From eed3bb6c48563b865be5560448577e7cfe4ce443 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Wed, 23 Aug 2006 20:25:09 +0000 Subject: - Updated to new upstream version. --- CHANGES | 16 +- Makefile.ver | 2 +- debian/changelog | 6 + doc/draft-richardson-ipsec-opportunistic.txt | 2688 ++++++++++++++++++++ doc/draft-richardson-ipsec-rr.txt | 840 ++++++ doc/draft-spencer-ipsec-ike-implementation.nr | 1203 +++++++++ doc/draft-spencer-ipsec-ike-implementation.txt | 1232 +++++++++ doc/src/draft-richardson-ipsec-opportunistic.html | 2456 ++++++++++++++++++ doc/src/draft-richardson-ipsec-opportunistic.xml | 2519 ++++++++++++++++++ doc/src/draft-richardson-ipsec-rr.html | 659 +++++ doc/src/draft-richardson-ipsec-rr.xml | 560 ++++ lib/libfreeswan/Makefile | 6 +- programs/Makefile.program | 4 + programs/pluto/Makefile | 6 +- programs/pluto/alg_info.c | 10 +- programs/pluto/connections.c | 11 +- programs/pluto/keys.c | 10 +- programs/pluto/vendor.c | 6 +- programs/pluto/vendor.h | 4 +- testing/INSTALL | 6 +- testing/testing.conf | 6 +- testing/tests/alg-sha-equals-sha1/description.txt | 5 + testing/tests/alg-sha-equals-sha1/evaltest.dat | 9 + .../alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf | 26 + .../alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf | 26 + testing/tests/alg-sha-equals-sha1/posttest.dat | 2 + testing/tests/alg-sha-equals-sha1/pretest.dat | 5 + testing/tests/alg-sha-equals-sha1/test.conf | 22 + 28 files changed, 12315 insertions(+), 30 deletions(-) create mode 100644 doc/draft-richardson-ipsec-opportunistic.txt create mode 100644 doc/draft-richardson-ipsec-rr.txt create mode 100644 doc/draft-spencer-ipsec-ike-implementation.nr create mode 100644 doc/draft-spencer-ipsec-ike-implementation.txt create mode 100644 doc/src/draft-richardson-ipsec-opportunistic.html create mode 100644 doc/src/draft-richardson-ipsec-opportunistic.xml create mode 100644 doc/src/draft-richardson-ipsec-rr.html create mode 100644 doc/src/draft-richardson-ipsec-rr.xml create mode 100644 testing/tests/alg-sha-equals-sha1/description.txt create mode 100644 testing/tests/alg-sha-equals-sha1/evaltest.dat create mode 100755 testing/tests/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/alg-sha-equals-sha1/posttest.dat create mode 100644 testing/tests/alg-sha-equals-sha1/pretest.dat create mode 100644 testing/tests/alg-sha-equals-sha1/test.conf diff --git a/CHANGES b/CHANGES index 4feaa188d..3d92f229a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,15 @@ +strongswan-2.7.3 +---------------- + +- "sha" and "sha1" are now treated as synonyms in the ike= and esp= + algorithm configuration statements. + +- Fixed possible segmentation faults in the eroute, klipsdebug, and + other KLIPS-related auxiliary functions by making the USE_NAT_TRAVERSAL + compile-time condition defined in Makefile.inc known in + programs/Makefile.program. + + strongswan-2.7.2 ---------------- @@ -9,8 +21,8 @@ strongswan-2.7.2 the state pointer before logging current state information, causing an immediate crash of the pluto keying daemon due to a NULL pointer. - We strongly recommend to update to the 2.7.2 released which fixes this - vulnerability to malformed proposal payload that could otherwise be + We strongly recommend to update to the 2.7.2 release which fixes this + vulnerability to malformed proposal payloads that could otherwise be exploited by Denial-of-Service attacks. diff --git a/Makefile.ver b/Makefile.ver index 252fc3bf4..b8f0d8ffd 100644 --- a/Makefile.ver +++ b/Makefile.ver @@ -1 +1 @@ -IPSECVERSION=2.7.2 +IPSECVERSION=2.7.3 diff --git a/debian/changelog b/debian/changelog index 1fae5162d..f27c56fd1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +strongswan (2.7.3-1) UNRELEASED; urgency=low + + * (NOT RELEASED YET) New upstream release + + -- Rene Mayrhofer Wed, 23 Aug 2006 21:23:36 +0100 + strongswan (2.7.2+dfsg-1) unstable; urgency=low * First upload to the main Debian archive. This does no longer build diff --git a/doc/draft-richardson-ipsec-opportunistic.txt b/doc/draft-richardson-ipsec-opportunistic.txt new file mode 100644 index 000000000..4c87d857a --- /dev/null +++ b/doc/draft-richardson-ipsec-opportunistic.txt @@ -0,0 +1,2688 @@ + + +Independent submission M. Richardson +Internet-Draft SSW +Expires: November 19, 2003 D. Redelmeier + Mimosa + May 21, 2003 + + + Opportunistic Encryption using The Internet Key Exchange (IKE) + draft-richardson-ipsec-opportunistic-11.txt + +Status of this Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at http:// + www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on November 19, 2003. + +Copyright Notice + + Copyright (C) The Internet Society (2003). All Rights Reserved. + +Abstract + + This document describes opportunistic encryption (OE) using the + Internet Key Exchange (IKE) and IPsec. Each system administrator + adds new resource records to his or her Domain Name System (DNS) to + support opportunistic encryption. The objective is to allow + encryption for secure communication without any pre-arrangement + specific to the pair of systems involved. + + DNS is used to distribute the public keys of each system involved. + This is resistant to passive attacks. The use of DNS Security + (DNSSEC) secures this system against active attackers as well. + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 1] + +Internet-Draft opportunistic May 2003 + + + As a result, the administrative overhead is reduced from the square + of the number of systems to a linear dependence, and it becomes + possible to make secure communication the default even when the + partner is not known in advance. + + This document is offered up as an Informational RFC. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 3. Specification . . . . . . . . . . . . . . . . . . . . . . . . 10 + 4. Impacts on IKE . . . . . . . . . . . . . . . . . . . . . . . . 21 + 5. DNS issues . . . . . . . . . . . . . . . . . . . . . . . . . . 24 + 6. Network address translation interaction . . . . . . . . . . . 28 + 7. Host implementations . . . . . . . . . . . . . . . . . . . . . 29 + 8. Multi-homing . . . . . . . . . . . . . . . . . . . . . . . . . 30 + 9. Failure modes . . . . . . . . . . . . . . . . . . . . . . . . 32 + 10. Unresolved issues . . . . . . . . . . . . . . . . . . . . . . 34 + 11. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 + 12. Security considerations . . . . . . . . . . . . . . . . . . . 42 + 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 + 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 45 + Normative references . . . . . . . . . . . . . . . . . . . . . 46 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 47 + Full Copyright Statement . . . . . . . . . . . . . . . . . . . 48 + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 2] + +Internet-Draft opportunistic May 2003 + + +1. Introduction + +1.1 Motivation + + The objective of opportunistic encryption is to allow encryption + without any pre-arrangement specific to the pair of systems involved. + Each system administrator adds public key information to DNS records + to support opportunistic encryption and then enables this feature in + the nodes' IPsec stack. Once this is done, any two such nodes can + communicate securely. + + This document describes opportunistic encryption as designed and + mostly implemented by the Linux FreeS/WAN project. For project + information, see http://www.freeswan.org. + + The Internet Architecture Board (IAB) and Internet Engineering + Steering Group (IESG) have taken a strong stand that the Internet + should use powerful encryption to provide security and privacy [4]. + The Linux FreeS/WAN project attempts to provide a practical means to + implement this policy. + + The project uses the IPsec, ISAKMP/IKE, DNS and DNSSEC protocols + because they are standardized, widely available and can often be + deployed very easily without changing hardware or software or + retraining users. + + The extensions to support opportunistic encryption are simple. No + changes to any on-the-wire formats are needed. The only changes are + to the policy decision making system. This means that opportunistic + encryption can be implemented with very minimal changes to an + existing IPsec implementation. + + Opportunistic encryption creates a "fax effect". The proliferation + of the fax machine was possible because it did not require that + everyone buy one overnight. Instead, as each person installed one, + the value of having one increased - as there were more people that + could receive faxes. Once opportunistic encryption is installed it + automatically recognizes other boxes using opportunistic encryption, + without any further configuration by the network administrator. So, + as opportunistic encryption software is installed on more boxes, its + value as a tool increases. + + This document describes the infrastructure to permit deployment of + Opportunistic Encryption. + + The term S/WAN is a trademark of RSA Data Systems, and is used with + permission by this project. + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 3] + +Internet-Draft opportunistic May 2003 + + +1.2 Types of network traffic + + To aid in understanding the relationship between security processing + and IPsec we divide network traffic into four categories: + + * Deny: networks to which traffic is always forbidden. + + * Permit: networks to which traffic in the clear is permitted. + + * Opportunistic tunnel: networks to which traffic is encrypted if + possible, but otherwise is in the clear or fails depending on the + default policy in place. + + * Configured tunnel: networks to which traffic must be encrypted, and + traffic in the clear is never permitted. + + Traditional firewall devices handle the first two categories. No + authentication is required. The permit policy is currently the + default on the Internet. + + This document describes the third category - opportunistic tunnel, + which is proposed as the new default for the Internet. + + Category four, encrypt traffic or drop it, requires authentication of + the end points. As the number of end points is typically bounded and + is typically under a single authority, arranging for distribution of + authentication material, while difficult, does not require any new + technology. The mechanism described here provides an additional way + to distribute the authentication materials, that of a public key + method that does not require deployment of an X.509 based + infrastructure. + + Current Virtual Private Networks can often be replaced by an "OE + paranoid" policy as described herein. + +1.3 Peer authentication in opportunistic encryption + + Opportunistic encryption creates tunnels between nodes that are + essentially strangers. This is done without any prior bilateral + arrangement. There is, therefore, the difficult question of how one + knows to whom one is talking. + + One possible answer is that since no useful authentication can be + done, none should be tried. This mode of operation is named + "anonymous encryption". An active man-in-the-middle attack can be + used to thwart the privacy of this type of communication. Without + peer authentication, there is no way to prevent this kind of attack. + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 4] + +Internet-Draft opportunistic May 2003 + + + Although a useful mode, anonymous encryption is not the goal of this + project. Simpler methods are available that can achieve anonymous + encryption only, but authentication of the peer is a desireable goal. + The latter is achieved through key distribution in DNS, leveraging + upon the authentication of the DNS in DNSSEC. + + Peers are, therefore, authenticated with DNSSEC when available. + Local policy determines how much trust to extend when DNSSEC is not + available. + + However, an essential premise of building private connections with + strangers is that datagrams received through opportunistic tunnels + are no more special than datagrams that arrive in the clear. Unlike + in a VPN, these datagrams should not be given any special exceptions + when it comes to auditing, further authentication or firewalling. + + When initiating outbound opportunistic encryption, local + configuration determines what happens if tunnel setup fails. It may + be that the packet goes out in the clear, or it may be dropped. + +1.4 Use of RFC2119 terms + + The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, + SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this + document, are to be interpreted as described in [5] + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 5] + +Internet-Draft opportunistic May 2003 + + +2. Overview + +2.1 Reference diagram + + --------------------------------------------------------------------- + + The following network diagram is used in the rest of this document as + the canonical diagram: + + [Q] [R] + . . AS2 + [A]----+----[SG-A].......+....+.......[SG-B]-------[B] + | ...... + AS1 | ..PI.. + | ...... + [D]----+----[SG-D].......+....+.......[C] AS3 + + + + Figure 1: Reference Network Diagram + + --------------------------------------------------------------------- + + In this diagram, there are four end-nodes: A, B, C and D. There are + three gateways, SG-A, SG-B, SG-D. A, D, SG-A and SG-D are part of + the same administrative authority, AS1. SG-A and SG-D are on two + different exit paths from organization 1. SG-B/B is an independent + organization, AS2. Nodes Q and R are nodes on the Internet. PI is + the Public Internet ("The Wild"). + +2.2 Terminology + + The following terminology is used in this document: + + Security gateway: a system that performs IPsec tunnel mode + encapsulation/decapsulation. [SG-x] in the diagram. + + Alice: node [A] in the diagram. When an IP address is needed, this + is 192.1.0.65. + + Bob: node [B] in the diagram. When an IP address is needed, this is + 192.2.0.66. + + Carol: node [C] in the diagram. When an IP address is needed, this + is 192.1.1.67. + + Dave: node [D] in the diagram. When an IP address is needed, this is + 192.3.0.68. + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 6] + +Internet-Draft opportunistic May 2003 + + + SG-A: Alice's security gateway. Internally it is 192.1.0.1, + externally it is 192.1.1.4. + + SG-B: Bob's security gateway. Internally it is 192.2.0.1, externally + it is 192.1.1.5. + + SG-D: Dave's security gateway. Also Alice's backup security gateway. + Internally it is 192.3.0.1, externally it is 192.1.1.6. + + - A single dash represents clear-text datagrams. + + = An equals sign represents phase 2 (IPsec) cipher-text datagrams. + + ~ A single tilde represents clear-text phase 1 datagrams. + + # A hash sign represents phase 1 (IKE) cipher-text datagrams. + + . A period represents an untrusted network of unknown type. + + Configured tunnel: a tunnel that is directly and deliberately hand + configured on participating gateways. Configured tunnels are + typically given a higher level of trust than opportunistic + tunnels. + + Road warrior tunnel: a configured tunnel connecting one node with a + fixed IP address and one node with a variable IP address. A road + warrior (RW) connection must be initiated by the variable node, + since the fixed node cannot know the current address for the road + warrior. + + Anonymous encryption: the process of encrypting a session without any + knowledge of who the other parties are. No authentication of + identities is done. + + Opportunistic encryption: the process of encrypting a session with + authenticated knowledge of who the other parties are. + + Lifetime: the period in seconds (bytes or datagrams) for which a + security association will remain alive before needing to be re- + keyed. + + Lifespan: the effective time for which a security association remains + useful. A security association with a lifespan shorter than its + lifetime would be removed when no longer needed. A security + association with a lifespan longer than its lifetime would need to + be re-keyed one or more times. + + Phase 1 SA: an ISAKMP/IKE security association sometimes referred to + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 7] + +Internet-Draft opportunistic May 2003 + + + as a keying channel. + + Phase 2 SA: an IPsec security association. + + Tunnel: another term for a set of phase 2 SA (one in each direction). + + NAT: Network Address Translation (see [20]). + + NAPT: Network Address and Port Translation (see [20]). + + AS: an autonomous system (AS) is a group of systems (a network) that + are under the administrative control of a single organization. + + Default-free zone: a set of routers that maintain a complete set of + routes to all currently reachable destinations. Having such a + list, these routers never make use of a default route. A datagram + with a destination address not matching any route will be dropped + by such a router. + + +2.3 Model of operation + + The opportunistic encryption security gateway (OE gateway) is a + regular gateway node as described in [2] section 2.4 and [3] with the + additional capabilities described here and in [7]. The algorithm + described here provides a way to determine, for each datagram, + whether or not to encrypt and tunnel the datagram. Two important + things that must be determined are whether or not to encrypt and + tunnel and, if so, the destination address or name of the tunnel end + point which should be used. + +2.3.1 Tunnel authorization + + The OE gateway determines whether or not to create a tunnel based on + the destination address of each packet. Upon receiving a packet with + a destination address not recently seen, the OE gateway performs a + lookup in DNS for an authorization resource record (see Section 5.2). + The record is located using the IP address to perform a search in the + in-addr.arpa (IPv4) or ip6.arpa (IPv6) maps. If an authorization + record is found, the OE gateway interprets this as a request for a + tunnel to be formed. + +2.3.2 Tunnel end-point discovery + + The authorization resource record also provides the address or name + of the tunnel end point which should be used. + + The record may also provide the public RSA key of the tunnel end + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 8] + +Internet-Draft opportunistic May 2003 + + + point itself. This is provided for efficiency only. If the public + RSA key is not present, the OE gateway performs a second lookup to + find a KEY resource record for the end point address or name. + + Origin and integrity protection of the resource records is provided + by DNSSEC ([16]). Section 3.2.4.1 documents an optional restriction + on the tunnel end point if DNSSEC signatures are not available for + the relevant records. + +2.3.3 Caching of authorization results + + The OE gateway maintains a cache, in the forwarding plane, of source/ + destination pairs for which opportunistic encryption has been + attempted. This cache maintains a record of whether or not OE was + successful so that subsequent datagrams can be forwarded properly + without additional delay. + + Successful negotiation of OE instantiates a new security association. + Failure to negotiate OE results in creation of a forwarding policy + entry either to drop or transmit in the clear future datagrams. This + negative cache is necessary to avoid the possibly lengthy process of + repeatedly looking up the same information. + + The cache is timed out periodically, as described in Section 3.4. + This removes entries that are no longer being used and permits the + discovery of changes in authorization policy. + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 9] + +Internet-Draft opportunistic May 2003 + + +3. Specification + + The OE gateway is modeled to have a forwarding plane and a control + plane. A control channel, such as PF_KEY, connects the two planes. + (See [6].) The forwarding plane performs per datagram operations. + The control plane contains a keying daemon, such as ISAKMP/IKE, and + performs all authorization, peer authentication and key derivation + functions. + +3.1 Datagram state machine + + Let the OE gateway maintain a collection of objects -- a superset of + the security policy database (SPD) specified in [7]. For each + combination of source and destination address, an SPD object exists + in one of five following states. Prior to forwarding each datagram, + the responder uses the source and destination addresses to pick an + entry from the SPD. The SPD then determines if and how the packet is + forwarded. + +3.1.1 Non-existent policy + + If the responder does not find an entry, then this policy applies. + The responder creates an entry with an initial state of "hold policy" + and requests keying material from the keying daemon. The responder + does not forward the datagram, rather it attaches the datagram to the + SPD entry as the "first" datagram and retains it for eventual + transmission in a new state. + +3.1.2 Hold policy + + The responder requests keying material. If the interface to the + keying system is lossy (PF_KEY, for instance, can be), the + implementation SHOULD include a mechanism to retransmit the keying + request at a rate limited to less than 1 request per second. The + responder does not forward the datagram. It attaches the datagram to + the SPD entry as the "last" datagram where it is retained for + eventual transmission. If there is a datagram already so stored, + then that already stored datagram is discarded. + + Because the "first" datagram is probably a TCP SYN packet, the + responder retains the "first" datagram in an attempt to avoid waiting + for a TCP retransmit. The responder retains the "last" datagram in + deference to streaming protocols that find it useful to know how much + data has been lost. These are recommendations to decrease latency. + There are no operational requirements for this. + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 10] + +Internet-Draft opportunistic May 2003 + + +3.1.3 Pass-through policy + + The responder forwards the datagram using the normal forwarding + table. The responder enters this state only by command from the + keying daemon, and upon entering this state, also forwards the + "first" and "last" datagrams. + +3.1.4 Deny policy + + The responder discards the datagram. The responder enters this state + only by command from the keying daemon, and upon entering this state, + discards the "first" and "last" datagrams. Local administration + decides if further datagrams cause ICMP messages to be generated + (i.e. ICMP Destination Unreachable, Communication Administratively + Prohibited. type=3, code=13). + +3.1.5 Encrypt policy + + The responder encrypts the datagram using the indicated security + association database (SAD) entry. The responder enters this state + only by command from the keying daemon, and upon entering this state, + releases and forwards the "first" and "last" datagrams using the new + encrypt policy. + + If the associated SAD entry expires because of byte, packet or time + limits, then the entry returns to the Hold policy, and an expire + message is sent to the keying daemon. + + All states may be created directly by the keying daemon while acting + as a responder. + +3.2 Keying state machine - initiator + + Let the keying daemon maintain a collection of objects. Let them be + called "connections" or "conn"s. There are two categories of + connection objects: classes and instances. A class represents an + abstract policy - what could be. An instance represents an actual + connection - what is implemented at the time. + + Let there be two further subtypes of connections: keying channels + (Phase 1 SAs) and data channels (Phase 2 SAs). Each data channel + object may have a corresponding SPD and SAD entry maintained by the + datagram state machine. + + For the purposes of opportunistic encryption, there MUST, at least, + be connection classes known as "deny", "always-clear-text", "OE- + permissive", and "OE-paranoid". The latter two connection classes + define a set of source and/or destination addresses for which + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 11] + +Internet-Draft opportunistic May 2003 + + + opportunistic encryption will be attempted. The administrator MAY + set policy options in a number of additional places. An + implementation MAY create additional connection classes to further + refine these policies. + + The simplest system may need only the "OE-permissive" connection, and + would list its own (single) IP address as the source address of this + policy and the wild-card address 0.0.0.0/0 as the destination IPv4 + address. That is, the simplest policy is to try opportunistic + encryption with all destinations. + + The distinction between permissive and paranoid OE use will become + clear in the state transition differences. In general a permissive + OE will, on failure, install a pass-through policy, while a paranoid + OE will, on failure, install a drop policy. + + In this description of the keying machine's state transitions, the + states associated with the keying system itself are omitted because + they are best documented in the keying system ([8], [9] and [10] for + ISAKMP/IKE), and the details are keying system specific. + Opportunistic encryption is not dependent upon any specific keying + protocol, but this document does provide requirements for those using + ISAKMP/IKE to assure that implementations inter-operate. + + The state transitions that may be involved in communicating with the + forwarding plane are omitted. PF_KEY and similar protocols have + their own set of states required for message sends and completion + notifications. + + Finally, the retransmits and recursive lookups that are normal for + DNS are not included in this description of the state machine. + +3.2.1 Nonexistent connection + + There is no connection instance for a given source/destination + address pair. Upon receipt of a request for keying material for this + source/destination pair, the initiator searches through the + connection classes to determine the most appropriate policy. Upon + determining an appropriate connection class, an instance object is + created of that type. Both of the OE types result in a potential OE + connection. + + Failure to find an appropriate connection class results in an + administrator defined default. + + In each case, when the initiator finds an appropriate class for the + new flow, an instance connection is made of the class which matched. + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 12] + +Internet-Draft opportunistic May 2003 + + +3.2.2 Clear-text connection + + The non-existent connection makes a transition to this state when an + always-clear-text class is instantiated, or when an OE-permissive + connection fails. During the transition, the initiator creates a + pass-through policy object in the forwarding plane for the + appropriate flow. + + Timing out is the only way to leave this state (see Section 3.2.7). + +3.2.3 Deny connection + + The empty connection makes a transition to this state when a deny + class is instantiated, or when an OE-paranoid connection fails. + During the transition, the initiator creates a deny policy object in + the forwarding plane for the appropriate flow. + + Timing out is the only way to leave this state (see Section 3.2.7). + +3.2.4 Potential OE connection + + The empty connection makes a transition to this state when one of + either OE class is instantiated. During the transition to this + state, the initiator creates a hold policy object in the forwarding + plane for the appropriate flow. + + In addition, when making a transition into this state, DNS lookup is + done in the reverse-map for a TXT delegation resource record (see + Section 5.2). The lookup key is the destination address of the flow. + + There are three ways to exit this state: + + 1. DNS lookup finds a TXT delegation resource record. + + 2. DNS lookup does not find a TXT delegation resource record. + + 3. DNS lookup times out. + + Based upon the results of the DNS lookup, the potential OE connection + makes a transition to the pending OE connection state. The + conditions for a successful DNS look are: + + 1. DNS finds an appropriate resource record + + 2. It is properly formatted according to Section 5.2 + + 3. if DNSSEC is enabled, then the signature has been vouched for. + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 13] + +Internet-Draft opportunistic May 2003 + + + Note that if the initiator does not find the public key present in + the TXT delegation record, then the public key must be looked up as a + sub-state. Only successful completion of all the DNS lookups is + considered a success. + + If DNS lookup does not find a resource record or DNS times out, then + the initiator considers the receiver not OE capable. If this is an + OE-paranoid instance, then the potential OE connection makes a + transition to the deny connection state. If this is an OE-permissive + instance, then the potential OE connection makes a transition to the + clear-text connection state. + + If the initiator finds a resource record but it is not properly + formatted, or if DNSSEC is enabled and reports a failure to + authenticate, then the potential OE connection should make a + transition to the deny connection state. This action SHOULD be + logged. If the administrator wishes to override this transition + between states, then an always-clear class can be installed for this + flow. An implementation MAY make this situation a new class. + +3.2.4.1 Restriction on unauthenticated TXT delegation records + + An implementation SHOULD also provide an additional administrative + control on delegation records and DNSSEC. This control would apply + to delegation records (the TXT records in the reverse-map) that are + not protected by DNSSEC. Records of this type are only permitted to + delegate to their own address as a gateway. When this option is + enabled, an active attack on DNS will be unable to redirect packets + to other than the original destination. + +3.2.5 Pending OE connection + + The potential OE connection makes a transition to this state when the + initiator determines that all the information required from the DNS + lookup is present. Upon entering this state, the initiator attempts + to initiate keying to the gateway provided. + + Exit from this state occurs either with a successfully created IPsec + SA, or with a failure of some kind. Successful SA creation results + in a transition to the key connection state. + + Three failures have caused significant problems. They are clearly + not the only possible failures from keying. + + Note that if there are multiple gateways available in the TXT + delegation records, then a failure can only be declared after all + have been tried. Further, creation of a phase 1 SA does not + constitute success. A set of phase 2 SAs (a tunnel) is considered + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 14] + +Internet-Draft opportunistic May 2003 + + + success. + + The first failure occurs when an ICMP port unreachable is + consistently received without any other communication, or when there + is silence from the remote end. This usually means that either the + gateway is not alive, or the keying daemon is not functional. For an + OE-permissive connection, the initiator makes a transition to the + clear-text connection but with a low lifespan. For an OE-pessimistic + connection, the initiator makes a transition to the deny connection + again with a low lifespan. The lifespan in both cases is kept low + because the remote gateway may be in the process of rebooting or be + otherwise temporarily unavailable. + + The length of time to wait for the remote keying daemon to wake up is + a matter of some debate. If there is a routing failure, 5 minutes is + usually long enough for the network to re-converge. Many systems can + reboot in that amount of time as well. However, 5 minutes is far too + long for most users to wait to hear that they can not connect using + OE. Implementations SHOULD make this a tunable parameter. + + The second failure occurs after a phase 1 SA has been created, but + there is either no response to the phase 2 proposal, or the initiator + receives a negative notify (the notify must be authenticated). The + remote gateway is not prepared to do OE at this time. As before, the + initiator makes a transition to the clear-text or the deny connection + based upon connection class, but this time with a normal lifespan. + + The third failure occurs when there is signature failure while + authenticating the remote gateway. This can occur when there has + been a key roll-over, but DNS has not caught up. In this case again, + the initiator makes a transition to the clear-text or the deny + connection based upon the connection class. However, the lifespan + depends upon the remaining time to live in the DNS. (Note that + DNSSEC signed resource records have a different expiry time than non- + signed records.) + +3.2.6 Keyed connection + + The pending OE connection makes a transition to this state when + session keying material (the phase 2 SAs) is derived. The initiator + creates an encrypt policy in the forwarding plane for this flow. + + There are three ways to exit this state. The first is by receipt of + an authenticated delete message (via the keying channel) from the + peer. This is normal teardown and results in a transition to the + expired connection state. + + The second exit is by expiry of the forwarding plane keying material. + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 15] + +Internet-Draft opportunistic May 2003 + + + This starts a re-key operation with a transition back to pending OE + connection. In general, the soft expiry occurs with sufficient time + left to continue to use the keys. A re-key can fail, which may + result in the connection failing to clear-text or deny as + appropriate. In the event of a failure, the forwarding plane policy + does not change until the phase 2 SA (IPsec SA) reaches its hard + expiry. + + The third exit is in response to a negotiation from a remote gateway. + If the forwarding plane signals the control plane that it has + received an unknown SPI from the remote gateway, or an ICMP is + received from the remote gateway indicating an unknown SPI, the + initiator should consider that the remote gateway has rebooted or + restarted. Since these indications are easily forged, the + implementation must exercise care. The initiator should make a + cautious (rate-limited) attempt to re-key the connection. + +3.2.7 Expiring connection + + The initiator will periodically place each of the deny, clear-text, + and keyed connections into this sub-state. See Section 3.4 for more + details of how often this occurs. The initiator queries the + forwarding plane for last use time of the appropriate policy. If the + last use time is relatively recent, then the connection returns to + the previous deny, clear-text or keyed connection state. If not, + then the connection enters the expired connection state. + + The DNS query and answer that lead to the expiring connection state + are also examined. The DNS query may become stale. (A negative, + i.e. no such record, answer is valid for the period of time given by + the MINIMUM field in an attached SOA record. See [12] section + 4.3.4.) If the DNS query is stale, then a new query is made. If the + results change, then the connection makes a transition to a new state + as described in potential OE connection state. + + Note that when considering how stale a connection is, both outgoing + SPD and incoming SAD must be queried as some flows may be + unidirectional for some time. + + Also note that the policy at the forwarding plane is not updated + unless there is a conclusion that there should be a change. + +3.2.8 Expired connection + + Entry to this state occurs when no datagrams have been forwarded + recently via the appropriate SPD and SAD objects. The objects in the + forwarding plane are removed (logging any final byte and packet + counts if appropriate) and the connection instance in the keying + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 16] + +Internet-Draft opportunistic May 2003 + + + plane is deleted. + + The initiator sends an ISAKMP/IKE delete to clean up the phase 2 SAs + as described in Section 3.4. + + Whether or not to delete the phase 1 SAs at this time is left as a + local implementation issue. Implementations that do delete the phase + 1 SAs MUST send authenticated delete messages to indicate that they + are doing so. There is an advantage to keeping the phase 1 SAs until + they expire - they may prove useful again in the near future. + +3.3 Keying state machine - responder + + The responder has a set of objects identical to those of the + initiator. + + The responder receives an invitation to create a keying channel from + an initiator. + +3.3.1 Unauthenticated OE peer + + Upon entering this state, the responder starts a DNS lookup for a KEY + record for the initiator. The responder looks in the reverse-map for + a KEY record for the initiator if the initiator has offered an + ID_IPV4_ADDR, and in the forward map if the initiator has offered an + ID_FQDN type. (See [8] section 4.6.2.1.) + + The responder exits this state upon successful receipt of a KEY from + DNS, and use of the key to verify the signature of the initiator. + + Successful authentication of the peer results in a transition to the + authenticated OE Peer state. + + Note that the unauthenticated OE peer state generally occurs in the + middle of the key negotiation protocol. It is really a form of + pseudo-state. + +3.3.2 Authenticated OE Peer + + The peer will eventually propose one or more phase 2 SAs. The + responder uses the source and destination address in the proposal to + finish instantiating the connection state using the connection class + table. The responder MUST search for an identical connection object + at this point. + + If an identical connection is found, then the responder deletes the + old instance, and the new object makes a transition to the pending OE + connection state. This means that new ISAKMP connections with a + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 17] + +Internet-Draft opportunistic May 2003 + + + given peer will always use the latest instance, which is the correct + one if the peer has rebooted in the interim. + + If an identical connection is not found, then the responder makes the + transition according to the rules given for the initiator. + + Note that if the initiator is in OE-paranoid mode and the responder + is in either always-clear-text or deny, then no communication is + possible according to policy. An implementation is permitted to + create new types of policies such as "accept OE but do not initiate + it". This is a local matter. + +3.4 Renewal and teardown + +3.4.1 Aging + + A potentially unlimited number of tunnels may exist. In practice, + only a few tunnels are used during a period of time. Unused tunnels + MUST, therefore, be torn down. Detecting when tunnels are no longer + in use is the subject of this section. + + There are two methods for removing tunnels: explicit deletion or + expiry. + + Explicit deletion requires an IKE delete message. As the deletes + MUST be authenticated, both ends of the tunnel must maintain the key + channel (phase 1 ISAKMP SA). An implementation which refuses to + either maintain or recreate the keying channel SA will be unable to + use this method. + + The tunnel expiry method, simply allows the IKE daemon to expire + normally without attempting to re-key it. + + Regardless of which method is used to remove tunnels, the + implementation requires a method to determine if the tunnel is still + in use. The specifics are a local matter, but the FreeS/WAN project + uses the following criteria. These criteria are currently + implemented in the key management daemon, but could also be + implemented at the SPD layer using an idle timer. + + Set a short initial (soft) lifespan of 1 minute since many net flows + last only a few seconds. + + At the end of the lifespan, check to see if the tunnel was used by + traffic in either direction during the last 30 seconds. If so, + assign a longer tentative lifespan of 20 minutes after which, look + again. If the tunnel is not in use, then close the tunnel. + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 18] + +Internet-Draft opportunistic May 2003 + + + The expiring state in the key management system (see Section 3.2.7) + implements these timeouts. The timer above may be in the forwarding + plane, but then it must be re-settable. + + The tentative lifespan is independent of re-keying; it is just the + time when the tunnel's future is next considered. (The term lifespan + is used here rather than lifetime for this reason.) Unlike re-keying, + this tunnel use check is not costly and should happen reasonably + frequently. + + A multi-step back-off algorithm is not considered worth the effort + here. + + If the security gateway and the client host are the same and not a + Bump-in-the-Stack or Bump-in-the-Wire implementation, tunnel teardown + decisions MAY pay attention to TCP connection status as reported by + the local TCP layer. A still-open TCP connection is almost a + guarantee that more traffic is expected. Closing of the only TCP + connection through a tunnel is a strong hint that no more traffic is + expected. + +3.4.2 Teardown and cleanup + + Teardown should always be coordinated between the two ends of the + tunnel by interpreting and sending delete notifications. There is a + detailed sub-state in the expired connection state of the key manager + that relates to retransmits of the delete notifications, but this is + considered to be a keying system detail. + + On receiving a delete for the outbound SAs of a tunnel (or some + subset of them), tear down the inbound ones also and notify the + remote end with a delete. If the local system receives a delete for + a tunnel which is no longer in existence, then two delete messages + have crossed paths. Ignore the delete. The operation has already + been completed. Do not generate any messages in this situation. + + Tunnels are to be considered as bidirectional entities, even though + the low-level protocols don't treat them this way. + + When the deletion is initiated locally, rather than as a response to + a received delete, send a delete for (all) the inbound SAs of a + tunnel. If the local system does not receive a responding delete for + the outbound SAs, try re-sending the original delete. Three tries + spaced 10 seconds apart seems a reasonable level of effort. A + failure of the other end to respond after 3 attempts, indicates that + the possibility of further communication is unlikely. Remove the + outgoing SAs. (The remote system may be a mobile node that is no + longer present or powered on.) + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 19] + +Internet-Draft opportunistic May 2003 + + + After re-keying, transmission should switch to using the new outgoing + SAs (ISAKMP or IPsec) immediately, and the old leftover outgoing SAs + should be cleared out promptly (delete should be sent for the + outgoing SAs) rather than waiting for them to expire. This reduces + clutter and minimizes confusion for the operator doing diagnostics. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 20] + +Internet-Draft opportunistic May 2003 + + +4. Impacts on IKE + +4.1 ISAKMP/IKE protocol + + The IKE wire protocol needs no modifications. The major changes are + implementation issues relating to how the proposals are interpreted, + and from whom they may come. + + As opportunistic encryption is designed to be useful between peers + without prior operator configuration, an IKE daemon must be prepared + to negotiate phase 1 SAs with any node. This may require a large + amount of resources to maintain cookie state, as well as large + amounts of entropy for nonces, cookies and so on. + + The major changes to support opportunistic encryption are at the IKE + daemon level. These changes relate to handling of key acquisition + requests, lookup of public keys and TXT records, and interactions + with firewalls and other security facilities that may be co-resident + on the same gateway. + +4.2 Gateway discovery process + + In a typical configured tunnel, the address of SG-B is provided via + configuration. Furthermore, the mapping of an SPD entry to a gateway + is typically a 1:1 mapping. When the 0.0.0.0/0 SPD entry technique + is used, then the mapping to a gateway is determined by the reverse + DNS records. + + The need to do a DNS lookup and wait for a reply will typically + introduce a new state and a new event source (DNS replies) to IKE. + Although a synchronous DNS request can be implemented for proof of + concept, experience is that it can cause very high latencies when a + queue of queries must all timeout in series. + + Use of an asynchronous DNS lookup will also permit overlap of DNS + lookups with some of the protocol steps. + +4.3 Self identification + + SG-A will have to establish its identity. Use an IPv4 ID in phase 1. + + There are many situations where the administrator of SG-A may not be + able to control the reverse DNS records for SG-A's public IP address. + Typical situations include dialup connections and most residential- + type broadband Internet access (ADSL, cable-modem) connections. In + these situations, a fully qualified domain name that is under the + control of SG-A's administrator may be used when acting as an + initiator only. The FQDN ID should be used in phase 1. See Section + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 21] + +Internet-Draft opportunistic May 2003 + + + 5.3 for more details and restrictions. + +4.4 Public key retrieval process + + Upon receipt of a phase 1 SA proposal with either an IPv4 (IPv6) ID + or an FQDN ID, an IKE daemon needs to examine local caches and + configuration files to determine if this is part of a configured + tunnel. If no configured tunnels are found, then the implementation + should attempt to retrieve a KEY record from the reverse DNS in the + case of an IPv4/IPv6 ID, or from the forward DNS in the case of FQDN + ID. + + It is reasonable that if other non-local sources of policy are used + (COPS, LDAP), they be consulted concurrently but some clear ordering + of policy be provided. Note that due to variances in latency, + implementations must wait for positive or negative replies from all + sources of policy before making any decisions. + +4.5 Interactions with DNSSEC + + The implementation described (1.98) neither uses DNSSEC directly to + explicitly verify the authenticity of zone information, nor uses the + NXT records to provide authentication of the absence of a TXT or KEY + record. Rather, this implementation uses a trusted path to a DNSSEC + capable caching resolver. + + To distinguish between an authenticated and an unauthenticated DNS + resource record, a stub resolver capable of returning DNSSEC + information MUST be used. + +4.6 Required proposal types + +4.6.1 Phase 1 parameters + + Main mode MUST be used. + + The initiator MUST offer at least one proposal using some combination + of: 3DES, HMAC-MD5 or HMAC-SHA1, DH group 2 or 5. Group 5 SHOULD be + proposed first. [11] + + The initiator MAY offer additional proposals, but the cipher MUST not + be weaker than 3DES. The initiator SHOULD limit the number of + proposals such that the IKE datagrams do not need to be fragmented. + + The responder MUST accept one of the proposals. If any configuration + of the responder is required then the responder is not acting in an + opportunistic way. + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 22] + +Internet-Draft opportunistic May 2003 + + + SG-A SHOULD use an ID_IPV4_ADDR (ID_IPV6_ADDR for IPv6) of the + external interface of SG-A for phase 1. (There is an exception, see + Section 5.3.) The authentication method MUST be RSA public key + signatures. The RSA key for SG-A SHOULD be placed into a DNS KEY + record in the reverse space of SG-A (i.e. using in-addr.arpa). + +4.6.2 Phase 2 parameters + + SG-A MUST propose a tunnel between Alice and Bob, using 3DES-CBC + mode, MD5 or SHA1 authentication. Perfect Forward Secrecy MUST be + specified. + + Tunnel mode MUST be used. + + Identities MUST be ID_IPV4_ADDR_SUBNET with the mask being /32. + + Authorization for SG-A to act on Alice's behalf is determined by + looking for a TXT record in the reverse-map at Alice's address. + + Compression SHOULD NOT be mandatory. It may be offered as an option. