rfc9611v2.txt | rfc9611.txt | |||
---|---|---|---|---|
skipping to change at line 72 ¶ | skipping to change at line 72 ¶ | |||
include Revised BSD License text as described in Section 4.e of the | include Revised BSD License text as described in Section 4.e of the | |||
Trust Legal Provisions and are provided without warranty as described | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | in the Revised BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction | 1. Introduction | |||
1.1. Requirements Language | 1.1. Requirements Language | |||
1.2. Terminology | 1.2. Terminology | |||
2. Performance Bottlenecks | 2. Performance Bottlenecks | |||
3. Negotiation of CPU-Specific Child SAs | 3. Negotiation of Resource-Specific Child SAs | |||
4. Implementation Considerations | 4. Implementation Considerations | |||
5. Payload Format | 5. Payload Format | |||
5.1. SA_RESOURCE_INFO Notify Message Status Type Payload | 5.1. SA_RESOURCE_INFO Notify Message Status Type Payload | |||
5.2. TS_MAX_QUEUE Notify Message Error Type Payload | 5.2. TS_MAX_QUEUE Notify Message Error Type Payload | |||
6. Operational Considerations | 6. Operational Considerations | |||
7. Security Considerations | 7. Security Considerations | |||
8. IANA Considerations | 8. IANA Considerations | |||
9. References | 9. References | |||
9.1. Normative References | 9.1. Normative References | |||
9.2. Informative References | 9.2. Informative References | |||
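Review bot: the Table of Contents entry for Section 3 now reads "Negotiation of Resource-Specific Child SAs", which matches the renamed section heading, but the new term is not carried through the rest of the diffed text: the Security Considerations block later in this diff still says "per-CPU Child SAs" three times. If the rename is meant to generalize the mechanism from CPUs to arbitrary hardware resources, the Section 7 wording should say "per-resource Child SAs" (keeping the CPU as the example); otherwise the TOC and the normative guidance disagree about what the mechanism covers.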
skipping to change at line 152 ¶ | skipping to change at line 152 ¶ | |||
restrict a Child Security Association (SA) to a single specific | restrict a Child Security Association (SA) to a single specific | |||
hardware resource. A primary limitation arises from the challenges | hardware resource. A primary limitation arises from the challenges | |||
associated with sharing cryptographic states, counters, and sequence | associated with sharing cryptographic states, counters, and sequence | |||
numbers among multiple CPUs. When these CPUs attempt to | numbers among multiple CPUs. When these CPUs attempt to | |||
simultaneously utilize shared states, it becomes impractical to do so | simultaneously utilize shared states, it becomes impractical to do so | |||
without incurring a significant performance penalty. It is necessary | without incurring a significant performance penalty. It is necessary | |||
to negotiate and establish multiple Child SAs with identical Traffic | to negotiate and establish multiple Child SAs with identical Traffic | |||
Selector initiator (TSi) and Traffic Selector responder (TSr) on a | Selector initiator (TSi) and Traffic Selector responder (TSr) on a | |||
per-resource basis. | per-resource basis. | |||
3. Negotiation of CPU-Specific Child SAs | 3. Negotiation of Resource-Specific Child SAs | |||
An initial IKEv2 exchange is used to set up an IKE SA and the initial | An initial IKEv2 exchange is used to set up an IKE SA and the initial | |||
Child SA. If multiple Child SAs with the same Traffic Selectors that | Child SA. If multiple Child SAs with the same Traffic Selectors that | |||
are bound to a single resource are desired, the initiator will add | are bound to a single resource are desired, the initiator will add | |||
the SA_RESOURCE_INFO notify payload to the Exchange negotiating the | the SA_RESOURCE_INFO notify payload to the Exchange negotiating the | |||
Child SA (e.g., IKE_AUTH or CREATE_CHILD_SA). If this initial Child | Child SA (e.g., IKE_AUTH or CREATE_CHILD_SA). If this initial Child | |||
SA will be tied to a specific resource, it MAY indicate this by | SA will be tied to a specific resource, it MAY indicate this by | |||
including an identifier in the Notification Data. A responder that | including an identifier in the Notification Data. A responder that | |||
is willing to have multiple Child SAs for the same Traffic Selectors | is willing to have multiple Child SAs for the same Traffic Selectors | |||
will respond by also adding the SA_RESOURCE_INFO notify payload in | will respond by also adding the SA_RESOURCE_INFO notify payload in | |||
which it MAY add a non-zero Notify Data. | which it MAY add a non-zero Notification Data. | |||
Additional resource-specific Child SAs are negotiated as regular | Additional resource-specific Child SAs are negotiated as regular | |||
Child SAs using the CREATE_CHILD_SA exchange and are similarly | Child SAs using the CREATE_CHILD_SA exchange and are similarly | |||
identified by an accompanying SA_RESOURCE_INFO notification. | identified by an accompanying SA_RESOURCE_INFO notification. | |||
Upon installation, each resource-specific Child SA is associated with | Upon installation, each resource-specific Child SA is associated with | |||
an additional local selector, such as the CPU. These resource- | an additional local selector, such as the CPU. These resource- | |||
specific Child SAs MUST be negotiated with identical Child SA | specific Child SAs MUST be negotiated with identical Child SA | |||
properties that were negotiated for the initial Child SA. This | properties that were negotiated for the initial Child SA. This | |||
includes cryptographic algorithms, Traffic Selectors, Mode (e.g., | includes cryptographic algorithms, Traffic Selectors, Mode (e.g., | |||
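Review bot: replacing "Notify Data" with "Notification Data" in the responder sentence is the right fix, since the initiator sentence two lines earlier already uses "Notification Data"; what remains ambiguous is "a non-zero Notification Data", which can be read either as non-empty data or as a numeric identifier whose value is not 0. Section 7 describes the same field as "an optional data payload", so non-empty appears to be the intent. Suggest "in which it MAY include a non-empty Notification Data", or state explicitly that a zero-length Notification Data is how a peer declines to identify the resource, so that implementers do not reject a responder that legitimately sends an identifier of 0.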
skipping to change at line 373 ¶ | skipping to change at line 373 ¶ | |||
administrator has a trust relationship with the peer's administrator | administrator has a trust relationship with the peer's administrator | |||
and abuse is unlikely and easily escalated to resolve. | and abuse is unlikely and easily escalated to resolve. | |||
This trust relationship is usually not present for the deployments of | This trust relationship is usually not present for the deployments of | |||
remote access VPNs, and allowing per-CPU Child SAs is NOT RECOMMENDED | remote access VPNs, and allowing per-CPU Child SAs is NOT RECOMMENDED | |||
in these scenarios. Therefore, it is also NOT RECOMMENDED to allow | in these scenarios. Therefore, it is also NOT RECOMMENDED to allow | |||
per-CPU Child SAs by default. | per-CPU Child SAs by default. | |||
The SA_RESOURCE_INFO notify contains an optional data payload that | The SA_RESOURCE_INFO notify contains an optional data payload that | |||
can be used by the peer to identify the Child SA belonging to a | can be used by the peer to identify the Child SA belonging to a | |||
specific resource. The notify data SHOULD NOT be an identifier that | specific resource. Notification data SHOULD NOT be an identifier | |||
can be used to gain information about the hardware. For example, | that can be used to gain information about the hardware. For | |||
using the CPU number itself as the identifier might give an attacker | example, using the CPU number itself as the identifier might give an | |||
knowledge of which packets are handled by which CPU ID, and it might | attacker knowledge of which packets are handled by which CPU ID, and | |||
optimize a brute-force attack against the system. | it might optimize a brute-force attack against the system. | |||
8. IANA Considerations | 8. IANA Considerations | |||
IANA has registered one new value in the "IKEv2 Notify Message Status | IANA has registered one new value in the "IKEv2 Notify Message Status | |||
Types" registry. | Types" registry. | |||
+=======+============================+===========+ | +=======+============================+===========+ | |||
| Value | Notify Message Status Type | Reference | | | Value | Notify Message Status Type | Reference | | |||
+=======+============================+===========+ | +=======+============================+===========+ | |||
| 16444 | SA_RESOURCE_INFO | RFC 9611 | | | 16444 | SA_RESOURCE_INFO | RFC 9611 | | |||
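Review bot: the reworded sentence "Notification data SHOULD NOT be an identifier that can be used to gain information about the hardware" now matches the "Notification Data" term used in Section 3, but two lines above it the same field is still called "an optional data payload", and the preceding paragraph says "per-CPU Child SAs" while the section that defines the mechanism was renamed to "Resource-Specific". Suggest "an optional Notification Data" in the first sentence and "per-resource Child SAs" in the NOT RECOMMENDED guidance so that one term names the field and one term names the SA type throughout. It would also help implementers if the CPU-number example were followed by what to send instead, for example an opaque locally chosen index or random value that the sender maps to the resource itself, since the text currently states only the prohibition.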
End of changes. 4 change blocks. | ||||
8 lines changed or deleted | 8 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |