Opportunistic Encryption
Henry Spencer
D. Hugh Redelmeier
henry@spsystems.net
hugh@mimosa.com
Linux FreeS/WAN Project
Opportunistic encryption permits secure
(encrypted, authenticated) communication via IPsec
without connection-by-connection prearrangement,
either explicitly between hosts (when the hosts
are capable of it) or transparently via packet-
intercepting security gateways. It uses DNS
records (authenticated with DNSSEC) to provide the
necessary information for gateway discovery and
gateway authentication, and constrains negotiation
enough to guarantee success.
Substantive changes since draft 3: write off
inverse queries as a lost cause; use Invalid-SPI
rather than Delete as notification of unknown SA;
minor wording improvements and clarifications.
This document takes over from the older ``Imple-
menting Opportunistic Encryption'' document.
1. Introduction
A major goal of the FreeS/WAN project is opportunistic
encryption: a (security) gateway intercepts an outgoing
packet aimed at a remote host, and quickly attempts to nego-
tiate an IPsec tunnel to that host's security gateway. If
the attempt succeeds, traffic can then be secure, transpar-
ently (without changes to the host software). If the
attempt fails, the packet (or a retry thereof) passes
through in clear or is dropped, depending on local policy.
Prearranged tunnels bypass the packet interception etc., so
static VPNs can coexist with opportunistic encryption.
This generalizes trivially to the end-to-end case: host and
security gateway simply are one and the same. Some opti-
mizations are possible in that case, but the basic scheme
need not change.
The objectives for security systems need to be explicitly
stated. Opportunistic encryption is meant to achieve secure
communication, without prearrangement of the individual con-
nection (although some prearrangement on a per-host basis is
Draft 4 3 May 2001 1
Opportunistic Encryption
required), between any two hosts which implement the proto-
col (and, if they act as security gateways, between hosts
behind them). Here ``secure'' means strong encryption and
authentication of packets, with authentication of partici-
pants--to prevent man-in-the-middle and impersonation
attacks--dependent on several factors. The biggest factor
is the authentication of DNS records, via DNSSEC or equiva-
lent means. A lesser factor is which exact variant of the
setup procedure (see section 2.2) is used, because there is
a tradeoff between strong authentication of the other end
and ability to negotiate opportunistic encryption with hosts
which have limited or no control of their reverse-map DNS
records: without reverse-map information, we can verify that
the host has the right to use a particular FQDN (Fully Qual-
ified Domain Name), but not whether that FQDN is authorized
to use that IP address. Local policy must decide whether
authentication or connectivity has higher priority.
Apart from careful attention to detail in various areas,
there are three crucial design problems for opportunistic
encryption. It needs a way to quickly identify the remote
host's security gateway. It needs a way to quickly obtain
an authentication key for the security gateway. And the
numerous options which can be specified with IKE must be
constrained sufficiently that two independent implementa-
tions are guaranteed to reach agreement, without any
explicit prearrangement or preliminary negotiation. The
first two problems are solved using DNS, with DNSSEC ensur-
ing that the data obtained is reliable; the third is solved
by specifying a minimum standard which must be supported.
A note on philosophy: we have deliberately avoided providing
six different ways to do each job, in favor of specifying
one good one. Choices are provided only when they appear to
be necessary, or at least important.
A note on terminology: to avoid constant circumlocutions, an
ISAKMP/IKE SA, possibly recreated occasionally by rekeying,
will be referred to as a ``keying channel'', and a set of
IPsec SAs providing bidirectional communication between two
IPsec hosts, possibly recreated occasionally by rekeying,
will be referred to as a ``tunnel'' (it could conceivably
use transport mode in the host-to-host case, but we advocate
using tunnel mode even there). The word ``connection'' is
here used in a more generic sense. The word ``lifetime''
will be avoided in favor of ``rekeying interval'', since
many of the connections will have useful lives far shorter
than any reasonable rekeying interval, and hence the two
concepts must be separated.
A note on document structure: Discussions of why things were
done a particular way, or not done a particular way, are
broken out in paragraphs headed ``Rationale:'' (to preserve
the flow of the text, many such paragraphs are deferred to
Draft 4 3 May 2001 2
Opportunistic Encryption
the ends of sections). Paragraphs headed ``Ahem:'' are dis-
cussions of where the problem is being made significantly
harder by problems elsewhere, and how that might be cor-
rected. Some meta-comments are enclosed in [].
Rationale: The motive is to get the Internet encrypted.
That requires encryption without connection-by-connection
prearrangement: a system must be able to reliably negotiate
an encrypted, authenticated connection with a total
stranger. While end-to-end encryption is preferable, doing
opportunistic encryption in security gateways gives enormous
leverage for quick deployment of this technology, in a world
where end-host software is often primitive, rigid, and out-
dated.
Rationale: Speed is of the essence in tunnel setup: a con-
nection-establishment delay longer than about 10 seconds
begins to cause problems for users and applications. Thus
the emphasis on rapidity in gateway discovery and key fetch-
ing.
