On Mon, Oct 24, 2022 at 2:26 PM Michael Richardson <mcr+i...@sandelman.ca>
wrote:

>
> Ben Schwartz <bem...@google.com> wrote:
>
> ...
>
>     >> Even assuming that you can insert an AH header (which I think you can
>     >> legally do in IPv4, but not in IPv6), then you have to use a SPI# allocated
>     >> by destination ASBR, so you have to put the dstip= ASBR.
>     >>
>
>     > No, the SPI# is allocated by AS pair, so the SPI scope is unambiguous (to
>     > the recipient) from the source IP.  (There is no sequence number or replay
>     > defense.)
>
> No, RFC4301 says that the SPI# is allocated by the host indicated by the IP dst.
> If you allocate something for a host in the middle, then you will break IPsec
> for all end-hosts.


No, this is the main reason why the draft requests a new "RISAV-AH" IP
codepoint: so that it can stack on top of an end-to-end AH without
ambiguity.  (This ambiguity only exists for a few seconds during RISAV
setup and teardown, and could be disambiguated by ICV validation, but the
draft still proposes a new codepoint to be safe.)


>   That's not going to fly.
>
>     > ICMPs go to the source IP, which is what we want.  The only trick is
>     > that
>
> No, that's absolutely not what you want.
> The host that inserted the AH has to get the ICMP errors about that AH.
>

Can you describe an example of an ICMP message that ought to terminate at
the ASBR, rather than at the original sender?  Or perhaps a situation where
RFC 5508-style ICMP rewriting is not good enough?

...

>     >> It's not that big a deal, but I assume you'd like to use commodity off the
>     >> shelf hardware.
>
>     > I'm pretty sure this doesn't actually affect that.  I think we would do
>     > something like "ESP Key = HKDF(IKEv2 DH key, source IP)", and then ESP mode
>     > would run pretty much as usual.  My main question was how to negotiate this
>     > in the IKEv2 handshake.
>
> You would be negotiating something new that's not ESP or AH.
>

The draft proposes a new "RISAV-AH" codepoint and wire format, so indeed it
is not AH.

The draft proposes to reuse the ESP codepoint and wire format.  Each RISAV
SA would take ownership of all ESP packets to the "contact IP" (regardless
of source IP), but would not interfere with any other use of IPsec.

>     > In terms of performance, my bigger concern is that sending and receiving a
>     > RISAV packet requires an IP->ASN mapping lookup.  Hopefully ASBRs are good
>     > at that...
>
> That's easy.  That's just a routing lookup with nexthop=IPsec-SA#foo.
>

Great!
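As an added illustration (not part of this thread, the RISAV draft, or any IPsec implementation) of the "ESP Key = HKDF(IKEv2 DH key, source IP)" idea discussed above: the sender derives a per-source-IP key with RFC 5869 HKDF from one AS-pair secret, and the receiving ASBR verifies the ICV using only that secret plus the source address from the outer header, so it needs no per-source state. The salt and info labels, the packet layout (a constructed SPI/sequence header rather than real RFC 4303 ESP), the AS-pair secret standing in for the IKEv2 DH result, and the function names are all assumptions made for this example.

```python
"""Added example, not code from the thread or the RISAV draft: per-source-IP
key derivation in the style of 'ESP Key = HKDF(IKEv2 DH key, source IP)',
with a receiver that verifies an ICV from the AS-pair secret and source IP
alone.  Salt, labels, packet layout and names are constructed here."""
import hashlib
import hmac
import ipaddress
import struct

HASH = hashlib.sha256
ICV_LEN = 16  # 128-bit truncated HMAC, like AUTH_HMAC_SHA2_256_128


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def derive_source_key(as_pair_secret: bytes, src_ip: str) -> bytes:
    """Per-source key: HKDF over the AS-pair secret (stand-in for the IKEv2
    DH result) with the packed source IP bound into the info string.
    Works for IPv4 and IPv6 addresses; salt and label are constructed."""
    prk = hkdf_extract(b"risav-example-salt", as_pair_secret)
    info = b"risav-example-esp-key" + ipaddress.ip_address(src_ip).packed
    return hkdf_expand(prk, info, 32)


def build_packet(as_pair_secret: bytes, src_ip: str, spi: int, seq: int,
                 payload: bytes) -> bytes:
    """Sender side: (SPI, seq) header || payload || ICV under the per-source
    key.  Constructed layout, not real RFC 4303 ESP framing."""
    key = derive_source_key(as_pair_secret, src_ip)
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, HASH).digest()[:ICV_LEN]
    return body + icv


def verify_packet(as_pair_secret: bytes, src_ip: str, packet: bytes):
    """Receiver side: derives the key from the claimed source IP and checks
    the ICV in constant time.  Returns (spi, seq, payload), or None when the
    packet is too short or the ICV does not match (e.g. spoofed source)."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    key = derive_source_key(as_pair_secret, src_ip)
    expected = hmac.new(key, body, HASH).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]


if __name__ == "__main__":
    SECRET = b"constructed AS-pair secret for the example"
    pkt = build_packet(SECRET, "192.0.2.10", spi=0x1000, seq=1, payload=b"hi")
    print(verify_packet(SECRET, "192.0.2.10", pkt))   # accepted
    print(verify_packet(SECRET, "192.0.2.11", pkt))   # None: key differs
```

The receiver's only per-AS state is the shared secret; everything else is recomputed from the packet's source address, which is what lets one SA cover every source behind the peer AS. As the quoted text notes, there is no sequence-number or replay defence in this scheme, and the example does not add one.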


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
