| draft-ietf-ipsecme-failure-detection-04.txt | draft-ietf-ipsecme-failure-detection-05.txt | |||
|---|---|---|---|---|
| IPsecME Working Group Y. Nir, Ed. | IPsecME Working Group Y. Nir, Ed. | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Standards Track D. Wierbowski | Intended status: Standards Track D. Wierbowski | |||
| Expires: August 15, 2011 IBM | Expires: August 22, 2011 IBM | |||
| F. Detienne | F. Detienne | |||
| P. Sethi | P. Sethi | |||
| Cisco | Cisco | |||
| February 11, 2011 | February 18, 2011 | |||
| A Quick Crash Detection Method for IKE | A Quick Crash Detection Method for IKE | |||
| draft-ietf-ipsecme-failure-detection-04 | draft-ietf-ipsecme-failure-detection-05 | |||
| Abstract | Abstract | |||
| This document describes an extension to the IKEv2 protocol that | This document describes an extension to the IKEv2 protocol that | |||
| allows for faster detection of SA desynchronization using a saved | allows for faster detection of SA desynchronization using a saved | |||
| token. | token. | |||
| When an IPsec tunnel between two IKEv2 peers is disconnected due to a | When an IPsec tunnel between two IKEv2 peers is disconnected due to a | |||
| restart of one peer, it can take as much as several minutes for the | restart of one peer, it can take as much as several minutes for the | |||
| other peer to discover that the reboot has occurred, thus delaying | other peer to discover that the reboot has occurred, thus delaying | |||
| skipping to change at page 1, line 42 | skipping to change at page 1, line 42 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 15, 2011. | This Internet-Draft will expire on August 22, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 29 | skipping to change at page 2, line 37 | |||
| 5.2. A Stateless Method with IP addresses . . . . . . . . . . 12 | 5.2. A Stateless Method with IP addresses . . . . . . . . . . 12 | |||
| 5.3. Token Lifetime . . . . . . . . . . . . . . . . . . . . . 12 | 5.3. Token Lifetime . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6. Backup Gateways . . . . . . . . . . . . . . . . . . . . . . . 12 | 6. Backup Gateways . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7. Interaction with Session Resumption . . . . . . . . . . . . . 13 | 7. Interaction with Session Resumption . . . . . . . . . . . . . 13 | |||
| 8. Operational Considerations . . . . . . . . . . . . . . . . . . 14 | 8. Operational Considerations . . . . . . . . . . . . . . . . . . 14 | |||
| 8.1. Who should implement this specification . . . . . . . . . 14 | 8.1. Who should implement this specification . . . . . . . . . 14 | |||
| 8.2. Response to unknown child SPI . . . . . . . . . . . . . . 15 | 8.2. Response to unknown child SPI . . . . . . . . . . . . . . 15 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | |||
| 9.1. QCD Token Generation and Handling . . . . . . . . . . . . 16 | 9.1. QCD Token Generation and Handling . . . . . . . . . . . . 16 | |||
| 9.2. QCD Token Transmission . . . . . . . . . . . . . . . . . 17 | 9.2. QCD Token Transmission . . . . . . . . . . . . . . . . . 17 | |||
| 9.3. QCD Token Enumeration . . . . . . . . . . . . . . . . . . 18 | 9.3. QCD Token Enumeration . . . . . . . . . . . . . . . . . . 17 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18 | 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 12. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 12. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 12.1. Changes from draft-ietf-ipsecme-failure-detection-03 . . 19 | 12.1. Changes from draft-ietf-ipsecme-failure-detection-04 . . 18 | |||
| 12.2. Changes from draft-ietf-ipsecme-failure-detection-02 . . 19 | 12.2. Changes from draft-ietf-ipsecme-failure-detection-03 . . 19 | |||
| 12.3. Changes from draft-ietf-ipsecme-failure-detection-01 . . 19 | 12.3. Changes from draft-ietf-ipsecme-failure-detection-02 . . 19 | |||
| 12.4. Changes from draft-ietf-ipsecme-failure-detection-00 . . 19 | 12.4. Changes from draft-ietf-ipsecme-failure-detection-01 . . 19 | |||
| 12.5. Changes from draft-nir-ike-qcd-07 . . . . . . . . . . . . 19 | 12.5. Changes from draft-ietf-ipsecme-failure-detection-00 . . 19 | |||
| 12.6. Changes from draft-nir-ike-qcd-03 and -04 . . . . . . . . 20 | 12.6. Changes from draft-nir-ike-qcd-07 . . . . . . . . . . . . 19 | |||
| 12.7. Changes from draft-nir-ike-qcd-02 . . . . . . . . . . . . 20 | 12.7. Changes from draft-nir-ike-qcd-03 and -04 . . . . . . . . 20 | |||
| 12.8. Changes from draft-nir-ike-qcd-01 . . . . . . . . . . . . 20 | 12.8. Changes from draft-nir-ike-qcd-02 . . . . . . . . . . . . 20 | |||
| 12.9. Changes from draft-nir-ike-qcd-00 . . . . . . . . . . . . 20 | 12.9. Changes from draft-nir-ike-qcd-01 . . . . . . . . . . . . 20 | |||
| 12.10. Changes from draft-nir-qcr-00 . . . . . . . . . . . . . . 20 | 12.10. Changes from draft-nir-ike-qcd-00 . . . . . . . . . . . . 20 | |||
| 12.11. Changes from draft-nir-qcr-00 . . . . . . . . . . . . . . 20 | ||||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 20 | 13.1. Normative References . . . . . . . . . . . . . . . . . . 20 | |||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 21 | 13.2. Informative References . . . . . . . . . . . . . . . . . 21 | |||
| Appendix A. The Path Not Taken . . . . . . . . . . . . . . . . . 21 | Appendix A. The Path Not Taken . . . . . . . . . . . . . . . . . 21 | |||
| A.1. Initiating a new IKE SA . . . . . . . . . . . . . . . . . 21 | A.1. Initiating a new IKE SA . . . . . . . . . . . . . . . . . 21 | |||
| A.2. SIR . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | A.2. SIR . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| A.3. Birth Certificates . . . . . . . . . . . . . . . . . . . 22 | A.3. Birth Certificates . . . . . . . . . . . . . . . . . . . 22 | |||
| A.4. Reducing Liveness Check Length . . . . . . . . . . . . . 22 | A.4. Reducing Liveness Check Length . . . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| skipping to change at page 17, line 11 | skipping to change at page 17, line 11 | |||
| A message like that is subject to modification, deletion and replay | A message like that is subject to modification, deletion and replay | |||
| by an attacker. However, these attacks will not compromise the | by an attacker. However, these attacks will not compromise the | |||
| security of either side. Modification is meaningless because a | security of either side. Modification is meaningless because a | |||
| modified token is simply an invalid token. Deletion will only cause | modified token is simply an invalid token. Deletion will only cause | |||
| the protocol not to work, resulting in a delay in tunnel re- | the protocol not to work, resulting in a delay in tunnel re- | |||
| establishment as described in Section 2. Replay is also meaningless, | establishment as described in Section 2. Replay is also meaningless, | |||
| because the IKE SA has been deleted after the first transmission. | because the IKE SA has been deleted after the first transmission. | |||
| 9.2. QCD Token Transmission | 9.2. QCD Token Transmission | |||
| A token maker MUST NOT send a valid QCD token in an | A token maker MUST NOT send a valid QCD token in an unprotected | |||
| unprotectedmessage for an existing IKE SA. | message for an existing IKE SA. | |||
| This requirement is obvious and easy in the case of a single gateway. | This requirement is obvious and easy in the case of a single gateway. | |||
| However, some implementations use a load balancer to divide the load | However, some implementations use a load balancer to divide the load | |||
| between several physical gateways. It MUST NOT be possible even in | between several physical gateways. It MUST NOT be possible even in | |||
| such a configuration to trick one gateway into sending a valid QCD | such a configuration to trick one gateway into sending a valid QCD | |||
| token for an IKE SA which is valid on another gateway. This is true | token for an IKE SA which is valid on another gateway. This is true | |||
