[IPsec] draft-mglt-ipsecme-ts-dscp

2023-07-12 Thread Scott Fluhrer (sfluhrer) 
Hi,

   I rereviewed this draft, and have a few comments:


  *   As the draft is written, the administrator can specify that (for example) 
traffic with DSCP=3 must be protected, but other traffic is not.  I don't 
believe giving administrators this option is a good idea, it can likely result 
in a security foot gun.

The current selectors (protocol, IP addresses, ports) specify the traffic type, 
where it is coming from or where it is going to - that is, things that the 
application may check.  For example, if the SPD specifies that TCP traffic to 
port 22 MUST be protected, then someone cannot trick the system into accepting 
a TCP packet to port 22 (without going through authentication).

DSCP, on the other hand, doesn't specify the traffic type or 
source/destination, but instead how the traffic should be treated.  And, 
receiving applications do not verify themselves if the DSCP value is what they 
expect (because network devices are free to modify the DSCP value in transit).  
Hence, in the above scenario where only DSCP=3 traffic is protected, the 
adversary can inject any traffic they like (and just set the DSCP setting to 
something else).

It would appear to me that this draft would need to mandate that, if you do 
have a DSCP-specific SPD entry, that traffic that matches that (except for the 
DSCP) must also be protected (either encrypted or discarded).



  *   I'm going through the introduction, and quite frankly I don't understand 
some of the arguments.  For example, consider this text:


   If DSCP values are
   not agreed and between (for example) 2 SAs, it is unlikely the
   initiator and the responder miraculously select the same subset of
   DSCP values over the same SAs.  Instead each peer is likely that
   inbound and outbound traffic take different SA and as such does not
   solve the issue of discarding lower priority packets associated to
   different class of traffic sharing a given SA.

I'm completely missing the issue that is being brought up in this text.  If we 
have two peers Alice and Bob, and they negotiate two pairs of Sas (SA1, SA3 for 
Alice to Bob traffic, SA2, SA4 for Bob to Alice traffic), and Alice decides to 
send DSCP=2 traffic via SA1, DSCP=4 traffic via SA3, and Bob decides to send 
DSCP=2 traffic via SA4, DSCP=4 traffic via SA2, why is that an issue?  The 
original issue being addressed is for traffic in one direction (Alice to Bob) 
where sending different DSCP values over the same SA may cause drops; I do not 
believe there is any interaction between SAs going in different directions (or 
the differing decisions being made by Alice and Bob)


  *   One omission in this draft is any discussion of the decapsulation 
procedure.  According to 4301, we're supposed to do a check of the decrypted 
packet against the SAD selectors - is the DSCP included in that?  How is this 
handled in transport mode (where the original DSCP value would not be 
available)?  Or, is transport mode forbidden to these SAs?
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] IETF 117 agenda items

2023-07-12 Thread Daniel Migault 
With very limited connectivity. We sent a request probably a month ago for
the following drafts. So just resending in case we missed anything. We are
looking for these drafts to be adopted by the wg.

https://datatracker.ietf.org/doc/draft-mglt-ipsecme-ts-dscp/

https://datatracker.ietf.org/doc/draft-liu-ipsecme-ikev2-mtu-dect/

https://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp/

https://datatracker.ietf.org/doc/draft-mglt-ipsecme-ikev2-diet-esp-extension/

Yours,
Daniel

On Wed, Jul 12, 2023, 00:06 Paul Wouters  wrote:

>
> On Tue, Jul 11, 2023 at 4:52 PM Rebecca Guthrie  40uwe.nsa@dmarc.ietf.org> wrote:
>
>> Greetings,
>>
>> Will there be an adoption call for draft-smslov-ipsecme-ikev2-qr-alt-08?
>> I support adoption, but if the group thinks it needs more discussion first,
>> I'd like to request that it be added to the agenda.
>
>
> We haven't really seen any further discussion other than at IETF-116. I
> don't think anyone is objecting. I believe some people said an alternative
> approach is to do a childless IKE SA and then do a CREATE_CHILD_SA with
> PPK, but those people could still do that if they prefer and not implement
> this draft.
>
> Note that libreswan and ELVIS+ have implemented this draft and done
> interop testing. So I think we can have an adoption call with a quick (not
> 4 month) WGLC after that. But I am not the chairs :/
>
> Paul
>
>
>
>
>> I have a few comments on the draft that I'm happy to share on list or as
>> part of a discussion at IETF 117.
>>
>> Thanks!
>>
>> Rebecca
>>
>> Rebecca Guthrie
>> she/her
>> Center for Cybersecurity Standards (CCSS)
>> Cybersecurity Collaboration Center (CCC)
>> National Security Agency (NSA)
>>
>> -Original Message-
>> From: IPsec  On Behalf Of Tero Kivinen
>> Sent: Monday, July 10, 2023 3:29 AM
>> To: ipsec@ietf.org
>> Subject: [IPsec] IETF 117 agenda items
>>
>> Send requests for IETF 117 IPsecME agenda items to the
>> ipsecme-cha...@ietf.org by the end of this week, so I can create the
>> agenda for the IPsecME WG next week.
>> --
>> kivi...@iki.fi
>>
>> ___
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
>>
>> ___
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
>>
> ___
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec