Lorenzo Colitti <lorenzo=40google....@dmarc.ietf.org> wrote:
    > When working on a VPN implementation we found that it's very difficult
    > to rely on IPv6 ESP packets because many networks drop them, so even if
    > IKE negotiation succeeds, the data plane might be broken. Worse, this
    > can happen on migrate, blackholing an existing session until the
    > problem is detected and fixed with another migration.

Oh, that's really sad to hear.

In v6ops a point was made that ESP was the evidence that Extension Headers
are already commonly in use.  It was, even for me, an "oh yeah, that's right".

    > In many cases, I think a simple "pre-flight check" to see if ESP is
    > supported on a given network path could solve this problem. So after a
    > few conversations with folks here I put together this draft. It
    > provides the equivalent of an ESP ping packet. Comments and feedback
    > appreciated.

This is a really good idea.
PLEASE ADOPT already.

Let me suggest that while a Header value of 59 is good, it would also be
interesting to put IPv6-ICMP type/code ICMP Echo Request in.

This would allow the size of the ESP packet to be made arbitrarily large,
eliciting both ICMP Too Big fragments, but also RFC9268 processing to occur.

I like that we could clearly write an "esping" command that would operate
without any IKEv2, etc.

Years ago I advocated for a situation like this during the interop tests,
just to even be sure that we'd typed in the right peer IP.  Two hours wasted
as peer A kept trying to initiate to peer 4231 rather than 4321...

If esp echo request is implemented in a kernel, then bullet point two:
  * An attacker can use ESP Echo Request packets to determine whether a
    particular destination address is an ESP endpoint. This is not a new attack
    because any endpoint that supports ESP must also reply to IKE INIT packets.

might not be true.  Endpoints that aren't running IKE might also reply to
ESP Echo Requests.  This might be a feature. Or a bug.

It might be that kernels ought to have a sysctl or ioctl against the IKE
socket that would turn on ESP Echo Request processing.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
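The two probe shapes discussed in the message above, as an added example that is not code from the thread, the draft, or any IKE/ESP implementation: a small builder and classifier for cleartext IPv6/ESP frames, written from the point of view of someone looking at captured traffic and wanting to tell an ESP echo with Next Header 59 apart from an ESP echo carrying an ICMPv6 Echo Request, and to see whether a given probe is large enough to trip path MTU handling. The SPI value, the cleartext ESP layout (RFC 4303 framing with NULL encryption and no ICV, so the trailer is readable), and the documentation-prefix addresses are all assumptions of this example, not values taken from the draft.

```python
"""Added example (not from the thread or the draft): build and classify
cleartext IPv6/ESP probe frames of the two shapes discussed above."""
import ipaddress
import struct

IPPROTO_ESP = 50
IPPROTO_ICMPV6 = 58
IPPROTO_NONE = 59            # "No Next Header", RFC 8200 section 4.7
ICMPV6_ECHO_REQUEST = 128    # RFC 4443

# ASSUMPTION: placeholder SPI for the probe; the draft assigns its own value.
PROBE_SPI = 0x00000007


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _icmpv6_checksum(src: bytes, dst: bytes, body: bytes) -> int:
    """ICMPv6 checksum covers the IPv6 pseudo-header (RFC 8200 section 8.1)."""
    pseudo = src + dst + struct.pack("!I3xB", len(body), IPPROTO_ICMPV6)
    return _ones_complement_sum(pseudo + body)


def build_icmpv6_echo(src: str, dst: str, ident: int, seq: int, data: bytes) -> bytes:
    body = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + data
    csum = _icmpv6_checksum(ipaddress.IPv6Address(src).packed,
                            ipaddress.IPv6Address(dst).packed, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def build_esp(spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """Cleartext ESP (RFC 4303 layout, NULL encryption, no ICV): header, payload,
    then padding so that payload + padding + 2 trailer bytes is 4-byte aligned."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default pad pattern
    return (struct.pack("!II", spi, seq) + payload + padding
            + struct.pack("!BB", pad_len, next_header))


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes,
               hop_limit: int = 64) -> bytes:
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def classify(frame: bytes, path_mtu: int = 1280) -> dict:
    """Parse IPv6 + cleartext ESP and report which probe shape this frame is.
    Only a NULL-encrypted, ICV-less ESP trailer is readable; on a real SA the
    trailer is encrypted and the frame simply classifies as 'esp-other'."""
    if len(frame) < 40 or frame[0] >> 4 != 6:
        return {"kind": "not-ipv6"}
    payload_len, nh = struct.unpack("!HB", frame[4:7])
    if nh != IPPROTO_ESP:
        return {"kind": "not-esp", "next_header": nh}
    esp = frame[40:40 + payload_len]
    if len(esp) < 10:
        return {"kind": "esp-truncated"}
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, inner_nh = struct.unpack("!BB", esp[-2:])
    if 8 + pad_len + 2 > len(esp):
        return {"kind": "esp-malformed"}
    inner = esp[8:len(esp) - 2 - pad_len]
    result = {"spi": spi, "seq": seq, "inner_next_header": inner_nh,
              "inner_len": len(inner), "total_len": len(frame),
              # anything above the IPv6 minimum MTU is what can elicit Packet Too Big
              "exceeds_path_mtu": len(frame) > path_mtu}
    if inner_nh == IPPROTO_NONE:
        result["kind"] = "esp-echo-no-next-header"
    elif inner_nh == IPPROTO_ICMPV6 and inner and inner[0] == ICMPV6_ECHO_REQUEST:
        result["kind"] = "esp-echo-icmpv6"
        result["checksum_ok"] = _icmpv6_checksum(frame[8:24], frame[24:40], inner) == 0
    else:
        result["kind"] = "esp-other"
    return result


# Constructed sample frames (documentation-prefix addresses, not real hosts).
SRC, DST = "2001:db8::1", "2001:db8::2"
PROBE_NO_NEXT_HEADER = build_ipv6(
    SRC, DST, IPPROTO_ESP, build_esp(PROBE_SPI, 1, b"", IPPROTO_NONE))
PROBE_ICMPV6_ECHO = build_ipv6(
    SRC, DST, IPPROTO_ESP,
    build_esp(PROBE_SPI, 2,
              build_icmpv6_echo(SRC, DST, 0x1234, 1, b"\x00" * 1400),
              IPPROTO_ICMPV6))

if __name__ == "__main__":
    for name, frame in (("no-next-header", PROBE_NO_NEXT_HEADER),
                        ("icmpv6-echo", PROBE_ICMPV6_ECHO)):
        print(name, classify(frame))
```

The Next Header 59 form is a fixed 52-byte frame here, while the ICMPv6 form grows with its echo data (1460 bytes in the sample, above the 1280-byte IPv6 minimum), which is the property the message points at for exercising Packet Too Big handling; the classifier only inspects the trailer because the sample frames are cleartext, so it is a diagnostic for probe traffic rather than anything that applies to production SAs.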


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
