Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility

Tue, 05 Jan 2010 13:21:29 -0800 

Gabriel:
My point is that the end system does not need the information in the WESP header to properly handle the packet for the supported application. The additional information is being exposed to allow middle boxes to make various checks. The end system can ensure that the exposed information was correct so that middle boxes were not spoofed. An extended ICV is not necessary to perform this type of check if the information is limited to the payload offset and such. An ICV is only needed if WESP carries information that cannot be easily checked by a process that knows the crypto algorithms that are in use. I'm challenging the need for such information. 

Russ

On 1/5/2010 2:32 PM, gabriel montenegro wrote:

Hi Russ,

I'd like to comment on your assumption below that:


   

...the ICV protection
imposes a requirement that the end system check the WESP information that it
does not need, and then discard the packet if the attacker altered it to the
potential detriment of the middlebox"

     

The underlying assumption seems to be that the end nodes do not need to carry 
out
any consistency checks. This contradicts the operating assumption we've been 
operating
under, as expressed by Steve Kent last May 12:

http://www.ietf.org/mail-archive/web/ipsec/current/msg04359.html:

If we elect to keep the next header field, to help middle boxes quickly locate 
header fields of interest to them, then we MUST require the recipient of each 
message to do a (well-defined) consistency check on the packet, for the reasons 
I cited in SF.

and as discussed in San Francisco minutes at:
http://tools.ietf.org/wg/ipsecme/minutes?item=minutes74.html


One may argue whether that consistency check is best served by extending the 
ICV to include the
WESP header fields (per the current WG consensus as expressed in the existing 
draft), or whether
that is best done by the end nodes checking the fields explicitly.

Gabriel


----- Original Message ----

   

From: Russ Housley<hous...@vigilsec.com>
To: "Bhatia, Manav"<manav.bha...@alcatel-lucent.com>
Cc: ipsec@ietf.org; i...@ietf.org
Sent: Tue, December 29, 2009 6:32:54 AM
Subject: Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility

Manav:

I am unconvinced.  If a malicious attacker is willing to alter packets to fool

middleboxes, this ICV does not help the middlebox and it harms the end system. 
The middlebox cannot validate the ICV, and the end system does not need the WESP

header information.  The end system does not need the pointer data in the WESP
header to process the packet correctly; it already knows the size of the IV and
other values associated with the algorithms in use.  Thus, the ICV protection
imposes a requirement that the end system check the WESP information that it
does not need, and then discard the packet if the attacker altered it to the
potential detriment of the middlebox.

Russ

At 09:36 PM 12/28/2009, Bhatia, Manav (Manav) wrote:

     

Yes, this was discussed in the WG

       

(http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104) and the idea was this:

     

We could have some malicious entity that could modify the offsets to ensure

       

that the intermediaries don't parse a portion of the payload (which could
contain malicious content) or inspect it differently than what it would have
done otherwise. A way to protect against such attacks is to let the end node
validate the WESP header by including this as a part of the ESP ICV. If the
computed ICV does not match, the packet is dropped (usual IPSec processing).

     

This does not completely eliminate the vulnerability, but it does raise the

       

bar, because now the malicious routers would have to also position themselves
both before and after the middle boxes in order to have a chance to revert the
packet back to its original form before the end node verifies integrity over the
packet.

     

We have also discussed this in the Security Considerations section of the

       

draft.

     

We did informally speak to HW guys who are interested in implementing WESP,

       

and they confirmed that increasing the integrity protection of ESP to now cover
the WESP header is trivial.

     

Cheers, Manav


       

-----Original Message-----
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org]
On Behalf Of Jack Kohn
Sent: Tuesday, December 29, 2009 6.17 AM
To: Stephen Kent
Cc: ipsec@ietf.org; Russ Housley; i...@ietf.org; Dan McDonald
Subject: Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility

Are you suggesting that ESP ICV should not cover the WESP fields?

I think, and my memory could be failing me, that this was discussed in
the WG before this got added to the draft.

Jack

On Tue, Dec 29, 2009 at 2:15 AM, Stephen Kent wrote:

         

Yaron,

I hate to admit it, but I lost track of the details of WESP

           

as it progressed

         

through WG discussions and briefings at IETF meetings. When

           

I read the I-D

         

in detail, I was very surprised to see that it was no longer a
neatly-layered wrapper, as originally proposed.  The fact

           

that it now calls

         

for the ESP ICV to be computed in a new fashion means that

           

it really is

         

replacing ESP, when used to mark ESP-NULL packets.

 From a protocol design perspective, the current version

           

makes no sense to

         

me. Why keep the ESP header when ESP processing is now changed in a
significant way.  The WESP header cannot be processed

           

(completely) by

         

itself, because of the dependence on the ESP ICV. So it

           

makes little or no

         

sense to retain the ESP header in this context. I see no

           

strong backward

         

compatibility motivation for this format, given that ESP

           

processing must

         

change to accommodate WESP (as defined).

The issue of using WESP for marking encrypted traffic is a

           

separate topic. I

         

believe the rationale you cited was to enable WESP

           

extensions, but I may

         

have missed other arguments put forth for this. Since most

           

of the WESP

         

extension proposals discussed so far have proven to be

           

questionable, I am

         

not enthusiastic about that rationale.  Others have noted

           

that using WESP

         

with encrypted traffic is not consistent with the scope of

           

the WG charter

         

item that authorized work on WESP.  Unless Pasi approves a

           

WESP extension WG

         

item as part of re-chartering, I think it is inappropriate

           

to have a flag to

         

mark a WESP payload as encrypted.

Steve

           



   


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

























					Reply via email to