_______________________________________________ Ipsec mailing list Ipsec <at> ietf.org https://www1.ietf.org/mailman/listinfo/ipsec
Even with the clarification draft the real world use of traffic selectors with ICMP type/code or MH (Mobile IPv6 Header message) type is not very clear: - IKEv2 (and IKEv1) establishes SAs by pairs, so if traffic from the initiator matches TSi -> TSr then is protected, the traffic from the responder which matches TSr -> TSi is protected too. - applied to ICMP does this mean that the selected type(s)/code(s) is/are protected in both way? (I think so according to the RFC 2401bis 4.4.1 about SPD-S directionality) - the MH type is in the local "port" selector. What is the "local" TS, TSi only, or MH type and ICMP type/code are "aligned" (and how)? Regards Francis.Dupont <at> enst-bretagne.fr PS: ipsec-tools seems to put the type in the source port and the code in the destination port. The RFC 2401bis SPD syntax has 0, 1 or 2 upper layer protocol items with at most one for ICMP, MH and ICMPv6.
> From: Francis Dupont <Francis.Dupont <at> enst-bretagne.fr> > Even with the clarification draft the real world use of traffic selectors > with ICMP type/code or MH (Mobile IPv6 Header message) type is not > very clear: > - IKEv2 (and IKEv1) establishes SAs by pairs, so if traffic from > the initiator matches TSi -> TSr then is protected, the traffic > from the responder which matches TSr -> TSi is protected too. > - applied to ICMP does this mean that the selected type(s)/code(s) is/are > protected in both way? (I think so according to the RFC 2401bis 4.4.1 > about SPD-S directionality) > - the MH type is in the local "port" selector. What is the "local" TS, > TSi only, or MH type and ICMP type/code are "aligned" (and how)? I'm starting to lean on solution, where ICMP/MH type/code's in SA's TS would always be in both local/remote port (or src/dst port). This way, even multicast SA's would work without any special handling (an MC SA that would be used for both receiving and sending).
In your previous mail you wrote: > - the MH type is in the local "port" selector. What is the "local" TS, > TSi only, or MH type and ICMP type/code are "aligned" (and how)? I'm starting to lean on solution, where ICMP/MH type/code's in SA's TS would always be in both local/remote port (or src/dst port). This way, even multicast SA's would work without any special handling (an MC SA that would be used for both receiving and sending). => I agree this solution seems good but it was only suggested and only for ICMP in the clarifications I-D. Thanks Francis.Dupont <at> enst-bretagne.fr
Francis Dupont wrote: > In your previous mail you wrote: > > > - the MH type is in the local "port" selector. What is > > the "local" TS, TSi only, or MH type and ICMP type/code > > are "aligned" (and how)? > > I'm starting to lean on solution, where ICMP/MH type/code's > in SA's TS would always be in both local/remote port (or < src/dst port). This way, even multicast SA's would work > without any special handling (an MC SA that would be used > for both receiving and sending). > > => I agree this solution seems good but it was only suggested and > only for ICMP in the clarifications I-D. I agree, this solution seems to apply both to ICMP and MH. We'll add some text about this in the next version of the clarifications I-D (hopefully appearing before the Toronto IPsec/IKEv2 interop). Best regards, Pasi
At 8:01 PM +0300 9/5/05, Pasi.Eronen <at> nokia.com wrote: >Francis Dupont wrote: >> In your previous mail you wrote: >> >> > - the MH type is in the local "port" selector. What is >> > the "local" TS, TSi only, or MH type and ICMP type/code >> > are "aligned" (and how)? >> >> I'm starting to lean on solution, where ICMP/MH type/code's >> in SA's TS would always be in both local/remote port (or >< src/dst port). This way, even multicast SA's would work >> without any special handling (an MC SA that would be used >> for both receiving and sending). >> >> => I agree this solution seems good but it was only suggested and >> only for ICMP in the clarifications I-D. > >I agree, this solution seems to apply both to ICMP and MH. We'll >add some text about this in the next version of the clarifications >I-D (hopefully appearing before the Toronto IPsec/IKEv2 interop). > >Best regards, >Pasi Guys, We specifically allow asymmetry for ICMP traffic for an SA, e.g., so that one can send but not accept traffic for a given ICMP message type for an SA. I believe we discussed this issue on the list at the time the decision was made, so please do not plan to just change by treating it as a clarification. 2401-bis would also have to change, not just IKEv2. Steve
Stephen Kent wrote:
> Guys,
>
> We specifically allow asymmetry for ICMP traffic for an SA,
> e.g., so that one can send but not accept traffic for a given
> ICMP message type for an SA. I believe we discussed this issue
> on the list at the time the decision was made, so please do
> not plan to just change by treating it as a clarification.