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 23] + +Internet-Draft opportunistic May 2003 + + +5. DNS issues + +5.1 Use of KEY record + + In order to establish their own identities, SG-A and SG-B SHOULD + publish their public keys in their reverse DNS via DNSSEC's KEY + record. See section 3 of RFC 2535 [16]. + + For example: + + KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8 + + 0x4200: The flag bits, indicating that this key is prohibited for + confidentiality use (it authenticates the peer only, a separate + Diffie-Hellman exchange is used for confidentiality), and that + this key is associated with the non-zone entity whose name is the + RR owner name. No other flags are set. + + 4: This indicates that this key is for use by IPsec. + + 1: An RSA key is present. + + AQNJjkKlIk9...nYyUkKK8: The public key of the host as described in + [17]. + + Use of several KEY records allows for key rollover. The SIG Payload + in IKE phase 1 SHOULD be accepted if the public key given by any KEY + RR validates it. + +5.2 Use of TXT delegation record + + Alice publishes a TXT record to provide authorization for SG-A to act + on Alice's behalf. Bob publishes a TXT record to provide + authorization for SG-B to act on Bob's behalf. These records are + located in the reverse DNS (in-addr.arpa) for their respective IP + addresses. The reverse DNS SHOULD be secured by DNSSEC, when it is + deployed. DNSSEC is required to defend against active attacks. + + If Alice's address is P.Q.R.S, then she can authorize another node to + act on her behalf by publishing records at: + + S.R.Q.P.in-addr.arpa + + The contents of the resource record are expected to be a string that + uses the following syntax, as suggested in [15]. (Note that the + reply to query may include other TXT resource records used by other + applications.) + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 24] + +Internet-Draft opportunistic May 2003 + + + --------------------------------------------------------------------- + + + X-IPsec-Server(P)=A.B.C.D KEY + + Figure 2: Format of reverse delegation record + + --------------------------------------------------------------------- + + P: Specifies a precedence for this record. This is similar to MX + record preferences. Lower numbers have stronger preference. + + A.B.C.D: Specifies the IP address of the Security Gateway for this + client machine. + + KEY: Is the encoded RSA Public key of the Security Gateway. The key + is provided here to avoid a second DNS lookup. If this field is + absent, then a KEY resource record should be looked up in the + reverse-map of A.B.C.D. The key is transmitted in base64 format. + + The pieces of the record are separated by any whitespace (space, tab, + newline, carriage return). An ASCII space SHOULD be used. + + In the case where Alice is located at a public address behind a + security gateway that has no fixed address (or no control over its + reverse-map), then Alice may delegate to a public key by domain name. + + --------------------------------------------------------------------- + + + X-IPsec-Server(P)=@FQDN KEY + + Figure 3: Format of reverse delegation record (FQDN version) + + --------------------------------------------------------------------- + + P: Is as above. + + FQDN: Specifies the FQDN that the Security Gateway will identify + itself with. + + KEY: Is the encoded RSA Public key of the Security Gateway. + + If there is more than one such TXT record with strongest (lowest + numbered) precedence, one Security Gateway is picked arbitrarily from + those specified in the strongest-preference records. + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 25] + +Internet-Draft opportunistic May 2003 + + +5.2.1 Long TXT records + + When packed into transport format, TXT records which are longer than + 255 characters are divided into smaller . (See + [13] section 3.3 and 3.3.14.) These MUST be reassembled into a single + string for processing. Whitespace characters in the base64 encoding + are to be ignored. + +5.2.2 Choice of TXT record + + It has been suggested to use the KEY, OPT, CERT, or KX records + instead of a TXT record. None is satisfactory. + + The KEY RR has a protocol field which could be used to indicate a new + protocol, and an algorithm field which could be used to indicate + different contents in the key data. However, the KEY record is + clearly not intended for storing what are really authorizations, it + is just for identities. Other uses have been discouraged. + + OPT resource records, as defined in [14] are not intended to be used + for storage of information. They are not to be loaded, cached or + forwarded. They are, therefore, inappropriate for use here. + + CERT records [18] can encode almost any set of information. A custom + type code could be used permitting any suitable encoding to be + stored, not just X.509. According to the RFC, the certificate RRs + are to be signed internally which may add undesirable and unnecessary + bulk. Larger DNS records may require TCP instead of UDP transfers. + + At the time of protocol design, the CERT RR was not widely deployed + and could not be counted upon. Use of CERT records will be + investigated, and may be proposed in a future revision of this + document. + + KX records are ideally suited for use instead of TXT records, but had + not been deployed at the time of implementation. + +5.3 Use of FQDN IDs + + Unfortunately, not every administrator has control over the contents + of the reverse-map. Where the initiator (SG-A) has no suitable + reverse-map, the authorization record present in the reverse-map of + Alice may refer to a FQDN instead of an IP address. + + In this case, the client's TXT record gives the fully qualified + domain name (FQDN) in place of its security gateway's IP address. + The initiator should use the ID_FQDN ID-payload in phase 1. A + forward lookup for a KEY record on the FQDN must yield the + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 26] + +Internet-Draft opportunistic May 2003 + + + initiator's public key. + + This method can also be used when the external address of SG-A is + dynamic. + + If SG-A is acting on behalf of Alice, then Alice must still delegate + authority for SG-A to do so in her reverse-map. When Alice and SG-A + are one and the same (i.e. Alice is acting as an end-node) then + there is no need for this when initiating only. + + However, Alice must still delegate to herself if she wishes others + to initiate OE to her. See Figure 3. + +5.4 Key roll-over + + Good cryptographic hygiene says that one should replace public/ + private key pairs periodically. Some administrators may wish to do + this as often as daily. Typical DNS propagation delays are + determined by the SOA Resource Record MINIMUM parameter, which + controls how long DNS replies may be cached. For reasonable + operation of DNS servers, administrators usually want this value to + be at least several hours, sometimes as a long as a day. This + presents a problem - a new key MUST not be used prior to it + propagating through DNS. + + This problem is dealt with by having the Security Gateway generate a + new public/private key pair at least MINIMUM seconds in advance of + using it. It then adds this key to the DNS (both as a second KEY + record and in additional TXT delegation records) at key generation + time. Note: only one key is allowed in each TXT record. + + When authenticating, all gateways MUST have available all public keys + that are found in DNS for this entity. This permits the + authenticating end to check both the key for "today" and the key for + "tomorrow". Note that it is the end which is creating the signature + (possesses the private key) that determines which key is to be used. + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 27] + +Internet-Draft opportunistic May 2003 + + +6. Network address translation interaction + + There are no fundamentally new issues for implementing opportunistic + encryption in the presence of network address translation. Rather + there are only the regular IPsec issues with NAT traversal. + + There are several situations to consider for NAT. + +6.1 Co-located NAT/NAPT + + If SG-A is also performing network address translation on behalf of + Alice, then the packet should be translated prior to being subjected + to opportunistic encryption. This is in contrast to typically + configured tunnels which often exist to bridge islands of private + network address space. SG-A will use the translated source address + for phase 2, and so SG-B will look up that address to confirm SG-A's + authorization. + + In the case of NAT (1:1), the address space into which the + translation is done MUST be globally unique, and control over the + reverse-map is assumed. Placing of TXT records is possible. + + In the case of NAPT (m:1), the address will be SG-A. The ability to + get KEY and TXT records in place will again depend upon whether or + not there is administrative control over the reverse-map. This is + identical to situations involving a single host acting on behalf of + itself. FQDN style can be used to get around a lack of a reverse-map + for initiators only. + +6.2 SG-A behind NAT/NAPT + + If there is a NAT or NAPT between SG-A and SG-B, then normal IPsec + NAT traversal rules apply. In addition to the transport problem + which may be solved by other mechanisms, there is the issue of what + phase 1 and phase 2 IDs to use. While FQDN could be used during + phase 1 for SG-A, there is no appropriate ID for phase 2 that permits + SG-B to determine that SG-A is in fact authorized to speak for Alice. + +6.3 Bob is behind a NAT/NAPT + + If Bob is behind a NAT (perhaps SG-B), then there is, in fact, no way + for Alice to address a packet to Bob. Not only is opportunistic + encryption impossible, but it is also impossible for Alice to + initiate any communication to Bob. It may be possible for Bob to + initiate in such a situation. This creates an asymmetry, but this is + common for NAPT. + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 28] + +Internet-Draft opportunistic May 2003 + + +7. Host implementations + + When Alice and SG-A are components of the same system, they are + considered to be a host implementation. The packet sequence scenario + remains unchanged. + + Components marked Alice are the upper layers (TCP, UDP, the + application), and SG-A is the IP layer. + + Note that tunnel mode is still required. + + As Alice and SG-A are acting on behalf of themselves, no TXT based + delegation record is necessary for Alice to initiate. She can rely + on FQDN in a forward map. This is particularly attractive to mobile + nodes such as notebook computers at conferences. To respond, Alice/ + SG-A will still need an entry in Alice's reverse-map. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 29] + +Internet-Draft opportunistic May 2003 + + +8. Multi-homing + + If there are multiple paths between Alice and Bob (as illustrated in + the diagram with SG-D), then additional DNS records are required to + establish authorization. + + In Figure 1, Alice has two ways to exit her network: SG-A and SG-D. + Previously SG-D has been ignored. Postulate that there are routers + between Alice and her set of security gateways (denoted by the + + signs and the marking of an autonomous system number for Alice's + network). Datagrams may, therefore, travel to either SG-A or SG-D en + route to Bob. + + As long as all network connections are in good order, it does not + matter how datagrams exit Alice's network. When they reach either + security gateway, the security gateway will find the TXT delegation + record in Bob's reverse-map, and establish an SA with SG-B. + + SG-B has no problem establishing that either of SG-A or SG-D may + speak for Alice, because Alice has published two equally weighted TXT + delegation records: + + --------------------------------------------------------------------- + + + X-IPsec-Server(10)=192.1.1.5 AQMM...3s1Q== + X-IPsec-Server(10)=192.1.1.6 AAJN...j8r9== + + Figure 4: Multiple gateway delegation example for Alice + + --------------------------------------------------------------------- + + Alice's routers can now do any kind of load sharing needed. Both SG- + A and SG-D send datagrams addressed to Bob through their tunnel to + SG-B. + + Alice's use of non-equal weight delegation records to show preference + of one gateway over another, has relevance only when SG-B is + initiating to Alice. + + If the precedences are the same, then SG-B has a more difficult time. + It must decide which of the two tunnels to use. SG-B has no + information about which link is less loaded, nor which security + gateway has more cryptographic resources available. SG-B, in fact, + has no knowledge of whether both gateways are even reachable. + + The Public Internet's default-free zone may well know a good route to + Alice, but the datagrams that SG-B creates must be addressed to + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 30] + +Internet-Draft opportunistic May 2003 + + + either SG-A or SG-D; they can not be addressed to Alice directly. + + SG-B may make a number of choices: + + 1. It can ignore the problem and round robin among the tunnels. + This causes losses during times when one or the other security + gateway is unreachable. If this worries Alice, she can change + the weights in her TXT delegation records. + + 2. It can send to the gateway from which it most recently received + datagrams. This assumes that routing and reachability are + symmetrical. + + 3. It can listen to BGP information from the Internet to decide + which system is currently up. This is clearly much more + complicated, but if SG-B is already participating in the BGP + peering system to announce Bob, the results data may already be + available to it. + + 4. It can refuse to negotiate the second tunnel. (It is unclear + whether or not this is even an option.) + + 5. It can silently replace the outgoing portion of the first tunnel + with the second one while still retaining the incoming portions + of both. SG-B can, thus, accept datagrams from either SG-A or + SG-D, but send only to the gateway that most recently re-keyed + with it. + + Local policy determines which choice SG-B makes. Note that even if + SG-B has perfect knowledge about the reachability of SG-A and SG-D, + Alice may not be reachable from either of these security gateways + because of internal reachability issues. + + FreeS/WAN implements option 5. Implementing a different option is + being considered. The multi-homing aspects of OE are not well + developed and may be the subject of a future document. + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 31] + +Internet-Draft opportunistic May 2003 + + +9. Failure modes + +9.1 DNS failures + + If a DNS server fails to respond, local policy decides whether or not + to permit communication in the clear as embodied in the connection + classes in Section 3.2. It is easy to mount a denial of service + attack on the DNS server responsible for a particular network's + reverse-map. Such an attack may cause all communication with that + network to go in the clear if the policy is permissive, or fail + completely if the policy is paranoid. Please note that this is an + active attack. + + There are still many networks that do not have properly configured + reverse-maps. Further, if the policy is not to communicate, the + above denial of service attack isolates the target network. + Therefore, the decision of whether or not to permit communication in + the clear MUST be a matter of local policy. + +9.2 DNS configured, IKE failures + + DNS records claim that opportunistic encryption should occur, but the + target gateway either does not respond on port 500, or refuses the + proposal. This may be because of a crash or reboot, a faulty + configuration, or a firewall filtering port 500. + + The receipt of ICMP port, host or network unreachable messages + indicates a potential problem, but MUST NOT cause communication to + fail immediately. ICMP messages are easily forged by attackers. If + such a forgery caused immediate failure, then an active attacker + could easily prevent any encryption from ever occurring, possibly + preventing all communication. + + In these situations a clear log should be produced and local policy + should dictate if communication is then permitted in the clear. + +9.3 System reboots + + Tunnels sometimes go down because the remote end crashes, + disconnects, or has a network link break. In general there is no + notification of this. Even in the event of a crash and successful + reboot, other SGs don't hear about it unless the rebooted SG has + specific reason to talk to them immediately. Over-quick response to + temporary network outages is undesirable. Note that a tunnel can be + torn down and then re-established without any effect visible to the + user except a pause in traffic. On the other hand, if one end + reboots, the other end can't get datagrams to it at all (except via + IKE) until the situation is noticed. So a bias toward quick response + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 32] + +Internet-Draft opportunistic May 2003 + + + is appropriate even at the cost of occasional false alarms. + + A mechanism for recovery after reboot is a topic of current research + and is not specified in this document. + + A deliberate shutdown should include an attempt, using deletes, to + notify all other SGs currently connected by phase 1 SAs that + communication is about to fail. Again, a remote SG will assume this + is a teardown. Attempts by the remote SGs to negotiate new tunnels + as replacements should be ignored. When possible, SGs should attempt + to preserve information about currently-connected SGs in non-volatile + storage, so that after a crash, an Initial-Contact can be sent to + previous partners to indicate loss of all previously established + connections. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 33] + +Internet-Draft opportunistic May 2003 + + +10. Unresolved issues + +10.1 Control of reverse DNS + + The method of obtaining information by reverse DNS lookup causes + problems for people who cannot control their reverse DNS bindings. + This is an unresolved problem in this version, and is out of scope. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 34] + +Internet-Draft opportunistic May 2003 + + +11. Examples + +11.1 Clear-text usage (permit policy) + + Two example scenarios follow. In the first example GW-A (Gateway A) + and GW-B (Gateway B) have always-clear-text policies, and in the + second example they have an OE policy. + + --------------------------------------------------------------------- + + + Alice SG-A DNS SG-B Bob + (1) + ------(2)--------------> + <-----(3)--------------- + (4)----(5)-----> + ----------(6)------> + ------(7)-----> + <------(8)------ + <----------(9)------ + <----(10)----- + (11)-----------> + ----------(12)-----> + --------------> + <--------------- + <------------------- + <------------- + + Figure 5: Timing of regular transaction + + --------------------------------------------------------------------- + + Alice wants to communicate with Bob. Perhaps she wants to retrieve a + web page from Bob's web server. In the absence of opportunistic + encryptors, the following events occur: + + (1) Human or application 'clicks' with a name. + + (2) Application looks up name in DNS to get IP address. + + (3) Resolver returns A record to application. + + (4) Application starts a TCP session or UDP session and OS sends + datagram. + + (5) Datagram is seen at first gateway from Alice (SG-A). (SG-A makes + a transition through Empty connection to always-clear connection + and instantiates a pass-through policy at the forwarding plane.) + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 35] + +Internet-Draft opportunistic May 2003 + + + (6) Datagram is seen at last gateway before Bob (SG-B). + + (7) First datagram from Alice is seen by Bob. + + (8) First return datagram is sent by Bob. + + (9) Datagram is seen at Bob's gateway. (SG-B makes a transition + through Empty connection to always-clear connection and + instantiates a pass-through policy at the forwarding plane.) + + (10) Datagram is seen at Alice's gateway. + + (11) OS hands datagram to application. Alice sends another datagram. + + (12) A second datagram traverses the Internet. + + +11.2 Opportunistic encryption + + In the presence of properly configured opportunistic encryptors, the + event list is extended. + + --------------------------------------------------------------------- + + + Alice SG-A DNS SG-B Bob + (1) + ------(2)--------------> + <-----(3)--------------- + (4)----(5)----->+ + ----(5B)-> + <---(5C)-- + ~~~~~~~~~~~~~(5D)~~~> + <~~~~~~~~~~~~(5E1)~~~ + ~~~~~~~~~~~~~(5E2)~~> + <~~~~~~~~~~~~(5E3)~~~ + #############(5E4)##> + <############(5E5)### + <----(5F1)-- + -----(5F2)-> + #############(5G1)##> + <----(5H1)-- + -----(5H2)-> + <############(5G2)### + #############(5G3)##> + ============(6)====> + ------(7)-----> + <------(8)------ + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 36] + +Internet-Draft opportunistic May 2003 + + + <==========(9)====== + <-----(10)---- + (11)-----------> + ==========(12)=====> + --------------> + <--------------- + <=================== + <------------- + + Figure 6: Timing of opportunistic encryption transaction + + --------------------------------------------------------------------- + + (1) Human or application clicks with a name. + + (2) Application initiates DNS mapping. + + (3) Resolver returns A record to application. + + (4) Application starts a TCP session or UDP. + + (5) SG-A (host or SG) sees datagram to target, and buffers it. + + (5B) SG-A asks DNS for TXT record. + + (5C) DNS returns TXT record(s). + + (5D) Initial IKE Main Mode Packet goes out. + + (5E) IKE ISAKMP phase 1 succeeds. + + (5F) SG-B asks DNS for TXT record to prove SG-A is an agent for + Alice. + + (5G) IKE phase 2 negotiation. + + (5H) DNS lookup by responder (SG-B). + + (6) Buffered datagram is sent by SG-A. + + (7) Datagram is received by SG-B, decrypted, and sent to Bob. + + (8) Bob replies, and datagram is seen by SG-B. + + (9) SG-B already has tunnel up with SG-A, and uses it. + + (10) SG-A decrypts datagram and gives it to Alice. + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 37] + +Internet-Draft opportunistic May 2003 + + + (11) Alice receives datagram. Sends new packet to Bob. + + (12) SG-A gets second datagram, sees that tunnel is up, and uses it. + + For the purposes of this section, we will describe only the changes + that occur between Figure 5 and Figure 6. This corresponds to time + points 5, 6, 7, 9 and 10 on the list above. + +11.2.1 (5) IPsec datagram interception + + At point (5), SG-A intercepts the datagram because this source/ + destination pair lacks a policy (the non-existent policy state). SG- + A creates a hold policy, and buffers the datagram. SG-A requests + keys from the keying daemon. + +11.2.2 (5B) DNS lookup for TXT record + + SG-A's IKE daemon, having looked up the source/destination pair in + the connection class list, creates a new Potential OE connection + instance. SG-A starts DNS queries. + +11.2.3 (5C) DNS returns TXT record(s) + + DNS returns properly formed TXT delegation records, and SG-A's IKE + daemon causes this instance to make a transition from Potential OE + connection to Pending OE connection. + + Using the example above, the returned record might contain: + + --------------------------------------------------------------------- + + + X-IPsec-Server(10)=192.1.1.5 AQMM...3s1Q== + + Figure 7: Example of reverse delegation record for Bob + + --------------------------------------------------------------------- + + with SG-B's IP address and public key listed. + +11.2.4 (5D) Initial IKE main mode packet goes out + + Upon entering Pending OE connection, SG-A sends the initial ISAKMP + message with proposals. See Section 4.6.1. + +11.2.5 (5E1) Message 2 of phase 1 exchange + + SG-B receives the message. A new connection instance is created in + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 38] + +Internet-Draft opportunistic May 2003 + + + the unauthenticated OE peer state. + +11.2.6 (5E2) Message 3 of phase 1 exchange + + SG-A sends a Diffie-Hellman exponent. This is an internal state of + the keying daemon. + +11.2.7 (5E3) Message 4 of phase 1 exchange + + SG-B responds with a Diffie-Hellman exponent. This is an internal + state of the keying protocol. + +11.2.8 (5E4) Message 5 of phase 1 exchange + + SG-A uses the phase 1 SA to send its identity under encryption. The + choice of identity is discussed in Section 4.6.1. This is an + internal state of the keying protocol. + +11.2.9 (5F1) Responder lookup of initiator key + + SG-B asks DNS for the public key of the initiator. DNS looks for a + KEY record by IP address in the reverse-map. That is, a KEY resource + record is queried for 4.1.1.192.in-addr.arpa (recall that SG-A's + external address is 192.1.1.4). SG-B uses the resulting public key + to authenticate the initiator. See Section 5.1 for further details. + +11.2.10 (5F2) DNS replies with public key of initiator + + Upon successfully authenticating the peer, the connection instance + makes a transition to authenticated OE peer on SG-B. + + The format of the TXT record returned is described in Section 5.2. + +11.2.11 (5E5) Responder replies with ID and authentication + + SG-B sends its ID along with authentication material. This is an + internal state for the keying protocol. + +11.2.12 (5G) IKE phase 2 + +11.2.12.1 (5G1) Initiator proposes tunnel + + Having established mutually agreeable authentications (via KEY) and + authorizations (via TXT), SG-A proposes to create an IPsec tunnel for + datagrams transiting from Alice to Bob. This tunnel is established + only for the Alice/Bob combination, not for any subnets that may be + behind SG-A and SG-B. + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 39] + +Internet-Draft opportunistic May 2003 + + +11.2.12.2 (5H1) Responder determines initiator's authority + + While the identity of SG-A has been established, its authority to + speak for Alice has not yet been confirmed. SG-B does a reverse + lookup on Alice's address for a TXT record. + + Upon receiving this specific proposal, SG-B's connection instance + makes a transition into the potential OE connection state. SG-B may + already have an instance, and the check is made as described above. + +11.2.12.3 (5H2) DNS replies with TXT record(s) + + The returned key and IP address should match that of SG-A. + +11.2.12.4 (5G2) Responder agrees to proposal + + Should additional communication occur between, for instance, Dave and + Bob using SG-A and SG-B, a new tunnel (phase 2 SA) would be + established. The phase 1 SA may be reusable. + + SG-A, having successfully keyed the tunnel, now makes a transition + from Pending OE connection to Keyed OE connection. + + The responder MUST setup the inbound IPsec SAs before sending its + reply. + +11.2.12.5 (5G3) Final acknowledgment from initiator + + The initiator agrees with the responder's choice and sets up the + tunnel. The initiator sets up the inbound and outbound IPsec SAs. + + The proper authorization returned with keys prompts SG-B to make a + transition to the keyed OE connection state. + + Upon receipt of this message, the responder may now setup the + outbound IPsec SAs. + +11.2.13 (6) IPsec succeeds, and sets up tunnel for communication between + Alice and Bob + + SG-A sends the datagram saved at step (5) through the newly created + tunnel to SG-B, where it gets decrypted and forwarded. Bob receives + it at (7) and replies at (8). + +11.2.14 (9) SG-B already has tunnel up with G1 and uses it + + At (9), SG-B has already established an SPD entry mapping Bob->Alice + via a tunnel, so this tunnel is simply applied. The datagram is + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 40] + +Internet-Draft opportunistic May 2003 + + + encrypted to SG-A, decrypted by SG-A and passed to Alice at (10). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 41] + +Internet-Draft opportunistic May 2003 + + +12. Security considerations + +12.1 Configured vs opportunistic tunnels + + Configured tunnels are those which are setup using bilateral + mechanisms: exchanging public keys (raw RSA, DSA, PKIX), pre-shared + secrets, or by referencing keys that are in known places + (distinguished name from LDAP, DNS). These keys are then used to + configure a specific tunnel. + + A pre-configured tunnel may be on all the time, or may be keyed only + when needed. The end points of the tunnel are not necessarily + static: many mobile applications (road warrior) are considered to be + configured tunnels. + + The primary characteristic is that configured tunnels are assigned + specific security properties. They may be trusted in different ways + relating to exceptions to firewall rules, exceptions to NAT + processing, and to bandwidth or other quality of service + restrictions. + + Opportunistic tunnels are not inherently trusted in any strong way. + They are created without prior arrangement. As the two parties are + strangers, there MUST be no confusion of datagrams that arrive from + opportunistic peers and those that arrive from configured tunnels. A + security gateway MUST take care that an opportunistic peer can not + impersonate a configured peer. + + Ingress filtering MUST be used to make sure that only datagrams + authorized by negotiation (and the concomitant authentication and + authorization) are accepted from a tunnel. This is to prevent one + peer from impersonating another. + + An implementation suggestion is to treat opportunistic tunnel + datagrams as if they arrive on a logical interface distinct from + other configured tunnels. As the number of opportunistic tunnels + that may be created automatically on a system is potentially very + high, careful attention to scaling should be taken into account. + + As with any IKE negotiation, opportunistic encryption cannot be + secure without authentication. Opportunistic encryption relies on + DNS for its authentication information and, therefore, cannot be + fully secure without a secure DNS. Without secure DNS, opportunistic + encryption can protect against passive eavesdropping but not against + active man-in-the-middle attacks. + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 42] + +Internet-Draft opportunistic May 2003 + + +12.2 Firewalls versus Opportunistic Tunnels + + Typical usage of per datagram access control lists is to implement + various kinds of security gateways. These are typically called + "firewalls". + + Typical usage of a virtual private network (VPN) within a firewall is + to bypass all or part of the access controls between two networks. + Additional trust (as outlined in the previous section) is given to + datagrams that arrive in the VPN. + + Datagrams that arrive via opportunistically configured tunnels MUST + not be trusted. Any security policy that would apply to a datagram + arriving in the clear SHOULD also be applied to datagrams arriving + opportunistically. + +12.3 Denial of service + + There are several different forms of denial of service that an + implementor should concern themselves with. Most of these problems + are shared with security gateways that have large numbers of mobile + peers (road warriors). + + The design of ISAKMP/IKE, and its use of cookies, defend against many + kinds of denial of service. Opportunism changes the assumption that + if the phase 1 (ISAKMP) SA is authenticated, that it was worthwhile + creating. Because the gateway will communicate with any machine, it + is possible to form phase 1 SAs with any machine on the Internet. + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 43] + +Internet-Draft opportunistic May 2003 + + +13. IANA Considerations + + There are no known numbers which IANA will need to manage. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 44] + +Internet-Draft opportunistic May 2003 + + +14. Acknowledgments + + Substantive portions of this document are based upon previous work by + Henry Spencer. + + Thanks to Tero Kivinen, Sandy Harris, Wes Hardarker, Robert + Moskowitz, Jakob Schlyter, Bill Sommerfeld, John Gilmore and John + Denker for their comments and constructive criticism. + + Sandra Hoffman and Bill Dickie did the detailed proof reading and + editing. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 45] + +Internet-Draft opportunistic May 2003 + + +Normative references + + [1] Redelmeier, D. and H. Spencer, "Opportunistic Encryption", + paper http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/ + opportunism.spec, May 2001. + + [2] Defense Advanced Research Projects Agency (DARPA), Information + Processing Techniques Office and University of Southern + California (USC)/Information Sciences Institute, "Internet + Protocol", STD 5, RFC 791, September 1981. + + [3] Braden, R. and J. Postel, "Requirements for Internet gateways", + RFC 1009, June 1987. + + [4] IAB, IESG, Carpenter, B. and F. Baker, "IAB and IESG Statement + on Cryptographic Technology and the Internet", RFC 1984, August + 1996. + + [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [6] McDonald, D., Metz, C. and B. Phan, "PF_KEY Key Management API, + Version 2", RFC 2367, July 1998. + + [7] Kent, S. and R. Atkinson, "Security Architecture for the + Internet Protocol", RFC 2401, November 1998. + + [8] Piper, D., "The Internet IP Security Domain of Interpretation + for ISAKMP", RFC 2407, November 1998. + + [9] Maughan, D., Schneider, M. and M. Schertler, "Internet Security + Association and Key Management Protocol (ISAKMP)", RFC 2408, + November 1998. + + [10] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", + RFC 2409, November 1998. + + [11] Kivinen, T. and M. Kojo, "More MODP Diffie-Hellman groups for + IKE", RFC 3526, March 2003. + + [12] Mockapetris, P., "Domain names - concepts and facilities", STD + 13, RFC 1034, November 1987. + + [13] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [14] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, + August 1999. + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 46] + +Internet-Draft opportunistic May 2003 + + + [15] Rosenbaum, R., "Using the Domain Name System To Store Arbitrary + String Attributes", RFC 1464, May 1993. + + [16] Eastlake, D., "Domain Name System Security Extensions", RFC + 2535, March 1999. + + [17] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name + System (DNS)", RFC 3110, May 2001. + + [18] Eastlake, D. and O. Gudmundsson, "Storing Certificates in the + Domain Name System (DNS)", RFC 2538, March 1999. + + [19] Durham, D., Boyle, J., Cohen, R., Herzog, S., Rajan, R. and A. + Sastry, "The COPS (Common Open Policy Service) Protocol", RFC + 2748, January 2000. + + [20] Srisuresh, P. and M. Holdrege, "IP Network Address Translator + (NAT) Terminology and Considerations", RFC 2663, August 1999. + + +Authors' Addresses + + Michael C. Richardson + Sandelman Software Works + 470 Dawson Avenue + Ottawa, ON K1Z 5V7 + CA + + EMail: mcr@sandelman.ottawa.on.ca + URI: http://www.sandelman.ottawa.on.ca/ + + + D. Hugh Redelmeier + Mimosa + Toronto, ON + CA + + EMail: hugh@mimosa.com + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 47] + +Internet-Draft opportunistic May 2003 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2003). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Richardson & Redelmeier Expires November 19, 2003 [Page 48] + diff --git a/doc/draft-richardson-ipsec-rr.txt b/doc/draft-richardson-ipsec-rr.txt new file mode 100644 index 000000000..7c229b8e1 --- /dev/null +++ b/doc/draft-richardson-ipsec-rr.txt @@ -0,0 +1,840 @@ + + +IPSECKEY WG M. Richardson +Internet-Draft SSW +Expires: March 4, 2004 September 4, 2003 + + + A method for storing IPsec keying material in DNS. + draft-ietf-ipseckey-rr-07.txt + +Status of this Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at http:// + www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on March 4, 2004. + +Copyright Notice + + Copyright (C) The Internet Society (2003). All Rights Reserved. + +Abstract + + This document describes a new resource record for DNS. This record + may be used to store public keys for use in IPsec systems. + + This record replaces the functionality of the sub-type #1 of the KEY + Resource Record, which has been obsoleted by RFC3445. + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 1] + +Internet-Draft ipsecrr September 2003 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.2 Usage Criteria . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Storage formats . . . . . . . . . . . . . . . . . . . . . . . 4 + 2.1 IPSECKEY RDATA format . . . . . . . . . . . . . . . . . . . . 4 + 2.2 RDATA format - precedence . . . . . . . . . . . . . . . . . . 4 + 2.3 RDATA format - algorithm type . . . . . . . . . . . . . . . . 4 + 2.4 RDATA format - gateway type . . . . . . . . . . . . . . . . . 4 + 2.5 RDATA format - gateway . . . . . . . . . . . . . . . . . . . . 5 + 2.6 RDATA format - public keys . . . . . . . . . . . . . . . . . . 5 + 3. Presentation formats . . . . . . . . . . . . . . . . . . . . . 7 + 3.1 Representation of IPSECKEY RRs . . . . . . . . . . . . . . . . 7 + 3.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 9 + 4.1 Active attacks against unsecured IPSECKEY resource records . . 9 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 + 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 + Normative references . . . . . . . . . . . . . . . . . . . . . 13 + Non-normative references . . . . . . . . . . . . . . . . . . . 14 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . 14 + Full Copyright Statement . . . . . . . . . . . . . . . . . . . 15 + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 2] + +Internet-Draft ipsecrr September 2003 + + +1. Introduction + + The type number for the IPSECKEY RR is TBD. + +1.1 Overview + + The IPSECKEY resource record (RR) is used to publish a public key + that is to be associated with a Domain Name System (DNS) name for use + with the IPsec protocol suite. This can be the public key of a + host, network, or application (in the case of per-port keying). + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC2119 [8]. + +1.2 Usage Criteria + + An IPSECKEY resource record SHOULD be used in combination with DNSSEC + unless some other means of authenticating the IPSECKEY resource + record is available. + + It is expected that there will often be multiple IPSECKEY resource + records at the same name. This will be due to the presence of + multiple gateways and the need to rollover keys. + + This resource record is class independent. + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 3] + +Internet-Draft ipsecrr September 2003 + + +2. Storage formats + +2.1 IPSECKEY RDATA format + + The RDATA for an IPSECKEY RR consists of a precedence value, a public + key, algorithm type, and an optional gateway address. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | precedence | gateway type | algorithm | gateway | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ + + ~ gateway ~ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | / + / public key / + / / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| + + +2.2 RDATA format - precedence + + This is an 8-bit precedence for this record. This is interpreted in + the same way as the PREFERENCE field described in section 3.3.9 of + RFC1035 [2]. + + Gateways listed in IPSECKEY records with lower precedence are to be + attempted first. Where there is a tie in precedence, the order + should be non-deterministic. + +2.3 RDATA format - algorithm type + + The algorithm type field identifies the public key's cryptographic + algorithm and determines the format of the public key field. + + A value of 0 indicates that no key is present. + + The following values are defined: + + 1 A DSA key is present, in the format defined in RFC2536 [11] + + 2 A RSA key is present, in the format defined in RFC3110 [12] + + +2.4 RDATA format - gateway type + + The gateway type field indicates the format of the information that + is stored in the gateway field. + + + +Richardson Expires March 4, 2004 [Page 4] + +Internet-Draft ipsecrr September 2003 + + + The following values are defined: + + 0 No gateway is present + + 1 A 4-byte IPv4 address is present + + 2 A 16-byte IPv6 address is present + + 3 A wire-encoded domain name is present. The wire-encoded format is + self-describing, so the length is implicit. The domain name MUST + NOT be compressed. + + +2.5 RDATA format - gateway + + The gateway field indicates a gateway to which an IPsec tunnel may be + created in order to reach the entity named by this resource record. + + There are three formats: + + A 32-bit IPv4 address is present in the gateway field. The data + portion is an IPv4 address as described in section 3.4.1 of RFC1035 + [2]. This is a 32-bit number in network byte order. + + A 128-bit IPv6 address is present in the gateway field. The data + portion is an IPv6 address as described in section 2.2 of RFC1886 + [7]. This is a 128-bit number in network byte order. + + The gateway field is a normal wire-encoded domain name, as described + in section 3.3 of RFC1035 [2]. Compression MUST NOT be used. + +2.6 RDATA format - public keys + + Both of the public key types defined in this document (RSA and DSA) + inherit their public key formats from the corresponding KEY RR + formats. Specifically, the public key field contains the algorithm- + specific portion of the KEY RR RDATA, which is all of the KEY RR DATA + after the first four octets. This is the same portion of the KEY RR + that must be specified by documents that define a DNSSEC algorithm. + Those documents also specify a message digest to be used for + generation of SIG RRs; that specification is not relevant for + IPSECKEY RR. + + Future algorithms, if they are to be used by both DNSSEC (in the KEY + RR) and IPSECKEY, are likely to use the same public key encodings in + both records. Unless otherwise specified, the IPSECKEY public key + field will contain the algorithm-specific portion of the KEY RR RDATA + for the corresponding algorithm. The algorithm must still be + + + +Richardson Expires March 4, 2004 [Page 5] + +Internet-Draft ipsecrr September 2003 + + + designated for use by IPSECKEY, and an IPSECKEY algorithm type number + (which might be different than the DNSSEC algorithm number) must be + assigned to it. + + The DSA key format is defined in RFC2536 [11] + + The RSA key format is defined in RFC3110 [12], with the following + changes: + + The earlier definition of RSA/MD5 in RFC2065 limited the exponent and + modulus to 2552 bits in length. RFC3110 extended that limit to 4096 + bits for RSA/SHA1 keys. The IPSECKEY RR imposes no length limit on + RSA public keys, other than the 65535 octet limit imposed by the two- + octet length encoding. This length extension is applicable only to + IPSECKEY and not to KEY RRs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 6] + +Internet-Draft ipsecrr September 2003 + + +3. Presentation formats + +3.1 Representation of IPSECKEY RRs + + IPSECKEY RRs may appear in a zone data master file. The precedence, + gateway type and algorithm and gateway fields are REQUIRED. The + base64 encoded public key block is OPTIONAL; if not present, then the + public key field of the resource record MUST be construed as being + zero octets in length. + + The algorithm field is an unsigned integer. No mnemonics are + defined. + + If no gateway is to be indicated, then the gateway type field MUST be + zero, and the gateway field MUST be "." + + The Public Key field is represented as a Base64 encoding of the + Public Key. Whitespace is allowed within the Base64 text. For a + definition of Base64 encoding, see RFC1521 [3] Section 5.2. + + The general presentation for the record as as follows: + + IN IPSECKEY ( precedence gateway-type algorithm + gateway base64-encoded-public-key ) + + +3.2 Examples + + An example of a node 192.0.2.38 that will accept IPsec tunnels on its + own behalf. + + 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2 + 192.0.2.38 + AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) + + An example of a node, 192.0.2.38 that has published its key only. + + 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 0 2 + . + AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) + + An example of a node, 192.0.2.38 that has delegated authority to the + node 192.0.2.3. + + 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2 + 192.0.2.3 + AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) + + + + +Richardson Expires March 4, 2004 [Page 7] + +Internet-Draft ipsecrr September 2003 + + + An example of a node, 192.0.1.38 that has delegated authority to the + node with the identity "mygateway.example.com". + + 38.1.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 3 2 + mygateway.example.com. + AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) + + An example of a node, 2001:0DB8:0200:1:210:f3ff:fe03:4d0 that has + delegated authority to the node 2001:0DB8:c000:0200:2::1 + + $ORIGIN 1.0.0.0.0.0.2.8.B.D.0.1.0.0.2.ip6.int. + 0.d.4.0.3.0.e.f.f.f.3.f.0.1.2.0 7200 IN IPSECKEY ( 10 2 2 + 2001:0DB8:0:8002::2000:1 + AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 8] + +Internet-Draft ipsecrr September 2003 + + +4. Security Considerations + + This entire memo pertains to the provision of public keying material + for use by key management protocols such as ISAKMP/IKE (RFC2407) [9]. + + The IPSECKEY resource record contains information that SHOULD be + communicated to the end client in an integral fashion - i.e. free + from modification. The form of this channel is up to the consumer of + the data - there must be a trust relationship between the end + consumer of this resource record and the server. This relationship + may be end-to-end DNSSEC validation, a TSIG or SIG(0) channel to + another secure source, a secure local channel on the host, or some + combination of the above. + + The keying material provided by the IPSECKEY resource record is not + sensitive to passive attacks. The keying material may be freely + disclosed to any party without any impact on the security properties + of the resulting IPsec session: IPsec and IKE provide for defense + against both active and passive attacks. + + Any user of this resource record MUST carefully document their trust + model, and why the trust model of DNSSEC is appropriate, if that is + the secure channel used. + +4.1 Active attacks against unsecured IPSECKEY resource records + + This section deals with active attacks against the DNS. These + attacks require that DNS requests and responses be intercepted and + changed. DNSSEC is designed to defend against attacks of this kind. + + The first kind of active attack is when the attacker replaces the + keying material with either a key under its control or with garbage. + + If the attacker is not able to mount a subsequent man-in-the-middle + attack on the IKE negotiation after replacing the public key, then + this will result in a denial of service, as the authenticator used by + IKE would fail. + + If the attacker is able to both to mount active attacks against DNS + and is also in a position to perform a man-in-the-middle attack on + IKE and IPsec negotiations, then the attacker will be in a position + to compromise the resulting IPsec channel. Note that an attacker + must be able to perform active DNS attacks on both sides of the IKE + negotiation in order for this to succeed. + + The second kind of active attack is one in which the attacker + replaces the the gateway address to point to a node under the + attacker's control. The attacker can then either replace the public + + + +Richardson Expires March 4, 2004 [Page 9] + +Internet-Draft ipsecrr September 2003 + + + key or remove it, thus providing an IPSECKEY record of its own to + match the gateway address. + + This later form creates a simple man-in-the-middle since the attacker + can then create a second tunnel to the real destination. Note that, + as before, this requires that the attacker also mount an active + attack against the responder. + + Note that the man-in-the-middle can not just forward cleartext + packets to the original destination. While the destination may be + willing to speak in the clear, replying to the original sender, the + sender will have already created a policy expecting ciphertext. + Thus, the attacker will need to intercept traffic from both sides. + In some cases, the attacker may be able to accomplish the full + intercept by use of Network Addresss/Port Translation (NAT/NAPT) + technology. + + Note that the danger here only applies to cases where the gateway + field of the IPSECKEY RR indicates a different entity than the owner + name of the IPSECKEY RR. In cases where the end-to-end integrity of + the IPSECKEY RR is suspect, the end client MUST restrict its use of + the IPSECKEY RR to cases where the RR owner name matches the content + of the gateway field. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 10] + +Internet-Draft ipsecrr September 2003 + + +5. IANA Considerations + + This document updates the IANA Registry for DNS Resource Record Types + by assigning type X to the IPSECKEY record. + + This document creates an IANA registry for the algorithm type field. + + Values 0, 1 and 2 are defined in Section 2.3. Algorithm numbers 3 + through 255 can be assigned by IETF Consensus (see RFC2434 [6]). + + This document creates an IANA registry for the gateway type field. + + Values 0, 1, 2 and 3 are defined in Section 2.4. Algorithm numbers 4 + through 255 can be assigned by Standards Action (see RFC2434 [6]). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 11] + +Internet-Draft ipsecrr September 2003 + + +6. Acknowledgments + + My thanks to Paul Hoffman, Sam Weiler, Jean-Jacques Puig, Rob + Austein, and Olafur Gurmundsson who reviewed this document carefully. + Additional thanks to Olafur Gurmundsson for a reference + implementation. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 12] + +Internet-Draft ipsecrr September 2003 + + +Normative references + + [1] Mockapetris, P., "Domain names - concepts and facilities", STD + 13, RFC 1034, November 1987. + + [2] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [3] Borenstein, N. and N. Freed, "MIME (Multipurpose Internet Mail + Extensions) Part One: Mechanisms for Specifying and Describing + the Format of Internet Message Bodies", RFC 1521, September + 1993. + + [4] Bradner, S., "The Internet Standards Process -- Revision 3", BCP + 9, RFC 2026, October 1996. + + [5] Eastlake, D. and C. Kaufman, "Domain Name System Security + Extensions", RFC 2065, January 1997. + + [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA + Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 13] + +Internet-Draft ipsecrr September 2003 + + +Non-normative references + + [7] Thomson, S. and C. Huitema, "DNS Extensions to support IP + version 6", RFC 1886, December 1995. + + [8] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [9] Piper, D., "The Internet IP Security Domain of Interpretation + for ISAKMP", RFC 2407, November 1998. + + [10] Eastlake, D., "Domain Name System Security Extensions", RFC + 2535, March 1999. + + [11] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System + (DNS)", RFC 2536, March 1999. + + [12] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name + System (DNS)", RFC 3110, May 2001. + + [13] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource + Record (RR)", RFC 3445, December 2002. + + +Author's Address + + Michael C. Richardson + Sandelman Software Works + 470 Dawson Avenue + Ottawa, ON K1Z 5V7 + CA + + EMail: mcr@sandelman.ottawa.on.ca + URI: http://www.sandelman.ottawa.on.ca/ + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 14] + +Internet-Draft ipsecrr September 2003 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2003). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Richardson Expires March 4, 2004 [Page 15] + diff --git a/doc/draft-spencer-ipsec-ike-implementation.nr b/doc/draft-spencer-ipsec-ike-implementation.nr new file mode 100644 index 000000000..5b5776e22 --- /dev/null +++ b/doc/draft-spencer-ipsec-ike-implementation.nr @@ -0,0 +1,1203 @@ +.\" date, expiry date, copyright year, and revision +.DA "26 Feb 2002" +.ds e "26 Aug 2002 +.ds c 2002 +.ds r 02 +.\" boilerplate +.pl 10i +.nr PL 10i +.po 0 +.nr PO 0 +.ll 7.2i +.nr LL 7.2i +.lt 7.2i +.nr LT 7.2i +.hy 0 +.nr HY 0 +.ad l +.nr PD 1v +.\" macros for paragraph, section header, reference, TOC +.de P +.br +.LP +.in 3 +.. +.de H +.br +.ne 5 +.LP +.in 0 +.. +.de R +.IP " [\\$1]" 14 +.. +.de T +.ie \\$1=1 \{\ +.nf +.ta \n(LLu-3nR +.\} +.el \{\ +.fi +.\} +.. +.de S +.ie '\\$1'' \\$2 \a \\$3 +.el \\$1. \\$2 \a \\$3 +.. +.\" headers/footers +.ds LH "Internet Draft +.ds CH "IKE Implementation Issues +.ds RH "\*(DY +.ds LF "Spencer & Redelmeier +.ds CF " +.ds RF "[Page %] +.\" and let's get started +.RT +.nf +.tl 'Network Working Group''Henry Spencer' +.tl 'Internet Draft''SP Systems' +.tl 'Expires: \*e''D. Hugh Redelmeier' +.tl '''Mimosa Systems' +.tl '''\*(DY' +.sp +.ce 99 +IKE Implementation Issues + +.ce 0 +.H +Status of this Memo +.P +This document is an Internet-Draft and is in full conformance with +all provisions of Section 10 of RFC2026. +.P +(If approved as an Informational RFC...) +This memo provides information for the Internet community. +This memo does not specify an Internet standard of any kind. +.P +Distribution of this memo is unlimited. +.P +Internet-Drafts are working documents of the Internet Engineering +Task Force (IETF), its areas, and its working groups. +Note that +other groups may also distribute working documents as Internet-Drafts. +.P +Internet-Drafts are draft documents valid for a maximum of six months +and may be updated, replaced, or obsoleted by other documents at any +time. +It is inappropriate to use Internet-Drafts as reference +material or to cite them other than as "work in progress." +.P +The list of current Internet-Drafts can be accessed at +http://www.ietf.org/ietf/1id-abstracts.txt. +.P +The list of Internet-Draft Shadow Directories can be accessed at +http://www.ietf.org/shadow.html. +.P +This Internet-Draft will expire on \*e. +.H +Copyright Notice +.P +Copyright (C) The Internet Society \*c. All Rights Reserved. +.bp +.H +Table of Contents +.P +.T 1 +.S "1" "Introduction" "3" +.S "2" "Lower-level Background and Notes" "4" +.S "2.1" "Packet Handling" "4" +.S "2.2" "Ciphers" "5" +.S "2.3" "Interfaces" "5" +.S "3" "IKE Infrastructural Issues" "5" +.S "3.1" "Continuous Channel" "5" +.S "3.2" "Retransmission" "5" +.S "3.3" "Replay Prevention" "6" +.S "4" "Basic Keying and Rekeying" "7" +.S "4.1" "When to Create SAs" "7" +.S "4.2" "When to Rekey" "8" +.S "4.3" "Choosing an SA" "9" +.S "4.4" "Why to Rekey" "9" +.S "4.5" "Rekeying ISAKMP SAs" "10" +.S "4.6" "Bulk Negotiation" "10" +.S "5" "Deletions, Teardowns, Crashes" "11" +.S "5.1" "Deletions" "11" +.S "5.2" "Teardowns and Shutdowns" "12" +.S "5.3" "Crashes" "13" +.S "5.4" "Network Partitions" "13" +.S "5.5" "Unknown SAs" "14" +.S "6" "Misc. IKE Issues" "16" +.S "6.1" "Groups 1 and 5" "16" +.S "6.2" "To PFS Or Not To PFS" "16" +.S "6.3" "Debugging Tools, Lack Thereof" "16" +.S "6.4" "Terminology, Vagueness Thereof" "17" +.S "6.5" "A Question of Identity" "17" +.S "6.6" "Opportunistic Encryption" "17" +.S "6.7" "Authentication and RSA Keys" "17" +.S "6.8" "Misc. Snags" "18" +.S "7" "Security Considerations" "19" +.S "8" "References" "19" +.S "" "Authors' Addresses" "20" +.S "" "Full Copyright Statement" "21" +.T 0 +.bp +.H +Abstract +.P +The current IPsec specifications for key exchange and connection management, +RFCs 2408 [ISAKMP] and 2409 [IKE], +leave many aspects of connection management unspecified, +most prominently rekeying practices. +Pending clarifications in future revisions of the specifications, +this document sets down some successful experiences, +to minimize the extent to which new implementors have to rely +on unwritten folklore. +.P +The Linux FreeS/WAN implementation of IPsec interoperates +with almost every other IPsec implementation. +This document describes how the FreeS/WAN project has resolved +some of the gaps in the IPsec specifications +(and plans to resolve some others), +and what difficulties have been encountered, +in hopes that this generally-successful experience +might be informative to new implementors. +.P +This is offered as an Informational RFC. +.P +This -\*r revision mainly: +discusses ISAKMP SA expiry during IPsec-SA rekeying (4.5), +revises the discussion of bidirectional Deletes (5.1), +suggests remembering the parameters of successful negotiations +for later use (4.2, 5.3), +notes an unsuccessful negotiation from the other end as a hint of a possibly +broken connection (5.5), +and adds sections on network partitions (5.4), +authentication methods and the subtleties of RSA public keys (6.7), +and miscellaneous interoperability concerns (6.8). +.H +1. Introduction +.P +The current IPsec specifications for key exchange and connection management, +RFCs 2408 [ISAKMP] and 2409 [IKE], +leave many aspects of connection management unspecified, +most prominently rekeying practices. +This is a cryptic puzzle which +each group of implementors has to struggle with, +and differences in how the ambiguities and gaps are resolved are +potentially a fruitful source of interoperability problems. +We can hope that future revisions of the specifications will clear this up. +Meanwhile, it seems useful to set down some successful experiences, +to minimize the extent to which new implementors have to rely +on unwritten folklore. +.P +The Linux FreeS/WAN implementation of IPsec interoperates +with almost every other IPsec implementation, +and because of its free nature, +it also sees some use as a reference implementation by other implementors. +The high degree of interoperability is noteworthy +given its organizers' strong minimalist bias, +which has caused them to implement only +a small subset of the full glory of IPsec. +This document describes how the FreeS/WAN project has resolved +some of the gaps in the IPsec specifications +(and plans to resolve some others), +and what difficulties have been encountered, +in hopes that this generally-successful experience +might be informative to new implementors. +.P +One small caution about applicability: +this experience may not be relevant +to severely resource-constrained implementations. +FreeS/WAN's target environment is previous-generation PCs, +now available at trivial cost (often, +within an organization, at no cost), +which have quite impressive CPU power and memory by the standards +of only a few years ago. +Some of the approaches discussed here may be inapplicable to +implementations with severe external constraints which prevent them +from taking advantage of modern hardware technology. +.H +2. Lower-level Background and Notes +.H +2.1. Packet Handling +.P +FreeS/WAN implements ESP [ESP] and AH [AH] straightforwardly, +although AH sees little use among our users. +Our ESP/AH implementation cannot currently handle packets +with IP options; +somewhat surprisingly, this has caused little difficulty. +We insist on encryption and do not support authentication-only +connections, and this has not caused significant difficulty either. +.P +MTU and fragmentation issues, by contrast, have been a constant headache. +We will not describe the details of our current approach to them, +because it still needs work. +One difficulty we have encountered is that many combinations of +packet source and packet destination +apparently cannot cope with an "interior minimum" in the path MTU, +e.g. where an IPsec tunnel intervenes and its headers reduce the MTU +for an intermediate link. +This is particularly prevalent when using common PC software to +connect to large well-known web sites; +we think it is largely due to +misconfigured firewalls which do not pass ICMP +Fragmentation Required messages. +The only solution we have yet found is to lie about the MTU of the tunnel, +accepting the (undesirable) fragmentation of the ESP packets +for the sake of preserving connectivity. +.P +We currently zero out the TOS field of ESP packets, +rather than copying it from the inner header, +on the grounds that it lends itself too well to traffic analysis +and covert channels. +We provide an option to restore RFC 2401 [IPSEC] copying behavior, +but this appears to see little use. +.H +2.2. Ciphers +.P +We initially implemented both DES [DES] and 3DES [CIPHERS] for both +IKE and ESP, +but after the Deep Crack effort [CRACK] demonstrated its inherent insecurity, +we dropped support for DES. +Somewhat surprisingly, +our insistence on 3DES has caused almost no interoperability problems, +despite DES being officially mandatory. +A very few other systems either do not support 3DES or support it only +as an optional upgrade, +which inconveniences a few would-be users. +There have also been one or two cases of systems +which don't quite seem to know the difference! +.P +See also section 6.1 for a consequence of our insistence on 3DES. +.H +2.3. Interfaces +.P +We currently employ PF_KEY version 2 [PFKEY], +plus various non-standard extensions, +as our interface between keying and ESP. +This has not proven entirely satisfactory. +Our feeling now is that keying issues and policy issues +do not really lend +themselves to the clean separation that PF_KEY envisions. +.H +3. IKE Infrastructural Issues +.P +A number of problems in IPsec connection management become easier if +some attention is first paid to providing an infrastructure +to support solving them. +.H +3.1. Continuous Channel +.P +FreeS/WAN uses an approximation to the "continuous channel" model, +in which ISAKMP SAs are maintained between IKEs +so long as any IPsec SAs are open between the two systems. +The resource consumption of this is minor: +the only substantial overhead is occasional rekeying. +IPsec SA management becomes significantly simpler if there is always +a channel for transmission of control messages. +We suggest (although we do not yet fully implement this) that +inability to maintain (e.g., to rekey) this control path +should be grounds for tearing down the IPsec SAs as well. +.P +As a corollary of this, +there is one and only one ISAKMP SA maintained between a pair of IKEs +(although see sections 5.3 and 6.5 for minor complications). +.H +3.2. Retransmission +.P +The unreliable nature of UDP transmission is a nuisance. +IKE implementations should always be prepared to retransmit the most recent +message they sent on an ISAKMP SA, +since there is some possibility that the other end did not get it. +This means, in particular, +that the system sending the supposedly-last message of an exchange +cannot relax and assume that the exchange is complete, +at least not until a significant timeout has elapsed. +.P +Systems must also retain information about the message most recently received +in an exchange, +so that a duplicate of it can be detected +(and possibly interpreted as a NACK for the response). +.P +The retransmission rules FreeS/WAN follows are: +(1) if a reply is expected, retransmit only if it does not appear +before a timeout; +and (2) if a reply is not expected (last message of the exchange), +retransmit only on receiving a retransmission of the previous message. +Notably, in case (1) we do NOT retransmit on receiving a retransmission, +which avoids possible congestion problems arising from packet duplication, +at the price of slowing response to packet loss. +The timeout for case (1) is 10 seconds for the first retry, +20 seconds for the second, and 40 seconds for all subsequent +retries (normally only one, +except when +configuration settings call for persistence and the message is +the first message of Main Mode with a new peer). +These retransmission rules have been entirely successful. +.P +(Michael Thomas of Cisco has pointed out that the retry timeouts should +include some random jitter, to de-synchronize hosts which are +initially synchronized by, e.g., a power outage. +We already jitter our rekeying times, +as noted in section 4.2, +but that does not help with initial startup. +We're implementing jittered retries, +but cannot yet report on experience with this.) +.P +There is a deeper problem, of course, when an entire "exchange" consists +of a single message, +e.g. the ISAKMP Informational Exchange. +Then there is no way to decide whether or when a retransmission is +warranted at all. +This seems like poor design, to put it mildly +(and there is now talk of fixing it). +We have no experience in dealing with this problem at this time, +although it is part of the reason why we have delayed implementing +Notification messages. +.H +3.3. Replay Prevention +.P +The unsequenced nature of UDP transmission is also troublesome, +because it means that higher levels must consider the possibility +of replay attacks. +FreeS/WAN takes the position that systematically eliminating this +possibility at a low level is strongly preferable to forcing careful +consideration of possible impacts at every step of an exchange. +RFC 2408 [ISAKMP] section 3.1 states that the Message ID of an +ISAKMP message must be "unique". +FreeS/WAN interprets this literally, +as forbidding duplication of Message IDs +within the set of all messages sent via a single ISAKMP SA. +.P +This requires remembering all Message IDs until the ISAKMP SA is +superseded by rekeying, +but that is not costly (four bytes per sent or received message), +and it ELIMINATES replay attacks from consideration; +we believe this investment of resources is well worthwhile. +If the resource consumption becomes excessive\(emin our experience +it has not\(emthe ISAKMP SA can be rekeyed early to collect the garbage. +.P +There is theoretically an interoperability problem when talking to +implementations which interpret "unique" more loosely +and may re-use Message IDs, +but it has not been encountered in practice. +This approach appears to be completely interoperable. +.P +The proposal by +Andrew Krywaniuk [REPLAY], +which advocates turning the Message ID into an anti-replay counter, +would achieve the same goal without the minor per-message memory overhead. +This may be preferable, +although it means an actual protocol change and more study is needed. +.H +4. Basic Keying and Rekeying +.H +4.1. When to Create SAs +.P +As Tim Jenkins [REKEY] pointed out, +there is a potential race condition in Quick Mode: +a fast lightly-loaded Initiator might start using IPsec SAs very +shortly after sending QM3 (the third and last message of Quick Mode), +while a slow heavily-loaded Responder might +not be ready to receive them until after spending +a significant amount of time creating its inbound SAs. +The problem is even worse if QM3 gets delayed or lost. +.P +FreeS/WAN's approach to this is what Jenkins called "Responder Pre-Setup": +the Responder creates its inbound IPsec SAs before it sends QM2, +so they are always ready and waiting +when the Initiator sends QM3 and begins sending traffic. +This approach is simple and reliable, +and in our experience it interoperates with everybody. +(There is potentially still a problem if FreeS/WAN is the Initiator +and the Responder does not use Responder Pre-Setup, +but no such problems have been seen.) +The only real weakness of Responder Pre-Setup +is the possibility of replay attacks, +which we have eliminated by other means (see section 3.3). +.P +With this approach, the Commit Bit is useless, +and we ignore it. +In fact, until quite recently we discarded any IKE message containing it, +and this caused surprisingly few interoperability problems; +apparently it is not widely used. +We have recently been persuaded that simply ignoring it is preferable; +preliminary experience with this indicates that the result is successful +interoperation with implementations which set it. +.H +4.2. When to Rekey +.P +To preserve connectivity for user traffic, +rekeying of a connection +(that is, creation of new IPsec SAs to supersede the current ones) +must begin before its current IPsec SAs expire. +Preferably one end should predictably start rekeying negotiations first, +to avoid the extra overhead of two simultaneous negotiations, +although either end should be prepared to rekey if the other does not. +There is also a problem with "convoys" of keying negotiations: +for example, a "hub" gateway with many IPsec connections +can be inundated with rekeying negotiations +exactly one connection-expiry time after it reboots, +and the massive overload this induces tends to make this +situation self-perpetuating, +so it recurs regularly. +(Convoys can also evolve gradually from initially-unsynchronized negotiations.) +.P +FreeS/WAN has the concept of a "rekeying margin", measured in seconds. +If FreeS/WAN was the Initiator for the previous rekeying +(or the startup, if none) of the connection, +it nominally starts rekeying negotiations at expiry time +minus one rekeying margin. +Some random jitter is added to break up convoys: +rather than starting rekeying exactly at minus one margin, +it starts at a random time between minus one margin +and minus two margins. +(The randomness here need not be cryptographic in quality, +so long as it varies over time and between hosts. +We use an ordinary PRNG seeded with a few bytes from a cryptographic +randomness source. +The seeding mostly just ensures that the PRNG sequence is different +for different hosts, even if they start up simultaneously.) +.P +If FreeS/WAN was the Responder for the previous rekeying/startup, +and nothing has been heard from the previous Initiator +at expiry time minus one-half the rekeying margin, +FreeS/WAN will initiate rekeying negotiations. +No jitter is applied; +we now believe that it should be jittered, +say between minus one-half margin and minus one-quarter margin. +.P +Having the Initiator lead the way is an obvious way of deciding +who should speak first, +since there is already an Initiator/Responder asymmetry in the connection. +Moreover, our experience has been that Initiator lead gives a significantly +higher probability of successful negotiation! +The negotiation process itself is asymmetric, +because the Initiator must make a few specific proposals which the Responder +can only accept or reject, +so the Initiator must try to guess where its "acceptable" region +(in parameter space) +might overlap with the Responder's. +We have seen situations where negotiations would succeed or fail +depending on which end initiated them, +because one end was making better guesses. +Given an existing connection, +we KNOW that the previous Initiator WAS able to initiate a successful +negotiation, +so it should (if at all possible) take the lead again. +Also, the Responder should remember the Initiator's successful proposal, +and start from that +rather than from his own default proposals if he must take the lead; +we don't currently implement this completely but plan to. +.P +FreeS/WAN defaults the rekeying margin to 9 minutes, +although this can be changed by configuration. +There is also +a configuration option to alter the permissible range of jitter. +The defaults were chosen somewhat arbitrarily, +but they work extremely well +and the configuration options are rarely used. +.H +4.3. Choosing an SA +.P +Once rekeying has occurred, +both old and new IPsec SAs for the connection exist, +at least momentarily. +FreeS/WAN accepts incoming traffic +on either old or new inbound SAs, +but sends outgoing traffic only on the new outbound ones. +This approach appears to be significantly more robust than +using the old ones until they expire, +notably in cases where renegotiation has occurred because something has +gone wrong on the other end. +It avoids having to pay meticulous attention to the state of the other end, +state which is difficult to learn reliably given the limitations of IKE. +.P +This approach has interoperated successfully with ALMOST all other +implementations. +The only (well-characterized) problem cases have been implementations +which rely on receiving a Delete message for the old SAs to tell them +to switch over to the new ones. +Since delivery of Delete is unreliable, +and support for Delete is optional, +this reliance seems like a serious mistake. +This is all the more true because Delete +announces that the deletion has +already occurred [ISAKMP, section 3.15], not that it is about to occur, +so packets already in transit in the other direction could be lost. +Delete should be used for resource cleanup, not for switchover control. +(These matters are discussed further in section 5.) +.H +4.4. Why to Rekey +.P +FreeS/WAN currently implements only time-based expiry (life in seconds), +although we are working toward +supporting volume-based expiry (life in kilobytes) as well. +The lack of volume-based expiry has not been an interoperability +problem so far. +.P +Volume-based expiry does add some minor complications. +In particular, it makes explicit Delete of now-disused SAs more important, +because once an SA stops being used, +it might not expire on its own. +We believe this lacks robustness and is generally unwise, +especially given the lack of a reliable Delete, +and expect to use volume-based expiry only as a supplement +to time-based expiry. +However, Delete support (see section 5) does seem advisable +for use with volume-based expiry. +.P +We do not believe that volume-based expiry alters the desirability +of switching immediately to the new SAs after rekeying. +Rekeying margins are normally a small fraction of the total life of an SA, +so we feel there is no great need to "use it all up". +.H +4.5. Rekeying ISAKMP SAs +.P +The above discussion has focused on rekeying for IPsec SAs, +but FreeS/WAN applies the same approaches to rekeying for ISAKMP SAs, +with similar success. +.P +One issue which we have noticed, but not explicitly dealt with, +is that difficulties may ensue if an IPsec-SA rekeying negotiation +is in progress at the time when the relevant ISAKMP SA gets rekeyed. +The IKE specification [IKE] hints, but does not actually say, +that a Quick Mode negotiation should remain on a single ISAKMP SA throughout. +.P +A reasonable rekeying margin will generally +prevent the old ISAKMP SA from actually expiring during a negotiation. +Some attention may be needed to prevent in-progress negotiations from +being switched to the new ISAKMP SA. +Any attempt at pre-expiry deletion of the ISAKMP SA must be postponed +until after such dangling negotiations are completed, +and there should be enough delay between ISAKMP-SA rekeying and a +deletion attempt to (more or less) +ensure that there are no negotiation-starting packets still in transit +from before the rekeying. +.P +At present, FreeS/WAN does none of this, +and we don't KNOW of any resulting trouble. +With normal lifetimes, the problem should be uncommon, +and we speculate that an occasional disrupted negotiation simply gets retried. +.H +4.6. Bulk Negotiation +.P +Quick Mode nominally provides for negotiating possibly-large numbers of +similar but unrelated IPsec SAs simultaneously +[IKE, section 9]. +Nobody appears to do this. +FreeS/WAN does not support it, and its absence has caused no problems. +.H +5. Deletions, Teardowns, Crashes +.P +FreeS/WAN currently ignores all Notifications and Deletes, +and never generates them. +This has caused little difficulty in interoperability, +which shouldn't be surprising (since Notification and Delete support is +officially entirely optional) but does seem to surprise some people. +Nevertheless, we do plan some changes to this approach +based on past experience. +.H +5.1. Deletions +.P +As hinted at above, +we plan to implement Delete support, done as follows. +Shortly after rekeying of IPsec SAs, +the Responder issues a Delete for its old inbound SAs +(but does not actually delete them yet). +The Responder initiates this because the Initiator started using the +new SAs on sending QM3, while the Responder started using them only +on (or somewhat after) receiving QM3, +so there is less chance of old-SA packets still being in transit from +the Initiator. +The Initiator issues an unsolicited Delete only if it does not hear one +from the Responder after a longer delay. +.P +Either party, on receiving a Delete +for one or more of the old outbound SAs of a connection, +deletes ALL the connection's SAs, +and acknowledges with a Delete for the old inbound SAs. +A Delete for nonexistent SAs +(e.g., SAs which have already been expired or deleted) is ignored. +There is no retransmission of unacknowledged Deletes. +.P +In the normal case, +with prompt reliable transmission (except possibly for loss of the +Responder's initial Delete) +and conforming implementations +on both ends, this results in three Deletes being transmitted, +resembling the classic three-way handshake. +Loss of a Delete after the first, or multiple losses, +will cause the SAs not to be deleted on at least one end. +It appears difficult to do much better without at least +a distinction between request and acknowledgement. +.P +RFC 2409 section 9 "strongly suggests" that there be no response to +informational messages such as Deletes, +but the only rationale offered is prevention of infinite loops +endlessly exchanging "I don't understand you" informationals. +Since Deletes cannot lead to such a loop +(and in any case, the nonexistent-SA rule prevents more than one +acknowledgement for the same connection), +we believe this recommendation is inapplicable here. +.P +As noted in section 4.3, these Deletes are intended for +resource cleanup, not to control switching between SAs. +But we expect that they will improve interoperability +with some broken implementations. +.P +We believe strongly that connections need to be considered as a whole, +rather than treating each SA as an independent entity. +We will issue Deletes only for the full set of inbound SAs of +a connection, +and will treat a Delete for any outbound SA as equivalent to deletion +of all the outbound SAs for the associated connection. +.P +The above is phrased in terms of IPsec SAs, +but essentially the same approach can be applied to ISAKMP SAs +(the Deletes for the old ISAKMP SA should be sent via the new one). +.H +5.2. Teardowns and Shutdowns +.P +When a connection is not intended to be up permanently, +there is a need to coordinate teardown, +so that both ends are aware that the connection is down. +This is both for recovery of resources, +and to avoid routing packets through +dangling SAs which can no longer deliver them. +.P +Connection teardown will use the same bidirectional exchange of Deletes +as discussed in section 5.1: +a Delete received for current IPsec SAs (not yet obsoleted by rekeying) +indicates that the other host wishes to tear down the associated connection. +.P +A Delete received for a current ISAKMP SA indicates that the other host +wishes to tear down not only the ISAKMP SA but also all IPsec SAs +currently under the supervision of that ISAKMP SA. +The 5.1 bidirectional exchange might seem impossible in this case, +since reception of an ISAKMP-SA Delete indicates that the other end +will ignore further traffic on that ISAKMP SA. +We suggest using the same tactic discussed in 5.1 for IPsec SAs: +the first Delete is sent without actually doing the deletion, +and the response to receiving a Delete is to do the deletion and reply +with another Delete. +If there is no response to the first Delete, +retry a small number of times and then give up and do the deletion; +apart from being robust against packet loss, +this also maximizes the probability that an implementation which does +not do the bidirectional Delete will receive at least one of the Deletes. +.P +When a host with current connections knows that it is about to shut down, +it will issue Deletes for all SAs involved (both IPsec and ISAKMP), +advising its peers (as per the meaning of Delete [ISAKMP, section 3.15]) +that the SAs have become useless. +It will ignore attempts at rekeying or connection startup thereafter, +until it shuts down. +.P +It would be better to have a Final-Contact notification, +analogous to Initial-Contact but indicating that no new negotiations +should be attempted until further notice. +Initial-Contact actually could be used for shutdown notification (!), +but in networks where connections are intended to exist permanently, +it seems likely to provoke unwanted attempts +to renegotiate the lost connections. +.H +5.3. Crashes +.P +Systems sometimes crash. +Coping with the resulting loss of information is easily the most +difficult problem we have found in implementing robust IPsec systems. +.P +When connections are intended to be permanent, +it is simple to specify renegotiation on reboot. +With our approach to SA selection (see section 4.3), +this handles such cases robustly and well. +We do have to tell users that BOTH hosts should be set this way. +In cases where crashes are synchronized (e.g. by power interruptions), +this may result in simultaneous negotiations at reboot. +We currently allow both negotiations to proceed to completion, +but our use-newest selection method +effectively ignores one connection or the other, +and when one of them rekeys, +we notice that the new SAs replace those of both old connections, +and we then refrain from rekeying the other. +(This duplicate detection is desirable in any event, for robustness, +to ensure that the system converges on a reasonable state eventually +after it is perturbed by difficulties or bugs.) +.P +When connections are not permanent, the situation is less happy. +One particular situation in which we see problems is when a number of +"Road Warrior" hosts occasionally call in to a central server. +The server is normally configured not to initiate such connections, +since it does not know when the Road Warrior is available (or what IP +address it is using). +Unfortunately, if the server crashes and reboots, +any Road Warriors then connected have a problem: +they don't know that the server has crashed, +so they can't renegotiate, +and the server has forgotten both the connections and +their (transient) IP addresses, +so it cannot renegotiate. +.P +We believe that the simplest answer to this problem is what John Denker +has dubbed "address inertia": +the server makes a best-effort attempt to remember (in nonvolatile storage) +which connections were active and what the far-end addresses were +(and what the successful proposal's parameters were), +so that it can attempt renegotiation on reboot. +We have not implemented this yet, but intend to; +Denker has implemented it himself, +although in a somewhat messy way, +and reports excellent results. +.H +5.4. Network Partitions +.P +A network partition, making the two ends unable to reach each other, +has many of the same characteristics as having the other end crash... until +the network reconnects. +It is desirable that recovery from this be automatic. +.P +If the network reconnects before any rekeying attempts +or other IKE activities occurred, +recovery is fully transparent, +because the IKEs have no idea that there was any problem. +(Complaints such as ICMP Host Unreachable messages are unauthenticated +and hence cannot be given much weight.) +This fits the general mold of TCP/IP: +if nobody wanted to send any traffic, a network outage doesn't matter. +.P +If IKE activity did occur, +the IKE implementation will discover that the other end doesn't seem +to be responding. +The preferred response to this depends on the nature of the connection. +If it was intended to be ephemeral (e.g. opportunistic encryption [OE]), +closing it down after a few retries is reasonable. +If the other end is expected to sometimes drop the connection without +warning, it may not be desirable to retry at all. +(We support both these forms of configurability, +and indeed we also have a configuration option to suppress +rekeying entirely on one end.) +.P +If the connection was intended to be permanent, however, +then persistent attempts to re-establish it are appropriate. +Some degree of backoff is appropriate here, +so that retries get less frequent as the outage gets prolonged. +Backoff should be limited, +so that re-established connectivity is not followed by a long delay +before a retry. +Finally, after many retries (say 24 hours' worth), +it may be preferable to just declare the connection down and rely +on manual intervention to re-establish it, +should this be desirable. +We do not yet fully support all this. +.H +5.5. Unknown SAs +.P +A more complete solution to crashes +would be for an IPsec host to note the arrival +of ESP packets on an unknown IPsec SA, +and report it somehow to the other host, which can then decide to renegotiate. +This arguably might be preferable in any case\(emif +the non-rebooted host has no traffic to send, +it does not care whether the connection is intact\(embut +delays and packet loss will be reduced +if the connection is renegotiated BEFORE there is traffic for it. +So unknown-SA detection is best reserved as a fallback method, +with address inertia used to deal with most such cases. +.P +A difficulty with unknown-SA detection is, +just HOW should the other host be notified? +IKE provides no good way to do the notification: +Notification payloads (e.g., Initial-Contact) are unauthenticated +unless they are sent under protection of an ISAKMP SA. +A "Security Failures - Bad SPI" ICMP message [SECFAIL] +is an interesting alternative, +but has the disadvantage of likewise being unauthenticated. +It's fundamentally unlikely that there is a simple solution to this, +given that almost any way of arranging or checking authentication for such a +notification is costly. +.P +We think the best answer to this is a two-step approach. +An unauthenticated Initial-Contact or +Security Failures - Bad SPI cannot be taken as a reliable +report of a problem, +but can be taken as a hint that a problem MIGHT exist. +Then there needs to be some reliable way of checking such hints, +subject to rate limiting since the checks are likely to be costly +(and checking the same connection repeatedly at short intervals is unlikely +to be worthwhile anyway). +So the rebooted host sends the notification, +and the non-rebooted host\(emwhich still thinks it has a connection\(emchecks +whether the connection still works, +and renegotiates if not. +.P +Also, if an IPsec host which believes it has a connection to another host +sees an unsuccessful attempt by that host to negotiate a new one, +that is also a hint of possible problems, +justifying a check and possible renegotiation. +("Unsuccessful" here means a negotiation failure due to lack of a +satisfactory proposal. +A failure due to authentication failure +suggests a denial-of-service attack by a third party, +rather than a genuine problem on the legitimate other end.) +As noted in section 4.2, +it is possible for negotiations to succeed or fail based on which +end initiates them, and some robustness against that is desirable. +.P +We have not yet decided what form the notification should take. +IKE Initial-Contact is an obvious possibility, +but has some disadvantages. +It does not specify which connection has had difficulties. +Also, the specification [IKE section 4.6.3.3] +refers to "remote system" and "sending system" +without clearly specifying just what "system" means; +in the case of a multi-homed host using multiple forms of identification, +the question is not trivial. +Initial-Contact does have the fairly-decisive advantage +that it is likely to convey the right general +meaning even to an implementation which does not do things +exactly the way ours does. +.P +A more fundamental difficulty is what form the reliable check takes. +What is wanted is an "IKE ping", +verifying that the ISAKMP SA is still intact +(it being unlikely that IPsec SAs have been lost while the ISAKMP SA has not). +The lack of such a facility is a serious failing of IKE. +An acknowledged Notification of some sort would be ideal, +but there is none at present. +Some existing implementations are known +to use the private Notification values 30000 as ping +and 30002 as ping reply, +and that seems the most attractive choice at present. +If it is not recognized, there will probably be no reply, +and the result will be an unnecessary renegotiation, +so this needs strict rate limiting. +(Also, when a new connection is set up, +it's probably worth determining by experiment whether the other end +supports IKE ping, and remembering that.) +.P +While we think this facility is desirable, +and is about the best that can be done with the poor tools available, +we have not gotten very far in implementation and cannot comment +intelligently about how well it works or interoperates. +.H +6. Misc. IKE Issues +.H +6.1. Groups 1 and 5 +.P +We have dropped support for the first Oakley Group (group 1), +despite it being officially mandatory, +on the grounds that it is +grossly too weak to provide enough randomness for 3DES. +There have been some interoperability problems, +mostly quite minor: +ALMOST everyone supports group 2 as well, +although sometimes it has to be explicitly configured. +.P +We also support the quasi-standard group 5 [GROUPS]. +This has not been seriously exercised yet, +because historically +we offered group 2 first and almost everyone accepted it. +We have recently changed to offering group 5 first, +and no difficulties have been reported. +.H +6.2. To PFS Or Not To PFS +.P +A persistent small interoperability problem is that +the presence or absence of PFS (for keys [IKE, section 5.5]) +is neither negotiated nor announced. +We have it enabled by default, +and successful interoperation often requires having +the other end turn it on in their implementation, +or having the FreeS/WAN end disable it. +Almost everyone supports it, but it's usually not the default, +and interoperability is often impossible unless the two ends +somehow reach prior agreement on it. +.P +We do not explicitly support the other flavor of PFS, +for identities [IKE, section 8], +and this has caused no interoperability problems. +.H +6.3. Debugging Tools, Lack Thereof +.P +We find IKE lacking in basic debugging tools. +Section 5.4, above, +notes that an IKE ping would be useful for connectivity verification. +It would also be extremely helpful for determining that UDP/500 +packets get back and forth successfully between the two ends, +which is often an important first step in debugging. +.P +It's also quite common to have IKE negotiate a connection successfully, +but to have some firewall along the way blocking ESP. +Users find this mysterious and difficult to diagnose. +We have no immediate suggestions on what could be done about it. +.H +6.4. Terminology, Vagueness Thereof +.P +The terminology of IPsec needs work. +We feel that both the specifications and user-oriented +documentation would be greatly clarified by concise, intelligible names for +certain concepts. +.P +We semi-consistently use "group" for the set of IPsec SAs which are +established in one direction +by a single Quick Mode negotiation and are used together +to process a packet (e.g., an ESP SA plus an AH SA), +"connection" for the logical packet path provided +by a succession of pairs of groups +(each rekeying providing a new pair, one group in each direction), +and "keying channel" for the corresponding supervisory path provided +by a sequence of ISAKMP SAs. +.P +We think it's a botch that "PFS" is used to refer to two very different things, +but we have no specific new terms to suggest, since we only implement +one kind of PFS and thus can just ignore the other. +.H +6.5. A Question of Identity +.P +One specification problem deserves note: +exactly when can an existing phase 1 negotiation +be re-used for a new phase 2 negotiation, +as IKE [IKE, section 4] specifies? +Presumably, +when it connects the same two "parties"... but exactly what is a "party"? +.P +As noted in section 5.4, +in cases involving multi-homing and multiple identities, +it's not clear exactly what criteria are used for deciding +whether the intended far end for a new negotiation is the same one +as for a previous negotiation. +Is it by Identification Payload? +By IP address? +Or what? +.P +We currently use a somewhat-vague notion of "identity", +basically what gets sent in Identification Payloads, +for this, and this seems to be successful, +but we think this needs better specification. +.H +6.6. Opportunistic Encryption +.P +Further IKE challenges appear in the context of Opportunistic Encryption +[OE], +but operational experience with it is too limited as yet for us +to comment usefully right now. +.H +6.7. Authentication and RSA Keys +.P +We provide two IKE authentication methods: +shared secrets ("pre-shared keys") +and RSA digital signatures. +(A user-provided add-on package generalizes the latter to limited +support for certificates; +we have not worked extensively with it ourselves yet and cannot comment +on it yet.) +.P +Shared secrets, despite their administrative difficulties, +see considerable use, +and are also the method of last resort for interoperability problems. +.P +For digital signatures, +we have taken the somewhat unorthodox approach of using "bare" RSA public keys, +either supplied in configuration files or fetched from DNS, +rather than getting involved in the complexity of certificates. +We encode our RSA public keys using the DNS KEY encoding [DNSRSA] +(aka "RFC 2537", although that RFC is now outdated), +which has given us no difficulties and which we highly recommend. +We have seen two difficulties in connection with RSA keys, however. +.P +First, +while a number of IPsec implementations are able to take "bare" RSA public keys, +each one seems to have its own idea of what format should be used +for transporting them. +We've had little success with interoperability here, +mostly because of key-format issues; +the implementations generally WILL interoperate successfully if you can +somehow get an RSA key into them at all, but that's hard. +X.509 certificates seem to be the lowest (!) +common denominator for key transfer. +.P +Second, +although the content of RSA public keys has been stable, +there has been a small but subtle change over time in the content +of RSA private keys. +The "internal modulus", +used to compute the private exponent "d" from the public exponent "e" +(or vice-versa) +was originally [RSA] [PKCS1v1] [SCHNEIER] specified to be (p-1)*(q-1), +where p and q are the two primes. +However, more recent definitions [PKCS1v2] call it +"lambda(n)" and define it to be lcm(p-1,\ q-1); +this appears to be a minor optimization. +The result is that private keys generated with the new definition +often fail consistency checks in implementations using the old definition. +Fortunately, it is seldom necessary to move private keys around. +Our software now consistently uses the new definition +(and thus will accept keys generated with either definition), +but our key generator also has an option to generate old-definition keys, +for the benefit of users who upgrade their networks incrementally. +.H +6.8. Misc. Snags +.P +Nonce size is another characteristic that is neither negotiated nor announced +but that the two ends must somehow be able to agree on. +Our software accepts anything between 8 and 256, and defaults to 16. +These numbers were chosen rather arbitrarily, +but we have seen no interoperability failures here. +.P +Nothing in the ISAKMP [ISAKMP] or IKE [IKE] specifications says +explicitly that a normal Message ID must be non-zero, +but a zero Message ID in fact causes failures. +.P +Similarly, there is nothing in the specs which says that ISAKMP cookies +must be non-zero, but zero cookies will in fact cause trouble. +.H +7. Security Considerations +.P +Since this document discusses aspects of building robust and +interoperable IPsec implementations, +security considerations permeate it. +.H +8. References +.R AH +Kent, S., and Atkinson, R., +"IP Authentication Header", +RFC 2402, +Nov 1998. +.R CIPHERS +Pereira, R., and Adams, R., +"The ESP CBC-Mode Cipher Algorithms", +RFC 2451, +Nov 1998. +.R CRACK +Electronic Frontier Foundation, +"Cracking DES: +Secrets of Encryption Research, Wiretap Politics and Chip Design", +O'Reilly 1998, +ISBN 1-56592-520-3. +.R DES +Madson, C., and Doraswamy, N., +"The ESP DES-CBC Cipher Algorithm", +RFC 2405, +Nov 1998. +.R DNSRSA +D. Eastlake 3rd, +"RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", +RFC 3110, +May 2001. +.R ESP +Kent, S., and Atkinson, R., +"IP Encapsulating Security Payload (ESP)", +RFC 2406, +Nov 1998. +.R GROUPS +Kivinen, T., and Kojo, M., +"More MODP Diffie-Hellman groups for IKE", +, +13 Dec 2001 (work in progress). +.R IKE +Harkins, D., and Carrel, D., +"The Internet Key Exchange (IKE)", +RFC 2409, Nov 1998. +.R IPSEC +Kent, S., and Atkinson, R., +"Security Architecture for the Internet Protocol", +RFC 2401, Nov 1998. +.R ISAKMP +Maughan, D., Schertler, M., Schneider, M., and Turner, J., +"Internet Security Association and Key Management Protocol (ISAKMP)", +RFC 2408, Nov 1998. +.R OE +Richardson, M., Redelmeier, D. H., and Spencer, H., +"A method for doing opportunistic encryption with IKE", +, +21 Feb 2002 (work in progress). +.R PKCS1v1 +Kaliski, B., +"PKCS #1: RSA Encryption, Version 1.5", +RFC 2313, March 1998. +.R PKCS1v2 +Kaliski, B., and Staddon, J., +"PKCS #1: RSA Cryptography Specifications, Version 2.0", +RFC 2437, Oct 1998. +.R PFKEY +McDonald, D., Metz, C., and Phan, B., +"PF_KEY Key Management API, Version 2", +RFC 2367, July 1998. +.R REKEY +Tim Jenkins, "IPsec Re-keying Issues", +, +2 May 2000 (draft expired, work no longer in progress). +.R REPLAY +Krywaniuk, A., +"Using Isakmp Message Ids for Replay Protection", +, +9 July 2001 +(work in progress). +.R RSA +Rivest, R.L., Shamir, A., and Adleman, L., +"A Method for Obtaining Digital Signatures and Public-Key +Cryptosystems", +Communications of the ACM v21n2, Feb 1978, p. 120. +.R SCHNEIER +Bruce Schneier, "Applied Cryptography", 2nd ed., +Wiley 1996, ISBN 0-471-11709-9. +.R SECFAIL +Karn, P., and Simpson, W., +"ICMP Security Failures Messages", +RFC 2521, +March 1999. +.H +Authors' Addresses +.P +.nf +.ne 8 +Henry Spencer +SP Systems +Box 280 Stn. A +Toronto, Ont. M5W1B2 +Canada + +henry@spsystems.net +416-690-6561 +.ne 8 +.sp 2 +D. Hugh Redelmeier +Mimosa Systems Inc. +29 Donino Ave. +Toronto, Ont. M4N2W6 +Canada + +hugh@mimosa.com +416-482-8253 +.bp +.H +Full Copyright Statement +.P +Copyright (C) The Internet Society \*c. All Rights +Reserved. + +This document and translations of it may be copied and +furnished to others, and derivative works that comment on or +otherwise explain it or assist in its implmentation may be +prepared, copied, published and distributed, in whole or in +part, without restriction of any kind, provided that the above +copyright notice and this paragraph are included on all such +copies and derivative works. However, this document itself may +not be modified in any way, such as by removing the copyright +notice or references to the Internet Society or other Internet +organizations, except as needed for the purpose of developing +Internet standards in which case the procedures for copyrights +defined in the Internet Standards process must be followed, or +as required to translate it into languages other than English. + +The limited permissions granted above are perpetual and will +not be revoked by the Internet Society or its successors or +assigns. + +This document and the information contained herein is provided +on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET +ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE +OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY +IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A +PARTICULAR PURPOSE. diff --git a/doc/draft-spencer-ipsec-ike-implementation.txt b/doc/draft-spencer-ipsec-ike-implementation.txt new file mode 100644 index 000000000..145c00ba8 --- /dev/null +++ b/doc/draft-spencer-ipsec-ike-implementation.txt @@ -0,0 +1,1232 @@ + + + +Network Working Group Henry Spencer +Internet Draft SP Systems +Expires: 26 Aug 2002 D. Hugh Redelmeier + Mimosa Systems + 26 Feb 2002 + + IKE Implementation Issues + + +Status of this Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026. + + (If approved as an Informational RFC...) This memo provides + information for the Internet community. This memo does not specify + an Internet standard of any kind. + + Distribution of this memo is unlimited. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on 26 Aug 2002. + +Copyright Notice + + Copyright (C) The Internet Society 2002. All Rights Reserved. + + + + + + + + + + +Spencer & Redelmeier [Page 1] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + +Table of Contents + + 1. Introduction ................................................... 3 + 2. Lower-level Background and Notes ............................... 4 + 2.1. Packet Handling .............................................. 4 + 2.2. Ciphers ...................................................... 5 + 2.3. Interfaces ................................................... 5 + 3. IKE Infrastructural Issues ..................................... 5 + 3.1. Continuous Channel ........................................... 5 + 3.2. Retransmission ............................................... 5 + 3.3. Replay Prevention ............................................ 6 + 4. Basic Keying and Rekeying ...................................... 7 + 4.1. When to Create SAs ........................................... 7 + 4.2. When to Rekey ................................................ 8 + 4.3. Choosing an SA ............................................... 9 + 4.4. Why to Rekey ................................................. 9 + 4.5. Rekeying ISAKMP SAs ......................................... 10 + 4.6. Bulk Negotiation ............................................ 10 + 5. Deletions, Teardowns, Crashes ................................. 11 + 5.1. Deletions ................................................... 11 + 5.2. Teardowns and Shutdowns ..................................... 12 + 5.3. Crashes ..................................................... 13 + 5.4. Network Partitions .......................................... 13 + 5.5. Unknown SAs ................................................. 14 + 6. Misc. IKE Issues .............................................. 16 + 6.1. Groups 1 and 5 .............................................. 16 + 6.2. To PFS Or Not To PFS ........................................ 16 + 6.3. Debugging Tools, Lack Thereof ............................... 16 + 6.4. Terminology, Vagueness Thereof .............................. 17 + 6.5. A Question of Identity ...................................... 17 + 6.6. Opportunistic Encryption .................................... 17 + 6.7. Authentication and RSA Keys ................................. 17 + 6.8. Misc. Snags ................................................. 18 + 7. Security Considerations ....................................... 19 + 8. References .................................................... 19 + Authors' Addresses ............................................... 20 + Full Copyright Statement ......................................... 21 + + + + + + + + + + + + + + +Spencer & Redelmeier [Page 2] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + +Abstract + + The current IPsec specifications for key exchange and connection + management, RFCs 2408 [ISAKMP] and 2409 [IKE], leave many aspects of + connection management unspecified, most prominently rekeying + practices. Pending clarifications in future revisions of the + specifications, this document sets down some successful experiences, + to minimize the extent to which new implementors have to rely on + unwritten folklore. + + The Linux FreeS/WAN implementation of IPsec interoperates with almost + every other IPsec implementation. This document describes how the + FreeS/WAN project has resolved some of the gaps in the IPsec + specifications (and plans to resolve some others), and what + difficulties have been encountered, in hopes that this generally- + successful experience might be informative to new implementors. + + This is offered as an Informational RFC. + + This -02 revision mainly: discusses ISAKMP SA expiry during IPsec-SA + rekeying (4.5), revises the discussion of bidirectional Deletes + (5.1), suggests remembering the parameters of successful negotiations + for later use (4.2, 5.3), notes an unsuccessful negotiation from the + other end as a hint of a possibly broken connection (5.5), and adds + sections on network partitions (5.4), authentication methods and the + subtleties of RSA public keys (6.7), and miscellaneous + interoperability concerns (6.8). + +1. Introduction + + The current IPsec specifications for key exchange and connection + management, RFCs 2408 [ISAKMP] and 2409 [IKE], leave many aspects of + connection management unspecified, most prominently rekeying + practices. This is a cryptic puzzle which each group of implementors + has to struggle with, and differences in how the ambiguities and gaps + are resolved are potentially a fruitful source of interoperability + problems. We can hope that future revisions of the specifications + will clear this up. Meanwhile, it seems useful to set down some + successful experiences, to minimize the extent to which new + implementors have to rely on unwritten folklore. + + The Linux FreeS/WAN implementation of IPsec interoperates with almost + every other IPsec implementation, and because of its free nature, it + also sees some use as a reference implementation by other + implementors. The high degree of interoperability is noteworthy + given its organizers' strong minimalist bias, which has caused them + to implement only a small subset of the full glory of IPsec. This + document describes how the FreeS/WAN project has resolved some of the + + + +Spencer & Redelmeier [Page 3] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + gaps in the IPsec specifications (and plans to resolve some others), + and what difficulties have been encountered, in hopes that this + generally-successful experience might be informative to new + implementors. + + One small caution about applicability: this experience may not be + relevant to severely resource-constrained implementations. + FreeS/WAN's target environment is previous-generation PCs, now + available at trivial cost (often, within an organization, at no + cost), which have quite impressive CPU power and memory by the + standards of only a few years ago. Some of the approaches discussed + here may be inapplicable to implementations with severe external + constraints which prevent them from taking advantage of modern + hardware technology. + +2. Lower-level Background and Notes + +2.1. Packet Handling + + FreeS/WAN implements ESP [ESP] and AH [AH] straightforwardly, + although AH sees little use among our users. Our ESP/AH + implementation cannot currently handle packets with IP options; + somewhat surprisingly, this has caused little difficulty. We insist + on encryption and do not support authentication-only connections, and + this has not caused significant difficulty either. + + MTU and fragmentation issues, by contrast, have been a constant + headache. We will not describe the details of our current approach + to them, because it still needs work. One difficulty we have + encountered is that many combinations of packet source and packet + destination apparently cannot cope with an "interior minimum" in the + path MTU, e.g. where an IPsec tunnel intervenes and its headers + reduce the MTU for an intermediate link. This is particularly + prevalent when using common PC software to connect to large well- + known web sites; we think it is largely due to misconfigured + firewalls which do not pass ICMP Fragmentation Required messages. + The only solution we have yet found is to lie about the MTU of the + tunnel, accepting the (undesirable) fragmentation of the ESP packets + for the sake of preserving connectivity. + + We currently zero out the TOS field of ESP packets, rather than + copying it from the inner header, on the grounds that it lends itself + too well to traffic analysis and covert channels. We provide an + option to restore RFC 2401 [IPSEC] copying behavior, but this appears + to see little use. + + + + + + +Spencer & Redelmeier [Page 4] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + +2.2. Ciphers + + We initially implemented both DES [DES] and 3DES [CIPHERS] for both + IKE and ESP, but after the Deep Crack effort [CRACK] demonstrated its + inherent insecurity, we dropped support for DES. Somewhat + surprisingly, our insistence on 3DES has caused almost no + interoperability problems, despite DES being officially mandatory. A + very few other systems either do not support 3DES or support it only + as an optional upgrade, which inconveniences a few would-be users. + There have also been one or two cases of systems which don't quite + seem to know the difference! + + See also section 6.1 for a consequence of our insistence on 3DES. + +2.3. Interfaces + + We currently employ PF_KEY version 2 [PFKEY], plus various non- + standard extensions, as our interface between keying and ESP. This + has not proven entirely satisfactory. Our feeling now is that keying + issues and policy issues do not really lend themselves to the clean + separation that PF_KEY envisions. + +3. IKE Infrastructural Issues + + A number of problems in IPsec connection management become easier if + some attention is first paid to providing an infrastructure to + support solving them. + +3.1. Continuous Channel + + FreeS/WAN uses an approximation to the "continuous channel" model, in + which ISAKMP SAs are maintained between IKEs so long as any IPsec SAs + are open between the two systems. The resource consumption of this + is minor: the only substantial overhead is occasional rekeying. + IPsec SA management becomes significantly simpler if there is always + a channel for transmission of control messages. We suggest (although + we do not yet fully implement this) that inability to maintain (e.g., + to rekey) this control path should be grounds for tearing down the + IPsec SAs as well. + + As a corollary of this, there is one and only one ISAKMP SA + maintained between a pair of IKEs (although see sections 5.3 and 6.5 + for minor complications). + +3.2. Retransmission + + The unreliable nature of UDP transmission is a nuisance. IKE + implementations should always be prepared to retransmit the most + + + +Spencer & Redelmeier [Page 5] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + recent message they sent on an ISAKMP SA, since there is some + possibility that the other end did not get it. This means, in + particular, that the system sending the supposedly-last message of an + exchange cannot relax and assume that the exchange is complete, at + least not until a significant timeout has elapsed. + + Systems must also retain information about the message most recently + received in an exchange, so that a duplicate of it can be detected + (and possibly interpreted as a NACK for the response). + + The retransmission rules FreeS/WAN follows are: (1) if a reply is + expected, retransmit only if it does not appear before a timeout; and + (2) if a reply is not expected (last message of the exchange), + retransmit only on receiving a retransmission of the previous + message. Notably, in case (1) we do NOT retransmit on receiving a + retransmission, which avoids possible congestion problems arising + from packet duplication, at the price of slowing response to packet + loss. The timeout for case (1) is 10 seconds for the first retry, 20 + seconds for the second, and 40 seconds for all subsequent retries + (normally only one, except when configuration settings call for + persistence and the message is the first message of Main Mode with a + new peer). These retransmission rules have been entirely successful. + + (Michael Thomas of Cisco has pointed out that the retry timeouts + should include some random jitter, to de-synchronize hosts which are + initially synchronized by, e.g., a power outage. We already jitter + our rekeying times, as noted in section 4.2, but that does not help + with initial startup. We're implementing jittered retries, but + cannot yet report on experience with this.) + + There is a deeper problem, of course, when an entire "exchange" + consists of a single message, e.g. the ISAKMP Informational Exchange. + Then there is no way to decide whether or when a retransmission is + warranted at all. This seems like poor design, to put it mildly (and + there is now talk of fixing it). We have no experience in dealing + with this problem at this time, although it is part of the reason why + we have delayed implementing Notification messages. + +3.3. Replay Prevention + + The unsequenced nature of UDP transmission is also troublesome, + because it means that higher levels must consider the possibility of + replay attacks. FreeS/WAN takes the position that systematically + eliminating this possibility at a low level is strongly preferable to + forcing careful consideration of possible impacts at every step of an + exchange. RFC 2408 [ISAKMP] section 3.1 states that the Message ID + of an ISAKMP message must be "unique". FreeS/WAN interprets this + literally, as forbidding duplication of Message IDs within the set of + + + +Spencer & Redelmeier [Page 6] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + all messages sent via a single ISAKMP SA. + + This requires remembering all Message IDs until the ISAKMP SA is + superseded by rekeying, but that is not costly (four bytes per sent + or received message), and it ELIMINATES replay attacks from + consideration; we believe this investment of resources is well + worthwhile. If the resource consumption becomes excessive--in our + experience it has not--the ISAKMP SA can be rekeyed early to collect + the garbage. + + There is theoretically an interoperability problem when talking to + implementations which interpret "unique" more loosely and may re-use + Message IDs, but it has not been encountered in practice. This + approach appears to be completely interoperable. + + The proposal by Andrew Krywaniuk [REPLAY], which advocates turning + the Message ID into an anti-replay counter, would achieve the same + goal without the minor per-message memory overhead. This may be + preferable, although it means an actual protocol change and more + study is needed. + +4. Basic Keying and Rekeying + +4.1. When to Create SAs + + As Tim Jenkins [REKEY] pointed out, there is a potential race + condition in Quick Mode: a fast lightly-loaded Initiator might start + using IPsec SAs very shortly after sending QM3 (the third and last + message of Quick Mode), while a slow heavily-loaded Responder might + not be ready to receive them until after spending a significant + amount of time creating its inbound SAs. The problem is even worse + if QM3 gets delayed or lost. + + FreeS/WAN's approach to this is what Jenkins called "Responder Pre- + Setup": the Responder creates its inbound IPsec SAs before it sends + QM2, so they are always ready and waiting when the Initiator sends + QM3 and begins sending traffic. This approach is simple and + reliable, and in our experience it interoperates with everybody. + (There is potentially still a problem if FreeS/WAN is the Initiator + and the Responder does not use Responder Pre-Setup, but no such + problems have been seen.) The only real weakness of Responder Pre- + Setup is the possibility of replay attacks, which we have eliminated + by other means (see section 3.3). + + With this approach, the Commit Bit is useless, and we ignore it. In + fact, until quite recently we discarded any IKE message containing + it, and this caused surprisingly few interoperability problems; + apparently it is not widely used. We have recently been persuaded + + + +Spencer & Redelmeier [Page 7] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + that simply ignoring it is preferable; preliminary experience with + this indicates that the result is successful interoperation with + implementations which set it. + +4.2. When to Rekey + + To preserve connectivity for user traffic, rekeying of a connection + (that is, creation of new IPsec SAs to supersede the current ones) + must begin before its current IPsec SAs expire. Preferably one end + should predictably start rekeying negotiations first, to avoid the + extra overhead of two simultaneous negotiations, although either end + should be prepared to rekey if the other does not. There is also a + problem with "convoys" of keying negotiations: for example, a "hub" + gateway with many IPsec connections can be inundated with rekeying + negotiations exactly one connection-expiry time after it reboots, and + the massive overload this induces tends to make this situation self- + perpetuating, so it recurs regularly. (Convoys can also evolve + gradually from initially-unsynchronized negotiations.) + + FreeS/WAN has the concept of a "rekeying margin", measured in + seconds. If FreeS/WAN was the Initiator for the previous rekeying + (or the startup, if none) of the connection, it nominally starts + rekeying negotiations at expiry time minus one rekeying margin. Some + random jitter is added to break up convoys: rather than starting + rekeying exactly at minus one margin, it starts at a random time + between minus one margin and minus two margins. (The randomness here + need not be cryptographic in quality, so long as it varies over time + and between hosts. We use an ordinary PRNG seeded with a few bytes + from a cryptographic randomness source. The seeding mostly just + ensures that the PRNG sequence is different for different hosts, even + if they start up simultaneously.) + + If FreeS/WAN was the Responder for the previous rekeying/startup, and + nothing has been heard from the previous Initiator at expiry time + minus one-half the rekeying margin, FreeS/WAN will initiate rekeying + negotiations. No jitter is applied; we now believe that it should be + jittered, say between minus one-half margin and minus one-quarter + margin. + + Having the Initiator lead the way is an obvious way of deciding who + should speak first, since there is already an Initiator/Responder + asymmetry in the connection. Moreover, our experience has been that + Initiator lead gives a significantly higher probability of successful + negotiation! The negotiation process itself is asymmetric, because + the Initiator must make a few specific proposals which the Responder + can only accept or reject, so the Initiator must try to guess where + its "acceptable" region (in parameter space) might overlap with the + Responder's. We have seen situations where negotiations would + + + +Spencer & Redelmeier [Page 8] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + succeed or fail depending on which end initiated them, because one + end was making better guesses. Given an existing connection, we KNOW + that the previous Initiator WAS able to initiate a successful + negotiation, so it should (if at all possible) take the lead again. + Also, the Responder should remember the Initiator's successful + proposal, and start from that rather than from his own default + proposals if he must take the lead; we don't currently implement this + completely but plan to. + + FreeS/WAN defaults the rekeying margin to 9 minutes, although this + can be changed by configuration. There is also a configuration + option to alter the permissible range of jitter. The defaults were + chosen somewhat arbitrarily, but they work extremely well and the + configuration options are rarely used. + +4.3. Choosing an SA + + Once rekeying has occurred, both old and new IPsec SAs for the + connection exist, at least momentarily. FreeS/WAN accepts incoming + traffic on either old or new inbound SAs, but sends outgoing traffic + only on the new outbound ones. This approach appears to be + significantly more robust than using the old ones until they expire, + notably in cases where renegotiation has occurred because something + has gone wrong on the other end. It avoids having to pay meticulous + attention to the state of the other end, state which is difficult to + learn reliably given the limitations of IKE. + + This approach has interoperated successfully with ALMOST all other + implementations. The only (well-characterized) problem cases have + been implementations which rely on receiving a Delete message for the + old SAs to tell them to switch over to the new ones. Since delivery + of Delete is unreliable, and support for Delete is optional, this + reliance seems like a serious mistake. This is all the more true + because Delete announces that the deletion has already occurred + [ISAKMP, section 3.15], not that it is about to occur, so packets + already in transit in the other direction could be lost. Delete + should be used for resource cleanup, not for switchover control. + (These matters are discussed further in section 5.) + +4.4. Why to Rekey + + FreeS/WAN currently implements only time-based expiry (life in + seconds), although we are working toward supporting volume-based + expiry (life in kilobytes) as well. The lack of volume-based expiry + has not been an interoperability problem so far. + + Volume-based expiry does add some minor complications. In + particular, it makes explicit Delete of now-disused SAs more + + + +Spencer & Redelmeier [Page 9] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + important, because once an SA stops being used, it might not expire + on its own. We believe this lacks robustness and is generally + unwise, especially given the lack of a reliable Delete, and expect to + use volume-based expiry only as a supplement to time-based expiry. + However, Delete support (see section 5) does seem advisable for use + with volume-based expiry. + + We do not believe that volume-based expiry alters the desirability of + switching immediately to the new SAs after rekeying. Rekeying + margins are normally a small fraction of the total life of an SA, so + we feel there is no great need to "use it all up". + +4.5. Rekeying ISAKMP SAs + + The above discussion has focused on rekeying for IPsec SAs, but + FreeS/WAN applies the same approaches to rekeying for ISAKMP SAs, + with similar success. + + One issue which we have noticed, but not explicitly dealt with, is + that difficulties may ensue if an IPsec-SA rekeying negotiation is in + progress at the time when the relevant ISAKMP SA gets rekeyed. The + IKE specification [IKE] hints, but does not actually say, that a + Quick Mode negotiation should remain on a single ISAKMP SA + throughout. + + A reasonable rekeying margin will generally prevent the old ISAKMP SA + from actually expiring during a negotiation. Some attention may be + needed to prevent in-progress negotiations from being switched to the + new ISAKMP SA. Any attempt at pre-expiry deletion of the ISAKMP SA + must be postponed until after such dangling negotiations are + completed, and there should be enough delay between ISAKMP-SA + rekeying and a deletion attempt to (more or less) ensure that there + are no negotiation-starting packets still in transit from before the + rekeying. + + At present, FreeS/WAN does none of this, and we don't KNOW of any + resulting trouble. With normal lifetimes, the problem should be + uncommon, and we speculate that an occasional disrupted negotiation + simply gets retried. + +4.6. Bulk Negotiation + + Quick Mode nominally provides for negotiating possibly-large numbers + of similar but unrelated IPsec SAs simultaneously [IKE, section 9]. + Nobody appears to do this. FreeS/WAN does not support it, and its + absence has caused no problems. + + + + + +Spencer & Redelmeier [Page 10] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + +5. Deletions, Teardowns, Crashes + + FreeS/WAN currently ignores all Notifications and Deletes, and never + generates them. This has caused little difficulty in + interoperability, which shouldn't be surprising (since Notification + and Delete support is officially entirely optional) but does seem to + surprise some people. Nevertheless, we do plan some changes to this + approach based on past experience. + +5.1. Deletions + + As hinted at above, we plan to implement Delete support, done as + follows. Shortly after rekeying of IPsec SAs, the Responder issues a + Delete for its old inbound SAs (but does not actually delete them + yet). The Responder initiates this because the Initiator started + using the new SAs on sending QM3, while the Responder started using + them only on (or somewhat after) receiving QM3, so there is less + chance of old-SA packets still being in transit from the Initiator. + The Initiator issues an unsolicited Delete only if it does not hear + one from the Responder after a longer delay. + + Either party, on receiving a Delete for one or more of the old + outbound SAs of a connection, deletes ALL the connection's SAs, and + acknowledges with a Delete for the old inbound SAs. A Delete for + nonexistent SAs (e.g., SAs which have already been expired or + deleted) is ignored. There is no retransmission of unacknowledged + Deletes. + + In the normal case, with prompt reliable transmission (except + possibly for loss of the Responder's initial Delete) and conforming + implementations on both ends, this results in three Deletes being + transmitted, resembling the classic three-way handshake. Loss of a + Delete after the first, or multiple losses, will cause the SAs not to + be deleted on at least one end. It appears difficult to do much + better without at least a distinction between request and + acknowledgement. + + RFC 2409 section 9 "strongly suggests" that there be no response to + informational messages such as Deletes, but the only rationale + offered is prevention of infinite loops endlessly exchanging "I don't + understand you" informationals. Since Deletes cannot lead to such a + loop (and in any case, the nonexistent-SA rule prevents more than one + acknowledgement for the same connection), we believe this + recommendation is inapplicable here. + + As noted in section 4.3, these Deletes are intended for resource + cleanup, not to control switching between SAs. But we expect that + they will improve interoperability with some broken implementations. + + + +Spencer & Redelmeier [Page 11] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + We believe strongly that connections need to be considered as a + whole, rather than treating each SA as an independent entity. We + will issue Deletes only for the full set of inbound SAs of a + connection, and will treat a Delete for any outbound SA as equivalent + to deletion of all the outbound SAs for the associated connection. + + The above is phrased in terms of IPsec SAs, but essentially the same + approach can be applied to ISAKMP SAs (the Deletes for the old ISAKMP + SA should be sent via the new one). + +5.2. Teardowns and Shutdowns + + When a connection is not intended to be up permanently, there is a + need to coordinate teardown, so that both ends are aware that the + connection is down. This is both for recovery of resources, and to + avoid routing packets through dangling SAs which can no longer + deliver them. + + Connection teardown will use the same bidirectional exchange of + Deletes as discussed in section 5.1: a Delete received for current + IPsec SAs (not yet obsoleted by rekeying) indicates that the other + host wishes to tear down the associated connection. + + A Delete received for a current ISAKMP SA indicates that the other + host wishes to tear down not only the ISAKMP SA but also all IPsec + SAs currently under the supervision of that ISAKMP SA. The 5.1 + bidirectional exchange might seem impossible in this case, since + reception of an ISAKMP-SA Delete indicates that the other end will + ignore further traffic on that ISAKMP SA. We suggest using the same + tactic discussed in 5.1 for IPsec SAs: the first Delete is sent + without actually doing the deletion, and the response to receiving a + Delete is to do the deletion and reply with another Delete. If there + is no response to the first Delete, retry a small number of times and + then give up and do the deletion; apart from being robust against + packet loss, this also maximizes the probability that an + implementation which does not do the bidirectional Delete will + receive at least one of the Deletes. + + When a host with current connections knows that it is about to shut + down, it will issue Deletes for all SAs involved (both IPsec and + ISAKMP), advising its peers (as per the meaning of Delete [ISAKMP, + section 3.15]) that the SAs have become useless. It will ignore + attempts at rekeying or connection startup thereafter, until it shuts + down. + + It would be better to have a Final-Contact notification, analogous to + Initial-Contact but indicating that no new negotiations should be + attempted until further notice. Initial-Contact actually could be + + + +Spencer & Redelmeier [Page 12] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + used for shutdown notification (!), but in networks where connections + are intended to exist permanently, it seems likely to provoke + unwanted attempts to renegotiate the lost connections. + +5.3. Crashes + + Systems sometimes crash. Coping with the resulting loss of + information is easily the most difficult problem we have found in + implementing robust IPsec systems. + + When connections are intended to be permanent, it is simple to + specify renegotiation on reboot. With our approach to SA selection + (see section 4.3), this handles such cases robustly and well. We do + have to tell users that BOTH hosts should be set this way. In cases + where crashes are synchronized (e.g. by power interruptions), this + may result in simultaneous negotiations at reboot. We currently + allow both negotiations to proceed to completion, but our use-newest + selection method effectively ignores one connection or the other, and + when one of them rekeys, we notice that the new SAs replace those of + both old connections, and we then refrain from rekeying the other. + (This duplicate detection is desirable in any event, for robustness, + to ensure that the system converges on a reasonable state eventually + after it is perturbed by difficulties or bugs.) + + When connections are not permanent, the situation is less happy. One + particular situation in which we see problems is when a number of + "Road Warrior" hosts occasionally call in to a central server. The + server is normally configured not to initiate such connections, since + it does not know when the Road Warrior is available (or what IP + address it is using). Unfortunately, if the server crashes and + reboots, any Road Warriors then connected have a problem: they don't + know that the server has crashed, so they can't renegotiate, and the + server has forgotten both the connections and their (transient) IP + addresses, so it cannot renegotiate. + + We believe that the simplest answer to this problem is what John + Denker has dubbed "address inertia": the server makes a best-effort + attempt to remember (in nonvolatile storage) which connections were + active and what the far-end addresses were (and what the successful + proposal's parameters were), so that it can attempt renegotiation on + reboot. We have not implemented this yet, but intend to; Denker has + implemented it himself, although in a somewhat messy way, and reports + excellent results. + +5.4. Network Partitions + + A network partition, making the two ends unable to reach each other, + has many of the same characteristics as having the other end crash... + + + +Spencer & Redelmeier [Page 13] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + until the network reconnects. It is desirable that recovery from + this be automatic. + + If the network reconnects before any rekeying attempts or other IKE + activities occurred, recovery is fully transparent, because the IKEs + have no idea that there was any problem. (Complaints such as ICMP + Host Unreachable messages are unauthenticated and hence cannot be + given much weight.) This fits the general mold of TCP/IP: if nobody + wanted to send any traffic, a network outage doesn't matter. + + If IKE activity did occur, the IKE implementation will discover that + the other end doesn't seem to be responding. The preferred response + to this depends on the nature of the connection. If it was intended + to be ephemeral (e.g. opportunistic encryption [OE]), closing it down + after a few retries is reasonable. If the other end is expected to + sometimes drop the connection without warning, it may not be + desirable to retry at all. (We support both these forms of + configurability, and indeed we also have a configuration option to + suppress rekeying entirely on one end.) + + If the connection was intended to be permanent, however, then + persistent attempts to re-establish it are appropriate. Some degree + of backoff is appropriate here, so that retries get less frequent as + the outage gets prolonged. Backoff should be limited, so that re- + established connectivity is not followed by a long delay before a + retry. Finally, after many retries (say 24 hours' worth), it may be + preferable to just declare the connection down and rely on manual + intervention to re-establish it, should this be desirable. We do not + yet fully support all this. + +5.5. Unknown SAs + + A more complete solution to crashes would be for an IPsec host to + note the arrival of ESP packets on an unknown IPsec SA, and report it + somehow to the other host, which can then decide to renegotiate. + This arguably might be preferable in any case--if the non-rebooted + host has no traffic to send, it does not care whether the connection + is intact--but delays and packet loss will be reduced if the + connection is renegotiated BEFORE there is traffic for it. So + unknown-SA detection is best reserved as a fallback method, with + address inertia used to deal with most such cases. + + A difficulty with unknown-SA detection is, just HOW should the other + host be notified? IKE provides no good way to do the notification: + Notification payloads (e.g., Initial-Contact) are unauthenticated + unless they are sent under protection of an ISAKMP SA. A "Security + Failures - Bad SPI" ICMP message [SECFAIL] is an interesting + alternative, but has the disadvantage of likewise being + + + +Spencer & Redelmeier [Page 14] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + unauthenticated. It's fundamentally unlikely that there is a simple + solution to this, given that almost any way of arranging or checking + authentication for such a notification is costly. + + We think the best answer to this is a two-step approach. An + unauthenticated Initial-Contact or Security Failures - Bad SPI cannot + be taken as a reliable report of a problem, but can be taken as a + hint that a problem MIGHT exist. Then there needs to be some + reliable way of checking such hints, subject to rate limiting since + the checks are likely to be costly (and checking the same connection + repeatedly at short intervals is unlikely to be worthwhile anyway). + So the rebooted host sends the notification, and the non-rebooted + host--which still thinks it has a connection--checks whether the + connection still works, and renegotiates if not. + + Also, if an IPsec host which believes it has a connection to another + host sees an unsuccessful attempt by that host to negotiate a new + one, that is also a hint of possible problems, justifying a check and + possible renegotiation. ("Unsuccessful" here means a negotiation + failure due to lack of a satisfactory proposal. A failure due to + authentication failure suggests a denial-of-service attack by a third + party, rather than a genuine problem on the legitimate other end.) + As noted in section 4.2, it is possible for negotiations to succeed + or fail based on which end initiates them, and some robustness + against that is desirable. + + We have not yet decided what form the notification should take. IKE + Initial-Contact is an obvious possibility, but has some + disadvantages. It does not specify which connection has had + difficulties. Also, the specification [IKE section 4.6.3.3] refers + to "remote system" and "sending system" without clearly specifying + just what "system" means; in the case of a multi-homed host using + multiple forms of identification, the question is not trivial. + Initial-Contact does have the fairly-decisive advantage that it is + likely to convey the right general meaning even to an implementation + which does not do things exactly the way ours does. + + A more fundamental difficulty is what form the reliable check takes. + What is wanted is an "IKE ping", verifying that the ISAKMP SA is + still intact (it being unlikely that IPsec SAs have been lost while + the ISAKMP SA has not). The lack of such a facility is a serious + failing of IKE. An acknowledged Notification of some sort would be + ideal, but there is none at present. Some existing implementations + are known to use the private Notification values 30000 as ping and + 30002 as ping reply, and that seems the most attractive choice at + present. If it is not recognized, there will probably be no reply, + and the result will be an unnecessary renegotiation, so this needs + strict rate limiting. (Also, when a new connection is set up, it's + + + +Spencer & Redelmeier [Page 15] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + probably worth determining by experiment whether the other end + supports IKE ping, and remembering that.) + + While we think this facility is desirable, and is about the best that + can be done with the poor tools available, we have not gotten very + far in implementation and cannot comment intelligently about how well + it works or interoperates. + +6. Misc. IKE Issues + +6.1. Groups 1 and 5 + + We have dropped support for the first Oakley Group (group 1), despite + it being officially mandatory, on the grounds that it is grossly too + weak to provide enough randomness for 3DES. There have been some + interoperability problems, mostly quite minor: ALMOST everyone + supports group 2 as well, although sometimes it has to be explicitly + configured. + + We also support the quasi-standard group 5 [GROUPS]. This has not + been seriously exercised yet, because historically we offered group 2 + first and almost everyone accepted it. We have recently changed to + offering group 5 first, and no difficulties have been reported. + +6.2. To PFS Or Not To PFS + + A persistent small interoperability problem is that the presence or + absence of PFS (for keys [IKE, section 5.5]) is neither negotiated + nor announced. We have it enabled by default, and successful + interoperation often requires having the other end turn it on in + their implementation, or having the FreeS/WAN end disable it. Almost + everyone supports it, but it's usually not the default, and + interoperability is often impossible unless the two ends somehow + reach prior agreement on it. + + We do not explicitly support the other flavor of PFS, for identities + [IKE, section 8], and this has caused no interoperability problems. + +6.3. Debugging Tools, Lack Thereof + + We find IKE lacking in basic debugging tools. Section 5.4, above, + notes that an IKE ping would be useful for connectivity verification. + It would also be extremely helpful for determining that UDP/500 + packets get back and forth successfully between the two ends, which + is often an important first step in debugging. + + It's also quite common to have IKE negotiate a connection + successfully, but to have some firewall along the way blocking ESP. + + + +Spencer & Redelmeier [Page 16] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + Users find this mysterious and difficult to diagnose. We have no + immediate suggestions on what could be done about it. + +6.4. Terminology, Vagueness Thereof + + The terminology of IPsec needs work. We feel that both the + specifications and user-oriented documentation would be greatly + clarified by concise, intelligible names for certain concepts. + + We semi-consistently use "group" for the set of IPsec SAs which are + established in one direction by a single Quick Mode negotiation and + are used together to process a packet (e.g., an ESP SA plus an AH + SA), "connection" for the logical packet path provided by a + succession of pairs of groups (each rekeying providing a new pair, + one group in each direction), and "keying channel" for the + corresponding supervisory path provided by a sequence of ISAKMP SAs. + + We think it's a botch that "PFS" is used to refer to two very + different things, but we have no specific new terms to suggest, since + we only implement one kind of PFS and thus can just ignore the other. + +6.5. A Question of Identity + + One specification problem deserves note: exactly when can an existing + phase 1 negotiation be re-used for a new phase 2 negotiation, as IKE + [IKE, section 4] specifies? Presumably, when it connects the same + two "parties"... but exactly what is a "party"? + + As noted in section 5.4, in cases involving multi-homing and multiple + identities, it's not clear exactly what criteria are used for + deciding whether the intended far end for a new negotiation is the + same one as for a previous negotiation. Is it by Identification + Payload? By IP address? Or what? + + We currently use a somewhat-vague notion of "identity", basically + what gets sent in Identification Payloads, for this, and this seems + to be successful, but we think this needs better specification. + +6.6. Opportunistic Encryption + + Further IKE challenges appear in the context of Opportunistic + Encryption [OE], but operational experience with it is too limited as + yet for us to comment usefully right now. + +6.7. Authentication and RSA Keys + + We provide two IKE authentication methods: shared secrets ("pre- + shared keys") and RSA digital signatures. (A user-provided add-on + + + +Spencer & Redelmeier [Page 17] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + package generalizes the latter to limited support for certificates; + we have not worked extensively with it ourselves yet and cannot + comment on it yet.) + + Shared secrets, despite their administrative difficulties, see + considerable use, and are also the method of last resort for + interoperability problems. + + For digital signatures, we have taken the somewhat unorthodox + approach of using "bare" RSA public keys, either supplied in + configuration files or fetched from DNS, rather than getting involved + in the complexity of certificates. We encode our RSA public keys + using the DNS KEY encoding [DNSRSA] (aka "RFC 2537", although that + RFC is now outdated), which has given us no difficulties and which we + highly recommend. We have seen two difficulties in connection with + RSA keys, however. + + First, while a number of IPsec implementations are able to take + "bare" RSA public keys, each one seems to have its own idea of what + format should be used for transporting them. We've had little + success with interoperability here, mostly because of key-format + issues; the implementations generally WILL interoperate successfully + if you can somehow get an RSA key into them at all, but that's hard. + X.509 certificates seem to be the lowest (!) common denominator for + key transfer. + + Second, although the content of RSA public keys has been stable, + there has been a small but subtle change over time in the content of + RSA private keys. The "internal modulus", used to compute the + private exponent "d" from the public exponent "e" (or vice-versa) was + originally [RSA] [PKCS1v1] [SCHNEIER] specified to be (p-1)*(q-1), + where p and q are the two primes. However, more recent definitions + [PKCS1v2] call it "lambda(n)" and define it to be lcm(p-1, q-1); this + appears to be a minor optimization. The result is that private keys + generated with the new definition often fail consistency checks in + implementations using the old definition. Fortunately, it is seldom + necessary to move private keys around. Our software now consistently + uses the new definition (and thus will accept keys generated with + either definition), but our key generator also has an option to + generate old-definition keys, for the benefit of users who upgrade + their networks incrementally. + +6.8. Misc. Snags + + Nonce size is another characteristic that is neither negotiated nor + announced but that the two ends must somehow be able to agree on. + Our software accepts anything between 8 and 256, and defaults to 16. + These numbers were chosen rather arbitrarily, but we have seen no + + + +Spencer & Redelmeier [Page 18] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + interoperability failures here. + + Nothing in the ISAKMP [ISAKMP] or IKE [IKE] specifications says + explicitly that a normal Message ID must be non-zero, but a zero + Message ID in fact causes failures. + + Similarly, there is nothing in the specs which says that ISAKMP + cookies must be non-zero, but zero cookies will in fact cause + trouble. + +7. Security Considerations + + Since this document discusses aspects of building robust and + interoperable IPsec implementations, security considerations permeate + it. + +8. References + + [AH] Kent, S., and Atkinson, R., "IP Authentication Header", + RFC 2402, Nov 1998. + + [CIPHERS] Pereira, R., and Adams, R., "The ESP CBC-Mode Cipher + Algorithms", RFC 2451, Nov 1998. + + [CRACK] Electronic Frontier Foundation, "Cracking DES: Secrets of + Encryption Research, Wiretap Politics and Chip Design", + O'Reilly 1998, ISBN 1-56592-520-3. + + [DES] Madson, C., and Doraswamy, N., "The ESP DES-CBC Cipher + Algorithm", RFC 2405, Nov 1998. + + [DNSRSA] D. Eastlake 3rd, "RSA/SHA-1 SIGs and RSA KEYs in the + Domain Name System (DNS)", RFC 3110, May 2001. + + [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security + Payload (ESP)", RFC 2406, Nov 1998. + + [GROUPS] Kivinen, T., and Kojo, M., "More MODP Diffie-Hellman + groups for IKE", , 13 Dec 2001 (work in progress). + + [IKE] Harkins, D., and Carrel, D., "The Internet Key Exchange + (IKE)", RFC 2409, Nov 1998. + + [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the + Internet Protocol", RFC 2401, Nov 1998. + + + + + +Spencer & Redelmeier [Page 19] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + [ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J., + "Internet Security Association and Key Management Protocol + (ISAKMP)", RFC 2408, Nov 1998. + + [OE] Richardson, M., Redelmeier, D. H., and Spencer, H., "A + method for doing opportunistic encryption with IKE", + , 21 Feb 2002 + (work in progress). + + [PKCS1v1] Kaliski, B., "PKCS #1: RSA Encryption, Version 1.5", RFC + 2313, March 1998. + + [PKCS1v2] Kaliski, B., and Staddon, J., "PKCS #1: RSA Cryptography + Specifications, Version 2.0", RFC 2437, Oct 1998. + + [PFKEY] McDonald, D., Metz, C., and Phan, B., "PF_KEY Key + Management API, Version 2", RFC 2367, July 1998. + + [REKEY] Tim Jenkins, "IPsec Re-keying Issues", , 2 May 2000 (draft expired, work no + longer in progress). + + [REPLAY] Krywaniuk, A., "Using Isakmp Message Ids for Replay + Protection", , 9 + July 2001 (work in progress). + + [RSA] Rivest, R.L., Shamir, A., and Adleman, L., "A Method for + Obtaining Digital Signatures and Public-Key + Cryptosystems", Communications of the ACM v21n2, Feb 1978, + p. 120. + + [SCHNEIER] Bruce Schneier, "Applied Cryptography", 2nd ed., Wiley + 1996, ISBN 0-471-11709-9. + + [SECFAIL] Karn, P., and Simpson, W., "ICMP Security Failures + Messages", RFC 2521, March 1999. + +Authors' Addresses + + Henry Spencer + SP Systems + Box 280 Stn. A + Toronto, Ont. M5W1B2 + Canada + + henry@spsystems.net + 416-690-6561 + + + + +Spencer & Redelmeier [Page 20] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + + D. Hugh Redelmeier + Mimosa Systems Inc. + 29 Donino Ave. + Toronto, Ont. M4N2W6 + Canada + + hugh@mimosa.com + 416-482-8253 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Spencer & Redelmeier [Page 21] + +Internet Draft IKE Implementation Issues 26 Feb 2002 + + +Full Copyright Statement + + Copyright (C) The Internet Society 2002. All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implmentation may be prepared, copied, published and + distributed, in whole or in part, without restriction of any kind, + provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + + + + + + + + + + + + + + + + + + + + + + + +Spencer & Redelmeier [Page 22] + diff --git a/doc/src/draft-richardson-ipsec-opportunistic.html b/doc/src/draft-richardson-ipsec-opportunistic.html new file mode 100644 index 000000000..87a13365a --- /dev/null +++ b/doc/src/draft-richardson-ipsec-opportunistic.html @@ -0,0 +1,2456 @@ +Opportunistic Encryption using The Internet Key Exchange (IKE) + + + +
 TOC 
+
+ + + + + +
Independent submissionM. Richardson
Internet-DraftSSW
Expires: November 19, 2003D. Redelmeier
 Mimosa
 May 21, 2003
+

Opportunistic Encryption using The Internet Key Exchange (IKE)
+
draft-richardson-ipsec-opportunistic-11.txt
+ + +

Status of this Memo

+

+This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

+

+Internet-Drafts are working documents of the Internet Engineering +Task Force (IETF), its areas, and its working groups. +Note that other groups may also distribute working documents as +Internet-Drafts.

+

+Internet-Drafts are draft documents valid for a maximum of six months +and may be updated, replaced, or obsoleted by other documents at any time. +It is inappropriate to use Internet-Drafts as reference material or to cite +them other than as "work in progress."

+

+The list of current Internet-Drafts can be accessed at +http://www.ietf.org/ietf/1id-abstracts.txt.

+

+The list of Internet-Draft Shadow Directories can be accessed at +http://www.ietf.org/shadow.html.

+

+This Internet-Draft will expire on November 19, 2003.

+ +

Copyright Notice

+

+Copyright (C) The Internet Society (2003). All Rights Reserved.

+ +

Abstract

+ +

+This document describes opportunistic encryption (OE) using the Internet Key +Exchange (IKE) and IPsec. +Each system administrator adds new +resource records to his or her Domain Name System (DNS) to support +opportunistic encryption. The objective is to allow encryption for secure communication without +any pre-arrangement specific to the pair of systems involved. + +

+

+DNS is used to distribute the public keys of each +system involved. This is resistant to passive attacks. The use of DNS +Security (DNSSEC) secures this system against active attackers as well. + +

+

+As a result, the administrative overhead is reduced +from the square of the number of systems to a linear dependence, and it becomes +possible to make secure communication the default even +when the partner is not known in advance. + +

+

+This document is offered up as an Informational RFC. + +



+
 TOC 
+

Table of Contents

+
    +1.  +Introduction
    +2.  +Overview
    +3.  +Specification
    +4.  +Impacts on IKE
    +5.  +DNS issues
    +6.  +Network address translation interaction
    +7.  +Host implementations
    +8.  +Multi-homing
    +9.  +Failure modes
    +10.  +Unresolved issues
    +11.  +Examples
    +12.  +Security considerations
    +13.  +IANA Considerations
    +14.  +Acknowledgments
    +§  +Normative references
    +§  +Authors' Addresses
    +§  +Full Copyright Statement
    +
+
+ +

+
 TOC 
+

1. Introduction

+ +

1.1 Motivation

+ +

+The objective of opportunistic encryption is to allow encryption without +any pre-arrangement specific to the pair of systems involved. Each +system administrator adds +public key information to DNS records to support opportunistic +encryption and then enables this feature in the nodes' IPsec stack. +Once this is done, any two such nodes can communicate securely. + +

+

+This document describes opportunistic encryption as designed and +mostly implemented by the Linux FreeS/WAN project. +For project information, see http://www.freeswan.org. + +

+

+The Internet Architecture Board (IAB) and Internet Engineering +Steering Group (IESG) have taken a strong stand that the Internet +should use powerful encryption to provide security and +privacy [4]. +The Linux FreeS/WAN project attempts to provide a practical means to implement this policy. + +

+

+The project uses the IPsec, ISAKMP/IKE, DNS and DNSSEC +protocols because they are +standardized, widely available and can often be deployed very easily +without changing hardware or software or retraining users. + +

+

+The extensions to support opportunistic encryption are simple. No +changes to any on-the-wire formats are needed. The only changes are to +the policy decision making system. This means that opportunistic +encryption can be implemented with very minimal changes to an existing +IPsec implementation. + +

+

+Opportunistic encryption creates a "fax effect". The proliferation +of the fax machine was possible because it did not require that everyone +buy one overnight. Instead, as each person installed one, the value +of having one increased - as there were more people that could receive faxes. +Once opportunistic encryption is installed it +automatically recognizes +other boxes using opportunistic encryption, without any further configuration +by the network +administrator. So, as opportunistic encryption software is installed on more +boxes, its value +as a tool increases. + +

+

+This document describes the infrastructure to permit deployment of +Opportunistic Encryption. + +

+

+The term S/WAN is a trademark of RSA Data Systems, and is used with permission +by this project. + +

+

1.2 Types of network traffic

+ +

+ To aid in understanding the relationship between security processing and IPsec + we divide network traffic into four categories: + +

+
* Deny:
+
networks to which traffic is always forbidden. +
+
* Permit:
+
networks to which traffic in the clear is permitted. +
+
* Opportunistic tunnel:
+
networks to which traffic is encrypted if possible, but otherwise is in the clear + or fails depending on the default policy in place. + +
+
* Configured tunnel:
+
networks to which traffic must be encrypted, and traffic in the clear is never permitted. +
+

+

+

+Traditional firewall devices handle the first two categories. No authentication is required. +The permit policy is currently the default on the Internet. + +

+

+This document describes the third category - opportunistic tunnel, which is +proposed as the new default for the Internet. + +

+

+ Category four, encrypt traffic or drop it, requires authentication of the + end points. As the number of end points is typically bounded and is typically + under a single authority, arranging for distribution of + authentication material, while difficult, does not require any new + technology. The mechanism described here provides an additional way to + distribute the authentication materials, that of a public key method that does not + require deployment of an X.509 based infrastructure. + +

+

+Current Virtual Private Networks can often be replaced by an "OE paranoid" +policy as described herein. + +

+

1.3 Peer authentication in opportunistic encryption

+ +

+ Opportunistic encryption creates tunnels between nodes that + are essentially strangers. This is done without any prior bilateral + arrangement. + There is, therefore, the difficult question of how one knows to whom one is + talking. + +

+

+ One possible answer is that since no useful + authentication can be done, none should be tried. This mode of operation is + named "anonymous encryption". An active man-in-the-middle attack can be + used to thwart the privacy of this type of communication. + Without peer authentication, there is no way to prevent this kind of attack. + +

+

+Although a useful mode, anonymous encryption is not the goal of this +project. Simpler methods are available that can achieve anonymous +encryption only, but authentication of the peer is a desireable goal. +The latter is achieved through key distribution in DNS, leveraging upon +the authentication of the DNS in DNSSEC. + +

+

+ Peers are, therefore, authenticated with DNSSEC when available. Local policy +determines how much trust to extend when DNSSEC is not available. + +

+

+ However, an essential premise of building private connections with + strangers is that datagrams received through opportunistic tunnels + are no more special than datagrams that arrive in the clear. + Unlike in a VPN, these datagrams should not be given any special + exceptions when it comes to auditing, further authentication or + firewalling. + +

+

+ When initiating outbound opportunistic encryption, local + configuration determines what happens if tunnel setup fails. It may be that + the packet goes out in the clear, or it may be dropped. + +

+

1.4 Use of RFC2119 terms

+ +

+ The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, + SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this + document, are to be interpreted as described in [5] +

+

+
 TOC 
+

2. Overview

+ +

2.1 Reference diagram

+

+ + +

The following network diagram is used in the rest of + this document as the canonical diagram: +

+                          [Q]  [R]          
+                           .    .              AS2                 
+  [A]----+----[SG-A].......+....+.......[SG-B]-------[B]
+         |                 ......
+     AS1 |                 ..PI..
+         |                 ......
+  [D]----+----[SG-D].......+....+.......[C] AS3
+             
+
+           
+ +

+

 Reference Network Diagram 

+ +

+ In this diagram, there are four end-nodes: A, B, C and D. + There are three gateways, SG-A, SG-B, SG-D. A, D, SG-A and SG-D are part + of the same administrative authority, AS1. SG-A and SG-D are on two different exit + paths from organization 1. SG-B/B is an independent organization, AS2. + Nodes Q and R are nodes on the Internet. PI is the Public + Internet ("The Wild"). + +

+

2.2 Terminology

+ +

+ The following terminology is used in this document: + +

+
+
Security gateway:
+
a system that performs IPsec tunnel + mode encapsulation/decapsulation. [SG-x] in the diagram. +
+
Alice:
+
node [A] in the diagram. When an IP address is needed, this is 192.1.0.65. +
+
Bob:
+
node [B] in the diagram. When an IP address is needed, this is 192.2.0.66. +
+
Carol:
+
node [C] in the diagram. When an IP address is needed, this is 192.1.1.67. +
+
Dave:
+
node [D] in the diagram. When an IP address is needed, this is 192.3.0.68. +
+
SG-A:
+
Alice's security gateway. Internally it is 192.1.0.1, externally it is 192.1.1.4. +
+
SG-B:
+
Bob's security gateway. Internally it is 192.2.0.1, externally it is 192.1.1.5. +
+
SG-D:
+
Dave's security gateway. Also Alice's backup security gateway. Internally it is 192.3.0.1, externally it is 192.1.1.6. +
+
-
+
A single dash represents clear-text datagrams. +
+
=
+
An equals sign represents phase 2 (IPsec) cipher-text + datagrams. +
+
~
+
A single tilde represents clear-text phase 1 datagrams. +
+
#
+
A hash sign represents phase 1 (IKE) cipher-text + datagrams. +
+
.
+
A period represents an untrusted network of unknown + type. +
+
Configured tunnel:
+
a tunnel that + is directly and deliberately hand configured on participating gateways. + Configured tunnels are typically given a higher level of + trust than opportunistic tunnels. +
+
Road warrior tunnel:
+
a configured tunnel connecting one + node with a fixed IP address and one node with a variable IP address. + A road warrior (RW) connection must be initiated by the + variable node, since the fixed node cannot know the + current address for the road warrior. +
+
Anonymous encryption:
+
+ the process of encrypting a session without any knowledge of who the + other parties are. No authentication of identities is done. +
+
Opportunistic encryption:
+
+ the process of encrypting a session with authenticated knowledge of + who the other parties are. +
+
Lifetime:
+
+ the period in seconds (bytes or datagrams) for which a security + association will remain alive before needing to be re-keyed. +
+
Lifespan:
+
+ the effective time for which a security association remains useful. A + security association with a lifespan shorter than its lifetime would + be removed when no longer needed. A security association with a + lifespan longer than its lifetime would need to be re-keyed one or + more times. +
+
Phase 1 SA:
+
an ISAKMP/IKE security association sometimes + referred to as a keying channel. +
+
Phase 2 SA:
+
an IPsec security association. +
+
Tunnel:
+
another term for a set of phase 2 SA (one in each direction). +
+
NAT:
+
Network Address Translation + (see [20]). +
+
NAPT:
+
Network Address and Port Translation + (see [20]). +
+
AS:
+
an autonomous system (AS) is a group of systems (a network) that + are under the administrative control of a single organization. +
+
Default-free zone:
+
+ a set of routers that maintain a complete set of routes to + all currently reachable destinations. Having such a list, these routers + never make use of a default route. A datagram with a destination address + not matching any route will be dropped by such a router. + +
+

+

2.3 Model of operation

+ +

+The opportunistic encryption security gateway (OE gateway) is a regular +gateway node as described in [2] section 2.4 and +[3] with the additional capabilities described here and +in [7]. +The algorithm described here provides a way to determine, for each datagram, +whether or not to encrypt and tunnel the datagram. Two important things +that must be determined are whether or not to encrypt and tunnel and, if +so, the destination address or name of the tunnel end point which should be used. + +

+

2.3.1 Tunnel authorization

+ +

+The OE gateway determines whether or not to create a tunnel based on +the destination address of each packet. Upon receiving a packet with a destination +address not recently seen, the OE gateway performs a lookup in DNS for an +authorization resource record (see Use of TXT delegation record). The record is located using +the IP address to perform a search in the in-addr.arpa (IPv4) or ip6.arpa +(IPv6) maps. If an authorization record is found, the OE gateway +interprets this as a request for a tunnel to be formed. + +

+

2.3.2 Tunnel end-point discovery

+ +

+The authorization resource record also provides the address or name of the tunnel +end point which should be used. + +

+

+The record may also provide the public RSA key of the tunnel end point +itself. This is provided for efficiency only. If the public RSA key is not +present, the OE gateway performs a second lookup to find a KEY +resource record for the end point address or name. + +

+

+Origin and integrity protection of the resource records is provided by +DNSSEC ([16]). Restriction on unauthenticated TXT delegation records +documents an optional restriction on the tunnel end point if DNSSEC signatures +are not available for the relevant records. + +

+

2.3.3 Caching of authorization results

+ +

+The OE gateway maintains a cache, in the forwarding plane, of +source/destination pairs for which opportunistic encryption has been +attempted. This cache maintains a record of whether or not OE was +successful so that subsequent datagrams can be forwarded properly +without additional delay. + +

+

+Successful negotiation of OE instantiates a new security association. +Failure to negotiate OE results in creation of a +forwarding policy entry either to drop or transmit in the clear future +datagrams. This negative cache is necessary to avoid the possibly lengthy process of repeatedly looking +up the same information. + +

+

+The cache is timed out periodically, as described in Renewal and teardown. +This removes entries that are no longer +being used and permits the discovery of changes in authorization policy. + +

+

+
 TOC 
+

3. Specification

+ +

+The OE gateway is modeled to have a forwarding plane and a control +plane. A control channel, such as PF_KEY, connects the two planes. +(See [6].) +The forwarding plane performs per datagram operations. The control plane +contains a keying +daemon, such as ISAKMP/IKE, and performs all authorization, peer authentication and +key derivation functions. + +

+

3.1 Datagram state machine

+ +

+Let the OE gateway maintain a collection of objects -- a superset of the +security policy database (SPD) specified in [7]. For +each combination of source and destination address, an SPD +object exists in one of five following states. +Prior to forwarding each datagram, the +responder uses the source and destination addresses to pick an entry from the SPD. +The SPD then determines if and how the packet is forwarded. + +

+

3.1.1 Non-existent policy

+ +

+If the responder does not find an entry, then this policy applies. +The responder creates an entry with an initial state of "hold policy" and requests +keying material from the keying daemon. The responder does not forward the datagram, +rather it attaches the datagram to the SPD entry as the "first" datagram and retains it +for eventual transmission in a new state. + + +

+

3.1.2 Hold policy

+ +

+The responder requests keying material. If the interface to the keying +system is lossy (PF_KEY, for instance, can be), the implementation +SHOULD include a mechanism to retransmit the +keying request at a rate limited to less than 1 request per second. +The responder does not forward the datagram. It attaches the +datagram to the SPD entry as the "last" datagram where it is retained +for eventual transmission. If there is +a datagram already so stored, then that already stored datagram is discarded. + +

+

+Because the "first" datagram is probably a TCP SYN packet, the +responder retains the "first" datagram in an attempt to avoid waiting for a +TCP retransmit. The responder retains the "last" +datagram in deference to streaming protocols that find it useful to know +how much data has been lost. These are recommendations to +decrease latency. There are no operational requirements for this. + +