| whether the attempt to trick the gateway uses the token taker's IP | whether the attempt to trick the gateway uses the token taker's IP | |||
| address or a different IP address. | address or a different IP address. | |||
| Because it includes the token taker's IP address in the token | IPsec Failure Detection is not applicable to deployments where the | |||
| generation, the method in Section 5.2 prevents revealing the QCD | QCD secret is shared by multiple gateways and the gateways cannot | |||
| token for an existing pair of IKE SPIs to an attacker who is using a | assess whether the token can be legitimately sent in the clear while | |||
| different IP address. Note that the use of this method causes the | another gateway may actually still own the SA's. Load balancer | |||
| tokens to be invalidated whenever the token taker's address changes. | configurations typically fall in this category. In order for a load | |||
| It is also important to note that this method does not prevent | balancing configuration of IPsec gateways to support this | |||
| revealing the QCD token to a man-in-the-middle attacker who is | ||||
| spoofing the token taker's IP address, if that attacker is able to | ||||
| direct messages to a cluster member other than the member responsible | ||||
| for the IKE SA. | ||||
| This document does not specify how a load-sharing configuration of | ||||
| IPsec gateways would work, but in order to support this | ||||
| specification, all members MUST be able to tell whether a particular | specification, all members MUST be able to tell whether a particular | |||
| IKE SA is active anywhere in the cluster. One way to do it is to | IKE SA is active anywhere in the cluster. One way to do it is to | |||
| synchronize a list of active IKE SPIs among all the cluster members. | synchronize a list of active IKE SPIs among all the cluster members. | |||
| If an attacker can somehow access a QCD token while the SA's are | Because it includes the token taker's IP address in the token | |||
| still active, this attacker will be able to tear down the sessions at | generation, the method in Section 5.2 can (under certain conditions) | |||
| will. In particular, avoiding false positives is critical to the | prevent revealing the QCD token for an existing pair of IKE SPIs to | |||
| security of the proposal and a token maker MUST NOT send a QCD token | an attacker who is using a different IP address, even in a load- | |||
| in an unprotected message for an existing IKE SA. IPsec Failure | sharing cluster without state synchronization. This method does not | |||
| Detection is thus not applicable to deployments where the QCD token | prevent revealing the QCD token to an active attacker who is spoofing | |||
| is shared by multiple gateways and the gateways can not assess | the token taker's IP address. Such an attacker may attempt to direct | |||
| whether the token can be legitimately sent in the clear while another | messages to a cluster member other than the member responsible for | |||
| gateway may actually still own the SA's. Load balancer designs | the IKE SA in an attempt to trick that gateway into sending a QCD | |||
| typically fall in this category. | token for a valid IKE SA. This method should not be used unless the | |||
| load balancer guarantees that IKE packets from the same source IP | ||||
| address always go to the same cluster member. | ||||
| 9.3. QCD Token Enumeration | 9.3. QCD Token Enumeration | |||
| An attacker may try to attack QCD if the generation algorithm | An attacker may try to attack QCD if the generation algorithm | |||
| described in Section 5.1 is used. The attacker will send several | described in Section 5.1 is used. The attacker will send several | |||
| fake IKE requests to the gateway under attack, receiving and | fake IKE requests to the gateway under attack, receiving and | |||
| recording the QCD Tokens in the responses. This will allow the | recording the QCD Tokens in the responses. This will allow the | |||