>
> 2401-bis would also have to change, not just IKEv2.
I agree that having this kind of asymmetry makes sense in some
situations (and is very easy to accomplish in 2401-bis). However,
it's not clear whether IKEv2 can actually negotiate such SAs,
since it assumes SAs are created in (roughly) symmetrical pairs.
(I don't see this as a big problem, though; e.g. 2401-bis allows
asymmetrical SAs for UDP traffic as well, and IKEv2 doesn't seem
to support that either.)
What we're trying to clarify is what exactly the TSi/TSr
payloads in CREATE_CHILD_SA exchange should contain even in the
(presumably simpler) case where you want symmetrical treatment
for ICMP.
The reason some kind of clarification is needed is that in
2401-bis, an SPD entry for ICMP has only one "port" field
("OneNextLayerProtocol" element in ASN.1 code of Appendix C).
But in IKEv2, both TSi and TSr payloads have port fields, so if
we have only one value (ICMP type/code or MH type), what to do.
The obvious solutions seem to be (1) put the one value in TSi
payload and leave the port in TSr as zero, (2) vice versa, or
(3) put the same value both to TSi and TSr payloads. IKEv2 spec
doesn't say which was intended, so some kind of clarification is
needed (and currently we're leaning towards option 3, although
the choice doesn't really matter as long as all implementors
agree which it is).
Best regards,
Pasi
In your previous mail you wrote:
I agree that having this kind of asymmetry makes sense in some
situations (and is very easy to accomplish in 2401-bis). However,
it's not clear whether IKEv2 can actually negotiate such SAs,
since it assumes SAs are created in (roughly) symmetrical pairs.
=> in fact there is a real issue about what means symmetrical in
this context...
(I don't see this as a big problem, though; e.g. 2401-bis allows
asymmetrical SAs for UDP traffic as well, and IKEv2 doesn't seem
to support that either.)
=> where is it in the 2401-bis?
What we're trying to clarify is what exactly the TSi/TSr
payloads in CREATE_CHILD_SA exchange should contain even in the
(presumably simpler) case where you want symmetrical treatment
for ICMP.
=> I agree but if we can solve the asymmetrical case too...
The reason some kind of clarification is needed is that in
2401-bis, an SPD entry for ICMP has only one "port" field
("OneNextLayerProtocol" element in ASN.1 code of Appendix C).
=> IMHO this OneNextLayerProtocol specifies explicitely symmetrical case.
But in IKEv2, both TSi and TSr payloads have port fields, so if
we have only one value (ICMP type/code or MH type), what to do.
The obvious solutions seem to be (1) put the one value in TSi
payload and leave the port in TSr as zero, (2) vice versa, or
(3) put the same value both to TSi and TSr payloads. IKEv2 spec
doesn't say which was intended, so some kind of clarification is
needed (and currently we're leaning towards option 3, although
the choice doesn't really matter as long as all implementors
agree which it is).
=> for the asymmetrical case we can imagine a (4) with the value for
traffic from local to remote in the local port and the value for
the other way in the remote port. This makes more sense for Mobility
where traffics are known to be always asymmetrical!
Thanks
Francis.Dupont <at> enst-bretagne.fr
PS: BTW both IKEv2 and RFC 2401bis should be updated about this point.
Francis Dupont wrote:
>
> In your previous mail you wrote:
>
> I agree that having this kind of asymmetry makes sense in some
> situations (and is very easy to accomplish in 2401-bis). However,
> it's not clear whether IKEv2 can actually negotiate such SAs,
> since it assumes SAs are created in (roughly) symmetrical pairs.
>
> => in fact there is a real issue about what means symmetrical in
> this context...
Yes, there are probably several possible meanings.
I meant a situation where, say, ICMP type 8 from host A to B is
protected one way (say, ESP with AES), but ICMP type 8 in the
other direction (B to A) is done some other way (say, no IPsec
processing at all, or AH only).
> (I don't see this as a big problem, though; e.g. 2401-bis allows
> asymmetrical SAs for UDP traffic as well, and IKEv2 doesn't seem
> to support that either.)
>
> => where is it in the 2401-bis?
It's probably not explicitly mentioned, but it's easy to get that
situation if you configure your SPD/SAD manually.
> What we're trying to clarify is what exactly the TSi/TSr
> payloads in CREATE_CHILD_SA exchange should contain even in the
> (presumably simpler) case where you want symmetrical treatment
> for ICMP.
>
> => I agree but if we can solve the asymmetrical case too...
>
> The reason some kind of clarification is needed is that in
> 2401-bis, an SPD entry for ICMP has only one "port" field
> ("OneNextLayerProtocol" element in ASN.1 code of Appendix C).
