Known issues with Opportunistic Encryption Claudia Schmeing ------------------------------------------ This is an overview of known issues with OE. This document supplements: FreeS/WAN Quickstart Guide doc/quickstart.html Opportunism HOWTO doc/opportunism.howto Opportunism spec doc/opportunism.spec Internet Draft doc/draft-richardson-ipsec-opportunistic.txt * Use the most recent Linux FreeS/WAN 2.x release from ftp.xs4all.nl to try OE. DESIGN LIMITATIONS * Because Opportunistic Encryption relies on DNS: - to authenticate one FreeS/WAN to another, and - to prove that we have the right to protect traffic for a given IP, this authentication/authorization is only as strong as your DNS is secure. Without secure DNS, OE protects against passive snooping only. Because the public key and gateway information that FreeS/WAN gets from DNS is not authenticated, a man-in-the-middle attack is still possible. We hope that as DNSsec is widely adopted, OE with strong authentication will become more widespread. However, our software does not yet distinguish between strongly and weakly authenticated OE. This information might be useful for defining local security policy. * Denial of service attacks are possible against OE. If you rely on OE rather than VPN to connect several offices, a determined attacker could prevent you from communicating securely. * OE challenges the notion that all IPsec peers are "friends". With OE, strangers can potentially tunnel IPsec packets _through_ your defenses against cleartext packets. This may call for a re-visit to firewall policy. * FreeS/WAN only creates OE connections when it traps an outgoing packet. Since most traffic is two-way, for most traffic, FreeS/WAN 2.x may soon trap an outgoing packet and create an IPsec connection to protect both incoming and outgoing traffic. However, if a local FreeS/WAN box accepts inbound traffic from a remote peer but generates no outbound traffic in response, the local FreeS/WAN will not attempt to initiate OE. Of course, the peer may also initiate OE upon trapping its own outbound traffic. * OE is only as reliable as your DNS is. If your DNS service is flaky, you will not be able to reliably establish OE connections to known OE-capable peers. If you ping a peer, but your FreeS/WAN does not find a TXT record signifying the peer's ability to respond to OE negotiation), FreeS/WAN will not try to opportunistically initiate, and communication will fallback to clear. For more secure and reliable DNS, we recommend that you run DNS within your security perimeter, either on your security gateway, or on a machine to which you have a VPN connection. It is also possible to have your DNS server located elsewhere on your LAN, though this may cause lag on startup. This mailing list message explains how to run a local caching name server: http://lists.freeswan.org/pipermail/design/2003-January/004205.html See also "Getting DNS through" in opportunism.howto http://lists.freeswan.org/pipermail/design/2002-April/002285.html . CURRENT ISSUES * There are several special issues re: using OE when running FreeS/WAN with kernel native IPsec, introduced in the 2.6 kernel. Please see doc/2.6.known-issues. * If A and B have an OE connection, but A is rebooted, normally A will try to re-connect to B and (if it has no DNS-related failures) it will succeed. But, if A is set up for responder-only OE, you will have a one-way connection until B notices that its original tunnel has expired. For details see: http://lists.freeswan.org/pipermail/design/2002-May/002582.html http://lists.freeswan.org/pipermail/design/2002-June/002610.html TIP: If an OE connection isn't behaving, you can recreate it with ipsec whack --oppohere sourceIPaddress --oppothere targetIPaddress * There is no good clean facility to delete OE connections. Available are: ipsec auto --status to list connections ipsec whack --deletestate to delete by state#. * You may experience seeming gaps at rekey time. Once you generate traffic, you will find that the OE connection returns. By default, OE connections are not rekeyed; if they were we'd have a mountain of useless connections. As a consequence, if your OE connection is idle at rekey time, it will go down until you generate further traffic. To ensure prompt rekeying, you can run a ping thorough the OE tunnel. * At the moment, you can only run active OE on one physical interface. Active means --routed, to trap outbound packets. It is this route that is a problem. Untested theory: you can have multiple active OE conns, for different source addresses, but they all have to point their traffic out the single interface. When responding: you can only define one OE connection (per host or subnet) in ipsec.conf, and that conn will apply to one interface. Normally this will be the public interface which your default route uses; it is, however, configurable. Theoretically, it might make sense to select between multiple OE conns based on some criterion, such as address ranges. This might be useful for local OE, or in a complex routing scenario. Currently, Pluto expects only one OE