Architecture for the Use of PE-PE IPsec Tunnels in BGP/MPLS IP VPNs
draft-ietf-l3vpn-ipsec-2547-05
Discuss
Yes
(Mark Townsley)
No Objection
(Bert Wijnen)
(Dan Romascanu)
(David Kessens)
(Magnus Westerlund)
(Margaret Cullen)
(Ross Callon)
(Ted Hardie)
No Record
Deb Cooley
Erik Kline
Francesca Palombini
Gunter Van de Velde
Jim Guichard
John Scudder
Mahesh Jethanandani
Murray Kucherawy
Orie Steele
Paul Wouters
Roman Danyliw
Warren Kumari
Zaheduzzaman Sarker
Éric Vyncke
Summary: Needs a YES.
Deb Cooley
No Record
Erik Kline
No Record
Francesca Palombini
No Record
Gunter Van de Velde
No Record
Jim Guichard
No Record
John Scudder
No Record
Mahesh Jethanandani
No Record
Murray Kucherawy
No Record
Orie Steele
No Record
Paul Wouters
No Record
Roman Danyliw
No Record
Warren Kumari
No Record
Zaheduzzaman Sarker
No Record
Éric Vyncke
No Record
Russ Housley Former IESG member
Discuss
Discuss
[Treat as non-blocking comment]
(2006-01-19)
Unknown
Please excuse the length of this DISCUSS position. It summarizes concerns from reviewers in the Security Directorate and myself. I have tried to eliminate overlap from the various reviewers. The term "privacy" should be replaced with "confidentiality" in the whole document. See definitions in RFC 2828. The title of the document and the Introduction do not seem to agree on the purpose of the document. The Title says: > > Architecture for the Use of PE-PE IPsec Tunnels ... > And, the Introduction says: > > This document specifies procedures for replacing the backbone > route label with an IPsec encapsulation > I think that the Introduction is more accurate. The introductory text says that IPsec is used to 'encapsulate" MPLS traffic. It says the "payload" will be an MPLS packet with the label stack consisting of a single MPLS entry, a route label. This raises several concerns: * I assume ESP encapsulation is intended, but ESP is mentioned anywhere. * Section 2 explains the encapsulation, and that does not match the description in introductory text. A diagram in Section 2 would help. * There is no mention of the SPD. Without a discussion of the SPD, the granularity of access control unclear. Section 2.2 talks about selecting a security policy, but again there is no mention of the SPD. What SPD entries that are appropriate for this application? How are source and destination address used? How is the next protocol value used? How are the port fields used? * Section 1.2 talks about anti-spoofing protection; however, the actual protection depends on the way that the previous points are resolved. Section 2.2 says: > > [RFC2547bis] already provides an egress-to-ingress signaling > capability via BGP, and we specify below how to extend this to > the signaling of security policy. > I assume this is a reference to Section 2.3, which says: > > Distribution of labeled VPN-IP routes by BGP is done exactly as > specified in [RFC2547bis], except that some additional BGP > attributes are needed for each distributed VPN-IP route. > > A given egress PE will be configurable to indicate whether it expects > to receive all, some, or none of its VPN traffic through an IPsec- > secured IP or GRE tunnel. In general, an ingress PE will not have to > know in advance whether any of the egress PEs for its VPNs require > their VPN traffic to be sent through an IPsec-secured IP tunnel; this > will be signaled from the egress PE. If an egress PE wants to receive > traffic for a particular VPN-IP route through an IPsec-secured IP > tunnel, it adds a new BGP Extended Community attribute to the route. > This attribute will then get distributed along with the route to the > ingress PEs. > If I understand this correctly, unsecured BGP configures IPsec SPD entries. Authentication and integrity of this configuration information is vital to security. Maybe I did not understand the intention here, but later comments in section 2.4 suggest otherwise. For example, section 2.4 notes that "no a priori configuration of remote tunnel endpoints is needed." If my understanding is correct, please tell how the distribution of security policy will be protected. Section 2.3 says: > > It is conceivable that an egress PE will want some of its IPsec- > secured IP-tunneled VPN traffic to be encrypted, but will want some > to be authenticated and not encrypted. > And then, Section 2.6 says: > > It is conceivable that there might need to be two (or more) SAs > between a pair of PEs, e.g., one in which data encryption is used > and one in which authentication but not encryption is used. > Multiple SAs are needed to support this vision, but providing different security services to different packets in a single SA is not supported by IPsec. Since the purpose for this draft is to protect PE-PE MPLS-in-IP traffic from being spoofed, why skip the authentication? Section 2.6 suggests that one SA can be used to carry traffic for multiple VPNs between two routers (a PE-PE pair). This seems reasonable given the security model proposed; however, this section also says that the packet delivered for IPsec processing need not be in the MPLS-in-IP or MPLS-in-GRE format; it might be a raw MPLS packet Handling raw MPLS assumes an IPsec module design very