>
> => IMHO this OneNextLayerProtocol specifies explicitely
> symmetrical case.
Depends on what exactly is meant by "symmetrical", I guess.
It's not symmetrical in the sense that it allows the situation I
described above (traffic in different directions get different
treatment).
> But in IKEv2, both TSi and TSr payloads have port fields, so if
> we have only one value (ICMP type/code or MH type), what to do.
>
> The obvious solutions seem to be (1) put the one value in TSi
> payload and leave the port in TSr as zero, (2) vice versa, or
> (3) put the same value both to TSi and TSr payloads. IKEv2 spec
> doesn't say which was intended, so some kind of clarification is
> needed (and currently we're leaning towards option 3, although
> the choice doesn't really matter as long as all implementors
> agree which it is).
>
> => for the asymmetrical case we can imagine a (4) with the value for
> traffic from local to remote in the local port and the value for the
> other way in the remote port. This makes more sense for Mobility
> where traffics are known to be always asymmetrical!
<snip>
> PS: BTW both IKEv2 and RFC 2401bis should be updated about this point.
I don't see why 2401bis would need any updates. And I'm definitely
against adding any new functionality to IKEv2 at this stage.
Best regards,
Pasi
Stephen Kent wrote:
> Guys,
>
> We specifically allow asymmetry for ICMP traffic for an SA,
> e.g., so that one can send but not accept traffic for a given
> ICMP message type for an SA. I believe we discussed this issue
> on the list at the time the decision was made, so please do
> not plan to just change by treating it as a clarification.
>
> 2401-bis would also have to change, not just IKEv2.
I agree that having this kind of asymmetry makes sense in some
situations (and is very easy to accomplish in 2401-bis). However,
it's not clear whether IKEv2 can actually negotiate such SAs,
since it assumes SAs are created in (roughly) symmetrical pairs.
(I don't see this as a big problem, though; e.g. 2401-bis allows
asymmetrical SAs for UDP traffic as well, and IKEv2 doesn't seem
to support that either.)
What we're trying to clarify is what exactly the TSi/TSr
payloads in CREATE_CHILD_SA exchange should contain even in the
(presumably simpler) case where you want symmetrical treatment
for ICMP.
The reason some kind of clarification is needed is that in
2401-bis, an SPD entry for ICMP has only one "port" field
("OneNextLayerProtocol" element in ASN.1 code of Appendix C).
But in IKEv2, both TSi and TSr payloads have port fields, so if
we have only one value (ICMP type/code or MH type), what to do.
The obvious solutions seem to be (1) put the one value in TSi
payload and leave the port in TSr as zero, (2) vice versa, or
(3) put the same value both to TSi and TSr payloads. IKEv2 spec
doesn't say which was intended, so some kind of clarification is
needed (and currently we're leaning towards option 3, although
the choice doesn't really matter as long as all implementors
agree which it is).
_______________________________________________ Ipsec mailing list Ipsec <at> ietf.org https://www1.ietf.org/mailman/listinfo/ipsec
RSS Feed22 | |
|---|---|
33 | |
91 | |
66 | |
3 | |
29 | |
85 | |
83 | |
69 | |
27 | |
14 | |
92 | |
54 | |
38 | |
29 | |
146 | |
55 | |
114 | |
43 | |
186 | |
70 | |
13 | |
40 | |
29 | |
10 | |
38 | |
56 | |
34 | |
44 | |
43 | |
20 | |
41 | |
71 | |
76 | |
41 | |
42 | |
43 | |
73 | |
77 | |
177 | |
108 | |
363 | |
298 | |
210 | |
92 | |
153 | |
94 | |
131 | |
51 | |
212 | |
156 | |
139 | |
124 | |
144 | |
164 | |
100 | |
100 | |
169 | |
100 | |
63 | |
73 | |
80 | |
57 | |
20 | |
24 | |
13 | |
10 | |
77 | |
69 | |
41 | |
42 | |
22 | |
36 | |
26 | |
10 | |
16 | |
14 | |
30 | |
27 | |
16 | |
30 | |
26 | |
4 | |
10 | |
44 | |
24 | |
41 | |
16 | |
24 | |
47 | |
70 | |
29 | |
61 | |
114 | |
28 | |
29 | |
52 | |
61 | |
85 | |
123 | |
126 | |
81 | |
57 | |
135 | |
121 | |
174 | |
110 | |
93 | |
102 | |
121 | |
222 | |
193 | |
166 | |
126 | |
58 | |
60 | |
206 | |
139 | |
160 | |
139 | |
308 | |
194 | |
315 | |
370 | |
316 | |
207 | |
270 | |
324 | |
69 | |
99 | |
197 | |
279 | |
369 | |
208 | |
206 | |
1 |