+

3.1.3 Pass-through policy

+ +

+The responder forwards the datagram using the normal forwarding table. +The responder enters this state only by command from the keying daemon, +and upon entering this state, also forwards the "first" and "last" datagrams. + +

+

3.1.4 Deny policy

+ +

+The responder discards the datagram. The responder enters this state only by +command +from the keying daemon, and upon entering this state, discards the "first" +and "last" datagrams. +Local administration decides if further datagrams cause ICMP messages +to be generated (i.e. ICMP Destination Unreachable, Communication +Administratively Prohibited. type=3, code=13). + +

+

3.1.5 Encrypt policy

+ +

+The responder encrypts the datagram using the indicated security association database +(SAD) entry. The responder enters this state only by command from the keying daemon, and upon entering +this state, releases and forwards the "first" and "last" datagrams using the +new encrypt policy. + +

+

+If the associated SAD entry expires because of byte, packet or time limits, then +the entry returns to the Hold policy, and an expire message is sent to the keying daemon. + +

+

+All states may be created directly by the keying daemon while acting as a +responder. + +

+

3.2 Keying state machine - initiator

+ +

+Let the keying daemon maintain a collection of objects. Let them be +called "connections" or "conn"s. There are two categories of +connection objects: classes and instances. A class represents an +abstract policy - what could be. An instance represents an actual connection - +what is implemented at the time. + +

+

+Let there be two further subtypes of connections: keying channels (Phase +1 SAs) and data channels (Phase 2 SAs). Each data channel object may have +a corresponding SPD and SAD entry maintained by the datagram state machine. + +

+

+For the purposes of opportunistic encryption, there MUST, at least, be +connection classes known as "deny", "always-clear-text", "OE-permissive", and +"OE-paranoid". +The latter two connection classes define a set of source and/or destination +addresses for which opportunistic encryption will be attempted. The administrator MAY set policy +options in a number of additional places. An implementation MAY create additional connection classes to further refine +these policies. + +

+

+The simplest system may need only the "OE-permissive" connection, and would +list its own (single) IP address as the source address of this policy and +the wild-card address 0.0.0.0/0 as the destination IPv4 address. That is, the +simplest policy is to try opportunistic encryption with all destinations. + +

+

+The distinction between permissive and paranoid OE use will become clear +in the state transition differences. In general a permissive OE will, on +failure, install a pass-through policy, while a paranoid OE will, on failure, +install a drop policy. + +

+

+In this description of the keying machine's state transitions, the states +associated with the keying system itself are omitted because they are best documented in the keying system +([8], +[9] and [10] for ISAKMP/IKE), +and the details are keying system specific. Opportunistic encryption is not +dependent upon any specific keying protocol, but this document does provide +requirements for those using ISAKMP/IKE to assure that implementations inter-operate. + +

+

+The state transitions that may be involved in communicating with the +forwarding plane are omitted. PF_KEY and similar protocols have their own +set of states required for message sends and completion notifications. + +

+

+Finally, the retransmits and recursive lookups that are normal for DNS are +not included in this description of the state machine. + +

+

3.2.1 Nonexistent connection

+ +

+There is no connection instance for a given source/destination address pair. +Upon receipt of a request for keying material for this +source/destination pair, the initiator searches through the connection classes to +determine the most appropriate policy. Upon determining an appropriate +connection class, an instance object is created of that type. +Both of the OE types result in a potential OE connection. + +

+

Failure to find an appropriate connection class results in an +administrator defined default. + +

+

+In each case, when the initiator finds an appropriate class for the new flow, +an instance connection is made of the class which matched. + +

+

3.2.2 Clear-text connection

+ +

+The non-existent connection makes a transition to this state when an +always-clear-text class is instantiated, or when an OE-permissive +connection fails. During the transition, the initiator creates a pass-through +policy object in the forwarding plane for the appropriate flow. + +

+

+Timing out is the only way to leave this state +(see Expiring connection). + +

+

3.2.3 Deny connection

+ +

+The empty connection makes a transition to this state when a +deny class is instantiated, or when an OE-paranoid connection fails. +During the transition, the initiator creates a deny policy object in the forwarding plane +for the appropriate flow. + +

+

+Timing out is the only way to leave this state +(see Expiring connection). + +

+

3.2.4 Potential OE connection

+ +

+The empty connection makes a transition to this state when one of either OE class is instantiated. +During the transition to this state, the initiator creates a hold policy object in the +forwarding plane for the appropriate flow. + +

+

+In addition, when making a transition into this state, DNS lookup is done in +the reverse-map for a TXT delegation resource record (see Use of TXT delegation record). +The lookup key is the destination address of the flow. + +

+

+There are three ways to exit this state: + +

    +
  1. DNS lookup finds a TXT delegation resource record. +
  2. +
  3. DNS lookup does not find a TXT delegation resource record. +
  4. +
  5. DNS lookup times out. +
  6. +

+

+

+Based upon the results of the DNS lookup, the potential OE connection makes a +transition to the pending OE connection state. The conditions for a +successful DNS look are: + +

    +
  1. DNS finds an appropriate resource record +
  2. +
  3. It is properly formatted according to Use of TXT delegation record +
  4. +
  5. if DNSSEC is enabled, then the signature has been vouched for. +
  6. +

+ +Note that if the initiator does not find the public key +present in the TXT delegation record, then the public key must +be looked up as a sub-state. Only successful completion of all the +DNS lookups is considered a success. + +

+

+If DNS lookup does not find a resource record or DNS times out, then the +initiator considers the receiver not OE capable. If this is an OE-paranoid instance, +then the potential OE connection makes a transition to the deny connection state. +If this is an OE-permissive instance, then the potential OE connection makes a transition to the +clear-text connection state. + +

+

+If the initiator finds a resource record but it is not properly formatted, or +if DNSSEC is +enabled and reports a failure to authenticate, then the potential OE +connection should make a +transition to the deny connection state. This action SHOULD be logged. If the +administrator wishes to override this transition between states, then an +always-clear class can be installed for this flow. An implementation MAY make +this situation a new class. + +

+

3.2.4.1 Restriction on unauthenticated TXT delegation records

+ +

+An implementation SHOULD also provide an additional administrative control +on delegation records and DNSSEC. This control would apply to delegation +records (the TXT records in the reverse-map) that are not protected by +DNSSEC. +Records of this type are only permitted to delegate to their own address as +a gateway. When this option is enabled, an active attack on DNS will be +unable to redirect packets to other than the original destination. + +

+

3.2.5 Pending OE connection

+ +

+The potential OE connection makes a transition to this state when +the initiator determines that all the information required from the DNS lookup is present. +Upon entering this state, the initiator attempts to initiate keying to the gateway +provided. + +

+

+Exit from this state occurs either with a successfully created IPsec SA, or +with a failure of some kind. Successful SA creation results in a transition +to the key connection state. + +

+

+Three failures have caused significant problems. They are clearly not the +only possible failures from keying. + +

+

+Note that if there are multiple gateways available in the TXT delegation +records, then a failure can only be declared after all have been +tried. Further, creation of a phase 1 SA does not constitute success. A set +of phase 2 SAs (a tunnel) is considered success. + +

+

+The first failure occurs when an ICMP port unreachable is consistently received +without any other communication, or when there is silence from the remote +end. This usually means that either the gateway is not alive, or the +keying daemon is not functional. For an OE-permissive connection, the initiator makes a transition +to the clear-text connection but with a low lifespan. For an OE-pessimistic connection, +the initiator makes a transition to the deny connection again with a low lifespan. The lifespan in both +cases is kept low because the remote gateway may +be in the process of rebooting or be otherwise temporarily unavailable. + +

+

+The length of time to wait for the remote keying daemon to wake up is +a matter of some debate. If there is a routing failure, 5 minutes is usually long enough for the network to +re-converge. Many systems can reboot in that amount of +time as well. However, 5 minutes is far too long for most users to wait to +hear that they can not connect using OE. Implementations SHOULD make this a +tunable parameter. + +

+

+The second failure occurs after a phase 1 SA has been created, but there is +either no response to the phase 2 proposal, or the initiator receives a +negative notify (the notify must be +authenticated). The remote gateway is not prepared to do OE at this time. +As before, the initiator makes a transition to the clear-text or the deny +connection based upon connection class, but this +time with a normal lifespan. + +

+

+The third failure occurs when there is signature failure while authenticating +the remote gateway. This can occur when there has been a +key roll-over, but DNS has not caught up. In this case again, the initiator makes a +transition to the clear-text or the deny connection based +upon the connection class. However, the lifespan depends upon the remaining +time to live in the DNS. (Note that DNSSEC signed resource records have a different +expiry time than non-signed records.) + +

+

3.2.6 Keyed connection

+ +

+The pending OE connection makes a transition to this state when +session keying material (the phase 2 SAs) is derived. The initiator creates an encrypt +policy in the forwarding plane for this flow. + +

+

+There are three ways to exit this state. The first is by receipt of an +authenticated delete message (via the keying channel) from the peer. This is +normal teardown and results in a transition to the expired connection state. + +

+

+The second exit is by expiry of the forwarding plane keying material. This +starts a re-key operation with a transition back to pending OE +connection. In general, the soft expiry occurs with sufficient time left +to continue to use the keys. A re-key can fail, which may +result in the connection failing to clear-text or deny as +appropriate. In the event of a failure, the forwarding plane +policy does not change until the phase 2 SA (IPsec SA) reaches its +hard expiry. + +

+

+The third exit is in response to a negotiation from a remote +gateway. If the forwarding plane signals the control plane that it has received an +unknown SPI from the remote gateway, or an ICMP is received from the remote gateway +indicating an unknown SPI, the initiator should consider that +the remote gateway has rebooted or restarted. Since these +indications are easily forged, the implementation must +exercise care. The initiator should make a cautious +(rate-limited) attempt to re-key the connection. + +

+

3.2.7 Expiring connection

+ +

+The initiator will periodically place each of the deny, clear-text, and keyed +connections into this +sub-state. See Renewal and teardown for more details of how often this +occurs. +The initiator queries the forwarding plane for last use time of the +appropriate +policy. If the last use time is relatively recent, then the connection +returns to the +previous deny, clear-text or keyed connection state. If not, then the +connection enters +the expired connection state. + +

+

+The DNS query and answer that lead to the expiring connection state are also +examined. The DNS query may become stale. (A negative, i.e. no such record, answer +is valid for the period of time given by the MINIMUM field in an attached SOA +record. See [12] section 4.3.4.) +If the DNS query is stale, then a new query is made. If the results change, then the connection +makes a transition to a new state as described in potential OE connection state. + +

+

+Note that when considering how stale a connection is, both outgoing SPD and +incoming SAD must be queried as some flows may be unidirectional for some time. + +

+

+Also note that the policy at the forwarding plane is not updated unless there +is a conclusion that there should be a change. + +

+

3.2.8 Expired connection

+ +

+Entry to this state occurs when no datagrams have been forwarded recently via the +appropriate SPD and SAD objects. The objects in the forwarding plane are +removed (logging any final byte and packet counts if appropriate) and the +connection instance in the keying plane is deleted. + +

+

+The initiator sends an ISAKMP/IKE delete to clean up the phase 2 SAs as described in +Renewal and teardown. + +

+

+Whether or not to delete the phase 1 SAs +at this time is left as a local implementation issue. Implementations +that do delete the phase 1 SAs MUST send authenticated delete messages to +indicate that they are doing so. There is an advantage to keeping +the phase 1 SAs until they expire - they may prove useful again in the +near future. + +

+

3.3 Keying state machine - responder

+ +

+The responder has a set of objects identical to those of the initiator. + +

+

+The responder receives an invitation to create a keying channel from an initiator. + +

+

3.3.1 Unauthenticated OE peer

+ +

+Upon entering this state, the responder starts a DNS lookup for a KEY record for the +initiator. +The responder looks in the reverse-map for a KEY record for the initiator if the +initiator has offered an ID_IPV4_ADDR, and in the forward map if the +initiator has offered an ID_FQDN type. (See [8] section +4.6.2.1.) + +

+

+The responder exits this state upon successful receipt of a KEY from DNS, and use of the key +to verify the signature of the initiator. + +

+

+Successful authentication of the peer results in a transition to the +authenticated OE Peer state. + +

+

+Note that the unauthenticated OE peer state generally occurs in the middle of the key negotiation +protocol. It is really a form of pseudo-state. + +

+

3.3.2 Authenticated OE Peer

+ +

+The peer will eventually propose one or more phase 2 SAs. The responder uses the source and +destination address in the proposal to +finish instantiating the connection state +using the connection class table. +The responder MUST search for an identical connection object at this point. + +

+

+If an identical connection is found, then the responder deletes the old instance, +and the new object makes a transition to the pending OE connection state. This means +that new ISAKMP connections with a given peer will always use the latest +instance, which is the correct one if the peer has rebooted in the interim. + +

+

+If an identical connection is not found, then the responder makes the transition according to the +rules given for the initiator. + +

+

+Note that if the initiator is in OE-paranoid mode and the responder is in +either always-clear-text or deny, then no communication is possible according +to policy. An implementation is permitted to create new types of policies +such as "accept OE but do not initiate it". This is a local matter. + +

+

3.4 Renewal and teardown

+ +

3.4.1 Aging

+ +

+A potentially unlimited number of tunnels may exist. In practice, only a few +tunnels are used during a period of time. Unused tunnels MUST, therefore, be +torn down. Detecting when tunnels are no longer in use is the subject of this section. + +

+

+There are two methods for removing tunnels: explicit deletion or expiry. + +

+

+Explicit deletion requires an IKE delete message. As the deletes +MUST be authenticated, both ends of the tunnel must maintain the +key channel (phase 1 ISAKMP SA). An implementation which refuses to either maintain or +recreate the keying channel SA will be unable to use this method. + +

+

+The tunnel expiry method, simply allows the IKE daemon to +expire normally without attempting to re-key it. + +

+

+Regardless of which method is used to remove tunnels, the implementation requires +a method to determine if the tunnel is still in use. The specifics are a +local matter, but the FreeS/WAN project uses the following criteria. These +criteria are currently implemented in the key management daemon, but could +also be implemented at the SPD layer using an idle timer. + +

+

+Set a short initial (soft) lifespan of 1 minute since many net flows last +only a few seconds. + +

+

+At the end of the lifespan, check to see if the tunnel was used by +traffic in either direction during the last 30 seconds. If so, assign a +longer tentative lifespan of 20 minutes after which, look again. If the +tunnel is not in use, then close the tunnel. + +

+

+The expiring state in the key management +system (see Expiring connection) implements these timeouts. +The timer above may be in the forwarding plane, +but then it must be re-settable. + +

+

+The tentative lifespan is independent of re-keying; it is just the time when +the tunnel's future is next considered. +(The term lifespan is used here rather than lifetime for this reason.) +Unlike re-keying, this tunnel use check is not costly and should happen +reasonably frequently. + +

+

+A multi-step back-off algorithm is not considered worth the effort here. + +

+

+If the security gateway and the client host are the +same and not a Bump-in-the-Stack or Bump-in-the-Wire implementation, tunnel +teardown decisions MAY pay attention to TCP connection status as reported +by the local TCP layer. A still-open TCP connection is almost a guarantee that more traffic is +expected. Closing of the only TCP connection through a tunnel is a +strong hint that no more traffic is expected. + +

+

3.4.2 Teardown and cleanup

+ +

+Teardown should always be coordinated between the two ends of the tunnel by +interpreting and sending delete notifications. There is a +detailed sub-state in the expired connection state of the key manager that +relates to retransmits of the delete notifications, but this is considered to +be a keying system detail. + +

+

+On receiving a delete for the outbound SAs of a tunnel (or some subset of +them), tear down the inbound ones also and notify the remote end with a +delete. If the local system receives a delete for a tunnel which is no longer in +existence, then two delete messages have crossed paths. Ignore the delete. +The operation has already been completed. Do not generate any messages in this +situation. + +

+

+Tunnels are to be considered as bidirectional entities, even though the +low-level protocols don't treat them this way. + +

+

+When the deletion is initiated locally, rather than as a +response to a received delete, send a delete for (all) the +inbound SAs of a tunnel. If the local system does not receive a responding delete +for the outbound SAs, try re-sending the original +delete. Three tries spaced 10 seconds apart seems a reasonable +level of effort. A failure of the other end to respond after 3 attempts, +indicates that the possibility of further communication is unlikely. Remove the outgoing SAs. +(The remote system may be a mobile node that is no longer present or powered on.) + +

+

+After re-keying, transmission should switch to using the new +outgoing SAs (ISAKMP or IPsec) immediately, and the old leftover +outgoing SAs should be cleared out promptly (delete should be sent +for the outgoing SAs) rather than waiting for them to expire. This +reduces clutter and minimizes confusion for the operator doing diagnostics. + +

+

+
 TOC 
+

4. Impacts on IKE

+ +

4.1 ISAKMP/IKE protocol

+ +

+ The IKE wire protocol needs no modifications. The major changes are + implementation issues relating to how the proposals are interpreted, and from + whom they may come. + +

+

+ As opportunistic encryption is designed to be useful between peers without + prior operator configuration, an IKE daemon must be prepared to negotiate + phase 1 SAs with any node. This may require a large amount of resources to + maintain cookie state, as well as large amounts of entropy for nonces, + cookies and so on. + +

+

+ The major changes to support opportunistic encryption are at the IKE daemon + level. These changes relate to handling of key acquisition requests, lookup + of public keys and TXT records, and interactions with firewalls and other + security facilities that may be co-resident on the same gateway. + +

+

4.2 Gateway discovery process

+ +

+ In a typical configured tunnel, the address of SG-B is provided + via configuration. Furthermore, the mapping of an SPD entry to a gateway is + typically a 1:1 mapping. When the 0.0.0.0/0 SPD entry technique is used, then + the mapping to a gateway is determined by the reverse DNS records. + +

+

+ The need to do a DNS lookup and wait for a reply will typically introduce a + new state and a new event source (DNS replies) to IKE. Although a +synchronous DNS request can be implemented for proof of concept, experience +is that it can cause very high latencies when a queue of queries must +all timeout in series. + +

+

+ Use of an asynchronous DNS lookup will also permit overlap of DNS lookups with + some of the protocol steps. + +

+

4.3 Self identification

+ +

+ SG-A will have to establish its identity. Use an + IPv4 ID in phase 1. + +

+

There are many situations where the administrator of SG-A may not be + able to control the reverse DNS records for SG-A's public IP address. + Typical situations include dialup connections and most residential-type broadband Internet access + (ADSL, cable-modem) connections. In these situations, a fully qualified domain + name that is under the control of SG-A's administrator may be used + when acting as an initiator only. + The FQDN ID should be used in phase 1. See Use of FQDN IDs + for more details and restrictions. + +

+

4.4 Public key retrieval process

+ +

+ Upon receipt of a phase 1 SA proposal with either an IPv4 (IPv6) ID or + an FQDN ID, an IKE daemon needs to examine local caches and + configuration files to determine if this is part of a configured tunnel. + If no configured tunnels are found, then the implementation should attempt to retrieve + a KEY record from the reverse DNS in the case of an IPv4/IPv6 ID, or + from the forward DNS in the case of FQDN ID. + +

+

+ It is reasonable that if other non-local sources of policy are used + (COPS, LDAP), they be consulted concurrently but some + clear ordering of policy be provided. Note that due to variances in + latency, implementations must wait for positive or negative replies from all sources + of policy before making any decisions. + +

+

4.5 Interactions with DNSSEC

+ +

+ The implementation described (1.98) neither uses DNSSEC directly to + explicitly verify the authenticity of zone information, nor uses the NXT + records to provide authentication of the absence of a TXT or KEY + record. Rather, this implementation uses a trusted path to a DNSSEC + capable caching resolver. + +

+

+ To distinguish between an authenticated and an unauthenticated DNS + resource record, a stub resolver capable of returning DNSSEC + information MUST be used. + +

+

4.6 Required proposal types

+ +

4.6.1 Phase 1 parameters

+ +

+ Main mode MUST be used. + +

+

+ The initiator MUST offer at least one proposal using some combination + of: 3DES, HMAC-MD5 or HMAC-SHA1, DH group 2 or 5. Group 5 SHOULD be + proposed first. + [11] +

+

+ The initiator MAY offer additional proposals, but the cipher MUST not + be weaker than 3DES. The initiator SHOULD limit the number of proposals + such that the IKE datagrams do not need to be fragmented. + +

+

+ The responder MUST accept one of the proposals. If any configuration + of the responder is required then the responder is not acting in an + opportunistic way. + +

+

+ SG-A SHOULD use an ID_IPV4_ADDR (ID_IPV6_ADDR for IPv6) of the external + interface of SG-A for phase 1. (There is an exception, see Use of FQDN IDs.) The authentication method MUST be RSA public key signatures. + The RSA key for SG-A SHOULD be placed into a DNS KEY record in + the reverse space of SG-A (i.e. using in-addr.arpa). + +

+

4.6.2 Phase 2 parameters

+ +

+ SG-A MUST propose a tunnel between Alice and Bob, using 3DES-CBC + mode, MD5 or SHA1 authentication. Perfect Forward Secrecy MUST be specified. + +

+

+ Tunnel mode MUST be used. + +

+

+ Identities MUST be ID_IPV4_ADDR_SUBNET with the mask being /32. + +

+

+ Authorization for SG-A to act on Alice's behalf is determined by + looking for a TXT record in the reverse-map at Alice's address. + +

+

+ Compression SHOULD NOT be mandatory. It may be offered as an option. + +

+

+
 TOC 
+

5. DNS issues

+ +

5.1 Use of KEY record

+ +

+ In order to establish their own identities, SG-A and SG-B SHOULD publish + their public keys in their reverse DNS via + DNSSEC's KEY record. + See section 3 of RFC 2535[16]. + +

+

+

For example: +

+KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
+
+ +
+
0x4200:
+
The flag bits, indicating that this key is prohibited + for confidentiality use (it authenticates the peer only, a separate + Diffie-Hellman exchange is used for + confidentiality), and that this key is associated with the non-zone entity + whose name is the RR owner name. No other flags are set. +
+
4:
+
This indicates that this key is for use by IPsec. +
+
1:
+
An RSA key is present. +
+
AQNJjkKlIk9...nYyUkKK8:
+
The public key of the host as described in [17]. +
+

+

+

Use of several KEY records allows for key rollover. The SIG Payload in + IKE phase 1 SHOULD be accepted if the public key given by any KEY RR + validates it. + +

+

5.2 Use of TXT delegation record

+ +

+Alice publishes a TXT record to provide authorization for SG-A to act on +Alice's behalf. + +Bob publishes a TXT record to provide authorization for SG-B to act on Bob's +behalf. + +These records are located in the reverse DNS (in-addr.arpa) for their +respective IP addresses. The reverse DNS SHOULD be secured by DNSSEC, when +it is deployed. DNSSEC is required to defend against active attacks. + +

+

+ If Alice's address is P.Q.R.S, then she can authorize another node to + act on her behalf by publishing records at: +

+
+S.R.Q.P.in-addr.arpa
+          
+

+ +

+

+ The contents of the resource record are expected to be a string that + uses the following syntax, as suggested in [15]. + (Note that the reply to query may include other TXT resource + records used by other applications.) + +


+ +

+
+X-IPsec-Server(P)=A.B.C.D KEY
+          
+

+
 Format of reverse delegation record 


+ +

+
+
P:
+
Specifies a precedence for this record. This is + similar to MX record preferences. Lower numbers have stronger + preference. + +
+
A.B.C.D:
+
Specifies the IP address of the Security Gateway + for this client machine. + +
+
KEY:
+
Is the encoded RSA Public key of the Security + Gateway. The key is provided here to avoid a second DNS lookup. If this + field is absent, then a KEY resource record should be looked up in the + reverse-map of A.B.C.D. The key is transmitted in base64 format. + +
+

+

+ The pieces of the record are separated by any whitespace + (space, tab, newline, carriage return). An ASCII space SHOULD + be used. + +

+

+ In the case where Alice is located at a public address behind a + security gateway that has no fixed address (or no control over its + reverse-map), then Alice may delegate to a public key by domain name. + +


+ +

+
+X-IPsec-Server(P)=@FQDN KEY
+          
+

+
 Format of reverse delegation record (FQDN version) 


+ +

+
+
P:
+
Is as above. + +
+
FQDN:
+
Specifies the FQDN that the Security Gateway + will identify itself with. + +
+
KEY:
+
Is the encoded RSA Public key of the Security + Gateway. +
+

+

+ If there is more than one such TXT record with strongest (lowest + numbered) precedence, one Security Gateway is picked arbitrarily from + those specified in the strongest-preference records. + +

+

5.2.1 Long TXT records

+ +

+ When packed into transport format, TXT records which are longer than 255 + characters are divided into smaller <character-strings>. + (See [13] section 3.3 and 3.3.14.) These MUST + be reassembled into a single string for processing. + Whitespace characters in the base64 encoding are to be ignored. + +

+

5.2.2 Choice of TXT record

+ +

+ It has been suggested to use the KEY, OPT, CERT, or KX records + instead of a TXT record. None is satisfactory. + +

+

The KEY RR has a protocol field which could be used to indicate a new protocol, +and an algorithm field which could be used to + indicate different contents in the key data. However, the KEY record + is clearly not intended for storing what are really authorizations, + it is just for identities. Other uses have been discouraged. + +

+

OPT resource records, as defined in [14] are not + intended to be used for storage of information. They are not to be loaded, + cached or forwarded. They are, therefore, inappropriate for use here. + +

+

+ CERT records [18] can encode almost any set of + information. A custom type code could be used permitting any suitable + encoding to be stored, not just X.509. According to + the RFC, the certificate RRs are to be signed internally which may add undesirable +and unnecessary bulk. Larger DNS records may require TCP instead of UDP transfers. + +

+

+ At the time of protocol design, the CERT RR was not widely deployed and + could not be counted upon. Use of CERT records will be investigated, + and may be proposed in a future revision of this document. + +

+

+ KX records are ideally suited for use instead of TXT records, but had not been deployed at + the time of implementation. + +

+

5.3 Use of FQDN IDs

+ +

+ Unfortunately, not every administrator has control over the contents + of the reverse-map. Where the initiator (SG-A) has no suitable reverse-map, the + authorization record present in the reverse-map of Alice may refer to a + FQDN instead of an IP address. + +

+

+ In this case, the client's TXT record gives the fully qualified domain + name (FQDN) in place of its security gateway's IP address. + The initiator should use the ID_FQDN ID-payload in phase 1. + A forward lookup for a KEY record on the FQDN must yield the + initiator's public key. + +

+

+ This method can also be used when the external address of SG-A is + dynamic. + +

+

+ If SG-A is acting on behalf of Alice, then Alice must still delegate + authority for SG-A to do so in her reverse-map. When Alice and SG-A + are one and the same (i.e. Alice is acting as an end-node) then there + is no need for this when initiating only. +

+

However, Alice must still delegate to herself if she wishes others to + initiate OE to her. See Format of reverse delegation record (FQDN version). + +

+

5.4 Key roll-over

+ +

+Good cryptographic hygiene says that one should replace public/private key pairs +periodically. Some administrators may wish to do this as often as daily. Typical DNS +propagation delays are determined by the SOA Resource Record MINIMUM +parameter, which controls how long DNS replies may be cached. For reasonable +operation of DNS servers, administrators usually want this value to be at least several +hours, sometimes as a long as a day. This presents a problem - a new key MUST +not be used prior to it propagating through DNS. + +

+

+This problem is dealt with by having the Security Gateway generate a new +public/private key pair at least MINIMUM seconds in advance of using it. It +then adds this key to the DNS (both as a second KEY record and in additional TXT +delegation records) at key generation time. Note: only one key is allowed in +each TXT record. + +

+

+When authenticating, all gateways MUST have available all public keys +that are found in DNS for this entity. This permits the authenticating end +to check both the key for "today" and the key for "tomorrow". Note that it is +the end which is creating the signature (possesses the private key) that +determines which key is to be used. + +

+

+
 TOC 
+

6. Network address translation interaction

+ +

+ There are no fundamentally new issues for implementing opportunistic encryption + in the presence of network address translation. Rather there are + only the regular IPsec issues with NAT traversal. + +

+

+ There are several situations to consider for NAT. + +

+

6.1 Co-located NAT/NAPT

+ +

+ If SG-A is also performing network address translation on + behalf of Alice, then the packet should be translated prior to + being subjected to opportunistic encryption. This is in contrast to + typically configured tunnels which often exist to bridge islands of + private network address space. SG-A will use the translated source + address for phase 2, and so SG-B will look up that address to + confirm SG-A's authorization. + +

+

In the case of NAT (1:1), the address space into which the + translation is done MUST be globally unique, and control over the + reverse-map is assumed. + Placing of TXT records is possible. + +

+

In the case of NAPT (m:1), the address will be SG-A. The ability to get + KEY and TXT records in place will again depend upon whether or not + there is administrative control over the reverse-map. This is + identical to situations involving a single host acting on behalf of + itself. + + FQDN style can be used to get around a lack of a reverse-map for + initiators only. + +

+

6.2 SG-A behind NAT/NAPT

+ +

+ If there is a NAT or NAPT between SG-A and SG-B, then normal IPsec + NAT traversal rules apply. In addition to the transport problem + which may be solved by other mechanisms, there + is the issue of what phase 1 and phase 2 IDs to use. While FQDN could + be used during phase 1 for SG-A, there is no appropriate ID for phase 2 + that permits SG-B to determine that SG-A is in fact authorized to speak for Alice. + +

+

6.3 Bob is behind a NAT/NAPT

+ +

+ If Bob is behind a NAT (perhaps SG-B), then there is, in fact, no way for + Alice to address a packet to Bob. Not only is opportunistic encryption + impossible, but it is also impossible for Alice to initiate any + communication to Bob. It may be possible for Bob to initiate in such + a situation. This creates an asymmetry, but this is common for + NAPT. + +

+

+
 TOC 
+

7. Host implementations

+ +

+ When Alice and SG-A are components of the same system, they are + considered to be a host implementation. The packet sequence scenario remains unchanged. + +

+

+ Components marked Alice are the upper layers (TCP, UDP, the + application), and SG-A is the IP layer. + +

+

+ Note that tunnel mode is still required. + +

+

+ As Alice and SG-A are acting on behalf of themselves, no TXT based delegation + record is necessary for Alice to initiate. She can rely on FQDN in a + forward map. This is particularly attractive to mobile nodes such as + notebook computers at conferences. + To respond, Alice/SG-A will still need an entry in Alice's reverse-map. + +

+

+
 TOC 
+

8. Multi-homing

+ +

+If there are multiple paths between Alice and Bob (as illustrated in +the diagram with SG-D), then additional DNS records are required to establish +authorization. + +

+

+In Reference Network Diagram, Alice has two ways to +exit her network: SG-A and SG-D. Previously SG-D has been ignored. Postulate +that there are routers between Alice and her set of security gateways +(denoted by the + signs and the marking of an autonomous system number for +Alice's network). Datagrams may, therefore, travel to either SG-A or SG-D en +route to Bob. + +

+

+As long as all network connections are in good order, it does not matter how +datagrams exit Alice's network. When they reach either security gateway, the +security gateway will find the TXT delegation record in Bob's reverse-map, +and establish an SA with SG-B. + +

+

+SG-B has no problem establishing that either of SG-A or SG-D may speak for +Alice, because Alice has published two equally weighted TXT delegation records: +


+ +

+
+X-IPsec-Server(10)=192.1.1.5 AQMM...3s1Q==
+X-IPsec-Server(10)=192.1.1.6 AAJN...j8r9==
+          
+

+
 Multiple gateway delegation example for Alice 


+ +

+

+Alice's routers can now do any kind of load sharing needed. Both SG-A and SG-D send datagrams addressed to Bob through +their tunnel to SG-B. + +

+

+Alice's use of non-equal weight delegation records to show preference of one gateway over another, has relevance only when SG-B +is initiating to Alice. + +

+

+If the precedences are the same, then SG-B has a more difficult time. It +must decide which of the two tunnels to use. SG-B has no information about +which link is less loaded, nor which security gateway has more cryptographic +resources available. SG-B, in fact, has no knowledge of whether both gateways +are even reachable. + +

+

+The Public Internet's default-free zone may well know a good route to Alice, +but the datagrams that SG-B creates must be addressed to either SG-A or SG-D; +they can not be addressed to Alice directly. + +

+

+SG-B may make a number of choices: + +

    +
  1. It can ignore the problem and round robin among the tunnels. This + causes losses during times when one or the other security gateway is + unreachable. If this worries Alice, she can change the weights in her + TXT delegation records. +
  2. +
  3. It can send to the gateway from which it most recently received datagrams. + This assumes that routing and reachability are symmetrical. +
  4. +
  5. It can listen to BGP information from the Internet to decide which + system is currently up. This is clearly much more complicated, but if SG-B is already participating + in the BGP peering system to announce Bob, the results data may already + be available to it. +
  6. +
  7. It can refuse to negotiate the second tunnel. (It is unclear whether or +not this is even an option.) +
  8. +
  9. It can silently replace the outgoing portion of the first tunnel with the +second one while still retaining the incoming portions of both. SG-B can, +thus, accept datagrams from either SG-A or SG-D, but +send only to the gateway that most recently re-keyed with it. +
  10. +

+

+

+Local policy determines which choice SG-B makes. Note that even if SG-B has perfect +knowledge about the reachability of SG-A and SG-D, Alice may not be reachable +from either of these security gateways because of internal reachability +issues. + +

+

+FreeS/WAN implements option 5. Implementing a different option is +being considered. The multi-homing aspects of OE are not well developed and may +be the subject of a future document. + +

+

+
 TOC 
+

9. Failure modes

+ +

9.1 DNS failures

+ +

+ If a DNS server fails to respond, local policy decides + whether or not to permit communication in the clear as embodied in + the connection classes in Keying state machine - initiator. + It is easy to mount a denial of service attack on the DNS server + responsible for a particular network's reverse-map. + Such an attack may cause all communication with that network to go in + the clear if the policy is permissive, or fail completely + if the policy is paranoid. Please note that this is an active attack. + +

+

+ There are still many networks + that do not have properly configured reverse-maps. Further, if the policy is not to communicate, + the above denial of service attack isolates the target network. Therefore, the decision of whether +or not to permit communication in the clear MUST be a matter of local policy. + +

+

9.2 DNS configured, IKE failures

+ +

+ DNS records claim that opportunistic encryption should + occur, but the target gateway either does not respond on port 500, or + refuses the proposal. This may be because of a crash or reboot, a + faulty configuration, or a firewall filtering port 500. + +

+

+ The receipt of ICMP port, host or network unreachable + messages indicates a potential problem, but MUST NOT cause communication + to fail + immediately. ICMP messages are easily forged by attackers. If such a + forgery caused immediate failure, then an active attacker could easily + prevent any + encryption from ever occurring, possibly preventing all communication. + +

+

+ In these situations a clear log should be produced + and local policy should dictate if communication is then + permitted in the clear. + +

+

9.3 System reboots

+ +

+Tunnels sometimes go down because the remote end crashes, +disconnects, or has a network link break. In general there is no +notification of this. Even in the event of a crash and successful reboot, +other SGs don't hear about it unless the rebooted SG has specific +reason to talk to them immediately. Over-quick response to temporary +network outages is undesirable. Note that a tunnel can be torn +down and then re-established without any effect visible to the user +except a pause in traffic. On the other hand, if one end reboots, +the other end can't get datagrams to it at all (except via +IKE) until the situation is noticed. So a bias toward quick +response is appropriate even at the cost of occasional +false alarms. + +

+

+A mechanism for recovery after reboot is a topic of current research and is not specified in this +document. + +

+

+A deliberate shutdown should include an attempt, using deletes, to notify all other SGs +currently connected by phase 1 SAs that communication is +about to fail. Again, a remote SG will assume this is a teardown. Attempts by the +remote SGs to negotiate new tunnels as replacements should be ignored. When possible, +SGs should attempt to preserve information about currently-connected SGs in non-volatile storage, so +that after a crash, an Initial-Contact can be sent to previous partners to +indicate loss of all previously established connections. + +