Ahem: Host-to-host opportunistic encryption would be utterly
trivial if a fast public-key encryption/signature algorithm
was available. You would do a reverse lookup on the desti-
nation address to obtain a public key for that address, and
simply encrypt all packets going to it with that key, sign-
ing them with your own private key. Alas, this is impracti-
cal with current CPU speeds and current algorithms (although
as noted later, it might be of some use for limited pur-
poses). Nevertheless, it is a useful model.
2. Connection Setup
For purposes of discussion, the network is taken to look
like this:
Source----Initiator----...----Responder----Destination
The intercepted packet comes from the Source, bound for the
Destination, and is intercepted at the Initiator. The Ini-
tiator communicates over the insecure Internet to the
Responder. The Source and the Initiator might be the same
host, or the Source might be an end-user host and the Ini-
tiator a security gateway (SG). Likewise for the Responder
and the Destination.
Given an intercepted packet, whose useful information (for
our purposes) is essentially only the Destination's IP
address, the Initiator must quickly determine the Responder
(the Destination's SG) and fetch everything needed to
authenticate it. The Responder must do likewise for the
Initiator. Both must eventually also confirm that the other
is authorized to act on behalf of the client host behind it
(if any).
Draft 4 3 May 2001 3
Opportunistic Encryption
An important subtlety here is that if the alternative to an
IPsec tunnel is plaintext transmission, negative results
must be obtained quickly. That is, the decision that no
tunnel can be established must also be made rapidly.
2.1. Packet Interception
Interception of outgoing packets is relatively straightfor-
ward in principle. It is preferable to put the intercepted
packet on hold rather than dropping it, since higher-level
retries are not necessarily well-timed. There is a problem
of hosts and applications retrying during negotiations. ARP
implementations, which face the same problem, use the
approach of keeping the most recent packet for an as-yet-
unresolved address, and throwing away older ones. (Incre-
menting of request numbers etc. means that replies to older
ones may no longer be accepted.)
Is it worth intercepting incoming packets, from the outside
world, and attempting tunnel setup based on them? No,
unless and until a way can be devised to initiate oppor-
tunistic encryption to a non-opportunistic responder,
because if the other end has not initiated tunnel setup
itself, it will not be prepared to do so at our request.
Rationale: Note, however, that most incoming packets will
promptly be followed by an outgoing packet in response!
Conceivably it might be useful to start early stages of
negotiation, at least as far as looking up information, in
response to an incoming packet.
Rationale: If a plaintext incoming packet indicates that the
other end is not prepared to do opportunistic encryption, it
might seem that this fact should be noted, to avoid consum-
ing resources and delaying traffic in an attempt at oppor-
tunistic setup which is doomed to fail. However, this would
be a major security hole, since the plaintext packet is not
authenticated; see section 2.5.
2.2. Algorithm
For clarity, the following defers most discussion of error
handling to the end.
Step 1. Initiator does a DNS reverse lookup on the Destina-
tion address, asking not for the usual PTR records,
but for TXT records. Meanwhile, Initiator also
sends a ping to the Destination, to cause any other
dynamic setup actions to start happening. (Ping
replies are disregarded; the host might not be
reachable with plaintext pings.)
Step 2A. If at least one suitable TXT record (see section
2.3) comes back, each contains a potential
Draft 4 3 May 2001 4
Opportunistic Encryption
Responder's IP address and that Responder's public
key (or where to find it). Initiator picks one TXT
record, based on priority (see 2.3), thus picking a
Responder. If there was no public key in the TXT
record, the Initiator also starts a DNS lookup (as
specified by the TXT record) to get KEY records.
Step 2B. If no suitable TXT record is available, and policy
permits, Initiator designates the Destination
itself as the Responder (see section 2.4). If pol-
icy does not permit, or the Destination is unre-
sponsive to the negotiation, then opportunistic
encryption is not possible, and Initiator gives up
(see section 2.5).
Step 3. If there already is a keying channel to the Respon-
der's IP address, the Initiator uses the existing
keying channel; skip to step 10. Otherwise, the
Initiator starts an IKE Phase 1 negotiation (see
section 2.7 for details) with the Responder. The
address family of the Responder's IP address dic-
tates whether the keying channel and the outside of
the tunnel should be IPv4 or IPv6.
Step 4. Responder gets the first IKE message, and responds.
It also starts a DNS reverse lookup on the Initia-
tor's IP address, for KEY records, on speculation.
Step 5. Initiator gets Responder's reply, and sends first
message of IKE's D-H exchange (see 2.4).
Step 6. Responder gets Initiator's D-H message, and
responds with a matching one.
Step 7. Initiator gets Responder's D-H message; encryption
is now established, authentication remains to be
done. Initiator sends IKE authentication message,
with an FQDN identity if a reverse lookup on its
address will not yield a suitable KEY record.
(Note, an FQDN need not actually correspond to a
host--e.g., the DNS data for it need not include an
A record.)
Step 8. Responder gets Initiator's authentication message.