different than ones seen today in hosts, security gateways, or even bump-in-the-wire implementations. The text also says that the module would "apply the appropriate IPsec procedures," which seem to include generation of an IP header for the transport mode SA. This sort of processing is not part of IPsec. It needs to be specified in this document. (Only a tunnel mode SA can generate an IP header to encapsulate outbound traffic, but transport mode is used here.) Section 2.7 describes inbound processing and tries to address the problem of detecting and rejecting traffic that arrives with an MPLS label associated with an IPsec-protected VPN, but which has not be delivered via an appropriate SA. This discussion points out that the intent is to use MPLS labels as a basis for access control, even though it does not explicitly say so. The problem is that IPsec is not prepared to enforce this particular access control model, since MPLS labels are not selectors. It would be good to see a diagram showing where the IPsec boundary fits in this proposed use of IPsec, since the easy interpretation of the access control goal here does not match IPsec capabilities. This will also help make it clear how to configure the SPD for this application. The use of virtual interfaces is mentioned briefly, and that might be a way to address the access control issues. The Security Considerations are insufficient. Some points that need to be included are: * Describe any of the concerns arising from security policy distribution via BGP. RFC 3723 requires that iSNS be secured when it is used for security policy distribution. If BGP is used to distribution security policy I would expect similar considerations to apply. * Discuss the IPsec Extended Community. Is this community transitive? The Extended Community attribute is itself transitive, but each community must be identified as to whether it is transitive across ASes or not. There are concerns about the integrity of this way of signaling security policy: -- In the case where all PEs are in one AS, then the VPN-IPv4 routes can be distributed through IBGP connections (single hop) or through route reflectors. -- RFC 2796 does not mention any restrictions on the types of modifications a route reflector might do to reflected routes. General rules of BGP operation would then presume to apply. -- draft-ietf-idr-bgp-ext-communities-09.txt says that "A BGP speaker receiving a route with the Extended Communities attribute MAY modify this attribute according to the local policy." So, integrity/authentication protection would be difficult to provide for this field, in its hop through route reflectors. -- If the ingress and egress routers are in different ASes, then the draft says there must be an EBGP connection between a pair of routers in the two ASes (presumably not necessarily the ingress/router pair). This should be a single hop, so there should not be a problem with the integrity of the community, given that it is transitive and understood by both endpoints (assuming integrity/authentication for the BGP session). But, the Multi-AS Backbones section talks of using EBGP connections between ASBR's with the ASBR forwarding IBGP learned routes, so the ASBR would have the opportunity to affect the IPsec Extended Community attribute. The Multi-AS Backbones also speaks of ASes that serve as transit between the source AS and the destination AS, giving even more routers the chance to modify the IPsec Extended Community attribute. * Discuss the consequences of a misconfigured PE router. The document already says: "The SP must be careful not to incorrectly create a VPN containing sites that are not supposed to communicate with each other." This is too easily dismissed in the body of the document, where it says: "likely as not the PE has been misconfigured to apply that VPN's authenticator to packets to/from that site." This presumes that the PE is legitimately associated with the incorrect VPN, otherwise it should not know the authenticator.
Mark Townsley Former IESG member
Yes
Yes
()
Unknown
Bert Wijnen Former IESG member
No Objection
No Objection
()
Unknown
Dan Romascanu Former IESG member
No Objection
No Objection
()
Unknown
David Kessens Former IESG member
No Objection
No Objection
()
Unknown
Magnus Westerlund Former IESG member
No Objection
No Objection
()
Unknown
Margaret Cullen Former IESG member
No Objection
No Objection
()
Unknown
Ross Callon Former IESG member
No Objection
No Objection
()
Unknown
Sam Hartman Former IESG member
No Objection
No Objection
(2006-01-19)
Unknown
I agree with Russ's discuss. One way to address the concerns about SPD configuration and IPsec policy may be to include enough information in the extended community attribute to configure the PAD and SPD. This would probably include the identity of the peers involved as well as enough information to know what IP addresses would be used so the PAD entries could be created. I do wish the working group the best of luck in addressing these issues; I believe this document is critical to providing customers with an optionn for cryptographically isolated VPNs.
Ted Hardie Former IESG member
No Objection
No Objection
()
Unknown