| attacker to create a dictionary of IKE SPIs to QCD Tokens, which can | attacker to create a dictionary of IKE SPIs to QCD Tokens, which can | |||
| later be used to tear down any IKE SA. | later be used to tear down any IKE SA. | |||
| skipping to change at page 19, line 5 | skipping to change at page 18, line 42 | |||
| Others who have contributed valuable comments are, in alphabetical | Others who have contributed valuable comments are, in alphabetical | |||
| order, Lakshminath Dondeti, Paul Hoffman, Tero Kivinen, Scott C | order, Lakshminath Dondeti, Paul Hoffman, Tero Kivinen, Scott C | |||
| Moonen, and Keith Welter. | Moonen, and Keith Welter. | |||
| 12. Change Log | 12. Change Log | |||
| This section lists all changes in this document | This section lists all changes in this document | |||
| NOTE TO RFC EDITOR : Please remove this section in the final RFC | NOTE TO RFC EDITOR : Please remove this section in the final RFC | |||
| 12.1. Changes from draft-ietf-ipsecme-failure-detection-03 | 12.1. Changes from draft-ietf-ipsecme-failure-detection-04 | |||
| o Some more rephrasing of section 9.2 based on suggestions by Tero | ||||
| Kivinen and Dave Wierbowski. | ||||
| 12.2. Changes from draft-ietf-ipsecme-failure-detection-03 | ||||
| o Merged section 9.4 into section 9.2. | o Merged section 9.4 into section 9.2. | |||
| o Multiple typos discovered by Scott Moonen, Keith Welter and Yaron. | o Multiple typos discovered by Scott Moonen, Keith Welter and Yaron. | |||
| 12.2. Changes from draft-ietf-ipsecme-failure-detection-02 | 12.3. Changes from draft-ietf-ipsecme-failure-detection-02 | |||
| o Moved section 7 to Appendix A. Also changed some wording. | o Moved section 7 to Appendix A. Also changed some wording. | |||
| o Fixed some language in the "interaction with session resumption" | o Fixed some language in the "interaction with session resumption" | |||
| section to say that although liveness check MUST be done, there | section to say that although liveness check MUST be done, there | |||
| are no time limits to how long an implementation takes before | are no time limits to how long an implementation takes before | |||
| starting liveness check, or ending it. | starting liveness check, or ending it. | |||
| 12.3. Changes from draft-ietf-ipsecme-failure-detection-01 | 12.4. Changes from draft-ietf-ipsecme-failure-detection-01 | |||
| o Fixed the language requiring random IKE SPIs. | o Fixed the language requiring random IKE SPIs. | |||
| o Some better explanation of the reasons to choose the methods in | o Some better explanation of the reasons to choose the methods in | |||
| Section 5.2 and the method in Section 5.1, to close issue #193. | Section 5.2 and the method in Section 5.1, to close issue #193. | |||
| o Added text to the beginning of Section 9 to accomodate issue #194. | o Added text to the beginning of Section 9 to accomodate issue #194. | |||
| 12.4. Changes from draft-ietf-ipsecme-failure-detection-00 | 12.5. Changes from draft-ietf-ipsecme-failure-detection-00 | |||
| o Nits pointed out by Scott and Yaron. | o Nits pointed out by Scott and Yaron. | |||
| o Pratima and Frederic are back on board. | o Pratima and Frederic are back on board. | |||
| o Changed IKEv2bis draft reference to RFC 5996. | o Changed IKEv2bis draft reference to RFC 5996. | |||
| o Resolved issues #189, #190, #191, and #192: | o Resolved issues #189, #190, #191, and #192: | |||
| * Renamed section 4.5 and removed the requirement to send an | * Renamed section 4.5 and removed the requirement to send an | |||
| acknowledgement for the unprotected message. | acknowledgement for the unprotected message. | |||
| * Moved the QCD token from the last to the first IKE_AUTH | * Moved the QCD token from the last to the first IKE_AUTH | |||
| request. | request. | |||
| * Added a MUST to Section 9.3 to require that IKE SPIs be | * Added a MUST to Section 9.3 to require that IKE SPIs be | |||
| randomly generated. | randomly generated. | |||
| * Changed the language in Section 8.1, to not use RFC 2119 | * Changed the language in Section 8.1, to not use RFC 2119 | |||
| terminology. | terminology. | |||
| * Moved the section describing why one would want the method | * Moved the section describing why one would want the method | |||
| dependant on IP addresses (in Section 5.2 from operational | dependant on IP addresses (in Section 5.2 from operational | |||
| considerations to security considerations. | considerations to security considerations. | |||
| 12.5. Changes from draft-nir-ike-qcd-07 | 12.6. Changes from draft-nir-ike-qcd-07 | |||
| o First WG version. | o First WG version. | |||
| o Addressed Scott C Moonen's concern about collisions of QCD tokens. | o Addressed Scott C Moonen's concern about collisions of QCD tokens. | |||
| o Updated references to point to IKEv2bis instead of RFC 4306 and | o Updated references to point to IKEv2bis instead of RFC 4306 and | |||
| 4718. Also converted draft reference for resumption to RFC 5723. | 4718. Also converted draft reference for resumption to RFC 5723. | |||
| o Added Dave Wiebrowski as author, and removed Pratima and Frederic. | o Added Dave Wiebrowski as author, and removed Pratima and Frederic. | |||
| 12.6. Changes from draft-nir-ike-qcd-03 and -04 | 12.7. Changes from draft-nir-ike-qcd-03 and -04 | |||
| Mostly editorial changes and cleaning up. | Mostly editorial changes and cleaning up. | |||
| 12.7. Changes from draft-nir-ike-qcd-02 | 12.8. Changes from draft-nir-ike-qcd-02 | |||
| o Described QCD token enumeration, following a question by | o Described QCD token enumeration, following a question by | |||
| Lakshminath Dondeti. | Lakshminath Dondeti. | |||
| o Added the ability to replace the QCD token for an existing IKE SA. | o Added the ability to replace the QCD token for an existing IKE SA. | |||
| o Added tokens dependent on peer IP address and their interaction | o Added tokens dependent on peer IP address and their interaction | |||
| with MOBIKE. | with MOBIKE. | |||
| 12.8. Changes from draft-nir-ike-qcd-01 | 12.9. Changes from draft-nir-ike-qcd-01 | |||
| o Removed stateless method. | o Removed stateless method. | |||
| o Added discussion of rekeying and resumption. | o Added discussion of rekeying and resumption. | |||
| o Added discussion of non-synchronized load-balanced clusters of | o Added discussion of non-synchronized load-balanced clusters of | |||
| gateways in the security considerations. | gateways in the security considerations. | |||
| o Other wording fixes. | o Other wording fixes. | |||
| 12.9. Changes from draft-nir-ike-qcd-00 | 12.10. Changes from draft-nir-ike-qcd-00 | |||
| o Merged proposal with draft-detienne-ikev2-recovery | o Merged proposal with draft-detienne-ikev2-recovery | |||
| o Changed the protocol so that the rebooted peer generates the | o Changed the protocol so that the rebooted peer generates the | |||
| token. This has the effect, that the need for persistent storage | token. This has the effect, that the need for persistent storage | |||
| is eliminated. | is eliminated. | |||
| o Added discussion of birth certificates. | o Added discussion of birth certificates. | |||
| 12.10. Changes from draft-nir-qcr-00 | 12.11. Changes from draft-nir-qcr-00 | |||
| o Changed name to reflect that this relates to IKE. Also changed | o Changed name to reflect that this relates to IKE. Also changed | |||
| from quick crash recovery to quick crash detection to avoid | from quick crash recovery to quick crash detection to avoid | |||
| confusion with IFARE. | confusion with IFARE. | |||
| o Added more operational considerations. | o Added more operational considerations. | |||
| o Added interaction with IFARE. | o Added interaction with IFARE. | |||
| o Added discussion of backup gateways. | o Added discussion of backup gateways. | |||
| 13. References | 13. References | |||
| End of changes. 19 change blocks. | ||||
| 50 lines changed or deleted | 51 lines changed or added | |||
This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||