summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5879.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5879.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5879.txt')
-rw-r--r--doc/rfc/rfc5879.txt1795
1 files changed, 1795 insertions, 0 deletions
diff --git a/doc/rfc/rfc5879.txt b/doc/rfc/rfc5879.txt
new file mode 100644
index 0000000..4616386
--- /dev/null
+++ b/doc/rfc/rfc5879.txt
@@ -0,0 +1,1795 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) T. Kivinen
+Request for Comments: 5879 AuthenTec, Inc.
+Category: Informational D. McDonald
+ISSN: 2070-1721 Oracle Corporation
+ May 2010
+
+
+ Heuristics for Detecting ESP-NULL Packets
+
+Abstract
+
+ This document describes a set of heuristics for distinguishing IPsec
+ ESP-NULL (Encapsulating Security Payload without encryption) packets
+ from encrypted ESP packets. These heuristics can be used on
+ intermediate devices, like traffic analyzers, and deep-inspection
+ engines, to quickly decide whether or not a given packet flow is
+ encrypted, i.e., whether or not it can be inspected. Use of these
+ heuristics does not require any changes made on existing IPsec hosts
+ that are compliant with RFC 4303.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc5879.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kivinen & McDonald Informational [Page 1]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. Applicability: Heuristic Traffic Inspection and
+ Wrapped ESP ................................................4
+ 1.2. Terminology ................................................4
+ 2. Other Options ...................................................5
+ 2.1. AH .........................................................5
+ 2.2. Mandating by Policy ........................................6
+ 2.3. Modifying ESP ..............................................6
+ 3. Description of Heuristics .......................................6
+ 4. IPsec Flows .....................................................7
+ 5. Deep-Inspection Engine ..........................................9
+ 6. Special and Error Cases .........................................9
+ 7. UDP Encapsulation ..............................................10
+ 8. Heuristic Checks ...............................................10
+ 8.1. ESP-NULL Format ...........................................11
+ 8.2. Self Describing Padding Check .............................12
+ 8.3. Protocol Checks ...........................................14
+ 8.3.1. TCP Checks .........................................15
+ 8.3.2. UDP Checks .........................................16
+ 8.3.3. ICMP Checks ........................................16
+ 8.3.4. SCTP Checks ........................................17
+ 8.3.5. IPv4 and IPv6 Tunnel Checks ........................17
+ 9. Security Considerations ........................................17
+ 10. References ....................................................18
+ 10.1. Normative References .....................................18
+ 10.2. Informative References ...................................18
+ Appendix A. Example Pseudocode ...................................20
+ A.1. Fastpath ..................................................20
+ A.2. Slowpath ..................................................23
+
+
+
+
+
+Kivinen & McDonald Informational [Page 2]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+1. Introduction
+
+ The ESP (Encapsulating Security Payload [RFC4303]) protocol can be
+ used with NULL encryption [RFC2410] to provide authentication,
+ integrity protection, and optionally replay detection, but without
+ confidentiality. ESP without encryption (referred to as ESP-NULL)
+ offers similar properties to IPsec's AH (Authentication Header
+ [RFC4302]). One reason to use ESP-NULL instead of AH is that AH
+ cannot be used if there are NAT (Network Address Translation) devices
+ on the path. With AH, it would be easy to detect packets that have
+ only authentication and integrity protection, as AH has its own
+ protocol number and deterministic packet length. With ESP-NULL, such
+ detection is nondeterministic, in spite of the base ESP packet format
+ being fixed.
+
+ In some cases, intermediate devices would like to detect ESP-NULL
+ packets so they could perform deep inspection or enforce access
+ control. This kind of deep inspection includes virus detection, spam
+ filtering, and intrusion detection. As end nodes might be able to
+ bypass those checks by using encrypted ESP instead of ESP-NULL, these
+ kinds of scenarios also require very specific policies to forbid such
+ circumvention.
+
+ These sorts of policy requirements usually mean that the whole
+ network needs to be controlled, i.e., under the same administrative
+ domain. Such setups are usually limited to inside the network of one
+ enterprise or organization, and encryption is not used as the network
+ is considered safe enough from eavesdroppers.
+
+ Because the traffic inspected is usually host-to-host traffic inside
+ one organization, that usually means transport mode IPsec is used.
+ Note, that most of the current uses of IPsec are not host-to-host
+ traffic inside one organization, but for the intended use cases for
+ the heuristics, this will most likely be the case. Also, the tunnel
+ mode case is much easier to solve than transport mode as it is much
+ easier to detect the IP header inside the ESP-NULL packet.
