
Re: Remove tunnel mode from ipsec-tunnels-02?



Pekka,

I know of no implementation supporting IPv6 selectors (like ::/0) over an IPv4 IKE/IPsec... So, this IPsec tunnel mode of IPv6 over IPv4 could be dropped for clarity's sake.

The most common (i.e. the one I'm using at home between routers) is indeed transport mode (selector IPv4 addresses & protocol=41).

NOTE: a lot of 'remote access IPsec clients' are actually using IPsec tunnel mode (typically selector 0.0.0.0/0), i.e., encrypting all IPv4 packets including protocol 41. So, this is a valid use of IPsec in tunnel mode for secure IPv6 tunnels (this is actually a double tunnel...). So, we may still want to keep a 'tunnel mode' IPsec for reality's sake.

Just re-read the whole I-D in the same shot and have one further comment (as it is late, please feel free to drop it). BTW, its recent text additions are excellent.

2.2: outer IPv4 spoofing is not a threat; the wording is accurate but should stress that an attacker trying to inject packets into the IPv6 tunnels will go nowhere: all his/her packets will fail the decryption part and will be rejected.

Hope it helps

-eric


At 16:19 12/07/2006 +0200, Pekka Savola wrote:

Hello,

As proposed at the v6ops meeting [0], the authors of
draft-ietf-v6ops-ipsec-tunnels-02 propose to remove support for tunnel
mode in this particular context (securing v6-in-v4 configured
tunnels).

This is due to issues spotted by Francis [1] and Pasi [2].  Generic
"::/0 -> ::/0" selectors could not be made to work without
interface-specific SPDs, and those cannot be signalled in IKE (that's
run on top of IPv4) when the tunnel would be IPv6 in a standardized
way.  Generic selectors are required for link-local traffic (e.g., ND)
to work on the tunnel.

If we go through with this proposed resolution,
draft-ietf-v6ops-ipsec-tunnels would only describe transport mode.

Comments are welcome.

[0] http://www3.ietf.org/proceedings/06jul/slides/v6ops-4.pdf
[1] http://ops.ietf.org/lists/v6ops/v6ops.2006/msg00159.html
[2] http://ops.ietf.org/lists/v6ops/v6ops.2006/msg00230.html

For the authors of draft-ietf-v6ops-ipsec-tunnels-02,

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
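As an added illustration (not part of either message above) of the transport-mode selector Eric describes (IPv4 endpoint addresses, protocol 41) and of Pekka's point that a generic "::/0 -> ::/0" selector cannot be applied to the outer IPv4 packet: a small Python model of an SPD lookup over a constructed 6in4 packet carrying an ND Neighbor Solicitation. The addresses are documentation ranges chosen for the example, and the SPD entries are assumed, not taken from the draft.

```python
import ipaddress
import struct

# Constructed sample: a 6in4 (IP protocol 41) packet carrying an IPv6 Neighbor
# Solicitation between link-local addresses, as the IPsec SPD sees it in transport mode.

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header, no options; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ipv6_header(src, dst, next_header, payload_len):
    """Minimal IPv6 header (version 6, zero traffic class and flow label, hop limit 255)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 255,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def build_6in4(outer_src, outer_dst, inner_src, inner_dst, icmpv6):
    """Encapsulate an IPv6 packet (ICMPv6 payload, next header 58) in IPv4 protocol 41."""
    inner = ipv6_header(inner_src, inner_dst, 58, len(icmpv6)) + icmpv6
    return ipv4_header(outer_src, outer_dst, 41, len(inner)) + inner

def spd_lookup(pkt, spd):
    """Return the first SPD entry whose selector matches the OUTER IPv4 header."""
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    proto = pkt[9]
    for entry in spd:
        s, d = ipaddress.ip_network(entry["src"]), ipaddress.ip_network(entry["dst"])
        if s.version != src.version:  # "::/0 -> ::/0" can never match an IPv4 outer header
            continue
        if src in s and dst in d and entry["proto"] in ("any", proto):
            return entry
    return None

# Assumed transport-mode policy: protect only protocol 41 between the two tunnel endpoints.
# The generic IPv6 selector models the tunnel-mode entry the draft proposes to drop.
SPD = [
    {"src": "192.0.2.1/32", "dst": "198.51.100.1/32", "proto": 41, "mode": "transport"},
    {"src": "::/0", "dst": "::/0", "proto": "any", "mode": "tunnel"},
]

# Constructed Neighbor Solicitation (ICMPv6 type 135) for fe80::2, sent from fe80::1 to the
# solicited-node multicast address; the ICMPv6 checksum is left zero.
NS = bytes([135, 0, 0, 0, 0, 0, 0, 0]) + ipaddress.IPv6Address("fe80::2").packed
ND_PKT = build_6in4("192.0.2.1", "198.51.100.1", "fe80::1", "ff02::1:ff00:2", NS)
```

The transport-mode entry covers the ND packet because the selector is evaluated on the outer IPv4 header, regardless of the link-local inner addresses; the IPv6 selector matches nothing at that point.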