| < draft-ietf-ipsecme-ipsec-ha-08.txt | draft-ietf-ipsecme-ipsec-ha-09.txt > | |||
|---|---|---|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Informational June 28, 2010 | Intended status: Informational July 4, 2010 | |||
| Expires: December 30, 2010 | Expires: January 5, 2011 | |||
| IPsec Cluster Problem Statement | IPsec Cluster Problem Statement | |||
| draft-ietf-ipsecme-ipsec-ha-08 | draft-ietf-ipsecme-ipsec-ha-09 | |||
| Abstract | Abstract | |||
| This document defines terminology, problem statement and requirements | This document defines terminology, problem statement and requirements | |||
| for implementing IKE and IPsec on clusters. It also describes gaps | for implementing IKE and IPsec on clusters. It also describes gaps | |||
| in existing standards and their implementation that need to be | in existing standards and their implementation that need to be | |||
| filled, in order to allow peers to interoperate with clusters from | filled, in order to allow peers to interoperate with clusters from | |||
| different vendors. An agreed terminology, problem statement and | different vendors. An agreed terminology, problem statement and | |||
| requirements will allow the IPSECME WG to consider development of | requirements will allow IETF working gropus to consider development | |||
| IPsec/IKEv2 mechanisms to simplify cluster implementations. | of IPsec/IKEv2 mechanisms to simplify cluster implementations. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 30, 2010. | This Internet-Draft will expire on January 5, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 25 ¶ | skipping to change at page 2, line 25 ¶ | |||
| 3.3. IKE Counters . . . . . . . . . . . . . . . . . . . . . . . 6 | 3.3. IKE Counters . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.4. Outbound SA Counters . . . . . . . . . . . . . . . . . . . 6 | 3.4. Outbound SA Counters . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.5. Inbound SA Counters . . . . . . . . . . . . . . . . . . . 7 | 3.5. Inbound SA Counters . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.6. Missing Synch Messages . . . . . . . . . . . . . . . . . . 8 | 3.6. Missing Synch Messages . . . . . . . . . . . . . . . . . . 8 | |||
| 3.7. Simultaneous use of IKE and IPsec SAs by Different | 3.7. Simultaneous use of IKE and IPsec SAs by Different | |||
| Members . . . . . . . . . . . . . . . . . . . . . . . . . 8 | Members . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.7.1. Outbound SAs using counter modes . . . . . . . . . . . 9 | 3.7.1. Outbound SAs using counter modes . . . . . . . . . . . 9 | |||
| 3.8. Different IP addresses for IKE and IPsec . . . . . . . . . 9 | 3.8. Different IP addresses for IKE and IPsec . . . . . . . . . 9 | |||
| 3.9. Allocation of SPIs . . . . . . . . . . . . . . . . . . . . 10 | 3.9. Allocation of SPIs . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 12 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| IKEv2, as described in [RFC4306] and [IKEv2bis], and IPsec, as | IKEv2, as described in [RFC4306] and [IKEv2bis], and IPsec, as | |||
| described in [RFC4301] and others, allows deployment of VPNs between | described in [RFC4301] and others, allows deployment of VPNs between | |||
| different sites as well as from VPN clients to protected networks. | different sites as well as from VPN clients to protected networks. | |||
| As VPNs become increasingly important to the organizations deploying | As VPNs become increasingly important to the organizations deploying | |||
| them, there is a demand to make IPsec solutions more scalable and | them, there is a demand to make IPsec solutions more scalable and | |||
| skipping to change at page 5, line 6 ¶ | skipping to change at page 5, line 6 ¶ | |||
| cluster, this usually happens because of a failure of one of the | cluster, this usually happens because of a failure of one of the | |||
| members, but certain load-balancing technologies may allow a | members, but certain load-balancing technologies may allow a | |||
| particular load (such as all the flows associated with a particular | particular load (such as all the flows associated with a particular | |||
| child SA) to move from one member to another to even out the load, | child SA) to move from one member to another to even out the load, | |||
| even without any failures. | even without any failures. | |||
| "Tight Cluster" is a cluster where all the members share an IP | "Tight Cluster" is a cluster where all the members share an IP | |||
| address. This could be accomplished using configured interfaces with | address. This could be accomplished using configured interfaces with | |||
| specialized protocols or hardware, such as VRRP, or through the use | specialized protocols or hardware, such as VRRP, or through the use | |||
| of multicast addresses, but in any case, peers need only be | of multicast addresses, but in any case, peers need only be | |||
| configured with one IP address in the PAD. | configured with one IP address in the Peer Authentication Database. | |||
| "Loose Cluster" is a cluster where each member has a different IP | "Loose Cluster" is a cluster where each member has a different IP | |||
| address. Peers find the correct member using some method such as DNS | address. Peers find the correct member using some method such as DNS | |||
| queries or the IKEv2 redirect mechanism ([RFC5685]). In some cases, | queries or the IKEv2 redirect mechanism ([RFC5685]). In some cases, | |||
| a member's IP address(es) may be allocated to another member at | a member's IP address(es) may be allocated to another member at | |||
| failover. | failover. | |||
| "Synch Channel" is a communications channel among the cluster | "Synch Channel" is a communications channel among the cluster | |||
| members, used to transfer state information. The synch channel may | members, used to transfer state information. The synch channel may | |||
| or may not be IP based, may or may not be encrypted, and may work | or may not be IP based, may or may not be encrypted, and may work | |||
| skipping to change at page 8, line 35 ¶ | skipping to change at page 8, line 35 ¶ | |||
| associated IPsec SAs will get dropped. | associated IPsec SAs will get dropped. | |||
| The above scenario may be rare enough that it is acceptable that on a | The above scenario may be rare enough that it is acceptable that on a | |||
| configuration with thousands of IKE SAs, a few will need to be | configuration with thousands of IKE SAs, a few will need to be | |||
| recreated from scratch or using session resumption techniques. | recreated from scratch or using session resumption techniques. | |||
| However, detecting this may take a long time (several minutes) and | However, detecting this may take a long time (several minutes) and | |||
| this negates the goal of creating a cluster in the first place. | this negates the goal of creating a cluster in the first place. | |||
| 3.7. Simultaneous use of IKE and IPsec SAs by Different Members | 3.7. Simultaneous use of IKE and IPsec SAs by Different Members | |||
| For LS clusters, all active members may need to use the same SAs, | For load sharing clusters, all active members may need to use the | |||
| both IKE and IPsec. This is an even greater problem than in the case | same SAs, both IKE and IPsec. This is an even greater problem than | |||
| of HS clusters, because consecutive packets may need to be sent by | in the case of hot-standby clusters, because consecutive packets may | |||
| different members to the same peer gateway. | need to be sent by different members to the same peer gateway. | |||
| The solution to the IKE SA issue is up to the application. It's | The solution to the IKE SA issue is up to the implementation. It's | |||
| possible to create some locking mechanism over the synch channel, or | possible to create some locking mechanism over the synch channel, or | |||
| else have one member "own" the IKE SA and manage the child SAs for | else have one member "own" the IKE SA and manage the child SAs for | |||
| all other members. For IPsec, solutions fall into two broad | all other members. For IPsec, solutions fall into two broad | |||
| categories. | categories. | |||
| The first is the "sticky" category, where all communications with a | The first is the "sticky" category, where all communications with a | |||
| single peer, or all communications involving a certain SPD cache | single peer, or all communications involving a certain SPD cache | |||
| entry go through a single peer. In this case, all packets that match | entry go through a single peer. In this case, all packets that match | |||
| any particular SA go through the same member, so no synchronization | any particular SA go through the same member, so no synchronization | |||
| of the replay counter needs to be done. Inbound processing is a | of the replay counter needs to be done. Inbound processing is a | |||
| "sticky" issue, because the packets have to be processed by the | "sticky" issue (no pun intended), because the packets have to be | |||
| correct member based on peer and SPI. Another issue is that most | processed by the correct member based on peer and SPI, and most load | |||
| load balancers will not be able to match the SPIs of the encrypted | balancers will not be able to match the SPIs to the correct member, | |||
| side to the clear traffic, and so the wrong member may get the the | unless stickyness extends to all traffic with a particular peer. | |||
| other half of the flow. | Another disadvantage of sticky solutions, is that the load tends to | |||
| not distribute evenly, especially if one SA covers a significant | ||||
| portion of IPsec traffic. | ||||
| The second is the "duplicate" category, where the child SA is | The second is the "duplicate" category, where the child SA is | |||