If there is no identity included, Responder waits
for step 4's speculative DNS lookup to finish; it
should yield a suitable KEY record (see 2.3). If
there is an FQDN identity, responder discards any
data obtained from step 4's DNS lookup; does a for-
ward lookup on the FQDN, for a KEY record; waits
for that lookup to return; it should yield a suit-
able KEY record. Either way, Responder uses the
KEY data to verify the message's hash. Responder
replies with an authentication message, with an
Draft 4 3 May 2001 5
Opportunistic Encryption
FQDN identity if a reverse lookup on its address
will not yield a suitable KEY record.
Step 9A. (If step 2A was used.) The Initiator gets the
Responder's authentication message. Step 2A has
provided a key (from the TXT record or via DNS
lookup). Verify message's hash. Encrypted and
authenticated keying channel established, man-in-
middle attack precluded.
Step 9B. (If step 2B was used.) The Initiator gets the
Responder's authentication message, which must con-
tain an FQDN identity (if the Responder can't put a
TXT in his reverse map he presumably can't do a KEY
either). Do forward lookup on the FQDN, get suit-
able KEY record, verify hash. Encrypted keying
channel established, man-in-middle attack pre-
cluded, but authentication weak (see 2.4).
Step 10. Initiator initiates IKE Phase 2 negotiation (see
2.7) to establish tunnel, specifying Source and
Destination identities as IP addresses (see 2.6).
The address family of those addresses also deter-
mines whether the inside of the tunnel should be
IPv4 or IPv6.
Step 11. Responder gets first Phase 2 message. Now the
Responder finally knows what's going on! Unless
the specified Source is identical to the Initiator,
Responder initiates DNS reverse lookup on Source IP
address, for TXT records; waits for result; gets
suitable TXT record(s) (see 2.3), which should con-
tain either the Initiator's IP address or an FQDN
identity identical to that supplied by the Initia-
tor in step 7. This verifies that the Initiator is
authorized to act as SG for the Source. Responder
replies with second Phase 2 message, selecting
acceptable details (see 2.7), and establishes tun-
nel.
Step 12. Initiator gets second Phase 2 message, establishes
tunnel (if he didn't already), and releases the
intercepted packet into it, finally.
Step 13. Communication proceeds. See section 3 for what
happens later.
As additional information becomes available, notably in
steps 1, 2, 4, 8, 9, 11, and 12, there is always a possibil-
ity that local policy (e.g., access limitations) might pre-
vent further progress. Whenever possible, at least attempt
to inform the other end of this.
Draft 4 3 May 2001 6
Opportunistic Encryption
At any time, there is a possibility of the negotiation fail-
ing due to unexpected responses, e.g. the Responder not
responding at all or rejecting all Initiator's proposals.
If multiple SGs were found as possible Responders, the Ini-
tiator should try at least one more before giving up. The
number tried should be influenced by what the alternative
is: if the traffic will otherwise be discarded, trying the
full list is probably appropriate, while if the alternative
is plaintext transmission, it might be based on how long the
tries are taking. The Initiator should try as many as it
reasonably can, ideally all of them.
There is a sticky problem with timeouts. If the Responder
is down or otherwise inaccessible, in the worst case we
won't hear about this except by not getting responses. Some
other, more pathological or even evil, failure cases can
have the same result. The problem is that in the case where
plaintext is permitted, we want to decide whether a tunnel
is possible quickly. There is no good solution to this,
alas; we just have to take the time and do it right. (Pass-
ing plaintext meanwhile looks attractive at first glance...
but exposing the first few seconds of a connection is often
almost as bad as exposing the whole thing. Worse, if the
user checks the status of the connection, after that brief
window it looks secure!)
The flip side of waiting for a timeout is that all other
forms of feedback, e.g. ``host not reachable'', arguably
should be ignored, because in the absence of authenticated
ICMP, you cannot trust them!
Rationale: An alternative, sometimes suggested, to the use
of explicit DNS records for SG discovery is to directly
attempt IKE negotiation with the destination host, and
assume that any relevant SG will be on the packet path, will
intercept the IKE packets, and will impersonate the destina-
tion host for the IKE negotiation. This is superficially
attractive but is a very bad idea. It assumes that routing
is stable throughout negotiation, that the SG is on the
plaintext-packets path, and that the destination host is
routable (yes, it is possible to have (private) DNS data for
an unroutable host). Playing extra games in the plaintext-
packet path hurts performance and can be expected to be
unpopular. Various difficulties ensue when there are multi-
ple SGs along the path (there is already bad experience with
this, in RSVP), and the presence of even one can make it
impossible to do IKE direct to the host when that is what's
wanted. Worst of all, such impersonation breaks the IP net-
work model badly, making problems difficult to diagnose and
impossible to work around (and there is already bad experi-
ence with this, in areas like web caching).
Rationale: (Step 1.) Dynamic setup actions might include
establishment of demand-dialed links. These might be
Draft 4 3 May 2001 7
Opportunistic Encryption
present anywhere along the path, so one cannot rely on out-
of-band communication at the Initiator to trigger them.