+
+ It should also be noted that even if new protocol modifications for
+ ESP support easier detection of ESP-NULL in the future, this document
+ will aid in the transition of older end-systems. That way, a
+ solution can be implemented immediately, and not after 5-10 years of
+ upgrade and deployment. Even with protocol modification for end
+ nodes, the intermediate devices will need heuristics until they can
+ assume that those protocol modifications can be found from all the
+ end devices. To make sure that any solution does not break in the
+ future, it would be best if such heuristics are documented -- i.e.,
+
+
+
+
+
+Kivinen & McDonald Informational [Page 3]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ publishing an RFC for what to do now, even though there might be a
+ new protocol coming in the future that will solve the same problem in
+ a better way.
+
+1.1. Applicability: Heuristic Traffic Inspection and Wrapped ESP
+
+ There are two ways to enable intermediate security devices to
+ distinguish between encrypted and unencrypted ESP traffic:
+
+ o The heuristics approach has the intermediate node inspect the
+ unchanged ESP traffic, to determine with extremely high
+ probability whether or not the traffic stream is encrypted.
+
+ o The Wrapped ESP (WESP) approach [RFC5840], in contrast, requires
+ the ESP endpoints to be modified to support the new protocol.
+ WESP allows the intermediate node to distinguish encrypted and
+ unencrypted traffic deterministically, using a simpler
+ implementation for the intermediate node.
+
+ Both approaches are being documented simultaneously by the IPsecME
+ Working Group, with WESP being put on Standards Track while the
+ heuristics approach is being published as an Informational RFC.
+ While endpoints are being modified to adopt WESP, both approaches
+ will likely coexist for years, because the heuristic approach is
+ needed to inspect traffic where at least one of the endpoints has not
+ been modified. In other words, intermediate nodes are expected to
+ support both approaches in order to achieve good security and
+ performance during the transition period.
+
+1.2. Terminology
+
+ This document uses following terminology:
+
+ Flow
+
+ A TCP/UDP or IPsec flow is a stream of packets that are part of
+ the same TCP/UDP or IPsec stream, i.e., TCP or UDP flow is a
+ stream of packets having same 5 tuple (source and destination IP
+ and port, and TCP/UDP protocol). Note, that this kind of flow is
+ also called microflow in some documents.
+
+ Flow Cache
+
+ deep-inspection engines and similar devices use a cache of flows
+ going through the device, and that cache keeps state of all flows
+ going through the device.
+
+
+
+
+
+Kivinen & McDonald Informational [Page 4]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ IPsec Flow
+
+ An IPsec flow is a stream of packets sharing the same source IP,
+ destination IP, protocol (ESP/AH), and Security Parameter Index
+ (SPI). Strictly speaking, the source IP does not need to be a
+ part of the flow identification, but it can be. For this reason,
+ it is safer to assume that the source IP is always part of the
+ flow identification.
+
+2. Other Options
+
+ This document will discuss the heuristic approach of detecting ESP-
+ NULL packets. There are some other options that can be used, and
+ this section will briefly discuss them.
+
+2.1. AH
+
+ The most logical approach would use the already defined protocol that
+ offers authentication and integrity protection, but not
+ confidentiality, namely AH. AH traffic is clearly marked as not
+ encrypted, and can always be inspected by intermediate devices.
+
+ Using AH has two problems. First, as it also protects the IP
+ headers, it will also protect against NATs on the path; thus, it will
+ not work if there is a NAT on the path between end nodes. In some
+ environments this might not be a problem, but some environments,
+ include heavy use of NATs even inside the internal network of the
+ enterprise or organization. NAT-Traversal (NAT-T, [RFC3948]) could
+ be extended to support AH also, and the early versions of the NAT-T
+ proposals did include that, but it was left out as it was not seen as
+ necessary.
+
+ Another problem is that in the new IPsec Architecture [RFC4301] the
+ support for AH is now optional, meaning not all implementations
+ support it. ESP-NULL has been defined to be mandatory to implement
+ by "Cryptographic Algorithm Implementation Requirements for
+ Encapsulating Security Payload (ESP) and Authentication Header (AH)"
+ [RFC4835].
+
+ AH also has quite complex processing rules compared to ESP when
+ calculating the Integrity Check Value (ICV), including things like
+ zeroing out mutable fields. Also, as AH is not as widely used as
+ ESP, the AH support is not as well tested in the interoperability
+ events.
+
+
+
+
+
+
+
+Kivinen & McDonald Informational [Page 5]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+2.2. Mandating by Policy
+
+ Another easy way to solve this problem is to mandate the use of ESP-
+ NULL with common parameters within an entire organization. This
+ either removes the need for heuristics (if no ESP-encrypted traffic
+ is allowed at all) or simplifies them considerably (only one set of
+ parameters needs to be inspected, e.g., everybody in the organization
+ who is using ESP-NULL must use HMAC-SHA-1-96 as their integrity
+ algorithm). This does work unless one of a pair of communicating
+ machines is not under the same administrative domain as the deep-
+ inspection engine. (IPsec Security Associations (SAs) must be
+ satisfactory to all communicating parties, so only one communicating
+ peer needs to have a sufficiently narrow policy.) Also, such a
+ solution might require some kind of centralized policy management to
+ make sure everybody in an administrative domain uses the same policy,
+ and that changes to that single policy can be coordinated throughout
+ the administrative domain.