connection. If you add another, Pluto may choose randomly between them, producing unpredictable results. * Building OE conns between nodes on a LAN is not possible. This is a side effect of conflicts about ARP entries in the rt_cache and our "stupid routing tricks". There is no known workaround at this time. "Stupid routing tricks" are an ongoing issue, and should go away in a future software revision. See these explanations: http://lists.freeswan.org/pipermail/design/2002-April/002285.html http://lists.freeswan.org/pipermail/design/2002-August/003249.html * FreeS/WAN may not correctly follow a CNAME (Canonical Name) trail resulting from reverse DNS delegation. Solution: Use a recent Bind 9 (we tested with Bind snap-pre9.3) for the DNS services which the FreeS/WAN box relies on. Reason: This Bind correctly implements "implied helper support" for traditional DNS records, and so can follow a properly constructed CNAME record trail which ends in a TXT record. Thus, in cases where a reverse domain has been delegated, FreeS/WAN + Bind 9 can find a TXT record and create an OE connection. For more on the problem, see "OLD ISSUES", below. * To make OE operation smoother, we may need a script that runs and warns if we have the reverse DNS records, but not the software running. The reverse records advertise that we can do OE, but when the software is not running this is false advertising. OLD ISSUES * Coterminal OE doesn't work in practise. This includes OE-in-WAVEsec. Solved in 2.02. Old diagnosis: If you have coterminal OE connections (two OE connections which share one endpoint), you should have use of one of the encrypted links, but it is not clear which one KLIPS will prefer. In particular, the behaviour may not be symmetrical. Worse yet, it just seems to trip over itself and be generally unworkable. Weird but predictable: If you have both a gateway and a host who advertise (via DNS) an ability to do OE you need to be serious about doing host-based OE, or you will be stuck in initiator-only mode. If your host advertises but does not run OE, then when a peer tries to connect to your host, it will fail to clear. The peer will then not try to encrypt traffic bound for that host as it travels to the gateway. To remedy the situation, restart ipsec on the peer (or otherwise flush out the %pass eroute), and ping the peer from your host to initiate OE. * One-way connection was created on rekey. Solved in 2.0. If one side (A) has a shorter _keylife_ than the other, and that side also has _rekey=no_, then when the keylife has expired, it will expect that its peer (B) will make a new conn to replace the existing one. Unfortunately, B has no idea. B continues to send out encrypted packets on the original connection, while A passes the return packets along in the clear. There is a proposed patch for (A) here: http://lists.freeswan.org/pipermail/design/2002-July/003114.html * Failure to look up own host name is a show stopper. Solved in 1.98 and 1.98b. Solution: new setting %dnsondemand. Usage: leftrsasigkey=%dnsondemand # now in sample ipsec.conf rightrsasigkey=%dnsondemand. From man ipsec.conf: The value %dnsondemand means the key is to fetched from DNS at the time it is needed. If Linux FreeS/WAN can't get the key for your public interface from DNS, it will not keep trying, and you will not be able to do OE. The error message is: May 14 09:40:24 road Pluto[21210]: failure to fetch key for 193.110.157.18 from DNS: failure querying DNS for KEY of 18.157.110.193.in-addr.arpa.: Host name lookup failure Workaround: 1 or 2 1. Supply a key in the conn. leftrsasigkey=0s... 2. Fix the KEY lookup failure and try again. * Assertion failure at OE rekey time. Fixed in 2.0pre0. Patch for 1.98b posted at http://lists.freeswan.org/pipermail/design/2002-August/003347.html * 1.91 to 1.94 have serious problems with %trap and %hold bugs. These bugs, introduced while coding the support structure for OE, affect both OE and VPN connections. * OE may not work with reverse delegation (CNAMEs). This problem was once capable of being a show stopper. When relying on Bind versions before 9 for local DNS services, FreeS/WAN could not follow a well constructed CNAME trail that ended in a TXT or KEY record. Although OE required both record types, in practise we noticed the problem with the more common TXT lookups, rather than the rarer KEY lookups. Bind 9 largely solves the problem, by correctly seeking TXT records in delegated reverse domains. In addition, OE between two FreeS/WAN 2.02 or later boxes no longer relies on KEY records. Old symptoms: When a DNS server queried by Linux FreeS/WAN follows a CNAME, it seems to forget what record type it is looking for, and it returns a PTR, despite the fact that another record type was requested. Workaround: Send your provider KEY and TXT records for direct insertion into the reverse ZONE files, rather than asking your provider to delegate authority using CNAME. People who own IP blocks, rather than leasing them, may not experience this problem. If you were assigned IPs more than five years ago, you may own your IPs.