Hence the ping.
Rationale: (Step 2.) In many cases, the IP address on the
intercepted packet will be the result of a name lookup just
done. Inverse queries, an obscure DNS feature from the dis-
tant past, in theory can be used to ask a DNS server to
reverse that lookup, giving the name that produced the
address. This is not the same as a reverse lookup, and the
difference can matter a great deal in cases where a host
does not control its reverse map (e.g., when the host's IP
address is dynamically assigned). Unfortunately, inverse
queries were never widely implemented and are now considered
obsolete. Phooey.
Ahem: Support for a small subset of this admittedly-obscure
feature would be useful. Unfortunately, it seems unlikely.
Rationale: (Step 3.) Using only IP addresses to decide
whether there is already a relevant keying channel avoids
some difficult problems. In particular, it might seem that
this should be based on identities, but those are not known
until very late in IKE Phase 1 negotiations.
Rationale: (Step 4.) The DNS lookup is done on speculation
because the data will probably be useful and the lookup can
be done in parallel with IKE activity, potentially speeding
things up.
Rationale: (Steps 7 and 8.) If an SG does not control its
reverse map, there is no way it can prove its right to use
an IP address, but it can nevertheless supply both an iden-
tity (as an FQDN) and proof of its right to use that iden-
tity. This is somewhat better than nothing, and may be
quite useful if the SG is representing a client host which
can prove its right to its IP address. (For example, a
fixed-address subnet might live behind an SG with a dynami-
cally-assigned address; such an SG has to be the Initiator,
not the Responder, so the subnet's TXT records can contain
FQDN identities, but with that restriction, this works.) It
might sound like this would permit some man-in-the-middle
attacks in important cases like Road Warrior, but the RW can
still do full authentication of the home base, so a man in
the middle cannot successfully impersonate home base, and
the D-H exchange doesn't work unless the man in the middle
impersonates both ends.
Rationale: (Steps 7 and 8.) Another situation where proof
of the right to use an identity can be very useful is when
access is deliberately limited. While opportunistic encryp-
tion is intended as a general-purpose connection mechanism
between strangers, it may well be convenient for prearranged
connections to use the same mechanism.
Draft 4 3 May 2001 8
Opportunistic Encryption
Rationale: (Steps 7 and 8.) FQDNs as identities are avoided
where possible, since they can involve synchronous DNS
lookups.
Rationale: (Step 11.) Note that only here, in Phase 2, does
the Responder actually learn who the Source and Destination
hosts are. This unfortunately demands a synchronous DNS
lookup to verify that the Initiator is authorized to repre-
sent the Source, unless they are one and the same. This and
the initial TXT lookup are the only synchronous DNS lookups
absolutely required by the algorithm, and they appear to be
unavoidable.
Rationale: While it might seem unlikely that a refusal to
cooperate from one SG could be remedied by trying another--
presumably they all use the same policies--it's conceivable
that one might be misconfigured. Preferably they should all
be tried, but it may be necessary to set some limits on this
if alternatives exist.
2.3. DNS Records
Gateway discovery and key lookup are based on TXT and KEY
DNS records. The TXT record specifies IP address or other
identity of a host's SG, and possibly supplies its public
key as well, while the KEY record supplies public keys not
found in TXT records.
2.3.1. TXT
Opportunistic-encryption SG discovery uses TXT records with
the content:
X-IPsec-Gateway(nnn)=iii kkk
following RFC 1464 attribute/value notation. Records which
do not contain an ``='', or which do not have exactly the
specified form to the left of it, are ignored. (Near misses
perhaps should be reported.)
The nnn is an unsigned integer which will fit in 16 bits,
specifying an MX-style preference (lower number = stronger
preference) to control the order in which multiple SGs are
tried. If there are ties, pick one, randomly enough that
the choice will probably be different each time. The pref-
erence field is not optional; use ``0'' if there is no mean-
ingful preference ordering.
The iii part identifies the SG. Normally this is a dotted-
decimal IPv4 address or a colon-hex IPv6 address. The sole
exception is if the SG has no fixed address (see 2.4) but
the host(s) behind it do, in which case iii is of the form
``@fqdn'', where fqdn is the FQDN that the SG will use to
identify itself (in step 7 of section 2.2); such a record
Draft 4 3 May 2001 9
Opportunistic Encryption
cannot be used for SG discovery by an Initiator, but can be
used for SG verification (step 11 of 2.2) by a Responder.
The kkk part is optional. If it is present, it is an RSA-
MD5 public key in base-64 notation, as in the text form of
an RFC 2535 KEY record. If it is not present, this speci-
fies that the public key can be found in a KEY record
located based on the SG's identification: if iii is an IP
address, do a reverse lookup on that address, else do a for-
ward lookup on the FQDN.
