RE: [IPsec] Use of SPD in verifying incoming packets

From: <Inger.Bohlbro_at_nospam>
Date: Wed Nov 28 2007 - 12:05:07 GMT
To: <ipsec@ietf.org>

Hi,

The text in RFC4301 page 24-26 regarding IKE negotiation is not clear to me. It says

"For example, suppose one starts
with an entry A (from an ordered SPD) that when decorrelated, yields entries A1, A2, and A3. When a packet comes along that matches, say A2, and triggers the creation of an SA, the SA management protocol (e.g., IKEv2) negotiates A." ...
"Alternatively, the original entry from the (correlated) SPD may
be retained and passed to the SA management protocol." I read this as IKE is allowed as an initiator to propose A in a negotiation.

However RFC4718 page 21 (section 4.12):

"the initiator should not propose traffic selectors that violate
its own policy. If this rule is not followed, valid traffic may be dropped."

Is RFC4718 overruling RFC4301 on this point ? Saying that A should never be proposed, but "only" A1, A2, A3 proposed.

If this is the case then I understand that inbound traffic arriving on an SA need only be validated against the SA and need not be verified against the access control policy expressed in the (ordered) SPD.

Regards
Inger Bohlbro

From: Stephen Kent [mailto:kent@bbn.com] Sent: 9. november 2007 23:29
To: Joy Latten
Cc: ipsec@ietf.org; Dan McDonald
Subject: Re: [IPsec] Use of SPD in verifying incoming packets

Joy,

The inbound processing diagram (Figue 3) shows how to process traffic in the context of a decorrelated SPD. That is a major improvement that we made in going from 2401 to 4301. For traffic not protected by IPsec, there is an SPD-I cache that either allows traffic to bypass IPsec, or discards the traffic. For traffic that arrives via an SA, the diagram shows an SAD check in the lower right corner. That check replaces the SPD search that was described in 2301. Step 4 of the inbound processing description calls for IPsec traffic to be checked against the SAD entry for the SA via which the traffic was processed. The traffic selectors here should be the ones negotiated for the SA, whether the SPD was de-correlated or not.

I fear the text you cited on page 25-26 (not 24-25) is in error. If one looks at the whole paragraph is says:

In all cases, when a decorrelated SPD is available, the decorrelated entries are used to populate the SPD-S cache. If the SPD is not decorrelated, caching is not allowed and an ordered search of SPD MUST be performed to verify that inbound traffic arriving on an SA is consistent with the access control policy expressed in the SPD.

Note that his text refers to the SPD-S cache, a cache that is used only for outbound traffic, not inbound traffic. So the last sentence is a carryover from the old, 2401 inbound processing description, which we know to be deficient.

Sorry 'bout that.

Steve

IPsec mailing list
IPsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

This message: [ Message body ]
Next message: Yoav Nir: "Re: [IPsec] IKEv2 - possible attack from legitimate node(s)?"
Previous message: Hisyam F.: "[IPsec] IKEv2 - possible attack from legitimate node(s)?"
In reply to: Stephen Kent: "Re: [IPsec] Use of SPD in verifying incoming packets"
Next in thread: Stephen Kent: "RE: [IPsec] Use of SPD in verifying incoming packets"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]