| rfc9611v2.txt | rfc9611.txt | |||
|---|---|---|---|---|
| skipping to change at line 72 ¶ | skipping to change at line 72 ¶ | |||
| include Revised BSD License text as described in Section 4.e of the | include Revised BSD License text as described in Section 4.e of the | |||
| Trust Legal Provisions and are provided without warranty as described | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction | 1. Introduction | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| 1.2. Terminology | 1.2. Terminology | |||
| 2. Performance Bottlenecks | 2. Performance Bottlenecks | |||
| 3. Negotiation of CPU-Specific Child SAs | 3. Negotiation of Resource-Specific Child SAs | |||
| 4. Implementation Considerations | 4. Implementation Considerations | |||
| 5. Payload Format | 5. Payload Format | |||
| 5.1. SA_RESOURCE_INFO Notify Message Status Type Payload | 5.1. SA_RESOURCE_INFO Notify Message Status Type Payload | |||
| 5.2. TS_MAX_QUEUE Notify Message Error Type Payload | 5.2. TS_MAX_QUEUE Notify Message Error Type Payload | |||
| 6. Operational Considerations | 6. Operational Considerations | |||
| 7. Security Considerations | 7. Security Considerations | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| 9.2. Informative References | 9.2. Informative References | |||
| skipping to change at line 152 ¶ | skipping to change at line 152 ¶ | |||
| restrict a Child Security Association (SA) to a single specific | restrict a Child Security Association (SA) to a single specific | |||
| hardware resource. A primary limitation arises from the challenges | hardware resource. A primary limitation arises from the challenges | |||
| associated with sharing cryptographic states, counters, and sequence | associated with sharing cryptographic states, counters, and sequence | |||
| numbers among multiple CPUs. When these CPUs attempt to | numbers among multiple CPUs. When these CPUs attempt to | |||
| simultaneously utilize shared states, it becomes impractical to do so | simultaneously utilize shared states, it becomes impractical to do so | |||
| without incurring a significant performance penalty. It is necessary | without incurring a significant performance penalty. It is necessary | |||
| to negotiate and establish multiple Child SAs with identical Traffic | to negotiate and establish multiple Child SAs with identical Traffic | |||
| Selector initiator (TSi) and Traffic Selector responder (TSr) on a | Selector initiator (TSi) and Traffic Selector responder (TSr) on a | |||
| per-resource basis. | per-resource basis. | |||
| 3. Negotiation of CPU-Specific Child SAs | 3. Negotiation of Resource-Specific Child SAs | |||
| An initial IKEv2 exchange is used to set up an IKE SA and the initial | An initial IKEv2 exchange is used to set up an IKE SA and the initial | |||
| Child SA. If multiple Child SAs with the same Traffic Selectors that | Child SA. If multiple Child SAs with the same Traffic Selectors that | |||
| are bound to a single resource are desired, the initiator will add | are bound to a single resource are desired, the initiator will add | |||
| the SA_RESOURCE_INFO notify payload to the Exchange negotiating the | the SA_RESOURCE_INFO notify payload to the Exchange negotiating the | |||
| Child SA (e.g., IKE_AUTH or CREATE_CHILD_SA). If this initial Child | Child SA (e.g., IKE_AUTH or CREATE_CHILD_SA). If this initial Child | |||
| SA will be tied to a specific resource, it MAY indicate this by | SA will be tied to a specific resource, it MAY indicate this by | |||
| including an identifier in the Notification Data. A responder that | including an identifier in the Notification Data. A responder that | |||
| is willing to have multiple Child SAs for the same Traffic Selectors | is willing to have multiple Child SAs for the same Traffic Selectors | |||
| will respond by also adding the SA_RESOURCE_INFO notify payload in | will respond by also adding the SA_RESOURCE_INFO notify payload in | |||
| which it MAY add a non-zero Notify Data. | which it MAY add a non-zero Notification Data. | |||
| Additional resource-specific Child SAs are negotiated as regular | Additional resource-specific Child SAs are negotiated as regular | |||
| Child SAs using the CREATE_CHILD_SA exchange and are similarly | Child SAs using the CREATE_CHILD_SA exchange and are similarly | |||
| identified by an accompanying SA_RESOURCE_INFO notification. | identified by an accompanying SA_RESOURCE_INFO notification. | |||
| Upon installation, each resource-specific Child SA is associated with | Upon installation, each resource-specific Child SA is associated with | |||
| an additional local selector, such as the CPU. These resource- | an additional local selector, such as the CPU. These resource- | |||
| specific Child SAs MUST be negotiated with identical Child SA | specific Child SAs MUST be negotiated with identical Child SA | |||
| properties that were negotiated for the initial Child SA. This | properties that were negotiated for the initial Child SA. This | |||
| includes cryptographic algorithms, Traffic Selectors, Mode (e.g., | includes cryptographic algorithms, Traffic Selectors, Mode (e.g., | |||
| skipping to change at line 373 ¶ | skipping to change at line 373 ¶ | |||
| administrator has a trust relationship with the peer's administrator | administrator has a trust relationship with the peer's administrator | |||
| and abuse is unlikely and easily escalated to resolve. | and abuse is unlikely and easily escalated to resolve. | |||
| This trust relationship is usually not present for the deployments of | This trust relationship is usually not present for the deployments of | |||
| remote access VPNs, and allowing per-CPU Child SAs is NOT RECOMMENDED | remote access VPNs, and allowing per-CPU Child SAs is NOT RECOMMENDED | |||
| in these scenarios. Therefore, it is also NOT RECOMMENDED to allow | in these scenarios. Therefore, it is also NOT RECOMMENDED to allow | |||
| per-CPU Child SAs by default. | per-CPU Child SAs by default. | |||
| The SA_RESOURCE_INFO notify contains an optional data payload that | The SA_RESOURCE_INFO notify contains an optional data payload that | |||
| can be used by the peer to identify the Child SA belonging to a | can be used by the peer to identify the Child SA belonging to a | |||
| specific resource. The notify data SHOULD NOT be an identifier that | specific resource. Notification data SHOULD NOT be an identifier | |||
| can be used to gain information about the hardware. For example, | that can be used to gain information about the hardware. For | |||
| using the CPU number itself as the identifier might give an attacker | example, using the CPU number itself as the identifier might give an | |||
| knowledge of which packets are handled by which CPU ID, and it might | attacker knowledge of which packets are handled by which CPU ID, and | |||
| optimize a brute-force attack against the system. | it might optimize a brute-force attack against the system. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| IANA has registered one new value in the "IKEv2 Notify Message Status | IANA has registered one new value in the "IKEv2 Notify Message Status | |||
| Types" registry. | Types" registry. | |||
| +=======+============================+===========+ | +=======+============================+===========+ | |||
| | Value | Notify Message Status Type | Reference | | | Value | Notify Message Status Type | Reference | | |||
| +=======+============================+===========+ | +=======+============================+===========+ | |||
| | 16444 | SA_RESOURCE_INFO | RFC 9611 | | | 16444 | SA_RESOURCE_INFO | RFC 9611 | | |||
| End of changes. 4 change blocks. | ||||
| 8 lines changed or deleted | 8 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||