Rationale: While it is unusual for a reverse lookup to go
for records other than PTR records (or possibly CNAME
records, for RFC 2317 classless delegation), there's no rea-
son why it can't. The TXT record is a temporary stand-in
for (we hope, someday) a new DNS record for SG identifica-
tion and keying. Keeping the setup process fast requires
minimizing the number of DNS lookups, hence the desire to
put all the information in one place.
Rationale: The use of RFC 1464 notation avoids collisions
with other uses of TXT records. The ``X-'' in the attribute
name indicates that this format is tentative and experimen-
tal; this design will probably need modification after ini-
tial experiments. The format is chosen with an eye on even-
tual binary encoding. Note, in particular, that the TXT
record normally contains the address of the SG, not (repeat,
not) its name. Name-to-address conversion is the job of
whatever generates the TXT record, which is expected to be a
program, not a human--this is conceptually a binary record,
temporarily using a text encoding. The ``@fqdn'' form of
the SG identity is for specialized uses and is never mapped
to an address.
Ahem: A DNS TXT record contains one or more character
strings, but RFC 1035 does not describe exactly how a multi-
string TXT record is interpreted. This is relevant because
a string can be at most 255 characters, and public keys can
exceed this. Empirically, the standard pattern is that each
string which is both less than 255 characters and not the
final string of the record should have a blank appended to
it, and the strings of the record should then be concate-
nated. (This observation is based on how BIND 8 transforms
a TXT record from text to DNS binary.)
2.3.2. KEY
An opportunistic-encryption KEY record is an Authentication-
permitted, Entity (host), non-Signatory, IPsec, RSA/MD5
record (that is, its first four bytes are 0x42000401), as
per RFCs 2535 and 2537. KEY records with other flags, pro-
tocol, or algorithm values are ignored.
Draft 4 3 May 2001 10
Opportunistic Encryption
Rationale: Unfortunately, the public key has to be associ-
ated with the SG, not the client host behind it. The
Responder does not know which client it is supposed to be
representing, or which client the Initiator is representing,
until far too late.
Ahem: Per-client keys would reduce vulnerability to key com-
promise, and simplify key changes, but they would require
changes to IKE Phase 1, to separately identify the SG and
its initial client(s). (At present, the client identities
are not known to the Responder until IKE Phase 2.) While
the current IKE standard does not actually specify (!) who
is being identified by identity payloads, the overwhelming
consensus is that they identify the SG, and as seen earlier,
this has important uses.
2.3.3. Summary
For reference, the minimum set of DNS records needed to make
this all work is either:
1. TXT in Destination reverse map, identifying Responder
and providing public key.
2. KEY in Initiator reverse map, providing public key.
3. TXT in Source reverse map, verifying relationship to
Initiator.
or:
1. TXT in Destination reverse map, identifying Responder.
2. KEY in Responder reverse map, providing public key.
3. KEY in Initiator reverse map, providing public key.
4. TXT in Source reverse map, verifying relationship to
Initiator.
Slight complications ensue for dynamic addresses, lack of
control over reverse maps, etc.
2.3.4. Implementation
In the long run, we need either a tree of trust or a web of
trust, so we can trust our DNS data. The obvious approach
for DNS is a tree of trust, but there are various practical
problems with running all of this through the root servers,
and a web of trust is arguably more robust anyway. This is
logically independent of opportunistic encryption, and a
separate design proposal will be prepared.
Draft 4 3 May 2001 11
Opportunistic Encryption
Interim stages of implementation of this will require a bit
of thought. Notably, we need some way of dealing with the
lack of fully signed DNSSEC records right away. Without
user interaction, probably the best we can do is to remember
the results of old fetches, compare them to the results of
new fetches, and complain and disbelieve all of it if
there's a mismatch. This does mean that somebody who gets
fake data into our very first fetch will fool us, at least
for a while, but that seems an acceptable tradeoff. (Obvi-
ously there needs to be a way to manually flush the remem-
bered results for a specific host, to permit deliberate
changes.)
2.4. Responders Without Credentials
In cases where the Destination simply does not control its
DNS reverse-map entries, there is no verifiable way to
determine a suitable SG. This does not make communication
utterly impossible, though.
Simply attempting negotiation directly with the host is a
last resort. (An aggressive implementation might wish to
attempt it in parallel, rather than waiting until other
options are known to be unavailable.) In particular, in
many cases involving dynamic addresses, it will work. It
has the disadvantage of delaying the discovery that oppor-
tunistic encryption is entirely impossible, but the case
seems common enough to justify the overhead.
However, there are policy issues here either way, because it
is possible to impersonate such a host. The host can supply
an FQDN identity and verify its right to use that identity,
but except by prearrangement, there is no way to verify that
the FQDN is the right one for that IP address. (The data
from forward lookups may be controlled by people who do not
own the address, so it cannot be trusted.) The encryption
is still solid, though, so in many cases this may be useful.
2.5. Failure of Opportunism
When there is no way to do opportunistic encryption, a pol-
icy issue arises: whether to put in a bypass (which allows
plaintext traffic through) or a block (which discards it,
perhaps with notification back to the sender). The choice
is very much a matter of local policy, and may depend on
details such as the higher-level protocol being used. For
example, an SG might well permit plaintext HTTP but forbid
plaintext Telnet, in which case both a block and a bypass
would be set up if opportunistic encryption failed.
