headers
Michael Richardson | 3 Apr 2007 23:36
Picon
Gravatar

Re: IPsec as a standard

Tero Kivinen wrote:
> Michael Richardson writes:
>> Lars D. Noodén wrote:
>>> That clears up a bit.  How can I follow the process IPsec is taking from 
>>> proposed standard to draft standard?
>>    It is a good question.
>>    Russ, I think that RFC430x has been out long enough to consider this.
> 
> We simply need to update 54 other documents to draft standard before
> that... (and I ignored the around 40 more proposed standard documents
> which are referenced through RFCs before normative / informational
> references split). 

There was talk, which I don't recall if it finished or not, about
permitting downward references.
Permalink | Reply | 1 comment |
headers
Michael Richardson | 3 Apr 2007 23:38
Picon
Gravatar

Re: IPsec mailing list archives

M Krishna wrote:
> Hi,
>  
> I am new to this list. I searched for a while and failing to find a way 
> to download the archives of this mailing list. Could someone please let 
> me know how to download the archives?

I should update my archive at: http://www.sandelman.ca/ipsec/
Google can see them, but I no longer have a local search working.
Permalink | Reply | 0 comments |
headers
Russ Housley | 4 Apr 2007 14:19

Re: IPsec as a standard

See http://www.ietf.org/internet-drafts/draft-klensin-norm-ref-04.txt

This document is on the IESG Telechat agenda for tomorrow.  There was 
a long and active Last Call.

Russ

At 05:36 PM 4/3/2007, Michael Richardson wrote:
>Tero Kivinen wrote:
>>Michael Richardson writes:
>>>Lars D. Noodén wrote:
>>>>That clears up a bit.  How can I follow the process IPsec is 
>>>>taking from proposed standard to draft standard?
>>>    It is a good question.
>>>    Russ, I think that RFC430x has been out long enough to consider this.
>>We simply need to update 54 other documents to draft standard before
>>that... (and I ignored the around 40 more proposed standard documents
>>which are referenced through RFCs before normative / informational
>>references split).
>
>There was talk, which I don't recall if it finished or not, about
>permitting downward references.
>
>
>_______________________________________________
>Ipsec mailing list
>Ipsec <at> ietf.org
>https://www1.ietf.org/mailman/listinfo/ipsec
>
(Continue reading)

Permalink | Reply | 0 comments |
headers
Mahendra | 11 Apr 2007 13:35
Favicon

ICV calculation

Hi,

       If we have only EOL (end of option list) in the IP packet, then there will be a padding of 3 bytes. Should this padding be considered while calculating ICV?

 

Regards,

Mahendra

***************************************************************************************

This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! 

 

_______________________________________________
Ipsec mailing list
Ipsec <at> ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Permalink | Reply | 3 comments |
headers
Mahendra | 11 Apr 2007 14:45
Favicon

RE: ICV calculation

Hi,

    I think I haven't described my prob correctly.

 I am speaking about AH protocol in which it authenticates the outer

IP header also. In this outer IP header if we have IP option as EOL, then

there will be a padding of 3 bytes in the IP header itself. Should

this padding in the IP header should be considered while calculating

ICV?

 

Regards,

Mahendra

 

From: Mahendra [mailto:mahendramp <at> huawei.com]
Sent: Wednesday, April 11, 2007 5:05 PM
To: ipsec <at> lists.ietf.org
Subject: [Ipsec] ICV calculation

 

Hi,

       If we have only EOL (end of option list) in the IP packet, then there will be a padding of 3 bytes. Should this padding be considered while calculating ICV?

Regards,

Mahendra 

_______________________________________________
Ipsec mailing list
Ipsec <at> ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Permalink | Reply | 2 comments |
headers
Dan McDonald | 11 Apr 2007 15:07
Picon

Re: ICV calculation

On Wed, Apr 11, 2007 at 06:15:51PM +0530, Mahendra wrote:
> Hi,
> 
>     I think I haven't described my prob correctly.
> 
>  I am speaking about AH protocol in which it authenticates the outer IP
> header also. In this outer IP header if we have IP option as EOL, then
> there will be a padding of 3 bytes in the IP header itself. Should this
> padding in the IP header should be considered while calculating ICV?

4302 and its predecessor describe this case:

3.3.3.1.1.2.  Options

   For IPv4 (unlike IPv6), there is no mechanism for tagging options as
   mutable in transit.  Hence the IPv4 options are explicitly listed in
   Appendix A and classified as immutable, mutable but predictable, or
   mutable.  For IPv4, the entire option is viewed as a unit; so even
   though the type and length fields within most options are immutable
   in transit, if an option is classified as mutable, the entire option
   is zeroed for ICV computation purposes.

