Paul,

> between wanting to help the peer to diagnose a problem and thust

s/thust/thus/

> wanting to avoid being part a denial of service attack

Suggest either "being part *of* a" or "being a willing participant in a".

> <t>NOTE FOR WG DISCUSSION: Having other payloads in the message is
> allowed but there are none suggested. One WG member mentioned the
> possibility of adding a DELETE payload when the error is sent in a
> separate INFORMATIONAL exchange. Do we want to allow such additional
> payloads that have operational semantics?</t>

I think you are asking specifically about the IKE_AUTH response?  If so, I 
agree that DELETE does not make sense in the IKE_AUTH response, and 
N(AUTHENTICATION_FAILED), for example, is sufficient to delete the IKE SA. 
 I think we can forbid DELETE in the IKE_AUTH response.  However, because 
a separate INFORMATIONAL exchange cannot be definitively correlated to the 
IKE_AUTH exchange, I'd like to retain the option of sending both DELETE 
and N(AUTHENTICATION_FAILED) (for example) in a separate INFO exchange.


Scott Moonen (smoo...@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen



From:
Paul Hoffman <paul.hoff...@vpnc.org>
To:
Tero Kivinen <kivi...@iki.fi>, Yoav Nir <y...@checkpoint.com>
Cc:
"ipsec@ietf.org WG" <ipsec@ietf.org>
Date:
09/19/2009 06:49 PM
Subject:
Re: [IPsec] Issue #26: Missing treatment of error cases



Here is the edited text. Please make sure it still is correct.

<section anchor='sect-2.21' title='Error Handling'>

<t>There are many kinds of errors that can occur during IKE
processing. The general rule is that if a request is received that is
badly formatted, or unacceptable for reasons of policy (such as no
matching cryptographic algorithms), the response contains a Notify
payload indicating the error. The decision whether or not to send
such a response depends whether or not there is an authenticated IKE
SA.</t>

<t>If there is an error parsing or processing a response packet, the
general rule is to not send bac any error message because responses
should not generate new requests (and a new request would be the only
way to send back an error message). Such errors in parsing or
processing response packets should still cause the recipient to clean
up the IKE state (for example, by sending a DELETE for a bad SA).</t>

<t>Only authentication failures (AUTHENTICATION_FAILED) and malformed
messages (INVALID_SYNTAX) lead to a deletion of the IKE SA without
requiring an explicit INFORMATIONAL exchange carrying a DELETE
payload. Other error conditions MAY require such an exchange if
policy dictates that this is needed.</t>

<section anchor='sect-2.21.1' title='Error Handling in IKE_SA_INIT'>

<t>Errors that occur before a cryptographically protected IKE SA is
established need to be handled very carefully. There is a trade-off
between wanting to help the peer to diagnose a problem and thust
responding to the error, and wanting to avoid being part a denial of
service attack based on forged messages.</t>

<t>In an IKE_SA_INIT exchange, any error notification causes the
exchange to fail. Note that some error notifications such as COOKIE,
INVALID_KE_PAYLOAD or INVALID_MAJOR_VERSION may lead to a subsequent
successful exchange. Because all error notifications are completely
unauthenticated, the recipient should continue trying for some time
before giving up but not immediately act based on the error
notification unless corrective actions are defined in this
specification, such as for COOKIE, INVALID_KE_PAYLOAD, and
INVALID_MAJOR_VERSION.</t>

</section>

<section anchor='sect-2.21.2' title='Error Handling in IKE_AUTH'>

<t>All errors that occur in an IKE_AUTH exchange, causing the
authentication to fail for whatever reason (invalid shared secret,
invalid ID, untrusted certificate issuer, revoked or expired
certificate, etc.) SHOULD result in an AUTHENTICATION_FAILED
notification. If the error occurred on the responder, the
notification is returned in the protected response, and is usually
the only payload in that response. Although the IKE_AUTH messages are
encrypted and integrity protected, if the peer receiving this
notification has not authenticated the other end yet, that peer needs
to treat the information with caution.</t>

<t>If the error occurs on the initiator, the notification MAY be
returned in a separate INFORMATIONAL exchange, usually with no other
payloads. This is exception for the general rule of not starting new
exchanges based on errors in responses.</t>

<t>Note, however, that request messages that contain an unsupported
critical payload, or where the whole message is malformed (rather
than just bad payload contents), MUST be rejected in their entirety,
and MUST only lead to an UNSUPPORTED_CRITICAL_PAYLOAD or
INVALID_SYNTAX Notification sent as response. The receiver should not
verify the payloads related to authentication in this case.</t>

<t>If authentication has succeeded in the IKE_AUTH exchange, the IKE
SA is established; however, establishing the Child SA or requesting
configuration information may still fail. This failure does not
automatically cause the IKE SA to be deleted. Specifically, a
responder may include all the payloads associated with authentication
(IDr, Cert and AUTH) while sending error notifications for the
piggybacked exchanges (FAILED_CP_REQUIRED, INVALID_SELECTORS,
NO_PROPOSAL_CHOSEN, and so on), and the initiator MUST NOT fail the
authentication because of this. The initiator MAY, of course, for
reasons of policy later delete such an IKE SA.</t>

<t>In an IKE_AUTH exchange, or in the INFORMATIONAL exchange
immediately following it (in case an error happened in when
processing response to IKE_AUTH), the UNSUPPORTED_CRITICAL_PAYLOAD,
INVALID_SYNTAX, and AUTHENTICATION_FAILED notifications are the only
ones to cause the IKE SA to be deleted or not created, without a
DELETE payload. Extension documents may define new error
notifications with these semantics, but MUST NOT use them unless the
peer has been shown to understand them.</t>

<t>NOTE FOR WG DISCUSSION: Having other payloads in the message is
allowed but there are none suggested. One WG member mentioned the
possibility of adding a DELETE payload when the error is sent in a
separate INFORMATIONAL exchange. Do we want to allow such additional
payloads that have operational semantics?</t>

</section>

<section anchor='sect-2.21.3' title='Error Handling after IKE SA is 
Authenticated'>

<t>After the IKE SA is authenticated all requests having errors MUST
result in response notifying about the error.</t>

<t>In normal situations, there should not be cases where valid
response from one peer results in an error situation in the other
peer, so there should not be any reason for a peer to send error
messages to the other end except as a response. Because sending such
error messages as INFORMATIONAL exchange might lead to further errors
that could cause loops, such errors SHOULD NOT be sent. If errors are
seen that indicate that the peers do not have same state, it might be
good to delete the IKE SA to clean up state and start over.</t>

<t>If a peer parsing a request notices that it is badly formatted
(after it has passed the message authentication code checks and
window checks) and it returns an INVALID_SYNTAX notification, then
this error notification is considered fatal in both peers, meaning
that the IKE SA is deleted without needing an explicit DELETE
payload.</t>

</section>

<section anchor='sect-2.21.4' title='Error Handling Outside IKE SA'>

<t>A node needs to limit the rate at which it will send messages in
response to unprotected messages.</t>

<t>If a node receives a message on UDP port 500 or 4500 outside the
context of an IKE SA known to it (and the message is not a request to
start an IKE SA), this may be the result of a recent crash of the
node. If the message is marked as a response, the node can audit the
suspicious event but MUST NOT respond. If the message is marked as a
request, the node can audit the suspicious event and MAY send a
response. If a response is sent, the response MUST be sent to the IP
address and port from where it came with the same IKE SPIs and the
Message ID copied. The response MUST NOT be cryptographically
protected and MUST contain an INVALID_IKE_SPI Notify payload. The
INVALID_IKE_SPI notification indicates an IKE message was received
with an unrecognized destination SPI; this usually indicates that the
recipient has rebooted and forgotten the existence of an IKE SA.</t>

<t>A peer receiving such an unprotected Notify payload MUST NOT
respond and MUST NOT change the state of any existing SAs. The
message might be a forgery or might be a response that a genuine
correspondent was tricked into sending. A node should treat such a
message (and also a network message like ICMP destination
unreachable) as a hint that there might be problems with SAs to that
IP address and should initiate a liveness check for any such IKE SA.
An implementation SHOULD limit the frequency of such tests to avoid
being tricked into participating in a denial of service attack.</t>

<t>If an error occurs outside the context of an IKE request (e.g.,
the node is getting ESP messages on a nonexistent SPI), the node
SHOULD initiate an INFORMATIONAL exchange with a Notify payload
describing the problem.</t>

<t>A node receiving a suspicious message from an IP address (and
port, if NAT traversal is used) with which it has an IKE SA SHOULD
send an IKE Notify payload in an IKE INFORMATIONAL exchange over that
SA. The recipient MUST NOT change the state of any SAs as a result,
but may wish to audit the event to aid in diagnosing
malfunctions.</t>

</section>

</section>

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to