blob: d7e02740fc3af57d53beb36b8adfdd86c5c8ab01 [file] [log] [blame]
Neale Ranns9de80282020-11-18 11:13:27 +00001.. _ipsec:
2
3.. toctree::
4
5IP Security
6===========
7
8This is not a description on how IPSec works. Please read:
9
10 - https://tools.ietf.org/html/rfc4301
11 - https://tools.ietf.org/html/rfc4302
12 - https://tools.ietf.org/html/rfc4303
13
14
15I would also suggest this:
16
17 - https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
18
19
20If you're interested in cryptography, I would recommend this excellent
21introductory lecture series (there is also a book, but you'll have to
22buy it, IMHO it's worth it):
23
24 - https://www.youtube.com/channel/UC1usFRN4LCMcfIV7UjHNuQg/featured
25
26
27IPSec VPNs come in two flavours; policy and route based, the
28difference is how the Security Association (SA) is chosen.
29
30
31Route Base VPNs
32---------------
33
34There are two aspects of a route based VPN; all packets to a
35particular peer are encrypted by the same SA and routing
36decides the peer to which to forward traffic (as routing always
37does). Therefore, routing is choosing the SA. Of course the same must
38be true in reverse, that all packets from a given peer are decrypted
39with the same SA. Another way of expressing this is to say a peer is
40'protected' by this SA (really a pair of SAs; one for rx and tx).
41
42The 'standard' [#i1]_ way of representing this protected peer is by
43using a point-to-point virtual interface to which the peer is
44attached and the SA pair is associated. Prefixes
45that require protection are routed through this virtual interface and
46hence implicitly to the peer.
47
48There are three components to the model:
49
50- The SAs; An **ipsec_sa_t**, use the force, read the source.
51- The virtual interface
52- The protection - the association of the SAs to the interface.
53
54
55The protection is represented by a **ipsec_tun_protect_t**. The "tun"
56part comes from the fact that the protected interface is usually a
57tunnel. IMO It would have been better if the author had not assumed
58this [#i2]_.
59The protection associates a single TX SA and up to four RX SAs to an
60interface. Four is as many as can fit on one cache-line. Multiple RX
61SAs mean that a peer can be using any SA in the set, this is
62particularly useful during rekeying because it is not possible for the
63peers to swap their RX and TX SAs at exactly the same moment in the
64traffic stream. Instead they can add the new RX immediately, then swap
65the TX after a short delay, then remove the old RX after another short
66delay. This will minimize, if not eliminate, packet loss.
67
68The virtual interface can be represented in two ways:
69
70 - interface + encap + SA = (interface + encap) + SA = ipip-interface + SA transport mode
71
72or
73
74 - interface + encap + SA = interface + (encap + SA) = IPSec-interface + SA tunnel mode
75
76It's a question of where you add the parenthesis, from the perspective
77of the external user the effect is identical.
78
79The IPSec interface serves as the encap-free interface to be used in
80conjunction with an encap-describing tunnel mode SA. VPP supports both models.
81
82A route based VPN could impose 0, 1 or 2 encaps. the support matrix for these use cases is:
83
84.. code-block:: console
85
86
87 | 0 | 1 | 2 |
88 --------------------------
89 ipip | N | Y | Y |
90 ipsec | P | Y | P |
91
92Where P = potentially.
93
94Ipsec could potentially support 0 encap (i.e. transport mode) since
95neither the interface nor the SA *requires* encap. However, for a
96route based VPN to use transport mode is probably wrong since one
97shouldn't use transport mode for transit traffic, since without encap
98it is not guaranteed to return. IPSec could potentially support 2
99encaps, but that would require the SA to describe both, something it
100does not do at this time.
101
102Internally the difference is that the mid-chain adjacency for the IPSec
103interface has no associated encap (whereas for an ipip tunnel it
104describes the peer). Consequently, features on the output arc see
105packets without any encap. Since the protecting SAs are in tunnel
106mode, they apply the encap. The mid-chain adj is stacked only once the
107protecting SA is known, since only then is the peer known. Otherwise
108the VLIB graph nodes used are the same:
109
110.. code-block:: console
111
112 (routing) --> ipX-michain --> espX-encrypt --> adj-midchain-tx --> (routing)
113
114 where X = 4 or 6.
115
116
117Some benefits to the ipsec interface:
118
119- it is slightly more efficient since the encapsulating IP header has its checksum updated only once.
120- even when the interface is admin up traffic cannot be sent to a peer
121 unless the SA is available (since it's the SA that determines the
122 encap). With ipip interfaces a client must use the admin state to
123 prevent sending until the SA is available.
124
125The best recommendations I can make are:
126
127- pick a model that supports your use case
128- make sure any other features you wish to use are supported by the model
129- choose the model that best fits your control plane's model.
130
131
132Multi-point Interfaces
133^^^^^^^^^^^^^^^^^^^^^^
134
135As mentioned above route based VPNs protect all packets destined to
136a given peer with the same SA pair. This protection was modelled using
137a virtual p2p interface, so one could legitimately reason that
138all traffic through the interface is protected with the SA pair or all
139traffic to the peer is protected, since they are one in the
140same. However, when we consider multi-point interfaces, we have to
141think of protection applying to the peers on the link.
142
143When using IPSec protection on a P2MP link the **ipsec_tun_protect_t**
144will be specific to a particular peer (in the P2P case this peer is
145the usual special all zero address).
146
147All other aspects of using route based VPNs remains the same. The
148routes are resolved via specific peers on the interface, i.e.
149
150.. code-block:: console
151
152 ip route add 10.0.0.0/8 via 192.168.1.1 mipip0
153
154
155rather than
156
157.. code-block:: console
158
159 ip route add 10.0.0.0/8 via ipip0
160
161
162but one should always use a next-hop on a multi-access interface, so
163this is not a restriction.
164
165The data-path is unchanged, in both P2P and P2MP case the SA to
166use for TX comes from the adjacency, and for RX it's the SPI that
167matches to the SA and interface.
168
169
170Policy Based VPNs
171-----------------
172
173At the risk of stating the obvious, in a policy based VPN the SA is
174chosen based on a specific IPSec policy. A policy describes what
175attributes of the packets to match and what action to take if
176matched. Actions are:
177
178- bypass: Ignore it
179- discard: Drop it
180- protect: Either encrypt or decrypt with a specific SA
181
182The 'resolve' action which (as per-RFC4301) states that an IKE session
183should be initiated, is not supported.
184
185Policies are stored in a security policy database (SPD). An SPD is
186attached to an interface. Packets that ingress and egress the
187interface are matched against the policies in the attached SPD.
188This is IPSec as described in RFC4301.
189
190
191.. rubric:: Footnotes:
192
193.. [#i1] Standard in inverted commas because, at least to my
194 knowledge, there is no official standard (RFC) that states it
195 should be this way. It is probably this way because routers
196 model/implement/restrict/etc IPSec as an interface
197 input/output feature.
198.. [#i2] That's a self criticism.
199