A1.  IPv4 Options

   This table shows how the IPv4 options are classified with regard to
   "mutability".  Where two references are provided, the second one
   supercedes the first.  This table is based in part on information
   provided in RFC 1700, "ASSIGNED NUMBERS", (October 1994).

               Opt.
    Copy Class  #   Name                       Reference
    ---- ----- ---  -------------------------  --------
    IMMUTABLE -- included in ICV calculation
      0   0     0   End of Options List        [RFC791]
      0   0     1   No Operation               [RFC791]
      1   0     2   Security                   [RFC1108] (historic but
                                               in use)
      1   0     5   Extended Security          [RFC1108] (historic but
                                               in use)

The "padding" you describe is either a No Operation or (per RFC 791):

  Padding:  variable

    The internet header padding is used to ensure that the internet
    header ends on a 32 bit boundary.  The padding is zero.

And that padding is IMMUTABLE, therefore it must be included in the ICV.
Besides, even if it was mutable, it's all zeroes anyway.

Dan
Permalink | Reply | 1 comment |
headers
R&C Finn | 12 Apr 2007 04:54
Favicon

Re: ICV calculation

>From previous experience in this area, there should be some nomenclature 
indicating that all bytes that will be used by the ICV calculation procedure 
bet set to known or default values including any padding bytes.

----- Original Message ----- 
From: "Dan McDonald" <danmcd <at> sun.com>
To: "Mahendra" <mahendramp <at> huawei.com>
Cc: <ipsec <at> lists.ietf.org>
Sent: Wednesday, April 11, 2007 8:07 AM
Subject: Re: [Ipsec] ICV calculation

> On Wed, Apr 11, 2007 at 06:15:51PM +0530, Mahendra wrote:
>> Hi,
>>
>>     I think I haven't described my prob correctly.
>>
>>  I am speaking about AH protocol in which it authenticates the outer IP
>> header also. In this outer IP header if we have IP option as EOL, then
>> there will be a padding of 3 bytes in the IP header itself. Should this
>> padding in the IP header should be considered while calculating ICV?
>
> 4302 and its predecessor describe this case:
>
> 3.3.3.1.1.2.  Options
>
>   For IPv4 (unlike IPv6), there is no mechanism for tagging options as
>   mutable in transit.  Hence the IPv4 options are explicitly listed in
>   Appendix A and classified as immutable, mutable but predictable, or
>   mutable.  For IPv4, the entire option is viewed as a unit; so even
>   though the type and length fields within most options are immutable
>   in transit, if an option is classified as mutable, the entire option
>   is zeroed for ICV computation purposes.
>
> A1.  IPv4 Options
>
>   This table shows how the IPv4 options are classified with regard to
>   "mutability".  Where two references are provided, the second one
>   supercedes the first.  This table is based in part on information
>   provided in RFC 1700, "ASSIGNED NUMBERS", (October 1994).
>
>               Opt.
>    Copy Class  #   Name                       Reference
>    ---- ----- ---  -------------------------  --------
>    IMMUTABLE -- included in ICV calculation
>      0   0     0   End of Options List        [RFC791]
>      0   0     1   No Operation               [RFC791]
>      1   0     2   Security                   [RFC1108] (historic but
>                                               in use)
>      1   0     5   Extended Security          [RFC1108] (historic but
>                                               in use)
>
> The "padding" you describe is either a No Operation or (per RFC 791):
>
>  Padding:  variable
>
>    The internet header padding is used to ensure that the internet
>    header ends on a 32 bit boundary.  The padding is zero.
>
> And that padding is IMMUTABLE, therefore it must be included in the ICV.
> Besides, even if it was mutable, it's all zeroes anyway.
>
> Dan
>
> _______________________________________________
> Ipsec mailing list
> Ipsec <at> ietf.org
> https://www1.ietf.org/mailman/listinfo/ipsec
>
Permalink | Reply | 0 comments |
headers
Scott C Moonen | 12 Apr 2007 20:56
Picon
Favicon

RFC 4301 and stateful fragment checking


In section 7.3, RFC 4301 indicates that "An implementation MAY support some form of stateful fragment checking for a tunnel mode SA with non-trivial port (or ICMP type/code or MH type) field values (not ANY or OPAQUE)."  Later, in section 7.4, the RFC indicates that "All implementations MUST support stateful fragment checking to accommodate BYPASS traffic for which a non-trivial port range is specified."

Section 7.4 justifies the MUST as follows:

<quote>The concern is that BYPASS of a cleartext, non-initial fragment arriving at an IPsec implementation could undermine the security afforded IPsec-protected traffic directed to the same destination.  For example, consider an IPsec implementation configured with an SPD entry that calls for IPsec protection of traffic between a specific source/destination address pair, and for a specific protocol and destination port, e.g., TCP traffic on port 23 (Telnet).  Assume that the implementation also allows BYPASS of traffic from the same source/destination address pair and protocol, but for a different destination port, e.g., port 119 (NNTP).  An attacker could send a non-initial fragment (with a forged source address) that, if bypassed, could overlap with IPsec-protected traffic from the same source and thus violate the integrity of the IPsec-protected traffic.  Requiring stateful fragment checking for BYPASS entries with non-trivial port ranges prevents attacks of this sort.  As noted above, in network configurations where fragments of a packet might be sent or received via different security gateways or BITW implementations, stateful strategies for tracking fragments may fail.</quote>

Given my understanding of the use of OPAQUE selectors, it seems to me that the concern here is unwarranted.  The non-initial fragments will not normally match either the TCP port 23 SPD entry or the TCP port 119 SPD entry, since their port value is indeterminate (per section 4.4.1.1: "If a port selector specifies a value other than ANY or OPAQUE, it cannot match packets that are non-initial fragments.").  Either stateful fragment checking may be performed to ensure that the fragments match the appropriate SPD entry, or an OPAQUE SPD entry may be configured to force equivalent IPsec protection for all fragments.

Because the fragments will not match the port-119 BYPASS rule, and because the use of OPAQUE selectors prevents the attacker from injecting fragments into the IPsec-protected traffic, it seems to me that the RFC's concern can be addressed without stateful fragment checking, and therefore the MUST above is unwarranted.  Can anyone comment on this?

Thanks in advance,


Scott Moonen (smoonen <at> us.ibm.com)
Attachment (smime.p7s): application/x-pkcs7-signature, 7621 bytes
_______________________________________________
Ipsec mailing list
Ipsec <at> ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Permalink | Reply | 2 comments |
headers
Tero Kivinen | 13 Apr 2007 12:47
Picon
Picon
Favicon

RFC 4301 and stateful fragment checking

Scott C Moonen writes:
> Because the fragments will not match the port-119 BYPASS rule, and because 
> the use of OPAQUE selectors prevents the attacker from injecting fragments 
> into the IPsec-protected traffic, it seems to me that the RFC's concern 
> can be addressed without stateful fragment checking, and therefore the 
> MUST above is unwarranted.  Can anyone comment on this?

If that MUST is not followed then all fragmented packets using port
119 will be dropped, thus causing the BYPASS rule not work (note, that
packets might leave the sending host as one packet, and they might get
fragmented in the network, thus in the sending host it uses the BYPASS
rule, but on the receiving end it used BYPASS and non-first fragments
rule).

The RFC4301 tries to make solutions which allows fragmented packets to
be used, thus it enforces solutions which allows using fragments, not
solutions which prevent using them. Because of this there is this MUST
which makes sure fragmented bypassed traffic will work regardless what
other rules there are. 
--

-- 
kivinen <at> safenet-inc.com
Permalink | Reply | 1 comment |
headers
Scott C Moonen | 13 Apr 2007 14:02
Picon
Favicon

Re: RFC 4301 and stateful fragment checking


Thank you, Tero!  You've cut right to the heart of my misunderstanding.  I was thinking that with a suitably matched policy between sender and receiver everything would work fine.  I'm accustomed to the fact that IPv6 fragmentation will not occur in the network, but it slipped my mind that IPv4 fragmentation may occur in the network without the knowledge of the sender.


Scott Moonen (smoonen <at> us.ibm.com)



Tero Kivinen <kivinen <at> iki.fi>

04/13/2007 06:47 AM

To
 Scott C Moonen/Raleigh/IBM <at> IBMUS
cc
 ipsec <at> ietf.org
Subject
 [Ipsec] RFC 4301 and stateful fragment checking





Scott C Moonen writes:
> Because the fragments will not match the port-119 BYPASS rule, and because
> the use of OPAQUE selectors prevents the attacker from injecting fragments
> into the IPsec-protected traffic, it seems to me that the RFC's concern
> can be addressed without stateful fragment checking, and therefore the
> MUST above is unwarranted.  Can anyone comment on this?

If that MUST is not followed then all fragmented packets using port
119 will be dropped, thus causing the BYPASS rule not work (note, that
packets might leave the sending host as one packet, and they might get
fragmented in the network, thus in the sending host it uses the BYPASS
rule, but on the receiving end it used BYPASS and non-first fragments
rule).

The RFC4301 tries to make solutions which allows fragmented packets to
be used, thus it enforces solutions which allows using fragments, not
solutions which prevent using them. Because of this there is this MUST
which makes sure fragmented bypassed traffic will work regardless what
other rules there are.
--
kivinen <at> safenet-inc.com

Attachment (smime.p7s): application/x-pkcs7-signature, 7621 bytes
_______________________________________________
Ipsec mailing list
Ipsec <at> ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Permalink | Reply | 0 comments |

Gmane