A bypass/block must, in practice, be treated much like an
IPsec tunnel. It should persist for a while, so that high-
overhead processing doesn't have to be done for every
packet, but should go away eventually to return resources.
Draft 4 3 May 2001 12
Opportunistic Encryption
It may be simplest to treat it as a degenerate tunnel. It
should have a relatively long lifetime (say 6h) to keep the
frequency of negotiation attempts down, except in the case
where the other SG simply did not respond to IKE packets,
where the lifetime should be short (say 10min) because the
other SG is presumably down and might come back up again.
(Cases where the other SG responded to IKE with unauthenti-
cated error reports like ``port unreachable'' are border-
line, and might deserve to be treated as an intermediate
case: while such reports cannot be trusted unreservedly, in
the absence of any other response, they do give some reason
to suspect that the other SG is unable or unwilling to par-
ticipate in opportunistic encryption.)
As noted in section 2.1, one might think that arrival of a
plaintext incoming packet should cause a bypass/block to be
set up for its source host: such a packet is almost always
followed by an outgoing reply packet; the incoming packet is
clear evidence that opportunistic encryption is not avail-
able at the other end; attempting it will waste resources
and delay traffic to no good purpose. Unfortunately, this
means that anyone out on the Internet who can forge a source
address can prevent encrypted communication! Since their
source addresses are not authenticated, plaintext packets
cannot be taken as evidence of anything, except perhaps that
communication from that host is likely to occur soon.
There needs to be a way for local administrators to remove a
bypass/block ahead of its normal expiry time, to force a
retry after a problem at the other end is known to have been
fixed.
2.6. Subnet Opportunism
In principle, when the Source or Destination host belongs to
a subnet and the corresponding SG is willing to provide tun-
nels to the whole subnet, this should be done. There is no
extra overhead, and considerable potential for avoiding
later overhead if similar communication occurs with other
members of the subnet. Unfortunately, at the moment, oppor-
tunistic tunnels can only have degenerate subnets (single
hosts) at their ends. (This does, at least, set up the key-
ing channel, so that negotiations for tunnels to other hosts
in the same subnets will be considerably faster.)
The crucial problem is step 11 of section 2.2: the Responder
must verify that the Initiator is authorized to represent
the Source, and this is impossible for a subnet because
there is no way to do a reverse lookup on it. Information
in DNS records for a name or a single address cannot be
trusted, because they may be controlled by people who do not
control the whole subnet.
Draft 4 3 May 2001 13
Opportunistic Encryption
Ahem: Except in the special case of a subnet masked on a
byte boundary (in which case RFC 1035's convention of an
incomplete in-addr.arpa name could be used), subnet lookup
would need extensions to the reverse-map name space, perhaps
along the lines of that commonly done for RFC 2317 delega-
tion. IPv6 already has suitable name syntax, as in RFC
2874, but has no specific provisions for subnet entries in
its reverse maps. Fixing all this is is not conceptually
difficult, but is logically independent of opportunistic
encryption, and will be proposed separately.
A less-troublesome problem is that the Initiator, in step 10
of 2.2, must know exactly what subnet is present on the
Responder's end so he can propose a tunnel to it. This
information could be included in the TXT record of the Des-
tination (it would have to be verified with a subnet lookup,
but that could be done in parallel with other operations).
The Initiator presumably can be configured to know what sub-
net(s) are present on its end.
2.7. Option Settings
IPsec and IKE have far too many useless options, and a few
useful ones. IKE negotiation is quite simplistic, and can-
not handle even simple discrepancies between the two SGs.
So it is necessary to be quite specific about what should be
done and what should be proposed, to guarantee interoper-
ability without prearrangement or other negotiation proto-
cols.
Rationale: The prohibition of other negotiations is simply
because there is no time. The setup algorithm (section 2.2)
is lengthy already.
[Open question: should opportunistic IKE use a different
port than normal IKE?]
Somewhat arbitrarily and tentatively, opportunistic SGs must
support Main Mode, Oakley group 5 for D-H, 3DES encryption
and MD5 authentication for both ISAKMP and IPsec SAs,
RSA/MD5 digital-signature authentication with keys between
2048 and 8192 bits, and ESP doing both encryption and
authentication. They must do key PFS in Quick Mode, but not
identity PFS. They may support IPComp, preferably using
Deflate, but must not insist on it. They may support AES as
an alternative to 3DES, but must not insist on it.
Rationale: Identity PFS essentially requires establishing a
complete new keying channel for each new tunnel, but key PFS
just does a new Diffie-Hellman exchange for each rekeying,
which is relatively cheap.
