[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Hipsec] To tunnel or not

To: Robert Moskowitz <rgm at htt-consult.com>, "hipsec at ietf.org" <hipsec at ietf.org>
Subject: Re: [Hipsec] To tunnel or not
From: "Laganier, Julien" <julienl at qualcomm.com>
Date: Thu, 20 Aug 2009 15:42:33 -0700
Accept-language: en-US
Acceptlanguage: en-US
Delivered-to: hipsec at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=qualcomm.com; i=julienl at qualcomm.com; q=dns/txt; s=qcdkim; t=1250808163; x=1282344163; h=from:to:date:subject:thread-topic:thread-index: message-id:references:in-reply-to:accept-language: content-language:x-ms-has-attach:x-ms-tnef-correlator: acceptlanguage:content-type:content-transfer-encoding: mime-version:x-ironport-av; z=From:=20"Laganier,=20Julien"=20<julienl at qualcomm.com> |To:=20Robert=20Moskowitz=20<rgm at htt-consult.com>,=0D=0A =20=20=20=20=20=20=20=20"hipsec at ietf.org"=0D=0A=09<hipsec @ietf.org>|Date:=20Thu,=2020=20Aug=202009=2015:42:33=20-0 700|Subject:=20RE:=20[Hipsec]=20To=20tunnel=20or=20not |Thread-Topic:=20[Hipsec]=20To=20tunnel=20or=20not |Thread-Index:=20AcohHLh0sx+ps+NMRqydCWv+KMz0IgAxdJNw |Message-ID:=20<BF345F63074F8040B58C00A186FCA57F1C24BE407 F at NALASEXMB04.na.qualcomm.com>|References:=20<4A8C7D0D.70 10708 at htt-consult.com>|In-Reply-To:=20<4A8C7D0D.7010708 at h tt-consult.com>|Accept-Language:=20en-US |Content-Language:=20en-US|X-MS-Has-Attach: |X-MS-TNEF-Correlator:|acceptlanguage:=20en-US |Content-Type:=20text/plain=3B=20charset=3D"us-ascii" |Content-Transfer-Encoding:=20quoted-printable |MIME-Version:=201.0|X-IronPort-AV:=20E=3DMcAfee=3Bi=3D"5 300,2777,5715"=3B=20a=3D"22409517"; bh=GsHt9rMA/c5s5zSvX615u4E9SjHWBPmidc3DQcxq8+c=; b=QykU/fhmu1MGmZe2HuwDxvqsafpOg5wkKpjkXx2PjJkggEblnNdO0qqJ +c1DocKsFWrLMKpp40t+gKH96zEBMcCjITf/K82E3D6bfzMSptqFB4m6U YUzy8HZQDWz8GXs4e9Wt+KzYKojUD2C2y/Nz/zyALBsKsojlrYGpcHUf8 U=;
In-reply-to: <4A8C7D0D.7010708 at htt-consult.com>
List-archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-help: <mailto:hipsec-request@ietf.org?subject=help>
List-id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-post: <mailto:hipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
References: <4A8C7D0D.7010708 at htt-consult.com>
Thread-index: AcohHLh0sx+ps+NMRqydCWv+KMz0IgAxdJNw
Thread-topic: [Hipsec] To tunnel or not

Robert Moskowitz wrote:
> 
> ESP Transport in a bound, end-to-end operation
> 
> or
> 
> ESP Tunnel  with HITS (or LSI?) explicit.
> 
> Developers have reported challenges in using what we have been calling
> BEET mode, and have pointed out that if explicit tunnels were used,
> then the special HIP "optimization"  (? right word) of Transport mode would
> be avoided.

While implementing HIP circa 2002 the only reason I had to start hacking the kernel was that "optimization". Other than that I could run the same daemon on FreeBSD and SunOS, and have the daemon configure IPsec SAs via PF_KEY. 

Thus I do agree that BEET is challenging to the extent that is not part of standards IPsec implementation. Would BEET be a standard part of IPsec the challenge would disappear. Is it likely? I don't think so...

> I have at least two technical problems with use of tunnel mode:
> 
> What is enumerated in the tunnel?  HITs always or HITs for IPv6 apps
> and LSIs for IPv4?  (as we have demonstarted that IPv4 apps work well over
> HIP over IPv6).  If HITs how will this work for IPv4?  I suspect that
> someone can explain how this could 'work'?

The Security Policy Database I had had entries requiring use of ESP tunnel mode for any communication between a local HITs or LSIs and any remote one.

A given communication from a local HIT or LSI to a remote one would thus trigger via PF_KEY the HIP daemon to establish keys. The HIP daemon would in turn insert a specific SPD entries requiring protection of communication between the specific local and remote HIT/LSI via an ESP tunnel mode SA between the local and remote IP addresses (v4 or v6).

Thus for every association there's one or two SPD entries (keyed by local/remote HITs and/or  LSIs), and the protection required by these entries is afforded by a tunnel mode SA between the local and remote IP addresses of the peers.

> Would there be expectations on tunnel behaviour that would have to be
> negotiated?

I'm do not understand what sort of behavioral expectations you're talking about. Can you tell us more..

> My basic philosophy was ESP transport was used as a 'short hand' for
> the HIP connection between two hosts.  That HIP is not a key negotiation
> for ESP, but that ESP is used operationally to simplify HIP (not to develop
> YAP) with SPIs being pointers to the underlying HITs (did I remember
> that right? :) ).

I remember that.

But I'm not sure this is in contradiction with the use of HIP as a key management to setup IPsec tunnel mode security association between pair of HITs (or LSIs.) These are IMHO two views of the same machinery.

> I can see where the process between two hosts is a tunneling process
> and in that HIP is used to secure the tunnel, but here the tunnel is not
> coupled to HIP but rather the process between two hosts that uses HIP.
> Does that make enough sense?

Not sure I'm following you...

--julien

References:
- [Hipsec] To tunnel or not
  - From: Robert Moskowitz

Prev by Date: Re: [Hipsec] Selection of LSI address block
Next by Date: Re: [Hipsec] draft-ietf-hip-native-api-09-pre
Previous by thread: [Hipsec] To tunnel or not
Next by thread: Re: [Hipsec] To tunnel or not
Index(es):
- Date
- Thread