[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[saag] IPsec spec problems

From: Pekka Savola <pekkas at netcore.fi>
To: Tero Kivinen <kivinen at iki.fi>
Cc: saag at mit.edu, Jari Arkko <jari.arkko at piuha.net>, Sam Hartman <hartmans-ietf at mit.edu>
Date: Tue, 25 Apr 2006 15:50:38 +0300 (EEST)
In-reply-to: <17486.1608.716952.420411 at fireball.kivinen.iki.fi>
References: <7.0.0.16.2.20060420095609.06191b18 at vigilsec.com> <p06230905c06d4928d1b1 at [10.1.38.141]> <tslbquta41m.fsf at cz.mit.edu> <444DD2AB.2070606 at piuha.net> <tslfyk2geix.fsf at cz.mit.edu> <17486.1608.716952.420411 at fireball.kivinen.iki.fi>

On Tue, 25 Apr 2006, Tero Kivinen wrote:

So is the draft-bonica-tcp-auth is already implemented by routers
without any extra effort then?


It is not generally implemented.

IPsec for control plane protection has been implemented (e.g., forOSPFv3 protection), but I'm not sure how widely.


Below is a digress on IPsec spec shortcomings..

If it requires new implementations to support draft-bonica-tcp-auth
then I think it would be more beneficial to fix their IPsec
implementations to support protecting control traffic. There are
implementations out there that can do that, there are toolkits out
there to do that, I would guess it would be much faster to take
existing implementation and fix that, or replace the implementation
with one that support protecting control traffic, than to implement
completely new protocol.


How about "fix the IPsec spec"? :-)

I actually read RFC 4301 for the first time on a plane (for therecord, I had not read any IPsec RFCs previously). The situation wasmuch worse than I thought. One could say that the IPsec spec is notoptimized for control plane protection with all of its crazy talkabout protected/unprotected interfaces, non-native implementations,etc.

My perception is that IPsec spec tries to address too many problems(minimal firewall policing through SPDs; control traffic protection;VPN protection), and the result is too complex that it isn't usefulfor anything except VPNs, and even that's pretty complicated due toall the baggage.

I was also boggled by the notion that an IPsec implementation at arouter would have to inspect ALL packets it forwards (whether IPsec ornot) against SPD. That means IPsec would need to be implemented onall the linecards even if all you wanted is to protect the controlplane.

Saner alternative: whether to look for SPDs for particular packetshould be keyed off from the routing table entries. That way IPsec isonly consulted when it needs to be consulted.


--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Follow-Ups:
- Re: [saag] IPsec spec problems
  - From: Nicolas Williams
- Re: [saag] IPsec spec problems
  - From: Pasi.Eronen
- [saag] IPsec spec problems
  - From: Tero Kivinen

References:
- [saag] Fwd: draft-bonica-tcp-auth
  - From: Russ Housley
- Re: [saag] Fwd: draft-bonica-tcp-auth
  - From: Stephen Kent
- Re: [saag] Fwd: draft-bonica-tcp-auth
  - From: Sam Hartman
- Re: [saag] Fwd: draft-bonica-tcp-auth
  - From: Jari Arkko
- Re: [saag] Fwd: draft-bonica-tcp-auth
  - From: Sam Hartman
- Re: [saag] Fwd: draft-bonica-tcp-auth
  - From: Tero Kivinen

Prev by Date: Re: [saag] Fwd: draft-bonica-tcp-auth
Next by Date: [saag] IPsec spec problems
Previous by thread: Re: [saag] Fwd: draft-bonica-tcp-auth
Next by thread: [saag] IPsec spec problems
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.