Keying channels must remain in existence at least as long as
any tunnel created with them remains (they are not costly,
Draft 4 3 May 2001 14
Opportunistic Encryption
and keeping the management path up and available simplifies
various issues). See section 3.1 for related issues. Given
the use of key PFS, frequent rekeying does not seem critical
here. In the absence of strong reason to do otherwise, the
Initiator should propose rekeying at 8hr-or-1MB. The
Responder must accept any proposal which specifies a rekey-
ing time between 1hr and 24hr inclusive and a rekeying vol-
ume between 100KB and 10MB inclusive.
Given the short expected useful life of most tunnels (see
section 3.1), very few of them will survive long enough to
be rekeyed. In the absence of strong reason to do other-
wise, the Initiator should propose rekeying at 1hr-or-100MB.
The Responder must accept any proposal which specifies a
rekeying time between 10min and 8hr inclusive and a rekeying
volume between 1MB and 1000MB inclusive.
It is highly desirable to add some random jitter to the
times of actual rekeying attempts, to break up ``convoys''
of rekeying events; this and certain other aspects of robust
rekeying practice will be the subject of a separate design
proposal.
Rationale: The numbers used here for rekeying intervals are
chosen quite arbitrarily and should be re-assessed after
some implementation experience is gathered.
3. Renewal and Teardown
3.1. Aging
When to tear tunnels down is a bit problematic, but if we're
setting up a potentially unbounded number of them, we have
to tear them down somehow sometime.
Set a short initial tentative lifespan, say 1min, since most
net flows in fact last only a few seconds. When that
expires, look to see if the tunnel is still in use (defini-
tion: has had traffic, in either direction, in the last half
of the tentative lifespan). If so, assign it a somewhat
longer tentative lifespan, say 20min, after which, look
again. If not, close it down. (This tentative lifespan is
independent of rekeying; it is just the time when the tun-
nel's future is next considered. This should happen reason-
ably frequently, unlike rekeying, which is costly and
shouldn't be too frequent.) Multi-step backoff algorithms
are not worth the trouble; looking every 20min doesn't seem
onerous.
If the security gateway and the client host are one and the
same, tunnel teardown decisions might wish to pay attention
to TCP connection status, as reported by the local TCP
layer. A still-open TCP connection is almost a guarantee
that more traffic is coming, while the demise of the only
Draft 4 3 May 2001 15
Opportunistic Encryption
TCP connection through a tunnel is a strong hint that none
is. If the SG and the client host are separate machines,
though, tracking TCP connection status requires packet
snooping, which is complicated and probably not worthwhile.
IKE keying channels likewise are torn down when it appears
the need has passed. They always linger longer than the
last tunnel they administer, in case they are needed again;
the cost of retaining them is low. Other than that, unless
the number of keying channels on the SG gets large, the SG
should simply retain all of them until rekeying time, since
rekeying is the only costly event. When about to rekey a
keying channel which has no current tunnels, note when the
last actual keying-channel traffic occurred, and close the
keying channel down if it wasn't in the last, say, 30min.
When rekeying a keying channel (or perhaps shortly before
rekeying is expected), Initiator and Responder should re-
fetch the public keys used for SG authentication, against
the possibility that they have changed or disappeared.
See section 2.7 for discussion of rekeying intervals.
Given the low user impact of tearing down and rebuilding a
connection (a tunnel or a keying channel), rekeying attempts
should not be too persistent: one can always just rebuild
when needed, so heroic efforts to preserve an existing con-
nection are unnecessary. Say, try every 10s for a minute
and every minute for 5min, and then give up and declare the
connection (and all other connections to that IKE peer)
dead.
Rationale: In future, more sophisticated, versions of this
protocol, examining the initial packet might permit a more
intelligent guess at the tunnel's useful life. HTTP connec-
tions in particular are notoriously bursty and repetitive.
Rationale: Note that rekeying a keying connection basically
consists of building a new keying connection from scratch,
using IKE Phase 1, and abandoning the old one.
3.2. Teardown and Cleanup
Teardown should always be coordinated with the other end.
This means interpreting and sending Delete notifications.
On receiving a Delete for the outbound SAs of a tunnel (or
some subset of them), tear down the inbound ones too, and
notify the other end with a Delete. Tunnels need to be con-
sidered as bidirectional entities, even though the low-level
protocols don't think of them that way.
When the deletion is initiated locally, rather than as a
response to a received Delete, send a Delete for (all) the
inbound SAs of a tunnel. If no responding Delete is
Draft 4 3 May 2001 16
Opportunistic Encryption
received for the outbound SAs, try re-sending the original
Delete. Three tries spaced 10s apart seems a reasonable
level of effort. (Indefinite persistence is not necessary;
whether the other end isn't cooperating because it doesn't
feel like it, or because it is down/disconnected/etc., the
problem will eventually be cleared up by other means.)
After rekeying, transmission should switch to using the new
SAs (ISAKMP or IPsec) immediately, and the old leftover SAs
should be cleared out promptly (and Deletes sent) rather
than waiting for them to expire. This reduces clutter and
minimizes confusion.
Since there is only one keying channel per remote IP
address, the question of whether a Delete notification has
appeared on a ``suitable'' keying channel does not arise.