+

+
 TOC 
+

10. Unresolved issues

+ +

10.1 Control of reverse DNS

+ +

+ The method of obtaining information by reverse DNS lookup causes + problems for people who cannot control their reverse DNS + bindings. This is an unresolved problem in this version, and is out + of scope. + +

+

+
 TOC 
+

11. Examples

+ +

11.1 Clear-text usage (permit policy)

+ +

+Two example scenarios follow. In the first example GW-A +(Gateway A) and GW-B (Gateway B) have always-clear-text policies, and in the second example they have an OE +policy. + +



+ +
+  Alice         SG-A       DNS       SG-B           Bob
+   (1)
+    ------(2)-------------->
+    <-----(3)---------------
+   (4)----(5)----->
+                   ----------(6)------>
+                                       ------(7)----->
+                                      <------(8)------
+                   <----------(9)------
+    <----(10)-----
+   (11)----------->
+                   ----------(12)----->
+                                       -------------->
+                                      <---------------
+                   <-------------------
+    <-------------
+          
+
 Timing of regular transaction 

+ +

+Alice wants to communicate with Bob. Perhaps she wants to retrieve a +web page from Bob's web server. In the absence of opportunistic +encryptors, the following events occur: + +

+
(1)
+
Human or application 'clicks' with a name. +
+
(2)
+
Application looks up name in DNS to get IP address. +
+
(3)
+
Resolver returns A record to application. +
+
(4)
+
Application starts a TCP session or UDP session and OS sends datagram. +
+
(5)
+
Datagram is seen at first gateway from Alice (SG-A). (SG-A +makes a transition through Empty connection to always-clear connection and +instantiates a pass-through policy at the forwarding plane.) +
+
(6)
+
Datagram is seen at last gateway before Bob (SG-B). +
+
(7)
+
First datagram from Alice is seen by Bob. +
+
(8)
+
First return datagram is sent by Bob. +
+
(9)
+
Datagram is seen at Bob's gateway. (SG-B makes a transition through +Empty connection to always-clear connection and instantiates a pass-through +policy at the forwarding plane.) +
+
(10)
+
Datagram is seen at Alice's gateway. +
+
(11)
+
OS hands datagram to application. Alice sends another datagram. +
+
(12)
+
A second datagram traverses the Internet. +
+

+

+

11.2 Opportunistic encryption

+ +

+In the presence of properly configured opportunistic encryptors, the +event list is extended. + +


+ +

+
+  Alice          SG-A      DNS       SG-B           Bob
+   (1)
+    ------(2)-------------->
+    <-----(3)---------------
+   (4)----(5)----->+
+                  ----(5B)->
+                  <---(5C)--
+                  ~~~~~~~~~~~~~(5D)~~~>
+                  <~~~~~~~~~~~~(5E1)~~~
+                  ~~~~~~~~~~~~~(5E2)~~>
+                  <~~~~~~~~~~~~(5E3)~~~
+                  #############(5E4)##>
+                  <############(5E5)###
+                           <----(5F1)--
+                           -----(5F2)->
+                  #############(5G1)##>
+                           <----(5H1)--
+                           -----(5H2)->
+                  <############(5G2)###
+                  #############(5G3)##>
+                   ============(6)====>
+		                       ------(7)----->
+                                      <------(8)------
+                  <==========(9)======
+    <-----(10)----
+   (11)----------->
+                   ==========(12)=====>
+                                       -------------->
+                                      <---------------
+                   <===================
+    <-------------
+          
+

+
 Timing of opportunistic encryption transaction 


+ +
+
(1)
+
Human or application clicks with a name. +
+
(2)
+
Application initiates DNS mapping. +
+
(3)
+
Resolver returns A record to application. +
+
(4)
+
Application starts a TCP session or UDP. +
+
(5)
+
SG-A (host or SG) sees datagram to target, and buffers it. +
+
(5B)
+
SG-A asks DNS for TXT record. +
+
(5C)
+
DNS returns TXT record(s). +
+
(5D)
+
Initial IKE Main Mode Packet goes out. +
+
(5E)
+
IKE ISAKMP phase 1 succeeds. +
+
(5F)
+
SG-B asks DNS for TXT record to prove SG-A is an agent for Alice. +
+
(5G)
+
IKE phase 2 negotiation. +
+
(5H)
+
DNS lookup by responder (SG-B). +
+
(6)
+
Buffered datagram is sent by SG-A. +
+
(7)
+
Datagram is received by SG-B, decrypted, and sent to Bob. +
+
(8)
+
Bob replies, and datagram is seen by SG-B. +
+
(9)
+
SG-B already has tunnel up with SG-A, and uses it. +
+
(10)
+
SG-A decrypts datagram and gives it to Alice. +
+
(11)
+
Alice receives datagram. Sends new packet to Bob. +
+
(12)
+
SG-A gets second datagram, sees that tunnel is up, and uses it. +
+

+

+

+ For the purposes of this section, we will describe only the changes that + occur between Timing of regular transaction and + Timing of opportunistic encryption transaction. This corresponds to time points 5, 6, 7, 9 and 10 on the list above. + +

+

11.2.1 (5) IPsec datagram interception

+ +

+ At point (5), SG-A intercepts the datagram because this source/destination pair lacks a policy +(the non-existent policy state). SG-A creates a hold policy, and buffers the datagram. SG-A requests keys from the keying daemon. + +

+

11.2.2 (5B) DNS lookup for TXT record

+ +

+ SG-A's IKE daemon, having looked up the source/destination pair in the connection + class list, creates a new Potential OE connection instance. SG-A starts DNS + queries. + +

+

11.2.3 (5C) DNS returns TXT record(s)

+ +

+ DNS returns properly formed TXT delegation records, and SG-A's IKE daemon + causes this instance to make a transition from Potential OE connection to Pending OE + connection. + +

+

+ Using the example above, the returned record might contain: + +


+ +

+
+X-IPsec-Server(10)=192.1.1.5 AQMM...3s1Q==
+          
+

+
 Example of reverse delegation record for Bob 


+ + with SG-B's IP address and public key listed. + +

+

11.2.4 (5D) Initial IKE main mode packet goes out

+ +

Upon entering Pending OE connection, SG-A sends the initial ISAKMP + message with proposals. See Phase 1 parameters. + +

+

11.2.5 (5E1) Message 2 of phase 1 exchange

+ +

+ SG-B receives the message. A new connection instance is created in the + unauthenticated OE peer state. + +

+

11.2.6 (5E2) Message 3 of phase 1 exchange

+ +

+ SG-A sends a Diffie-Hellman exponent. This is an internal state of the + keying daemon. + +

+

11.2.7 (5E3) Message 4 of phase 1 exchange

+ +

+ SG-B responds with a Diffie-Hellman exponent. This is an internal state of the + keying protocol. + +

+

11.2.8 (5E4) Message 5 of phase 1 exchange

+ +

+ SG-A uses the phase 1 SA to send its identity under encryption. + The choice of identity is discussed in Phase 1 parameters. + This is an internal state of the keying protocol. + +

+

11.2.9 (5F1) Responder lookup of initiator key

+ +

+ SG-B asks DNS for the public key of the initiator. + DNS looks for a KEY record by IP address in the reverse-map. + That is, a KEY resource record is queried for 4.1.1.192.in-addr.arpa + (recall that SG-A's external address is 192.1.1.4). + SG-B uses the resulting public key to authenticate the initiator. See Use of KEY record for further details. + +

+

11.2.10 (5F2) DNS replies with public key of initiator

+ +

+Upon successfully authenticating the peer, the connection instance makes a +transition to authenticated OE peer on SG-B. + +

+

+The format of the TXT record returned is described in +Use of TXT delegation record. + +

+

11.2.11 (5E5) Responder replies with ID and authentication

+ +

+ SG-B sends its ID along with authentication material. This is an internal + state for the keying protocol. + +

+

11.2.12 (5G) IKE phase 2

+ +

11.2.12.1 (5G1) Initiator proposes tunnel

+ +

+ Having established mutually agreeable authentications (via KEY) and + authorizations (via TXT), SG-A proposes to create an IPsec tunnel for + datagrams transiting from Alice to Bob. This tunnel is established only for + the Alice/Bob combination, not for any subnets that may be behind SG-A and SG-B. + +

+

11.2.12.2 (5H1) Responder determines initiator's authority

+ +

+ While the identity of SG-A has been established, its authority to + speak for Alice has not yet been confirmed. SG-B does a reverse + lookup on Alice's address for a TXT record. + +

+

Upon receiving this specific proposal, SG-B's connection instance + makes a transition into the potential OE connection state. SG-B may already have an + instance, and the check is made as described above. +

+

11.2.12.3 (5H2) DNS replies with TXT record(s)

+ +

+ The returned key and IP address should match that of SG-A. + +

+

11.2.12.4 (5G2) Responder agrees to proposal

+ +

+ Should additional communication occur between, for instance, Dave and Bob using + SG-A and SG-B, a new tunnel (phase 2 SA) would be established. The phase 1 SA + may be reusable. + +

+

SG-A, having successfully keyed the tunnel, now makes a transition from + Pending OE connection to Keyed OE connection. + +

+

The responder MUST setup the inbound IPsec SAs before sending its reply. +

+

11.2.12.5 (5G3) Final acknowledgment from initiator

+ +

+ The initiator agrees with the responder's choice and sets up the tunnel. + The initiator sets up the inbound and outbound IPsec SAs. + +

+

+ The proper authorization returned with keys prompts SG-B to make a transition + to the keyed OE connection state. + +

+

Upon receipt of this message, the responder may now setup the outbound + IPsec SAs. +

+

11.2.13 (6) IPsec succeeds, and sets up tunnel for communication between Alice and Bob

+ +

+ SG-A sends the datagram saved at step (5) through the newly created + tunnel to SG-B, where it gets decrypted and forwarded. + Bob receives it at (7) and replies at (8). + +

+

11.2.14 (9) SG-B already has tunnel up with G1 and uses it

+ +

+ At (9), SG-B has already established an SPD entry mapping Bob->Alice via a + tunnel, so this tunnel is simply applied. The datagram is encrypted to SG-A, + decrypted by SG-A and passed to Alice at (10). + +

+

+
 TOC 
+

12. Security considerations

+ +

12.1 Configured vs opportunistic tunnels

+ +

+ Configured tunnels are those which are setup using bilateral mechanisms: exchanging +public keys (raw RSA, DSA, PKIX), pre-shared secrets, or by referencing keys that +are in known places (distinguished name from LDAP, DNS). These keys are then used to +configure a specific tunnel. + +

+

+A pre-configured tunnel may be on all the time, or may be keyed only when needed. +The end points of the tunnel are not necessarily static: many mobile +applications (road warrior) are considered to be configured tunnels. + +

+

+The primary characteristic is that configured tunnels are assigned specific +security properties. They may be trusted in different ways relating to exceptions to +firewall rules, exceptions to NAT processing, and to bandwidth or other quality of service restrictions. + +

+

+Opportunistic tunnels are not inherently trusted in any strong way. They are +created without prior arrangement. As the two parties are strangers, there +MUST be no confusion of datagrams that arrive from opportunistic peers and +those that arrive from configured tunnels. A security gateway MUST take care +that an opportunistic peer can not impersonate a configured peer. + +

+

+Ingress filtering MUST be used to make sure that only datagrams authorized by +negotiation (and the concomitant authentication and authorization) are +accepted from a tunnel. This is to prevent one peer from impersonating another. + +

+

+An implementation suggestion is to treat opportunistic tunnel +datagrams as if they arrive on a logical interface distinct from other +configured tunnels. As the number of opportunistic tunnels that may be +created automatically on a system is potentially very high, careful attention +to scaling should be taken into account. + +

+

+As with any IKE negotiation, opportunistic encryption cannot be secure +without authentication. Opportunistic encryption relies on DNS for its +authentication information and, therefore, cannot be fully secure without +a secure DNS. Without secure DNS, opportunistic encryption can protect against passive +eavesdropping but not against active man-in-the-middle attacks. + +

+

12.2 Firewalls versus Opportunistic Tunnels

+ +

+ Typical usage of per datagram access control lists is to implement various +kinds of security gateways. These are typically called "firewalls". + +

+

+ Typical usage of a virtual private network (VPN) within a firewall is to +bypass all or part of the access controls between two networks. Additional +trust (as outlined in the previous section) is given to datagrams that arrive +in the VPN. + +

+

+ Datagrams that arrive via opportunistically configured tunnels MUST not be +trusted. Any security policy that would apply to a datagram arriving in the +clear SHOULD also be applied to datagrams arriving opportunistically. + +

+

12.3 Denial of service

+ +

+ There are several different forms of denial of service that an implementor + should concern themselves with. Most of these problems are shared with + security gateways that have large numbers of mobile peers (road warriors). + +

+

+ The design of ISAKMP/IKE, and its use of cookies, defend against many kinds + of denial of service. Opportunism changes the assumption that if the phase 1 (ISAKMP) + SA is authenticated, that it was worthwhile creating. Because the gateway will communicate with any machine, it is + possible to form phase 1 SAs with any machine on the Internet. + +

+

+
 TOC 
+

13. IANA Considerations

+ +

+ There are no known numbers which IANA will need to manage. + +

+

+
 TOC 
+

14. Acknowledgments

+ +

+ Substantive portions of this document are based upon previous work by + Henry Spencer. + +

+

+ Thanks to Tero Kivinen, Sandy Harris, Wes Hardarker, Robert Moskowitz, + Jakob Schlyter, Bill Sommerfeld, John Gilmore and John Denker for their + comments and constructive criticism. + +

+

+ Sandra Hoffman and Bill Dickie did the detailed proof reading and editing. + +

+

+
 TOC 
+

Normative references

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
[1]Redelmeier, D. and H. Spencer, "Opportunistic Encryption", paper http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/opportunism.spec, May 2001.
[2]Defense Advanced Research Projects Agency (DARPA), Information Processing Techniques Office and University of Southern California (USC)/Information Sciences Institute, "Internet Protocol", STD 5, RFC 791, September 1981.
[3]Braden, R. and J. Postel, "Requirements for Internet gateways", RFC 1009, June 1987.
[4]IAB, IESG, Carpenter, B. and F. Baker, "IAB and IESG Statement on Cryptographic Technology and the Internet", RFC 1984, August 1996.
[5]Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[6]McDonald, D., Metz, C. and B. Phan, "PF_KEY Key Management API, Version 2", RFC 2367, July 1998.
[7]Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[8]Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.
[9]Maughan, D., Schneider, M. and M. Schertler, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998.
[10]Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.
[11]Kivinen, T. and M. Kojo, "More MODP Diffie-Hellman groups for IKE", RFC 3526, March 2003.
[12]Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.
[13]Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.
[14]Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, August 1999.
[15]Rosenbaum, R., "Using the Domain Name System To Store Arbitrary String Attributes", RFC 1464, May 1993.
[16]Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999.
[17]Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", RFC 3110, May 2001.
[18]Eastlake, D. and O. Gudmundsson, "Storing Certificates in the Domain Name System (DNS)", RFC 2538, March 1999.
[19]Durham, D., Boyle, J., Cohen, R., Herzog, S., Rajan, R. and A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000.
[20]Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.
+ +

+
 TOC 
+

Authors' Addresses

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
 Michael C. Richardson
 Sandelman Software Works
 470 Dawson Avenue
 Ottawa, ON K1Z 5V7
 CA
EMail: mcr@sandelman.ottawa.on.ca
URI: http://www.sandelman.ottawa.on.ca/
  
 D. Hugh Redelmeier
 Mimosa
 Toronto, ON
 CA
EMail: hugh@mimosa.com
+

+
 TOC 
+

Full Copyright Statement

+ + + + +

Acknowledgement

+ +
diff --git a/doc/src/draft-richardson-ipsec-opportunistic.xml b/doc/src/draft-richardson-ipsec-opportunistic.xml new file mode 100644 index 000000000..d587df693 --- /dev/null +++ b/doc/src/draft-richardson-ipsec-opportunistic.xml @@ -0,0 +1,2519 @@ + + + + + + + + + Security + Independent submission + + Opportunistic Encryption using The Internet Key Exchange (IKE) + + + + Sandelman Software Works +
+ + 470 Dawson Avenue + Ottawa + ON + K1Z 5V7 + CA + + mcr@sandelman.ottawa.on.ca + http://www.sandelman.ottawa.on.ca/ +
+
+ + + Mimosa +
+ + Toronto + ON + CA + + hugh@mimosa.com +
+
+ + + + + +This document describes opportunistic encryption (OE) using the Internet Key +Exchange (IKE) and IPsec. +Each system administrator adds new +resource records to his or her Domain Name System (DNS) to support +opportunistic encryption. The objective is to allow encryption for secure communication without +any pre-arrangement specific to the pair of systems involved. + + +DNS is used to distribute the public keys of each +system involved. This is resistant to passive attacks. The use of DNS +Security (DNSSEC) secures this system against active attackers as well. + + +As a result, the administrative overhead is reduced +from the square of the number of systems to a linear dependence, and it becomes +possible to make secure communication the default even +when the partner is not known in advance. + + +This document is offered up as an Informational RFC. + + + +
+ + + +
+ +
+ + +The objective of opportunistic encryption is to allow encryption without +any pre-arrangement specific to the pair of systems involved. Each +system administrator adds +public key information to DNS records to support opportunistic +encryption and then enables this feature in the nodes' IPsec stack. +Once this is done, any two such nodes can communicate securely. + + + +This document describes opportunistic encryption as designed and +implemented by the Linux FreeS/WAN project in revisions up and including 2.00. +Note that 2.01 and beyond implements RFC3445, in a backward compatible way. +For project information, see http://www.freeswan.org. + + + +The Internet Architecture Board (IAB) and Internet Engineering +Steering Group (IESG) have taken a strong stand that the Internet +should use powerful encryption to provide security and +privacy . +The Linux FreeS/WAN project attempts to provide a practical means to implement this policy. + + + +The project uses the IPsec, ISAKMP/IKE, DNS and DNSSEC +protocols because they are +standardized, widely available and can often be deployed very easily +without changing hardware or software or retraining users. + + + +The extensions to support opportunistic encryption are simple. No +changes to any on-the-wire formats are needed. The only changes are to +the policy decision making system. This means that opportunistic +encryption can be implemented with very minimal changes to an existing +IPsec implementation. + + + +Opportunistic encryption creates a "fax effect". The proliferation +of the fax machine was possible because it did not require that everyone +buy one overnight. Instead, as each person installed one, the value +of having one increased - as there were more people that could receive faxes. +Once opportunistic encryption is installed it +automatically recognizes +other boxes using opportunistic encryption, without any further configuration +by the network +administrator. So, as opportunistic encryption software is installed on more +boxes, its value +as a tool increases. + + + +This document describes the infrastructure to permit deployment of +Opportunistic Encryption. + + + +The term S/WAN is a trademark of RSA Data Systems, and is used with permission +by this project. + + +
+ +
+ + To aid in understanding the relationship between security processing and IPsec + we divide network traffic into four categories: + + networks to which traffic is always forbidden. + networks to which traffic in the clear is permitted. + networks to which traffic is encrypted if possible, but otherwise is in the clear + or fails depending on the default policy in place. + + networks to which traffic +must be encrypted, and traffic in the clear is never permitted. +A Virtual Private Network (VPN) is a form of configured tunnel. + + + + + +Traditional firewall devices handle the first two categories. +No authentication is required. +The permit policy is currently the default on the Internet. + + + +This document describes the third category - opportunistic tunnel, which is +proposed as the new default for the Internet. + + + + Category four, encrypt traffic or drop it, requires authentication of the + end points. As the number of end points is typically bounded and is typically + under a single authority, arranging for distribution of + authentication material, while difficult, does not require any new + technology. The mechanism described here provides an additional way to + distribute the authentication materials, that of a public key method that does not + require deployment of an X.509 based infrastructure. + + +Current Virtual Private Networks can often be replaced by an "OE paranoid" +policy as described herein. + +
+ +
+ + + Opportunistic encryption creates tunnels between nodes that + are essentially strangers. This is done without any prior bilateral + arrangement. + There is, therefore, the difficult question of how one knows to whom one is + talking. + + + + One possible answer is that since no useful + authentication can be done, none should be tried. This mode of operation is + named "anonymous encryption". An active man-in-the-middle attack can be + used to thwart the privacy of this type of communication. + Without peer authentication, there is no way to prevent this kind of attack. + + + +Although a useful mode, anonymous encryption is not the goal of this +project. Simpler methods are available that can achieve anonymous +encryption only, but authentication of the peer is a desireable goal. +The latter is achieved through key distribution in DNS, leveraging upon +the authentication of the DNS in DNSSEC. + + + + Peers are, therefore, authenticated with DNSSEC when available. Local policy +determines how much trust to extend when DNSSEC is not available. + + + + However, an essential premise of building private connections with + strangers is that datagrams received through opportunistic tunnels + are no more special than datagrams that arrive in the clear. + Unlike in a VPN, these datagrams should not be given any special + exceptions when it comes to auditing, further authentication or + firewalling. + + + + When initiating outbound opportunistic encryption, local + configuration determines what happens if tunnel setup fails. It may be that + the packet goes out in the clear, or it may be dropped. + + +
+ +
+ + The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, + SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this + document, are to be interpreted as described in + +
+ +
+ +
+ +
+ +
+ The following network diagram is used in the rest of + this document as the canonical diagram: + + [Q] [R] + . . AS2 + [A]----+----[SG-A].......+....+.......[SG-B]-------[B] + | ...... + AS1 | ..PI.. + | ...... + [D]----+----[SG-D].......+....+.......[C] AS3 + + + + + +
+ + + In this diagram, there are four end-nodes: A, B, C and D. + There are three security gateways, SG-A, SG-B, SG-D. A, D, SG-A and + SG-D are part + of the same administrative authority, AS1. SG-A and SG-D are on two + different exit + paths from organization 1. SG-B/B is an independent organization, AS2. + Nodes Q and R are nodes on the Internet. PI is the Public + Internet ("The Wild"). + + +
+ +
+ + + The following terminology is used in this document: + + + + a system that performs IPsec tunnel + mode encapsulation/decapsulation. [SG-x] in the diagram. + node [A] in the diagram. When an IP address is needed, this is 192.1.0.65. + node [B] in the diagram. When an IP address is needed, this is 192.2.0.66. + node [C] in the diagram. When an IP address is needed, this is 192.1.1.67. + node [D] in the diagram. When an IP address is needed, this is 192.3.0.68. + Alice's security gateway. Internally it is 192.1.0.1, externally it is 192.1.1.4. + Bob's security gateway. Internally it is 192.2.0.1, externally it is 192.1.1.5. + Dave's security gateway. Also Alice's backup security gateway. Internally it is 192.3.0.1, externally it is 192.1.1.6. + A period represents an untrusted network of unknown + type. + a tunnel that + is directly and deliberately hand configured on participating gateways. + Configured tunnels are typically given a higher level of + trust than opportunistic tunnels. + + a configured tunnel connecting one + node with a fixed IP address and one node with a variable IP address. + A road warrior (RW) connection must be initiated by the + variable node, since the fixed node cannot know the + current address for the road warrior. + + + the process of encrypting a session without any knowledge of who the + other parties are. No authentication of identities is done. + + + the process of encrypting a session with authenticated knowledge of + who the other party is. + + + the period in seconds (bytes or datagrams) for which a security + association will remain alive before needing to be re-keyed. + + + the effective time for which a security association remains useful. A + security association with a lifespan shorter than its lifetime would + be removed when no longer needed. A security association with a + lifespan longer than its lifetime would need to be re-keyed one or + more times. + + an ISAKMP/IKE security association sometimes + referred to as a keying channel. + + an IPsec security association. + + another term for a set of phase 2 SA (one in each direction). + + Network Address Translation + (see ). + + Network Address and Port Translation + (see ). + + an autonomous system + + Fully-Qualified Domain Name + + + a set of routers that maintain a complete set of routes to + all currently reachable destinations. Having such a list, these routers + never make use of a default route. A datagram with a destination address + not matching any route will be dropped by such a router. + + + +
+ +
+ + +The opportunistic encryption security gateway (OE gateway) is a regular +gateway node as described in section 2.4 and + with the additional capabilities described here and +in . +The algorithm described here provides a way to determine, for each datagram, +whether or not to encrypt and tunnel the datagram. Two important things +that must be determined are whether or not to encrypt and tunnel and, if +so, the destination address or name of the tunnel end point which should be used. + + +
+ +The OE gateway determines whether or not to create a tunnel based on +the destination address of each packet. Upon receiving a packet with a destination +address not recently seen, the OE gateway performs a lookup in DNS for an +authorization resource record (see ). The record is located using +the IP address to perform a search in the in-addr.arpa (IPv4) or ip6.arpa +(IPv6) maps. If an authorization record is found, the OE gateway +interprets this as a request for a tunnel to be formed. + +
+ +
+ + +The authorization resource record also provides the address or name of the tunnel +end point which should be used. + + +The record may also provide the public RSA key of the tunnel end point +itself. This is provided for efficiency only. If the public RSA key is not +present, the OE gateway performs a second lookup to find a KEY +resource record for the end point address or name. + + +Origin and integrity protection of the resource records is provided by +DNSSEC (). +documents an optional restriction on the tunnel end point if DNSSEC signatures +are not available for the relevant records. + + +
+ +
+ +The OE gateway maintains a cache, in the forwarding plane, of +source/destination pairs for which opportunistic encryption has been +attempted. This cache maintains a record of whether or not OE was +successful so that subsequent datagrams can be forwarded properly +without additional delay. + + + +Successful negotiation of OE instantiates a new security association. +Failure to negotiate OE results in creation of a +forwarding policy entry either to drop or transmit in the clear future +datagrams. This negative cache is necessary to avoid the possibly lengthy process of repeatedly looking +up the same information. + + + +The cache is timed out periodically, as described in . +This removes entries that are no longer +being used and permits the discovery of changes in authorization policy. + +
+ +
+ +
+ +
+ + +The OE gateway is modeled to have a forwarding plane and a control +plane. A control channel, such as PF_KEY, connects the two planes. +(See .) +The forwarding plane performs per datagram operations. The control plane +contains a keying daemon, such as ISAKMP/IKE, and performs all +authorization, peer authentication and key derivation functions. + + +
+ + +Let the OE gateway maintain a collection of objects -- a superset of the +security policy database (SPD) specified in . For +each combination of source and destination address, an SPD +object exists in one of five following states. +Prior to forwarding each datagram, the responder uses the source and +destination addresses to pick an entry from the SPD. +The SPD then determines if and how the packet is forwarded. + + + + + + +
+ +If the gateway does not find an entry, then this policy applies. +The gateway creates an entry with an initial state of "hold policy" and requests +keying material from the keying daemon. The gateway does not forward the datagram, +rather it SHOULD attach the datagram to the SPD entry as the "first" datagram and retain it +for eventual transmission in a new state. + + +
+ +
+ +The gateway requests keying material. If the interface to the keying +system is lossy (PF_KEY, for instance, can be), the implementation +SHOULD include a mechanism to retransmit the +keying request at a rate limited to less than 1 request per second. +The gateway does not forward the datagram. The gateway SHOULD attach the +datagram to the SPD entry as the "last" datagram where it is retained +for eventual transmission. +If there is a datagram already so stored, then that already stored datagram is discarded. + + +The rational behind saving the the "first" and "last" datagrams are as follows: +The "first" datagram is probably a TCP SYN packet. Once there is keying +established, the gateway will release this datagram, avoiding the need to +for the end-point to retransmit the datagram. In the case where the connection +was not a TCP connection, buyt was instead a streaming protocol or a DNS request, +the "last" datagram that was retained is likely the most recent data. The difference +between "first" and "last" may also help the end-points determine +which data awas dropped while negotiation took place. + +
+ +
+ +The gateway forwards the datagram using the normal forwarding table. +The gateway enters this state only by command from the keying daemon, +and upon entering this state, also forwards the "first" and "last" datagrams. + +
+ +
+ +The gateway discards the datagram. The gateway enters this state only by +command +from the keying daemon, and upon entering this state, discards the "first" +and "last" datagrams. +An implementation MAY provide the administator with a control to determine +if further datagrams cause ICMP messages +to be generated (i.e. ICMP Destination Unreachable, Communication +Administratively Prohibited. type=3, code=13). + +
+ +
+ +The gateway encrypts the datagram using the indicated security association database +(SAD) entry. The gateway enters this state only by command from the keying daemon, and upon entering +this state, releases and forwards the "first" and "last" datagrams using the +new encrypt policy. + + +If the associated SAD entry expires because of byte, packet or time limits, then +the entry returns to the Hold policy, and an expire message is sent to the keying daemon. + +
+ + +All states may be created directly by the keying daemon while acting as a +gateway. + + +
+ + +
+ +Let the keying daemon maintain a collection of objects. Let them be +called "connections" or "conn"s. There are two categories of +connection objects: classes and instances. A class represents an +abstract policy - what could be. An instance represents an actual connection - +what is implemented at the time. + + + +Let there be two further subtypes of connections: keying channels (Phase +1 SAs) and data channels (Phase 2 SAs). Each data channel object may have +a corresponding SPD and SAD entry maintained by the datagram state machine. + + + +For the purposes of opportunistic encryption, there MUST, at least, be +connection classes known as "deny", "always-clear-text", "OE-permissive", and +"OE-paranoid". +The latter two connection classes define a set of source and/or destination +addresses for which opportunistic encryption will be attempted. +The administrator MAY set policy options in a number of additional places. +An implementation MAY create additional connection classes to further refine +these policies. + + + +The simplest system may need only the "OE-permissive" connection, and would +list its own (single) IP address as the source address of this policy and +the wild-card address 0.0.0.0/0 as the destination IPv4 address. That is, the +simplest policy is to try opportunistic encryption with all destinations. + + + +The distinction between permissive and paranoid OE use will become clear +in the state transition differences. In general a permissive OE will, on +failure, install a pass-through policy, while a paranoid OE will, on failure, +install a drop policy. + + + +In this description of the keying machine's state transitions, the states +associated with the keying system itself are omitted because they are best documented in the keying system +(, + and for ISAKMP/IKE), +and the details are keying system specific. Opportunistic encryption is not +dependent upon any specific keying protocol, but this document does provide +requirements for those using ISAKMP/IKE to assure that implementations inter-operate. + + +The state transitions that may be involved in communicating with the +forwarding plane are omitted. PF_KEY and similar protocols have their own +set of states required for message sends and completion notifications. + + +Finally, the retransmits and recursive lookups that are normal for DNS are +not included in this description of the state machine. + + + +| deny |---> expired +| connection | | for | connection | connection +`---------------' | destination `---------------' + ^ ^ | ^ + | | no record | | + | | OE-permissive V | no record + | | .---------------. | OE-paranoid + | `------------| potential OE |---------' + | | connection | ^ + | `---------------' | + | | | + | | got TXT record | DNSSEC failure + | | reply | + | V | wrong + | .---------------. | failure + | | authenticate |---------' + | | & parse TXT RR| ^ + | repeated `---------------' | + | ICMP | | + | failures | initiate IKE to | + | (short-timeout) | responder | + | V | + | phase-2 .---------------. | failure + | failure | pending |---------' + | (normal | OE | ^ + | timeout) | |invalid | phase-2 failure (short-timeout) + | | |<--.SPI | ICMP failures (normal timeout) + | | | | | + | | +=======+ |---' | + | | | IKE | | ^ | + `--------------| | states|---------------' + | +=======+ | | + `---------------' | + | IPsec SA | invalid SPI + | established | + V | rekey time + .--------------. | + | keyed |<---|-------------------------------. + | connection |----' | + `--------------' | + | timer | + | | + V | + .--------------. connection still active | + clear-text----->| expired |------------------------------------' + deny----->| connection | + `--------------' + | dead connected - deleted + V +]]> + + +
+ +There is no connection instance for a given source/destination address pair. +Upon receipt of a request for keying material for this +source/destination pair, the initiator searches through the connection classes to +determine the most appropriate policy. Upon determining an appropriate +connection class, an instance object is created of that type. +Both of the OE types result in a potential OE connection. + +Failure to find an appropriate connection class results in an +administrator defined default. + + +In each case, when the initiator finds an appropriate class for the new flow, +an instance connection is made of the class which matched. + +
+ +
+ +The non-existent connection makes a transition to this state when an +always-clear-text class is instantiated, or when an OE-permissive +connection fails. During the transition, the initiator creates a pass-through +policy object in the forwarding plane for the appropriate flow. + + +Timing out is the only way to leave this state +(see ). + +
+ +
+ +The empty connection makes a transition to this state when a +deny class is instantiated, or when an OE-paranoid connection fails. +During the transition, the initiator creates a deny policy object in the forwarding plane +for the appropriate flow. + + +Timing out is the only way to leave this state +(see ). + +
+ +
+ +The empty connection makes a transition to this state when one of either OE class is instantiated. +During the transition to this state, the initiator creates a hold policy object in the +forwarding plane for the appropriate flow. + + +In addition, when making a transition into this state, DNS lookup is done in +the reverse-map for a TXT delegation resource record (see ). +The lookup key is the destination address of the flow. + + +There are three ways to exit this state: + +DNS lookup finds a TXT delegation resource record. +DNS lookup does not find a TXT delegation resource record. +DNS lookup times out. + + + + +Based upon the results of the DNS lookup, the potential OE connection makes a +transition to the pending OE connection state. The conditions for a +successful DNS look are: + +DNS finds an appropriate resource record +It is properly formatted according to + if DNSSEC is enabled, then the signature has been vouched for. + + +Note that if the initiator does not find the public key +present in the TXT delegation record, then the public key must +be looked up as a sub-state. Only successful completion of all the +DNS lookups is considered a success. + + +If DNS lookup does not find a resource record or DNS times out, then the +initiator considers the receiver not OE capable. If this is an OE-paranoid instance, +then the potential OE connection makes a transition to the deny connection state. +If this is an OE-permissive instance, then the potential OE connection makes a transition to the +clear-text connection state. + + +If the initiator finds a resource record but it is not properly formatted, or +if DNSSEC is +enabled and reports a failure to authenticate, then the potential OE +connection makes a +transition to the deny connection state. This action SHOULD be logged. If the +administrator wishes to override this transition between states, then an +always-clear class can be installed for this flow. An implementation MAY make +this situation a new class. + + +
+ +An implementation SHOULD also provide an additional administrative control +on delegation records and DNSSEC. This control would apply to delegation +records (the TXT records in the reverse-map) that are not protected by +DNSSEC. +Records of this type are only permitted to delegate to their own address as +a gateway. When this option is enabled, an active attack on DNS will be +unable to redirect packets to other than the original destination. + + +
+
+ +
+ +The potential OE connection makes a transition to this state when +the initiator determines that all the information required from the DNS lookup is present. +Upon entering this state, the initiator attempts to initiate keying to the gateway +provided. + + +Exit from this state occurs either with a successfully created IPsec SA, or +with a failure of some kind. Successful SA creation results in a transition +to the key connection state. + + +Three failures have caused significant problems. They are clearly not the +only possible failures from keying. + + +Note that if there are multiple gateways available in the TXT delegation +records, then a failure can only be declared after all have been +tried. Further, creation of a phase 1 SA does not constitute success. A set +of phase 2 SAs (a tunnel) is considered success. + + +The first failure occurs when an ICMP port unreachable is consistently received +without any other communication, or when there is silence from the remote +end. This usually means that either the gateway is not alive, or the +keying daemon is not functional. For an OE-permissive connection, the initiator makes a transition +to the clear-text connection but with a low lifespan. For an OE-pessimistic connection, +the initiator makes a transition to the deny connection again with a low lifespan. The +lifespan in both +cases is kept low because the remote gateway may +be in the process of rebooting or be otherwise temporarily unavailable. + + +The length of time to wait for the remote keying daemon to wake up is +a matter of some debate. If there is a routing failure, 5 minutes is usually long +enough for the network to +re-converge. Many systems can reboot in that amount of +time as well. However, 5 minutes is far too long for most users to wait to +hear that they can not connect using OE. Implementations SHOULD make this a +tunable parameter. + + +The second failure occurs after a phase 1 SA has been created, but there is +either no response to the phase 2 proposal, or the initiator receives a +negative notify (the notify must be +authenticated). The remote gateway is not prepared to do OE at this time. +As before, the initiator makes a transition to the clear-text or the deny +connection based upon connection class, but this +time with a normal lifespan. + + +The third failure occurs when there is signature failure while authenticating +the remote gateway. This can occur when there has been a +key roll-over, but DNS has not caught up. In this case again, the initiator makes a +transition to the clear-text or the deny connection based +upon the connection class. However, the lifespan depends upon the remaining +time to live in the DNS. (Note that DNSSEC signed resource records have a different +expiry time than non-signed records.) + + + +
+ +
+ +The pending OE connection makes a transition to this state when +session keying material (the phase 2 SAs) is derived. The initiator creates an encrypt +policy in the forwarding plane for this flow. + + +There are three ways to exit this state. The first is by receipt of an +authenticated delete message (via the keying channel) from the peer. This is +normal teardown and results in a transition to the expired connection state. + + +The second exit is by expiry of the forwarding plane keying material. This +starts a re-key operation with a transition back to pending OE +connection. In general, the soft expiry occurs with sufficient time left +to continue to use the keys. A re-key can fail, which may +result in the connection failing to clear-text or deny as +appropriate. In the event of a failure, the forwarding plane +policy does not change until the phase 2 SA (IPsec SA) reaches its +hard expiry. + + +The third exit is in response to a negotiation from a remote +gateway. If the forwarding plane signals the control plane that it has received an +unknown SPI from the remote gateway, or an ICMP is received from the remote gateway +indicating an unknown SPI, the initiator should consider that +the remote gateway has rebooted or restarted. Since these +indications are easily forged, the implementation must +exercise care. The initiator should make a cautious +(rate-limited) attempt to re-key the connection. + +
+ +
+ +The initiator will periodically place each of the deny, clear-text, and keyed +connections into this +sub-state. See for more details of how often this +occurs. +The initiator queries the forwarding plane for last use time of the +appropriate +policy. If the last use time is relatively recent, then the connection +returns to the +previous deny, clear-text or keyed connection state. If not, then the +connection enters +the expired connection state. + + +The DNS query and answer that lead to the expiring connection state are also +examined. The DNS query may become stale. (A negative, i.e. no such record, answer +is valid for the period of time given by the MINIMUM field in an attached SOA +record. See section 4.3.4.) +If the DNS query is stale, then a new query is made. If the results change, then the connection +makes a transition to a new state as described in potential OE connection state. + + +Note that when considering how stale a connection is, both outgoing SPD and +incoming SAD must be queried as some flows may be unidirectional for some time. + + +Also note that the policy at the forwarding plane is not updated unless there +is a conclusion that there should be a change. + + +
+
+ +Entry to this state occurs when no datagrams have been forwarded recently via the +appropriate SPD and SAD objects. The objects in the forwarding plane are +removed (logging any final byte and packet counts if appropriate) and the +connection instance in the keying plane is deleted. + + +The initiator sends an ISAKMP/IKE delete to clean up the phase 2 SAs as described in +. + + +Whether or not to delete the phase 1 SAs +at this time is left as a local implementation issue. Implementations +that do delete the phase 1 SAs MUST send authenticated delete messages to +indicate that they are doing so. There is an advantage to keeping +the phase 1 SAs until they expire - they may prove useful again in the +near future. + +
+ +
+ +
+ +The responder has a set of objects identical to those of the initiator. + + +The responder receives an invitation to create a keying channel from an initiator. + + + + log failure + | reply | + `----+--------+---' + phase 2 | \ misformatted + proposal | `------------------> log failure + V + .----------------. + | authenticated | identical initiator + | OE peer |--------------------> initiator + `----------------' connection found state machine + | + | look for TXT record for initiator + | + V + .---------------. + | authorized |---------------------> log failure + | OE peer | + `---------------' + | + | + V + potential OE + connection in + initiator state + machine + + +$Id: draft-richardson-ipsec-opportunistic.xml,v 1.1 2004/03/15 20:35:24 as Exp $ +]]> + + +
+ +Upon entering this state, the responder starts a DNS lookup for a KEY record for the +initiator. +The responder looks in the reverse-map for a KEY record for the initiator if the +initiator has offered an ID_IPV4_ADDR, and in the forward map if the +initiator has offered an ID_FQDN type. (See section +4.6.2.1.) + + +The responder exits this state upon successful receipt of a KEY from DNS, and use of the key +to verify the signature of the initiator. + + + + + +Successful authentication of the peer results in a transition to the +authenticated OE Peer state. + + +Note that the unauthenticated OE peer state generally occurs in the middle of the key negotiation +protocol. It is really a form of pseudo-state. + +
+ +
+ +The peer will eventually propose one or more phase 2 SAs. The responder uses the source and +destination address in the proposal to +finish instantiating the connection state +using the connection class table. +The responder MUST search for an identical connection object at this point. + + +If an identical connection is found, then the responder deletes the old instance, +and the new object makes a transition to the pending OE connection state. This means +that new ISAKMP connections with a given peer will always use the latest +instance, which is the correct one if the peer has rebooted in the interim. + + +If an identical connection is not found, then the responder makes the transition according to the +rules given for the initiator. + + +Note that if the initiator is in OE-paranoid mode and the responder is in +either always-clear-text or deny, then no communication is possible according +to policy. An implementation is permitted to create new types of policies +such as "accept OE but do not initiate it". This is a local matter. + +
+ +
+ +
+
+ +A potentially unlimited number of tunnels may exist. In practice, only a few +tunnels are used during a period of time. Unused tunnels MUST, therefore, be +torn down. Detecting when tunnels are no longer in use is the subject of this section. + + + +There are two methods for removing tunnels: explicit deletion or expiry. + + + +Explicit deletion requires an IKE delete message. As the deletes +MUST be authenticated, both ends of the tunnel must maintain the +key channel (phase 1 ISAKMP SA). An implementation which refuses to either maintain or +recreate the keying channel SA will be unable to use this method. + + + +The tunnel expiry method simply allows the IKE daemon to +expire normally without attempting to re-key it. + + + +Regardless of which method is used to remove tunnels, the implementation MUST +a method to determine if the tunnel is still in use. The specifics are a +local matter, but the FreeS/WAN project uses the following criteria. These +criteria are currently implemented in the key management daemon, but could +also be implemented at the SPD layer using an idle timer. + + + +Set a short initial (soft) lifespan of 1 minute since many net flows last +only a few seconds. + + + +At the end of the lifespan, check to see if the tunnel was used by +traffic in either direction during the last 30 seconds. If so, assign a +longer tentative lifespan of 20 minutes after which, look again. If the +tunnel is not in use, then close the tunnel. + + + +The expiring state in the key management +system (see ) implements these timeouts. +The timer above may be in the forwarding plane, +but then it must be re-settable. + + + +The tentative lifespan is independent of re-keying; it is just the time when +the tunnel's future is next considered. +(The term lifespan is used here rather than lifetime for this reason.) +Unlike re-keying, this tunnel use check is not costly and should happen +reasonably frequently. + + + +A multi-step back-off algorithm is not considered worth the effort here. + + + +If the security gateway and the client host are the +same and not a Bump-in-the-Stack or Bump-in-the-Wire implementation, tunnel +teardown decisions MAY pay attention to TCP connection status as reported +by the local TCP layer. A still-open TCP connection is almost a guarantee that more traffic is +expected. Closing of the only TCP connection through a tunnel is a +strong hint that no more traffic is expected. + + +
+ +
+ + +Teardown should always be coordinated between the two ends of the tunnel by +interpreting and sending delete notifications. There is a +detailed sub-state in the expired connection state of the key manager that +relates to retransmits of the delete notifications, but this is considered to +be a keying system detail. + + + +On receiving a delete for the outbound SAs of a tunnel (or some subset of +them), tear down the inbound ones also and notify the remote end with a +delete. If the local system receives a delete for a tunnel which is no longer in +existence, then two delete messages have crossed paths. Ignore the delete. +The operation has already been completed. Do not generate any messages in this +situation. + + +Tunnels are to be considered as bidirectional entities, even though the +low-level protocols don't treat them this way. + + + +When the deletion is initiated locally, rather than as a +response to a received delete, send a delete for (all) the +inbound SAs of a tunnel. If the local system does not receive a responding delete +for the outbound SAs, try re-sending the original +delete. Three tries spaced 10 seconds apart seems a reasonable +level of effort. A failure of the other end to respond after 3 attempts, +indicates that the possibility of further communication is unlikely. Remove the outgoing SAs. +(The remote system may be a mobile node that is no longer present or powered on.) + + + +After re-keying, transmission should switch to using the new +outgoing SAs (ISAKMP or IPsec) immediately, and the old leftover +outgoing SAs should be cleared out promptly (delete should be sent +for the outgoing SAs) rather than waiting for them to expire. This +reduces clutter and minimizes confusion for the operator doing diagnostics. + + +
+ +
+ +
+ +
+ +
+ + The IKE wire protocol needs no modifications. The major changes are + implementation issues relating to how the proposals are interpreted, and from + whom they may come. + + + As opportunistic encryption is designed to be useful between peers without + prior operator configuration, an IKE daemon must be prepared to negotiate + phase 1 SAs with any node. This may require a large amount of resources to + maintain cookie state, as well as large amounts of entropy for nonces, + cookies and so on. + + + The major changes to support opportunistic encryption are at the IKE daemon + level. These changes relate to handling of key acquisition requests, lookup + of public keys and TXT records, and interactions with firewalls and other + security facilities that may be co-resident on the same gateway. + +
+ +
+ + In a typical configured tunnel, the address of SG-B is provided + via configuration. Furthermore, the mapping of an SPD entry to a gateway is + typically a 1:1 mapping. When the 0.0.0.0/0 SPD entry technique is used, then + the mapping to a gateway is determined by the reverse DNS records. + + + The need to do a DNS lookup and wait for a reply will typically introduce a + new state and a new event source (DNS replies) to IKE. Although a +synchronous DNS request can be implemented for proof of concept, experience +is that it can cause very high latencies when a queue of queries must +all timeout in series. + + + Use of an asynchronous DNS lookup will also permit overlap of DNS lookups with + some of the protocol steps. + +
+ +
+ + SG-A will have to establish its identity. Use an + IPv4 ID in phase 1. + + There are many situations where the administrator of SG-A may not be + able to control the reverse DNS records for SG-A's public IP address. + Typical situations include dialup connections and most residential-type broadband Internet access + (ADSL, cable-modem) connections. In these situations, a fully qualified domain + name that is under the control of SG-A's administrator may be used + when acting as an initiator only. + The FQDN ID should be used in phase 1. See + for more details and restrictions. + +
+ +
+ + Upon receipt of a phase 1 SA proposal with either an IPv4 (IPv6) ID or + an FQDN ID, an IKE daemon needs to examine local caches and + configuration files to determine if this is part of a configured tunnel. + If no configured tunnels are found, then the implementation should attempt to retrieve + a KEY record from the reverse DNS in the case of an IPv4/IPv6 ID, or + from the forward DNS in the case of FQDN ID. + + + It is reasonable that if other non-local sources of policy are used + (COPS, LDAP), they be consulted concurrently but some + clear ordering of policy be provided. Note that due to variances in + latency, implementations must wait for positive or negative replies from all sources + of policy before making any decisions. + +
+ +
+ + The implementation described (1.98) neither uses DNSSEC directly to + explicitly verify the authenticity of zone information, nor uses the NXT + records to provide authentication of the absence of a TXT or KEY + record. Rather, this implementation uses a trusted path to a DNSSEC + capable caching resolver. + + + To distinguish between an authenticated and an unauthenticated DNS + resource record, a stub resolver capable of returning DNSSEC + information MUST be used. + + +
+ + + +
+ +
+ + Main mode MUST be used. + + + The initiator MUST offer at least one proposal using some combination + of: 3DES, HMAC-MD5 or HMAC-SHA1, DH group 2 or 5. Group 5 SHOULD be + proposed first. + + + + The initiator MAY offer additional proposals, but the cipher MUST not + be weaker than 3DES. The initiator SHOULD limit the number of proposals + such that the IKE datagrams do not need to be fragmented. + + + The responder MUST accept one of the proposals. If any configuration + of the responder is required then the responder is not acting in an + opportunistic way. + + + The initiator SHOULD use an ID_IPV4_ADDR (ID_IPV6_ADDR for IPv6) of the external + interface of the initiator for phase 1. (There is an exception, see .) The authentication method MUST be RSA public key signatures. + The RSA key for the initiator SHOULD be placed into a DNS KEY record in + the reverse space of the initiator (i.e. using in-addr.arpa or + ip6.arpa). + +
+ +
+ + The initiator MUST propose a tunnel between the ultimate + sender ("Alice" or "A") and ultimate recipient ("Bob" or "B") + using 3DES-CBC + mode, MD5 or SHA1 authentication. Perfect Forward Secrecy MUST be specified. + + + Tunnel mode MUST be used. + + + Identities MUST be ID_IPV4_ADDR_SUBNET with the mask being /32. + + + Authorization for the initiator to act on Alice's behalf is determined by + looking for a TXT record in the reverse-map at Alice's IP address. + + + Compression SHOULD NOT be mandatory. It MAY be offered as an option. + +
+
+ +
+ +
+
+ + In order to establish their own identities, security gateways SHOULD publish + their public keys in their reverse DNS via + DNSSEC's KEY record. + See section 3 of RFC 2535. + + + For example: + + + + The flag bits, indicating that this key is prohibited + for confidentiality use (it authenticates the peer only, a separate + Diffie-Hellman exchange is used for + confidentiality), and that this key is associated with the non-zone entity + whose name is the RR owner name. No other flags are set. + This indicates that this key is for use by IPsec. + An RSA key is present. + The public key of the host as described in . + + + Use of several KEY records allows for key rollover. The SIG Payload in + IKE phase 1 SHOULD be accepted if the public key given by any KEY RR + validates it. + +
+ +
+ +If, for example, machine Alice wishes SG-A to act on her behalf, then +she publishes a TXT record to provide authorization for SG-A to act on +Alice's behalf. Similarly for Bob and SG-B. + + + +These records are located in the reverse DNS (in-addr.arpa or ip6.arpa) for their +respective IP addresses. The reverse DNS SHOULD be secured by DNSSEC. +DNSSEC is required to defend against active attacks. + + + If Alice's address is P.Q.R.S, then she can authorize another node to + act on her behalf by publishing records at: + + + + + The contents of the resource record are expected to be a string that + uses the following syntax, as suggested in RFC1464. + (Note that the reply to query may include other TXT resource + records used by other applications.) + +
+ +
+
+ + where the record is formed by the following fields: + + + Specifies a precedence for this record. This is + similar to MX record preferences. Lower numbers have stronger + preference. + + + Specifies the IP address of the Security Gateway + for this client machine. + + + Is the encoded RSA Public key of the Security + Gateway. The key is provided here to avoid a second DNS lookup. If this + field is absent, then a KEY resource record should be looked up in the + reverse-map of A.B.C.D. The key is transmitted in base64 format. + + + + + The fields of the record MUST be separated by whitespace. This + MAY be: space, tab, newline, or carriage return. A space is preferred. + + + + In the case where Alice is located at a public address behind a + security gateway that has no fixed address (or no control over its + reverse-map), then Alice may delegate to a public key by domain name. + +
+ +
+
+ + + Is as above. + + + Specifies the FQDN that the Security Gateway + will identify itself with. + + + Is the encoded RSA Public key of the Security + Gateway. + + + + If there is more than one such TXT record with strongest (lowest + numbered) precedence, one Security Gateway is picked arbitrarily from + those specified in the strongest-preference records. + + +
+ + When packed into transport format, TXT records which are longer than 255 + characters are divided into smaller <character-strings>. + (See section 3.3 and 3.3.14.) These MUST + be reassembled into a single string for processing. + Whitespace characters in the base64 encoding are to be ignored. + +
+ +
+ + It has been suggested to use the KEY, OPT, CERT, or KX records + instead of a TXT record. None is satisfactory. + + The KEY RR has a protocol field which could be used to indicate a new protocol, +and an algorithm field which could be used to + indicate different contents in the key data. However, the KEY record + is clearly not intended for storing what are really authorizations, + it is just for identities. Other uses have been discouraged. + + OPT resource records, as defined in are not + intended to be used for storage of information. They are not to be loaded, + cached or forwarded. They are, therefore, inappropriate for use here. + + + CERT records can encode almost any set of + information. A custom type code could be used permitting any suitable + encoding to be stored, not just X.509. According to + the RFC, the certificate RRs are to be signed internally which may add undesirable +and unnecessary bulk. Larger DNS records may require TCP instead of UDP transfers. + + + At the time of protocol design, the CERT RR was not widely deployed and + could not be counted upon. Use of CERT records will be investigated, + and may be proposed in a future revision of this document. + + + KX records are ideally suited for use instead of TXT records, but had not been deployed at + the time of implementation. + + +
+
+ +
+ + Unfortunately, not every administrator has control over the contents + of the reverse-map. Where the initiator (SG-A) has no suitable reverse-map, the + authorization record present in the reverse-map of Alice may refer to a + FQDN instead of an IP address. + + + In this case, the client's TXT record gives the fully qualified domain + name (FQDN) in place of its security gateway's IP address. + The initiator should use the ID_FQDN ID-payload in phase 1. + A forward lookup for a KEY record on the FQDN must yield the + initiator's public key. + + + This method can also be used when the external address of SG-A is + dynamic. + + + If SG-A is acting on behalf of Alice, then Alice must still delegate + authority for SG-A to do so in her reverse-map. When Alice and SG-A + are one and the same (i.e. Alice is acting as an end-node) then there + is no need for this when initiating only. + However, Alice must still delegate to herself if she wishes others to + initiate OE to her. See . + + < +
+ +
+ +Good cryptographic hygiene says that one should replace public/private key pairs +periodically. Some administrators may wish to do this as often as daily. Typical DNS +propagation delays are determined by the SOA Resource Record MINIMUM +parameter, which controls how long DNS replies may be cached. For reasonable +operation of DNS servers, administrators usually want this value to be at least several +hours, sometimes as a long as a day. This presents a problem - a new key MUST +not be used prior to it propagating through DNS. + + +This problem is dealt with by having the Security Gateway generate a new +public/private key pair at least MINIMUM seconds in advance of using it. It +then adds this key to the DNS (both as a second KEY record and in additional TXT +delegation records) at key generation time. Note: only one key is allowed in +each TXT record. + + +When authenticating, all gateways MUST have available all public keys +that are found in DNS for this entity. This permits the authenticating end +to check both the key for "today" and the key for "tomorrow". Note that it is +the end which is creating the signature (possesses the private key) that +determines which key is to be used. + + +
+
+ + +
+ + There are no fundamentally new issues for implementing opportunistic encryption + in the presence of network address translation. Rather there are + only the regular IPsec issues with NAT traversal. + + + There are several situations to consider for NAT. + +
+ + If a security gateway is also performing network address translation on + behalf of an end-system, then the packet should be translated prior to + being subjected to opportunistic encryption. This is in contrast to + typically configured tunnels which often exist to bridge islands of + private network address space. The security gateway will use the translated source + address for phase 2, and so the responding security gateway will look up that address to + confirm SG-A's authorization. + + In the case of NAT (1:1), the address space into which the + translation is done MUST be globally unique, and control over the + reverse-map is assumed. + Placing of TXT records is possible. + + In the case of NAPT (m:1), the address will be the security + gateway itself. The ability to get + KEY and TXT records in place will again depend upon whether or not + there is administrative control over the reverse-map. This is + identical to situations involving a single host acting on behalf of + itself. + + FQDN style can be used to get around a lack of a reverse-map for + initiators only. + +
+ +
+ + If there is a NAT or NAPT between the security gateways, then normal IPsec + NAT traversal problems occur. In addition to the transport problem + which may be solved by other mechanisms, there is the issue of + what phase 1 and phase 2 IDs to use. While FQDN could + be used during phase 1 for the security gateway, there is no appropriate ID for phase 2. + Due to the NAT, the end systems live in different IP address spaces. + +
+ +
+ + If the end system is behind a NAT (perhaps SG-B), then there is, in fact, no way for + another end system to address a packet to this end system. + Not only is opportunistic encryption + impossible, but it is also impossible for any communication to + be initiate to the end system. It may be possible for this end + system to initiate in such communication. This creates an asymmetry, but this is common for + NAPT. + +
+
+ +
+ + When Alice and SG-A are components of the same system, they are + considered to be a host implementation. The packet sequence scenario remains unchanged. + + + Components marked Alice are the upper layers (TCP, UDP, the + application), and SG-A is the IP layer. + + + Note that tunnel mode is still required. + + + As Alice and SG-A are acting on behalf of themselves, no TXT based delegation + record is necessary for Alice to initiate. She can rely on FQDN in a + forward map. This is particularly attractive to mobile nodes such as + notebook computers at conferences. + To respond, Alice/SG-A will still need an entry in Alice's reverse-map. + +
+ +
+ +If there are multiple paths between Alice and Bob (as illustrated in +the diagram with SG-D), then additional DNS records are required to establish +authorization. + + +In , Alice has two ways to +exit her network: SG-A and SG-D. Previously SG-D has been ignored. Postulate +that there are routers between Alice and her set of security gateways +(denoted by the + signs and the marking of an autonomous system number for +Alice's network). Datagrams may, therefore, travel to either SG-A or SG-D en +route to Bob. + + +As long as all network connections are in good order, it does not matter how +datagrams exit Alice's network. When they reach either security gateway, the +security gateway will find the TXT delegation record in Bob's reverse-map, +and establish an SA with SG-B. + + +SG-B has no problem establishing that either of SG-A or SG-D may speak for +Alice, because Alice has published two equally weighted TXT delegation records: +
+ +
+
+ +Alice's routers can now do any kind of load sharing needed. Both SG-A and SG-D send datagrams addressed to Bob through +their tunnel to SG-B. + + +Alice's use of non-equal weight delegation records to show preference of one gateway over another, has relevance only when SG-B +is initiating to Alice. + + +If the precedences are the same, then SG-B has a more difficult time. It +must decide which of the two tunnels to use. SG-B has no information about +which link is less loaded, nor which security gateway has more cryptographic +resources available. SG-B, in fact, has no knowledge of whether both gateways +are even reachable. + + +The Public Internet's default-free zone may well know a good route to Alice, +but the datagrams that SG-B creates must be addressed to either SG-A or SG-D; +they can not be addressed to Alice directly. + + +SG-B may make a number of choices: + +It can ignore the problem and round robin among the tunnels. This + causes losses during times when one or the other security gateway is + unreachable. If this worries Alice, she can change the weights in her + TXT delegation records. + +It can send to the gateway from which it most recently received datagrams. + This assumes that routing and reachability are symmetrical. + +It can listen to BGP information from the Internet to decide which + system is currently up. This is clearly much more complicated, but if SG-B is already participating + in the BGP peering system to announce Bob, the results data may already + be available to it. + +It can refuse to negotiate the second tunnel. (It is unclear whether or +not this is even an option.) + +It can silently replace the outgoing portion of the first tunnel with the +second one while still retaining the incoming portions of both. SG-B can, +thus, accept datagrams from either SG-A or SG-D, but +send only to the gateway that most recently re-keyed with it. + + + + +Local policy determines which choice SG-B makes. Note that even if SG-B has perfect +knowledge about the reachability of SG-A and SG-D, Alice may not be reachable +from either of these security gateways because of internal reachability +issues. + + + +FreeS/WAN implements option 5. Implementing a different option is +being considered. The multi-homing aspects of OE are not well developed and may +be the subject of a future document. + + +
+ +
+
+ + If a DNS server fails to respond, local policy decides + whether or not to permit communication in the clear as embodied in + the connection classes in . + It is easy to mount a denial of service attack on the DNS server + responsible for a particular network's reverse-map. + Such an attack may cause all communication with that network to go in + the clear if the policy is permissive, or fail completely + if the policy is paranoid. Please note that this is an active attack. + + + There are still many networks + that do not have properly configured reverse-maps. Further, if the policy is not to communicate, + the above denial of service attack isolates the target network. Therefore, the decision of whether +or not to permit communication in the clear MUST be a matter of local policy. + +
+ +
+ + DNS records claim that opportunistic encryption should + occur, but the target gateway either does not respond on port 500, or + refuses the proposal. This may be because of a crash or reboot, a + faulty configuration, or a firewall filtering port 500. + + + The receipt of ICMP port, host or network unreachable + messages indicates a potential problem, but MUST NOT cause communication + to fail + immediately. ICMP messages are easily forged by attackers. If such a + forgery caused immediate failure, then an active attacker could easily + prevent any + encryption from ever occurring, possibly preventing all communication. + + + In these situations a clear log should be produced + and local policy should dictate if communication is then + permitted in the clear. + +
+ +
+ +Tunnels sometimes go down because the remote end crashes, +disconnects, or has a network link break. In general there is no +notification of this. Even in the event of a crash and successful reboot, +other SGs don't hear about it unless the rebooted SG has specific +reason to talk to them immediately. Over-quick response to temporary +network outages is undesirable. Note that a tunnel can be torn +down and then re-established without any effect visible to the user +except a pause in traffic. On the other hand, if one end reboots, +the other end can't get datagrams to it at all (except via +IKE) until the situation is noticed. So a bias toward quick +response is appropriate even at the cost of occasional +false alarms. + + + +A mechanism for recovery after reboot is a topic of current research and is not specified in this +document. + + + +A deliberate shutdown should include an attempt, using deletes, to notify all other SGs +currently connected by phase 1 SAs that communication is +about to fail. Again, a remote SG will assume this is a teardown. Attempts by the +remote SGs to negotiate new tunnels as replacements should be ignored. When possible, +SGs should attempt to preserve information about currently-connected SGs in non-volatile storage, so +that after a crash, an Initial-Contact can be sent to previous partners to +indicate loss of all previously established connections. + + +
+
+ + + +
+
+ + The method of obtaining information by reverse DNS lookup causes + problems for people who cannot control their reverse DNS + bindings. This is an unresolved problem in this version, and is out + of scope. + +
+
+ +
+ +
+ + +Two example scenarios follow. In the first example GW-A +(Gateway A) and GW-B (Gateway B) have always-clear-text policies, and in the second example they have an OE +policy. The clear-text policy serves as a reference for what occurs in +TCP/IP in the absence of Opportunistic Encryption. + + +Alice wants to communicate with Bob. Perhaps she wants to retrieve a +web page from Bob's web server. In the absence of opportunistic +encryptors, the following events occur: + + +
+ + Application looks up + name in DNS to get + IP address. + + <-----(3)--------------- + Resolver returns "A" RR + to application with IP + address. + + (4) + Application starts a TCP session + or UDP session and OS sends + first datagram + + ----(5)-----> + Datagram is seen at first gateway + from Alice (SG-A). + + ----------(6)------> + Datagram traverses + network. + + ------(7)-----> + Datagram arrives + at Bob, is provided + to TCP. + + <------(8)------ + A reply is sent. + + <----------(9)------ + Datagram traverses + network. + <----(10)----- + Alice receives + answer. + + (11)-----------> + A second exchange + occurs. + ----------(12)-----> + --------------> + <--------------- + <------------------- + <------------- + ]]> +
+ +
+
+ +
+ + +In the presence of properly configured opportunistic encryptors, the +event list is extended. Only changes are annotated. + + +The following symbols are used in the time-sequence diagram + + + + A single dash represents clear-text datagrams. + An equals sign represents phase 2 (IPsec) cipher-text + datagrams. + A single tilde represents clear-text phase 1 datagrams. + A hash sign represents phase 1 (IKE) cipher-text + datagrams. + + + + +
+ + <-----(3)--------------- + (4)----(5)----->+ + SG-A sees datagram + to new target and + saves it as "first" + + ----(5B)-> + SG-A asks DNS + for TXT RR. + + <---(5C)-- + DNS returns TXT RR. + + ~~~~~~~~~~~~~(5D)~~~> + initial IKE main mode + packet is sent. + + <~~~~~~~~~~~~(5E1)~~~ + ~~~~~~~~~~~~~(5E2)~~> + <~~~~~~~~~~~~(5E3)~~~ + IKE phase 1 - privacy. + + #############(5E4)##> + SG-A sends ID to SG-B + <----(5F1)-- + SG-B asks DNS + for SG-A's public + KEY + -----(5F2)-> + DNS provides KEY RR. + SG-B authenticates SG-A + + <############(5E5)### + IKE phase 1 - complete + + #############(5G1)##> + IKE phase 2 - Alice<->Bob + tunnel is proposed. + + <----(5H1)-- + SG-B asks DNS for + Alice's TXT record. + -----(5H2)-> + DNS replies with TXT + record. SG-B checks + SG-A's authorization. + + <############(5G2)### + SG-B accepts proposal. + + #############(5G3)##> + SG-A confirms. + + ============(6)====> + SG-A sends "first" + packet in new IPsec + SA. + ------(7)-----> + packet is decrypted + and forward to Bob. + <------(8)------ + <==========(9)====== + return packet also + encrypted. + <-----(10)---- + + (11)-----------> + a second packet + is sent by Alice + ==========(12)=====> + existing tunnel is used + --------------> + <--------------- + <=================== + <------------- + ]]> +
+ +
+ + + For the purposes of this section, we will describe only the changes that + occur between and + . This corresponds to time points 5, 6, 7, 9 and 10 on the list above. + + + + + At point (5), SG-A intercepts the datagram because this source/destination pair lacks a policy +(the non-existent policy state). SG-A creates a hold policy, and buffers the datagram. SG-A requests keys from the keying daemon. + + + + SG-A's IKE daemon, having looked up the source/destination pair in the connection + class list, creates a new Potential OE connection instance. SG-A starts DNS + queries. + +
+ +
+ + + DNS returns properly formed TXT delegation records, and SG-A's IKE daemon + causes this instance to make a transition from Potential OE connection to Pending OE + connection. + + + + Using the example above, the returned record might contain: + +
+ +
+ with SG-B's IP address and public key listed. +
+ +
+ +
+ Upon entering Pending OE connection, SG-A sends the initial ISAKMP + message with proposals. See . + +
+ +
+ + SG-B receives the message. A new connection instance is created in the + unauthenticated OE peer state. + +
+ +
+ + SG-A sends a Diffie-Hellman exponent. This is an internal state of the + keying daemon. + +
+ +
+ + SG-B responds with a Diffie-Hellman exponent. This is an internal state of the + keying protocol. + +
+ +
+ + SG-A uses the phase 1 SA to send its identity under encryption. + The choice of identity is discussed in . + This is an internal state of the keying protocol. + +
+ +
+ + SG-B asks DNS for the public key of the initiator. + DNS looks for a KEY record by IP address in the reverse-map. + That is, a KEY resource record is queried for 4.1.1.192.in-addr.arpa + (recall that SG-A's external address is 192.1.1.4). + SG-B uses the resulting public key to authenticate the initiator. See for further details. + +
+ +
+ +Upon successfully authenticating the peer, the connection instance makes a +transition to authenticated OE peer on SG-B. + + +The format of the TXT record returned is described in +. + +
+ +
+ + SG-B sends its ID along with authentication material. This is an internal + state for the keying protocol. + +
+ +
+
+ + Having established mutually agreeable authentications (via KEY) and + authorizations (via TXT), SG-A proposes to create an IPsec tunnel for + datagrams transiting from Alice to Bob. This tunnel is established only for + the Alice/Bob combination, not for any subnets that may be behind SG-A and SG-B. + +
+ +
+ + While the identity of SG-A has been established, its authority to + speak for Alice has not yet been confirmed. SG-B does a reverse + lookup on Alice's address for a TXT record. + + Upon receiving this specific proposal, SG-B's connection instance + makes a transition into the potential OE connection state. SG-B may already have an + instance, and the check is made as described above. +
+ +
+ + The returned key and IP address should match that of SG-A. + +
+ +
+ + Should additional communication occur between, for instance, Dave and Bob using + SG-A and SG-B, a new tunnel (phase 2 SA) would be established. The phase 1 SA + may be reusable. + + SG-A, having successfully keyed the tunnel, now makes a transition from + Pending OE connection to Keyed OE connection. + + The responder MUST setup the inbound IPsec SAs before sending its reply. +
+ +
+ + The initiator agrees with the responder's choice and sets up the tunnel. + The initiator sets up the inbound and outbound IPsec SAs. + + + The proper authorization returned with keys prompts SG-B to make a transition + to the keyed OE connection state. + + Upon receipt of this message, the responder may now setup the outbound + IPsec SAs. +
+
+ +
+ + SG-A sends the datagram saved at step (5) through the newly created + tunnel to SG-B, where it gets decrypted and forwarded. + Bob receives it at (7) and replies at (8). + +
+ +
+ + At (9), SG-B has already established an SPD entry mapping Bob->Alice via a + tunnel, so this tunnel is simply applied. The datagram is encrypted to SG-A, + decrypted by SG-A and passed to Alice at (10). + + +
+
+ + + +
+ +
+ + Configured tunnels are those which are setup using bilateral mechanisms: exchanging +public keys (raw RSA, DSA, PKIX), pre-shared secrets, or by referencing keys that +are in known places (distinguished name from LDAP, DNS). These keys are then used to +configure a specific tunnel. + + +A pre-configured tunnel may be on all the time, or may be keyed only when needed. +The end points of the tunnel are not necessarily static: many mobile +applications (road warrior) are considered to be configured tunnels. + + +The primary characteristic is that configured tunnels are assigned specific +security properties. They may be trusted in different ways relating to exceptions to +firewall rules, exceptions to NAT processing, and to bandwidth or other quality of service restrictions. + + +Opportunistic tunnels are not inherently trusted in any strong way. They are +created without prior arrangement. As the two parties are strangers, there +MUST be no confusion of datagrams that arrive from opportunistic peers and +those that arrive from configured tunnels. A security gateway MUST take care +that an opportunistic peer can not impersonate a configured peer. + + +Ingress filtering MUST be used to make sure that only datagrams authorized by +negotiation (and the concomitant authentication and authorization) are +accepted from a tunnel. This is to prevent one peer from impersonating another. + + +An implementation suggestion is to treat opportunistic tunnel +datagrams as if they arrive on a logical interface distinct from other +configured tunnels. As the number of opportunistic tunnels that may be +created automatically on a system is potentially very high, careful attention +to scaling should be taken into account. + + +As with any IKE negotiation, opportunistic encryption cannot be secure +without authentication. Opportunistic encryption relies on DNS for its +authentication information and, therefore, cannot be fully secure without +a secure DNS. Without secure DNS, opportunistic encryption can protect against passive +eavesdropping but not against active man-in-the-middle attacks. + +
+ +
+ + Typical usage of per datagram access control lists is to implement various +kinds of security gateways. These are typically called "firewalls". + + + Typical usage of a virtual private network (VPN) within a firewall is to +bypass all or part of the access controls between two networks. Additional +trust (as outlined in the previous section) is given to datagrams that arrive +in the VPN. + + + Datagrams that arrive via opportunistically configured tunnels MUST not be +trusted. Any security policy that would apply to a datagram arriving in the +clear SHOULD also be applied to datagrams arriving opportunistically. + +
+ +
+ + There are several different forms of denial of service that an implementor + should concern themselves with. Most of these problems are shared with + security gateways that have large numbers of mobile peers (road warriors). + + + The design of ISAKMP/IKE, and its use of cookies, defend against many kinds + of denial of service. Opportunism changes the assumption that if the phase 1 (ISAKMP) + SA is authenticated, that it was worthwhile creating. Because the gateway will communicate with any machine, it is + possible to form phase 1 SAs with any machine on the Internet. + + +
+
+ +
+ + There are no known numbers which IANA will need to manage. + +
+ +
+ + Substantive portions of this document are based upon previous work by + Henry Spencer. + + + Thanks to Tero Kivinen, Sandy Harris, Wes Hardarker, Robert Moskowitz, + Jakob Schlyter, Bill Sommerfeld, John Gilmore and John Denker for their + comments and constructive criticism. + + + Sandra Hoffman and Bill Dickie did the detailed proof reading and editing. + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + +