Re: Remove tunnel mode from ipsec-tunnels-02?
- To: "Pekka Savola" <pekkas@netcore.fi>
- Subject: Re: Remove tunnel mode from ipsec-tunnels-02?
- From: Eric Vyncke <evyncke@cisco.com>
- Date: Mon, 17 Jul 2006 12:27:10 +0200
- Cc: <v6ops@ops.ietf.org>
- In-reply-to: <Pine.LNX.4.64.0607121659020.31877@netcore.fi>
Pekka,
I know about no implementation supporting IPv6 selectors (like ::/0) over
an IPv4 IKE/IPsec... So, this IPsec tunnel mode of IPv6 over IPv4 could
be dropped for clarity's sake.
The most common (i.e. the one I'm using at home between routers) is
indeed transport mode (selector IPv4 addresses & protocol=41).
NOTE: a lot of 'remote access IPsec clients' are actually using IPsec
tunnel mode (typically selector 0.0.0.0/0), i.e., encrypting all IPv4
packets including protocol 41. So, this is a valid use of IPsec in tunnel
mode for secure IPv6 tunnels (this is actually double tunnels...). So,
we may still want to keep a 'tunnel mode' IPsec for reality's sake.
Just re-read the whole I-D in the same shot and have one further comment
(as it is late, please feel free to drop it). BTW, its recent text
additions are excellent.
2.2: outer IPv4 spoofing is not a threat; the wording is accurate but
should stress that an attacker trying to inject packets into the IPv6
tunnels will go nowhere: all his/her packets will fail the decryption
part and will be rejected.
Hope it helps
-eric
At 16:19 12/07/2006 +0200, Pekka Savola wrote:
Hello,
As proposed at the v6ops meeting [0], the authors of
draft-ietf-v6ops-ipsec-tunnels-02 propose to remove support for tunnel
mode in this particular context (securing v6-in-v4 configured tunnels).
This is due to issues spotted by Francis [1] and Pasi [2]. Generic
"::/0 -> ::/0" selectors could not be made to work without
interface-specific SPDs, and those cannot be signalled in IKE (that's
run on top of IPv4) when the tunnel would be IPv6 in a standardized
way. Generic selectors are required for link-local traffic (e.g., ND)
to work on the tunnel.
If we go through with this proposed resolution,
draft-ietf-v6ops-ipsec-tunnels would only describe transport mode.
Comments are welcome.
[0] http://www3.ietf.org/proceedings/06jul/slides/v6ops-4.pdf
[1] http://ops.ietf.org/lists/v6ops/v6ops.2006/msg00159.html
[2] http://ops.ietf.org/lists/v6ops/v6ops.2006/msg00230.html
For the authors of draft-ietf-v6ops-ipsec-tunnels-02,
--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.  -- George R.R. Martin: A Clash of Kings
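Eric's two cases above, the router-to-router transport-mode policy (selector = the two outer IPv4 addresses plus protocol 41) and the remote-access client's tunnel-mode 0.0.0.0/0 policy that also swallows protocol 41, modelled as an added Python example that is not part of the thread. The SPDEntry/OuterPacket types, the lookup and wire_layout helpers and the 192.0.2.x / 198.51.100.x addresses are my assumptions; the SPD only ever sees the outer IPv4 header, which is why the inner IPv6 traffic (link-local ND included) is covered without any IPv6 selector.

```python
# Added illustration (not from the thread): toy IPsec SPD selector matching
# on the outer IPv4 header. Addresses are constructed documentation ranges.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

IPPROTO_IPV6 = 41  # IPv6 encapsulated in IPv4 (6in4)

@dataclass(frozen=True)
class SPDEntry:
    name: str
    mode: str                 # "transport" or "tunnel"
    src: IPv4Network          # outer IPv4 selectors: what IKE over IPv4 can signal
    dst: IPv4Network
    proto: Optional[int]      # None means any protocol

@dataclass(frozen=True)
class OuterPacket:
    src: str                  # outer IPv4 header fields only; the inner IPv6
    dst: str                  # packet (even link-local ND) is opaque to the SPD
    proto: int

def matches(entry: SPDEntry, pkt: OuterPacket) -> bool:
    """Selector check on the outer IPv4 header, as the SPD would do it."""
    return (ip_address(pkt.src) in entry.src
            and ip_address(pkt.dst) in entry.dst
            and (entry.proto is None or entry.proto == pkt.proto))

def lookup(spd: List[SPDEntry], pkt: OuterPacket) -> Optional[str]:
    """First-match SPD lookup; None means no policy applies (bypass/discard)."""
    for entry in spd:
        if matches(entry, pkt):
            return entry.name
    return None

def wire_layout(entry: SPDEntry) -> List[str]:
    """Header stack on the wire for a 6in4 packet protected by this entry."""
    if entry.mode == "transport":
        return ["IPv4", "ESP", "IPv6"]            # one tunnel: the 6in4 one
    return ["IPv4", "ESP", "IPv4", "IPv6"]        # double tunnel: IPsec + 6in4

# Router-to-router policy as described in the thread: transport mode, proto 41.
ROUTER_SPD = [SPDEntry("6in4-transport", "transport",
                       ip_network("192.0.2.1/32"), ip_network("198.51.100.1/32"),
                       IPPROTO_IPV6)]
# Remote-access client policy: tunnel mode, everything to the gateway.
CLIENT_SPD = [SPDEntry("ra-tunnel", "tunnel",
                       ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None)]
```

The router policy matches only protocol 41 between the two configured peers, while the client policy matches any outer packet, so its IPsec tunnel carries the 6in4 tunnel inside it.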