SlideShare a Scribd company logo

Better IPSec Security Association Resolution - Netconf 2006 Tokyo

J
James Morris

This document discusses improving IPsec security association resolution. It outlines problems with the current approach, where applications often get errors when no SA exists. The proposed solution is to have connect(), sendmsg(), and other calls return status to indicate resolution is in progress, and queue or retry packets as needed. Ongoing work includes handling all use cases and determining the full scope of the problem to address. Key challenges include different needs for opportunistic encryption versus large scale deployments.

Technology
1 of 9
Download to read offline
1
2
3
4
5
6
7
8
9
Better IPSec Security Association Resolution Netconf 2006 Tokyo James Morris jmorris@namei.org    
Problem a) Outbound packet b) Security policy db entry match c) No security association in kernel ● Most of the time, we return EAGAIN to app or drop packet if forwarding. ● We kick the key manager, and usually have an SA available for next packet.    
Problem... ● It actually kind of works for one case: blocking sendmsg() of datagrams. ● Process is scheduled in a loop until SA resolved. See xfrm_lookup(). ● Does not work for connect(2), so ping and many UDP apps just get EAGAIN.    
Solution ● General solution for all protocols and contexts: – connect(2) – sendmsg(2) – forwarding path (tunnel endpoint) – various kernel-generated packets – blocking and non-blocking modes    
Solution... ● Ideally, we'd like connect(2) to follow Posix semantics, for non-blocking this is: – Return EINPROGESS first – Return EALREADY until SA resolved ● For non-blocking sockets in general, it'd be nice to make sure poll(2) works as expected. – even for datagram protocols, as IPSec adds a kind of session underneath.    
Solution... ● sendmsg(2) should return EAGAIN for non- blocking case ● For tunnel end point, we probably need to queue packets in a resolution queue. ● This may also be useful for non-blocking socket case. ● Herbert has suggested larval dst to go with larval SA.    
Status ● Current patch contains a lot of instrumentation and some initial changes: – Make connect(2) work for the blocking case, hooking into ip_route_connect() – Propagate new flags down to xfrm_lookup() to control behavior: ● Kick the key manager? ● Sleep until resolved?    
Ongoing work ● Continue to develop code to handle all cases and protocols ● Probably involve some code consolidation ● Determine how much of the problem to solve    
Issues ● Not clear on all of the use-cases for this: – Opportunistic encryption – Complex/large scale policy where pro-active SA negotiation overhead would be too high – Others?    

More Related Content

PDF
Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers
Pantazis Deligiannis
 
PDF
ITFT_Semaphores and bounded buffer
Sneh Prabha
 
PPT
Synchronization linux
Susant Sahani
 
PDF
120827 JAWS-UG Sapporo7 openswanでvpc
Machie Atarashi
 
PDF
VPNaaS neutron
Narasimha sreeram
 
PDF
IPSec VPN Tutorial Part1
Abdallah Abuouf
 
PDF
SELinux Project Overview - Linux Foundation Japan Symposium 2008
James Morris
 
PDF
The State of Security Enhanced Linux - FOSS.IN/2007
James Morris
 
Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers
Pantazis Deligiannis
 
ITFT_Semaphores and bounded buffer
Sneh Prabha
 
Synchronization linux
Susant Sahani
 
120827 JAWS-UG Sapporo7 openswanでvpc
Machie Atarashi
 
VPNaaS neutron
Narasimha sreeram
 
IPSec VPN Tutorial Part1
Abdallah Abuouf
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
James Morris
 
The State of Security Enhanced Linux - FOSS.IN/2007
James Morris
 

Viewers also liked (8)

PDF
Directions in SELinux Networking
James Morris
 
PDF
VTI の中身
Masakazu Asama
 
PPT
SmartCloud Enterprise: Using a SOCKS Proxy with VLANs
Alex Amies
 
PDF
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
James Morris
 
PDF
Secure and Simple Sandboxing in SELinux
James Morris
 
PDF
SDN in the Management Plane: OpenConfig and Streaming Telemetry
Anees Shaikh
 
ODP
Slug 2009 06 SELinux For Sysadmins
PaulWay
 
ODP
SELinux for Everyday Users
PaulWay
 
Directions in SELinux Networking
James Morris
 
VTI の中身
Masakazu Asama
 
SmartCloud Enterprise: Using a SOCKS Proxy with VLANs
Alex Amies
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
James Morris
 
Secure and Simple Sandboxing in SELinux
James Morris
 
SDN in the Management Plane: OpenConfig and Streaming Telemetry
Anees Shaikh
 
Slug 2009 06 SELinux For Sysadmins
PaulWay
 
SELinux for Everyday Users
PaulWay
 
Ad

Similar to Better IPSec Security Association Resolution - Netconf 2006 Tokyo (20)

PDF
One Year of Porting - Post-mortem of two Linux/SteamOS launches
Leszek Godlewski
 
PDF
Anatomy of neutron from the eagle eyes of troubelshoorters
Sadique Puthen
 
PDF
Single Packet Authorization - Slides English
Leandro Almeida
 
PDF
Layer 7 Firewall on Mikrotik
GLC Networks
 
PPTX
Linux Network Stack
Adrien Mahieux
 
PDF
Fast dynamic analysis, Kostya Serebryany
yaevents
 
PDF
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...
Yandex
 
PDF
cachegrand: A Take on High Performance Caching
ScyllaDB
 
ODP
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
edlangley
 
PDF
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
Roger Zhou 周志强
 
PDF
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
HostedGraphite
 
PDF
Userspace adaptive spinlocks with rseq
Igalia
 
PPTX
Memory model
MingdongLiao
 
PPTX
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
PDF
Performance optimization techniques for Java code
Attila Balazs
 
PDF
pfSense 2.2 Preview - pfSense Hangout November 2014
Netgate
 
PDF
Snap - the universal packaging format for linux distros
Anthony Wong
 
ODP
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Community
 
PDF
BlackHat 2009 - Hacking Zigbee Chips (slides)
Michael Smith
 
PDF
Streaming huge databases using logical decoding
Alexander Shulgin
 
One Year of Porting - Post-mortem of two Linux/SteamOS launches
Leszek Godlewski
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Sadique Puthen
 
Single Packet Authorization - Slides English
Leandro Almeida
 
Layer 7 Firewall on Mikrotik
GLC Networks
 
Linux Network Stack
Adrien Mahieux
 
Fast dynamic analysis, Kostya Serebryany
yaevents
 
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...
Yandex
 
cachegrand: A Take on High Performance Caching
ScyllaDB
 
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
edlangley
 
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
Roger Zhou 周志强
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
HostedGraphite
 
Userspace adaptive spinlocks with rseq
Igalia
 
Memory model
MingdongLiao
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
Performance optimization techniques for Java code
Attila Balazs
 
pfSense 2.2 Preview - pfSense Hangout November 2014
Netgate
 
Snap - the universal packaging format for linux distros
Anthony Wong
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Community
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
Michael Smith
 
Streaming huge databases using logical decoding
Alexander Shulgin
 
Ad

More from James Morris (12)

PDF
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
James Morris
 
PDF
Adding Extended Attribute Support to NFS
James Morris
 
PDF
Linux Kernel Security Overview - KCA 2009
James Morris
 
PDF
sVirt: Hardening Linux Virtualization with Mandatory Access Control
James Morris
 
PDF
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
James Morris
 
PDF
OLPC Networking Overview
James Morris
 
PDF
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
James Morris
 
PDF
Kernel Security for 2.8 - Kernel Summit 2004
James Morris
 
PDF
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
James Morris
 
PDF
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
James Morris
 
PDF
SELinux Kernel Internals and Architecture - FOSS.IN/2005
James Morris
 
PDF
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
James Morris
 
Adding Extended Attribute Support to NFS
James Morris
 
Linux Kernel Security Overview - KCA 2009
James Morris
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
James Morris
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
James Morris
 
OLPC Networking Overview
James Morris
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
James Morris
 
Kernel Security for 2.8 - Kernel Summit 2004
James Morris
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
James Morris
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
James Morris
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
James Morris
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
James Morris
 

Recently uploaded (20)

PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Approach and Philosophy of On baking technology
30anthuong17
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 

Better IPSec Security Association Resolution - Netconf 2006 Tokyo

  • 1. Better IPSec Security Association Resolution Netconf 2006 Tokyo James Morris jmorris@namei.org    
  • 2. Problem a) Outbound packet b) Security policy db entry match c) No security association in kernel ● Most of the time, we return EAGAIN to app or drop packet if forwarding. ● We kick the key manager, and usually have an SA available for next packet.    
  • 3. Problem... ● It actually kind of works for one case: blocking sendmsg() of datagrams. ● Process is scheduled in a loop until SA resolved. See xfrm_lookup(). ● Does not work for connect(2), so ping and many UDP apps just get EAGAIN.    
  • 4. Solution ● General solution for all protocols and contexts: – connect(2) – sendmsg(2) – forwarding path (tunnel endpoint) – various kernel-generated packets – blocking and non-blocking modes    
  • 5. Solution... ● Ideally, we'd like connect(2) to follow Posix semantics, for non-blocking this is: – Return EINPROGESS first – Return EALREADY until SA resolved ● For non-blocking sockets in general, it'd be nice to make sure poll(2) works as expected. – even for datagram protocols, as IPSec adds a kind of session underneath.    
  • 6. Solution... ● sendmsg(2) should return EAGAIN for non- blocking case ● For tunnel end point, we probably need to queue packets in a resolution queue. ● This may also be useful for non-blocking socket case. ● Herbert has suggested larval dst to go with larval SA.    
  • 7. Status ● Current patch contains a lot of instrumentation and some initial changes: – Make connect(2) work for the blocking case, hooking into ip_route_connect() – Propagate new flags down to xfrm_lookup() to control behavior: ● Kick the key manager? ● Sleep until resolved?    
  • 8. Ongoing work ● Continue to develop code to handle all cases and protocols ● Probably involve some code consolidation ● Determine how much of the problem to solve    
  • 9. Issues ● Not clear on all of the use-cases for this: – Opportunistic encryption – Complex/large scale policy where pro-active SA negotiation overhead would be too high – Others?