| duplicated for each pair of IPsec SAs for each active member. | duplicated for each pair of IPsec SAs for each active member. | |||
| Different packets for the same peer go through different members, and | Different packets for the same peer go through different members, and | |||
| get protected using different SAs with the same selectors and | get protected using different SAs with the same selectors and | |||
| matching the same entries in the SPD cache. This has some | matching the same entries in the SPD cache. This has some | |||
| shortcomings: | shortcomings: | |||
| o It requires multiple parallel SAs, which the peer has no use for. | o It requires multiple parallel SAs, which the peer has no use for. | |||
| Section 2.8 or [RFC4306] specifically allows this, but some | Section 2.8 of [RFC4306] specifically allows this, but some | |||
| implementation might have a policy against long term maintenance | implementation might have a policy against long term maintenance | |||
| of redundant SAs. | of redundant SAs. | |||
| o Different packets that belong to the same flow may be protected by | o Different packets that belong to the same flow may be protected by | |||
| different SAs, which may seem "weird" to the peer gateway, | different SAs, which may seem "weird" to the peer gateway, | |||
| especially if it is integrated with some deep inspection | especially if it is integrated with some deep inspection | |||
| middleware such as a firewall. It is not known whether this will | middleware such as a firewall. It is not known whether this will | |||
| cause problems with current gateways. It is also impossible to | cause problems with current gateways. It is also impossible to | |||
| mandate against this, because the definition of "flow" varies from | mandate against this, because the definition of "flow" varies from | |||
| one implementation to another. | one implementation to another. | |||
| o Reply packets may arrive with an IPsec SA that is not "matched" to | o Reply packets may arrive with an IPsec SA that is not "matched" to | |||
| skipping to change at page 9, line 48 ¶ | skipping to change at page 9, line 50 ¶ | |||
| active member, or even failing over from one member to another need | active member, or even failing over from one member to another need | |||
| to make sure that they do not generate the same initial vector. See | to make sure that they do not generate the same initial vector. See | |||
| [COUNTER_MODES] for a discussion of this problem in another context. | [COUNTER_MODES] for a discussion of this problem in another context. | |||
| 3.8. Different IP addresses for IKE and IPsec | 3.8. Different IP addresses for IKE and IPsec | |||
| In many implementations there are separate IP addresses for the | In many implementations there are separate IP addresses for the | |||
| cluster, and for each member. While the packets protected by tunnel | cluster, and for each member. While the packets protected by tunnel | |||
| mode child SAs are encapsulated in IP headers with the cluster IP | mode child SAs are encapsulated in IP headers with the cluster IP | |||
| address, the IKE packets originate from a specific member, and carry | address, the IKE packets originate from a specific member, and carry | |||
| that member's IP address. For the peer, this looks weird, as the | that member's IP address. This may be done so that IPsec traffic | |||
| usual thing is for the IPsec packets to come from the same IP address | bypasses the load balancer for greater scalability. For the peer, | |||
| as the IKE packets. | this looks weird, as the usual thing is for the IPsec packets to come | |||
| from the same IP address as the IKE packets. Unmodified peers may | ||||
| drop such packets. | ||||
| One obvious solution is to use some fancy capability of the IKE host | One obvious solution is to use some fancy capability of the IKE host | |||
| to change things so that IKE packets also come out of the cluster IP | to change things so that IKE packets also come out of the cluster IP | |||
| address. This can be achieved through NAT or through assigning | address. This can be achieved through NAT or through assigning | |||
| multiple addresses to interfaces. This is not, however, possible for | multiple addresses to interfaces. This is not, however, possible for | |||
| all implementations. | all implementations, and will not reduce load on the balancer. | |||
| [ARORA] discusses this problem in greater depth, and proposes another | [ARORA] discusses this problem in greater depth, and proposes another | |||
| solution, that does involve protocol changes. | solution, that does involve protocol changes. | |||
| 3.9. Allocation of SPIs | 3.9. Allocation of SPIs | |||
| The SPI associated with each child SA, and with each IKE SA, MUST be | The SPI associated with each child SA, and with each IKE SA, MUST be | |||
| unique relative to the peer of the SA. Thus, in the context of a | unique relative to the peer of the SA. Thus, in the context of a | |||
| cluster, each cluster member MUST generate SPIs in a fashion that | cluster, each cluster member MUST generate SPIs in a fashion that | |||
| avoids collisions (with other cluster members) for these SPI values. | avoids collisions (with other cluster members) for these SPI values. | |||
| skipping to change at page 10, line 39 ¶ | skipping to change at page 10, line 42 ¶ | |||
| Moreover, thought must be given to the synching requirements of any | Moreover, thought must be given to the synching requirements of any | |||
| protocol extension, to make sure that it does not create an | protocol extension, to make sure that it does not create an | |||
| opportunity for denial of service attacks on the cluster. | opportunity for denial of service attacks on the cluster. | |||
| As mentioned in Section 3.5, allowing an inbound child SA to fail | As mentioned in Section 3.5, allowing an inbound child SA to fail | |||
| over to another member has the effect of disabling replay counter | over to another member has the effect of disabling replay counter | |||
| protection for a short time. Though the threat is arguably low, it | protection for a short time. Though the threat is arguably low, it | |||
| is a policy decision whether this is acceptable. | is a policy decision whether this is acceptable. | |||
| Section 3.7 describes the problem of the two directions of a flow | ||||
| being protected by two SAs which are not part of a matched pair, or | ||||
| even not being processed by the same cluster member. This is not a | ||||
| security problem as far as IPsec is concerned, because IPsec has | ||||
| policy at the IP, protocol and port level only. However, many IPsec | ||||
| implementations are integrated with stateful firewalls, which need to | ||||
| see both sides of a flow. Such implementations may have to forward | ||||
| packets to other members for the firewall to properly inspect the | ||||
| traffic. | ||||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This document has no actions for IANA. | This document has no actions for IANA. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| This document is the collective work, and includes contribution from | This document is the collective work, and includes contribution from | |||
| many people who participate in the IPsecME working group. | many people who participate in the IPsecME working group. | |||
| The editor would particularly like to acknowledge the extensive | The editor would particularly like to acknowledge the extensive | |||
| contribution of the following people (in alphabetical order): | contribution of the following people (in alphabetical order): | |||
| Jitender Arora, Jean-Michel Combes, Dan Harkins, David Harrington, | ||||
| Jitender Arora, Jean-Michel Combes, Dan Harkins, Steve Kent, Tero | Steve Kent, Tero Kivinen, Alexey Melnikov, Yaron Sheffer, Melinda | |||
| Kivinen, Yaron Sheffer, Melinda Shore, and Rodney Van Meter. | Shore, and Rodney Van Meter. | |||
| 7. Change Log | 7. Change Log | |||
| NOTE TO RFC EDITOR: REMOVE THIS SECTION BEFORE PUBLICATION | NOTE TO RFC EDITOR: REMOVE THIS SECTION BEFORE PUBLICATION | |||
| Version 00 was identical to draft-nir-ipsecme-ipsecha-ps-00, re-spun | Version 00 was identical to draft-nir-ipsecme-ipsecha-ps-00, re-spun | |||
| as an WG document. | as an WG document. | |||
| Version 01 included closing issues 177, 178 and 180, with updates to | Version 01 included closing issues 177, 178 and 180, with updates to | |||
| terminology, and added discussion of inbound SAs and the CTR issue. | terminology, and added discussion of inbound SAs and the CTR issue. | |||
| skipping to change at page 11, line 30 ¶ | skipping to change at page 11, line 42 ¶ | |||
| Version 03 fixes some ID-nits, and adds the problem presented by | Version 03 fixes some ID-nits, and adds the problem presented by | |||
| Jitender Arora in [ARORA]. | Jitender Arora in [ARORA]. | |||
| Version 04 fixes a spelling mistake, moves the scope discussion to a | Version 04 fixes a spelling mistake, moves the scope discussion to a | |||
| subsection of its own (Section 3.1), and adds a short discussion of | subsection of its own (Section 3.1), and adds a short discussion of | |||
| the duplicate SPI problem, presented by Jean-Michel Combes. | the duplicate SPI problem, presented by Jean-Michel Combes. | |||
| Versions 05, 06 and 07 just corrected nits and notation | Versions 05, 06 and 07 just corrected nits and notation | |||
| Versions 08 and 09 include suggestions from the IETF last call. | ||||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, December 2005. | Internet Protocol", RFC 4301, December 2005. | |||
| End of changes. 16 change blocks. | ||||
| 28 lines changed or deleted | 44 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||