Rationale: The pairing of Delete notifications effectively
constitutes an acknowledged Delete, which is highly desir-
able.
3.3. Outages and Reboots
Tunnels sometimes go down because the other end crashes, or
disconnects, or has a network link break, and there is no
notice of this in the general case. (Even in the event of a
crash and successful reboot, other SGs don't hear about it
unless the rebooted SG has specific reason to talk to them
immediately.) Over-quick response to temporary network out-
ages is undesirable... but note that a tunnel can be torn
down and then re-established without any user-visible effect
except a pause in traffic, whereas if one end does reboot,
the other end can't get packets to it at all (except via
IKE) until the situation is noticed. So a bias toward quick
response is appropriate, even at the cost of occasional
false alarms.
Heartbeat mechanisms are somewhat unsatisfactory for this.
Unless they are very frequent, which causes other problems,
they do not detect the problem promptly.
Ahem: What is really wanted is authenticated ICMP. This
might be a case where public-key encryption/authentication
of network packets is the right thing to do, despite the
expense.
In the absence of that, a two-part approach seems warranted.
First, when an SG receives an IPsec packet that is addressed
to it, and otherwise appears healthy, but specifies an
unknown SA and is from a host that the receiver currently
has no keying channel to, the receiver must attempt to
inform the sender via an IKE Initial-Contact notification
(necessarily sent in plaintext, since there is no suitable
Draft 4 3 May 2001 17
Opportunistic Encryption
keying channel). This must be severely rate-limited on both
ends; one notification per SG pair per minute seems ample.
Second, there is an obvious difficulty with this: the Ini-
tial-Contact notification is unauthenticated and cannot be
trusted. So it must be taken as a hint only: there must be
a way to confirm it.
What is needed here is something that's desirable for debug-
ging and testing anyway: an IKE-level ping mechanism. Ping-
ing direct at the IP level instead will not tell us about a
crash/reboot event. Sending pings through tunnels has vari-
ous complications (they should stop at the far mouth of the
tunnel instead of going on to a subnet; they should not
count against idle timers; etc.). What is needed is a con-
tinuity check on a keying channel. (This could also be used
as a heartbeat, should that seem useful.)
IKE Ping delivery need not be reliable, since the whole
point of a ping is simply to provoke an acknowledgement.
They should preferably be authenticated, but it is not clear
that this is absolutely necessary, although if they are not
they need encryption plus a timestamp or a nonce, to foil
replay mischief. How they are implemented is a secondary
issue, and a separate design proposal will be prepared.
Ahem: Some existing implementations are already using (pri-
vate) notify value 30000 (``LIKE_HELLO'') as ping and (pri-
vate) notify value 30002 (``SHUT_UP'') as ping reply.
If an IKE Ping gets no response, try some (say 8) IP pings,
spaced a few seconds apart, to check IP connectivity; if one
comes back, try another IKE Ping; if that gets no response,
the other end probably has rebooted, or otherwise been re-
initialized, and its tunnels and keying channel(s) should be
torn down.
In a similar vein, giving limited rekeying persistence, a
short network outage could take some tunnels down without
disrupting others. On receiving a packet for an unknown SA
from a host that a keying channel is currently open to, send
that host a Invalid-SPI notification for that SA. The other
host can then tear down the half-torn-down tunnel, and nego-
tiate a new tunnel for the traffic it presumably still wants
to send.
Finally, it would be helpful if SGs made some attempt to
deal intelligently with crashes and reboots. A deliberate
shutdown should include an attempt to notify all other SGs
currently connected by keying channels, using Deletes, that
communication is about to fail. (Again, these will be taken
as teardowns; attempts by the other SGs to negotiate new
tunnels as replacements should be ignored at this point.)
And when possible, SGs should attempt to preserve
Draft 4 3 May 2001 18
Opportunistic Encryption
information about currently-connected SGs in non-volatile
storage, so that after a crash, an Initial-Contact can be
sent to previous partners to indicate loss of all previ-
ously-established connections.
4. Conclusions
This design appears to achieve the objective of setting up
encryption with strangers. The authentication aspects also
seem adequately addressed if the destination controls its
reverse-map DNS entries and the DNS data itself can be reli-
ably authenticated as having originated from the legitimate
administrators of that subnet/FQDN. The authentication sit-
uation is less satisfactory when DNS is less helpful, but it
is difficult to see what else could be done about it.
5. References
[TBW]
6. Appendix: Separate Design Proposals TBW
o How can we build a web of trust with DNSSEC? (See sec-
tion 2.3.4.)
o How can we extend DNS reverse lookups to permit reverse
lookup on a subnet? (Both address and mask must appear
in the name to be looked up.) (See section 2.6.)
o How can rekeying be done as robustly as possible? (At
least partly, this is just documenting current FreeS/WAN
practice.) (See section 2.7.)
o How should IKE Pings be implemented? (See section 3.3.)
Draft 4 3 May 2001 19
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
cb04c52ccedb52ab907eaca84d718eba
>
files
>
57
