Better IPSec Security Association Resolution - Netconf 2006 Tokyo

Published on June 30, 2009

Author: jamesmorris

Source: slideshare.net

Description

Presentation slides.

Better IPSec Security Association Resolution
Netconf 2006 Tokyo
James Morris jmorris@namei.org

Problem
a) Outbound packet
b) Security policy database (SPD) entry matches
c) No security association (SA) in the kernel
● Most of the time, we return EAGAIN to the application, or drop the packet if forwarding.
● We kick the key manager, and usually have an SA available for the next packet.

Problem...
● It actually kind of works for one case: blocking sendmsg() of datagrams.
● The process is scheduled in a loop until the SA is resolved. See xfrm_lookup().
● Does not work for connect(2), so ping and many UDP applications just get EAGAIN.

Solution
● General solution for all protocols and contexts:
– connect(2)
– sendmsg(2)
– forwarding path (tunnel endpoint)
– various kernel-generated packets
– blocking and non-blocking modes

Solution...
● Ideally, we'd like connect(2) to follow POSIX semantics; for non-blocking sockets this is:
– Return EINPROGRESS first
– Return EALREADY until the SA is resolved
● For non-blocking sockets in general, it would be nice to make sure poll(2) works as expected.
– even for datagram protocols, as IPsec adds a kind of session underneath.

Solution...
● sendmsg(2) should return EAGAIN in the non-blocking case.
● For the tunnel endpoint, we probably need to queue packets in a resolution queue.
● This may also be useful for the non-blocking socket case.
● Herbert has suggested a larval dst to go with the larval SA.

Status
● The current patch contains a lot of instrumentation and some initial changes:
– Make connect(2) work for the blocking case, hooking into ip_route_connect()
– Propagate new flags down to xfrm_lookup() to control behavior:
● Kick the key manager?
● Sleep until resolved?
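The semantics described on the Problem, Solution and Status slides, as an added user-space model written for this page: it is not the kernel's xfrm code and not code from the talk. A small policy struct carries the SA state (none, larval, mature), a count of ACQUIRE kicks sent to the key manager and a bounded resolution queue; two flags named XFRM_LOOKUP_KICK and XFRM_LOOKUP_WAIT stand in for the flags the Status slide says are propagated to xfrm_lookup(). struct policy, struct sock, the model_* functions, the flag names, the fake key manager callback and the integer packet ids are all assumptions made for illustration; the errno constants and POLLOUT come from the system headers.

```c
/* Added example: a user-space model of the SA-resolution semantics the slides
 * propose.  Not kernel xfrm code and not code from the talk; every struct, flag
 * and function name here is an assumption made for illustration. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>

enum sa_state { SA_NONE, SA_LARVAL, SA_MATURE };
#define RESOLVE_QUEUE_LEN 8

/* A matched SPD entry plus the SA that should protect it; packets that cannot
 * be sent yet wait in the resolution queue. */
struct policy {
    enum sa_state sa;
    int kicks;                     /* ACQUIREs sent to the key manager */
    int delivered;                 /* packets actually sent under the SA */
    int queued[RESOLVE_QUEUE_LEN]; /* packet ids waiting for the SA */
    size_t nqueued;
    int (*key_manager)(struct policy *); /* blocking mode; >0 once resolved */
};
struct sock { struct policy *pol; int nonblock; };

/* Flags propagated down to the lookup, as the Status slide describes. */
#define XFRM_LOOKUP_KICK 0x1 /* send an ACQUIRE if no SA exists yet */
#define XFRM_LOOKUP_WAIT 0x2 /* block (here: poll the key manager) until resolved */

/* The key manager installed the SA: mature it and flush the resolution queue. */
static void model_sa_resolved(struct policy *p)
{
    p->sa = SA_MATURE;
    p->delivered += (int)p->nqueued;
    p->nqueued = 0;
}

/* Stand-in for xfrm_lookup(): 0 with a mature SA, -EAGAIN otherwise.  KICK
 * sends at most one ACQUIRE per larval SA; WAIT blocks until it is resolved. */
static int model_xfrm_lookup(struct policy *p, int flags)
{
    if (p->sa == SA_NONE && (flags & XFRM_LOOKUP_KICK)) {
        p->sa = SA_LARVAL; /* ACQUIRE sent, keys not yet known */
        p->kicks++;
    }
    while ((flags & XFRM_LOOKUP_WAIT) && p->key_manager && p->sa != SA_MATURE) {
        int r = p->key_manager(p);
        if (r < 0)
            return r; /* negotiation failed: hand the error back */
        if (r > 0)
            model_sa_resolved(p);
    }
    return p->sa == SA_MATURE ? 0 : -EAGAIN;
}

/* Proposed POSIX-style connect(2): non-blocking gets EINPROGRESS first, then
 * EALREADY while the SA is larval, 0 once mature; blocking sleeps until mature. */
static int model_connect(struct sock *sk)
{
    if (sk->pol->sa == SA_MATURE)
        return 0;
    if (!sk->nonblock)
        return model_xfrm_lookup(sk->pol, XFRM_LOOKUP_KICK | XFRM_LOOKUP_WAIT);
    if (sk->pol->sa == SA_LARVAL)
        return -EALREADY;
    model_xfrm_lookup(sk->pol, XFRM_LOOKUP_KICK);
    return -EINPROGRESS;
}

/* sendmsg(2): -EAGAIN on a non-blocking socket until the SA exists. */
static int model_sendmsg(struct sock *sk)
{
    int err = model_xfrm_lookup(sk->pol, XFRM_LOOKUP_KICK |
                                (sk->nonblock ? 0 : XFRM_LOOKUP_WAIT));
    if (err == 0)
        sk->pol->delivered++;
    return err;
}

/* Tunnel endpoint: no socket to report to, so queue instead of dropping;
 * only a full queue still drops, as the old code always did. */
static int model_forward(struct policy *p, int pkt)
{
    if (model_xfrm_lookup(p, XFRM_LOOKUP_KICK) == 0) {
        p->delivered++;
        return 0;
    }
    if (p->nqueued == RESOLVE_QUEUE_LEN)
        return -ENOBUFS;
    p->queued[p->nqueued++] = pkt;
    return 0;
}

/* poll(2): writable only once the SA exists, i.e. the session underneath is up. */
static short model_poll(struct sock *sk) { return sk->pol->sa == SA_MATURE ? POLLOUT : 0; }

/* Fake key manager for the blocking path: resolves on the first call. */
static int fake_key_manager(struct policy *p) { (void)p; return 1; }

int main(void)
{
    struct policy p = { 0 }, q = { .key_manager = fake_key_manager };
    struct sock nb = { &p, 1 }, bl = { &q, 0 };
    printf("connect: %d\n", model_connect(&nb));   /* -EINPROGRESS */
    printf("connect: %d\n", model_connect(&nb));   /* -EALREADY */
    printf("sendmsg: %d, poll: %d\n", model_sendmsg(&nb), model_poll(&nb));
    model_forward(&p, 1); model_sa_resolved(&p);
    printf("delivered: %d, poll: %d\n", p.delivered, model_poll(&nb));
    printf("blocking connect: %d\n", model_connect(&bl));
    return 0;
}
```

Build with cc -Wall and run. Two choices in the model are worth noting: the blocking path polls a callback where the kernel would sleep on the larval SA, and the forwarding-path queue is fixed-size and drops when full, which is the bound any resolution queue needs so that a policy whose SA never resolves cannot pin memory on a tunnel endpoint. A larval dst, as suggested on the Solution slide, is not modelled.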

Ongoing work
● Continue to develop code to handle all cases and protocols
● Probably involves some code consolidation
● Determine how much of the problem to solve

Issues
● Not clear on all of the use cases for this:
– Opportunistic encryption
– Complex/large-scale policy where proactive SA negotiation overhead would be too high
– Others?
