proposals. See .
+
+
+
+
+
+ SG-B receives the message. A new connection instance is created in the
+ unauthenticated OE peer state.
+
+
+
+
+
+ SG-A sends a Diffie-Hellman exponent. This is an internal state of the
+ keying daemon.
+
+
+
+
+
+ SG-B responds with a Diffie-Hellman exponent. This is an internal state of the
+ keying protocol.
+
+
+
+
+
+ SG-A uses the phase 1 SA to send its identity under encryption.
+ The choice of identity is discussed in .
+ This is an internal state of the keying protocol.
+
+
+
+
+
+ SG-B asks DNS for the public key of the initiator.
+ DNS looks for a KEY record by IP address in the reverse-map.
+ That is, a KEY resource record is queried for 4.1.1.192.in-addr.arpa
+ (recall that SG-A's external address is 192.1.1.4).
+ SG-B uses the resulting public key to authenticate the initiator. See for further details.
+
+
+
+
+
+Upon successfully authenticating the peer, the connection instance makes a
+transition to authenticated OE peer on SG-B.
+
+
+The format of the TXT record returned is described in
+.
+
+
+
+
+
+ SG-B sends its ID along with authentication material. This is an internal
+ state for the keying protocol.
+
+
+
+
+
+
+ Having established mutually agreeable authentications (via KEY) and
+ authorizations (via TXT), SG-A proposes to create an IPsec tunnel for
+ datagrams transiting from Alice to Bob. This tunnel is established only for
+ the Alice/Bob combination, not for any subnets that may be behind SG-A and SG-B.
+
+
+
+
+
+ While the identity of SG-A has been established, its authority to
+ speak for Alice has not yet been confirmed. SG-B does a reverse
+ lookup on Alice's address for a TXT record.
+
+ Upon receiving this specific proposal, SG-B's connection instance
+ makes a transition into the potential OE connection state. SG-B may already have an
+ instance, and the check is made as described above.
+
+
+
+
+ The returned key and IP address should match that of SG-A.
+
+
+
+
+
+ Should additional communication occur between, for instance, Dave and Bob using
+ SG-A and SG-B, a new tunnel (phase 2 SA) would be established. The phase 1 SA
+ may be reusable.
+
+ SG-A, having successfully keyed the tunnel, now makes a transition from
+ Pending OE connection to Keyed OE connection.
+
+ The responder MUST setup the inbound IPsec SAs before sending its reply.
+
+
+
+
+ The initiator agrees with the responder's choice and sets up the tunnel.
+ The initiator sets up the inbound and outbound IPsec SAs.
+
+
+ The proper authorization returned with keys prompts SG-B to make a transition
+ to the keyed OE connection state.
+
+ Upon receipt of this message, the responder may now setup the outbound
+ IPsec SAs.
+
+
+
+
+
+ SG-A sends the datagram saved at step (5) through the newly created
+ tunnel to SG-B, where it gets decrypted and forwarded.
+ Bob receives it at (7) and replies at (8).
+
+
+
+
+
+ At (9), SG-B has already established an SPD entry mapping Bob->Alice via a
+ tunnel, so this tunnel is simply applied. The datagram is encrypted to SG-A,
+ decrypted by SG-A and passed to Alice at (10).
+
+
+
+
+
+
+
+
+
+
+
+ Configured tunnels are those which are setup using bilateral mechanisms: exchanging
+public keys (raw RSA, DSA, PKIX), pre-shared secrets, or by referencing keys that
+are in known places (distinguished name from LDAP, DNS). These keys are then used to
+configure a specific tunnel.
+
+
+A pre-configured tunnel may be on all the time, or may be keyed only when needed.
+The end points of the tunnel are not necessarily static: many mobile
+applications (road warrior) are considered to be configured tunnels.
+
+
+The primary characteristic is that configured tunnels are assigned specific
+security properties. They may be trusted in different ways relating to exceptions to
+firewall rules, exceptions to NAT processing, and to bandwidth or other quality of service restrictions.
+
+
+Opportunistic tunnels are not inherently trusted in any strong way. They are
+created without prior arrangement. As the two parties are strangers, there
+MUST be no confusion of datagrams that arrive from opportunistic peers and
+those that arrive from configured tunnels. A security gateway MUST take care
+that an opportunistic peer can not impersonate a configured peer.
+
+
+Ingress filtering MUST be used to make sure that only datagrams authorized by
+negotiation (and the concomitant authentication and authorization) are
+accepted from a tunnel. This is to prevent one peer from impersonating another.
+
+
+An implementation suggestion is to treat opportunistic tunnel
+datagrams as if they arrive on a logical interface distinct from other
+configured tunnels. As the number of opportunistic tunnels that may be
+created automatically on a system is potentially very high, careful attention
+to scaling should be taken into account.
+
+
+As with any IKE negotiation, opportunistic encryption cannot be secure
+without authentication. Opportunistic encryption relies on DNS for its
+authentication information and, therefore, cannot be fully secure without
+a secure DNS. Without secure DNS, opportunistic encryption can protect against passive
+eavesdropping but not against active man-in-the-middle attacks.
+
+
+
+
+
+ Typical usage of per datagram access control lists is to implement various
+kinds of security gateways. These are typically called "firewalls".
+
+
+ Typical usage of a virtual private network (VPN) within a firewall is to
+bypass all or part of the access controls between two networks. Additional
+trust (as outlined in the previous section) is given to datagrams that arrive
+in the VPN.
+
+
+ Datagrams that arrive via opportunistically configured tunnels MUST not be
+trusted. Any security policy that would apply to a datagram arriving in the
+clear SHOULD also be applied to datagrams arriving opportunistically.
+
+
+
+
+
+ There are several different forms of denial of service that an implementor
+ should concern themselves with. Most of these problems are shared with
+ security gateways that have large numbers of mobile peers (road warriors).
+
+
+ The design of ISAKMP/IKE, and its use of cookies, defend against many kinds
+ of denial of service. Opportunism changes the assumption that if the phase 1 (ISAKMP)
+ SA is authenticated, that it was worthwhile creating. Because the gateway will communicate with any machine, it is
+ possible to form phase 1 SAs with any machine on the Internet.
+
+
+
+
+
+
+
+ There are no known numbers which IANA will need to manage.
+
+
+
+
+
+ Substantive portions of this document are based upon previous work by
+ Henry Spencer.
+
+
+ Thanks to Tero Kivinen, Sandy Harris, Wes Hardarker, Robert Moskowitz,
+ Jakob Schlyter, Bill Sommerfeld, John Gilmore and John Denker for their
+ comments and constructive criticism.
+
+
+ Sandra Hoffman and Bill Dickie did the detailed proof reading and editing.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+