+
+2.3. Modifying ESP
+
+ Several documents discuss ways of modifying ESP to offer intermediate
+ devices information about an ESP packet's use of NULL encryption.
+ The following methods have been discussed: adding an IP-option,
+ adding a new IP-protocol number plus an extra header [RFC5840],
+ adding new IP-protocol numbers that tell the ESP-NULL parameters
+ [AUTH-ONLY-ESP], reserving an SPI range for ESP-NULL [ESP-NULL], and
+ using UDP encapsulation with a different format and ports.
+
+ All of the aforementioned documents require modification to ESP,
+ which requires that all end nodes be modified before intermediate
+ devices can assume that this new ESP format is in use. Updating end
+ nodes will require a lot of time. An example of slow end-node
+ deployment is Internet Key Exchange Protocol version 2 (IKEv2).
+ Considering an implementation that requires both IKEv2 and a new ESP
+ format, it would take several years, possibly as long as a decade,
+ before widespread deployment.
+
+3. Description of Heuristics
+
+ The heuristics to detect ESP-NULL packets will only require changes
+ to those intermediate devices that do deep inspection or other
+ operations that require the detection of ESP-NULL. As those nodes
+ require changes regardless of any ESP-NULL method, updating
+ intermediate nodes is unavoidable. Heuristics do not require updates
+ or modifications to any other devices on the rest of the network,
+ including (especially) end nodes.
+
+
+
+
+
+Kivinen & McDonald Informational [Page 6]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ In this document, it is assumed that an affected intermediate node
+ will act as a stateful interception device, meaning it will keep
+ state of the IPsec flows -- where flows are defined by the ESP SPI
+ and IP addresses forming an IPsec SA -- going through it. The
+ heuristics can also be used without storing any state, but
+ performance will be worse in that case, as heuristic checks will need
+ to be done for each packet, not only once per flow. This will also
+ affect the reliability of the heuristics.
+
+ Generally, an intermediate node runs heuristics only for the first
+ few packets of the new flow (i.e., the new IPsec SA). After those
+ few packets, the node detects parameters of the IPsec flow, it skips
+ detection heuristics, and it can perform direct packet-inspecting
+ action based on its own policy. Once detected, ESP-NULL packets will
+ never be detected as encrypted ESP packets, meaning that valid ESP-
+ NULL packets will never bypass the deep inspection.
+
+ The only failure mode of these heuristics is to assume encrypted ESP
+ packets are ESP-NULL packets, thus causing completely random packet
+ data to be deeply inspected. An attacker can easily send random-
+ looking ESP-NULL packets that will cause heuristics to detect packets
+ as encrypted ESP, but that is no worse than sending non-ESP fuzz
+ through an intermediate node. The only way an ESP-NULL flow can be
+ mistaken for an encrypted ESP flow is if the ESP-NULL flow uses an
+ authentication algorithm of which the packet inspector has no
+ knowledge.
+
+ For hardware implementations, all the flow lookup based on the ESP
+ next header number (50), source address, destination address, and SPI
+ can be done by the hardware (there is usually already similar
+ functionality there, for TCP/UDP flows). The heuristics can be
+ implemented by the hardware, but using software will allow faster
+ updates when new protocol modifications come out or new protocols
+ need support.
+
+ As described in Section 7, UDP-encapsulated ESP traffic may also have
+ Network Address Port Translation (NAPT) applied to it, and so there
+ is already a 5-tuple state in the stateful inspection gateway.
+
+4. IPsec Flows
+
+ ESP is a stateful protocol, meaning there is state stored in both end
+ nodes of the ESP IPsec SA, and the state is identified by the pair of
+ destination IP and SPI. Also, end nodes often fix the source IP
+ address in an SA unless the destination is a multicast group.
+ Typically, most (if not all) flows of interest to an intermediate
+ device are unicast, so it is safer to assume the receiving node also
+ uses a source address, and the intermediate device should therefore
+
+
+
+Kivinen & McDonald Informational [Page 7]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ do the same. In some cases, this might cause extraneous cached ESP
+ IPsec SA flows, but by using the source address, two distinct flows
+ will never be mixed. For sites that heavily use multicast, such
+ traffic is deterministically identifiable (224.0.0.0/4 for IPv4 and
+ ff00::0/8 for IPv6), and an implementation can save the space of
+ multiple cache entries for a multicast flow by checking the
+ destination address first.
+
+ When the intermediate device sees a new ESP IPsec flow, i.e., a new
+ flow of ESP packets where the source address, destination address,
+ and SPI number form a triplet that has not been cached, it will start
+ the heuristics to detect whether or not this flow is ESP-NULL. These
+ heuristics appear in Section 8.
+
+ When the heuristics finish, they will label the flow as either
+ encrypted (which tells that packets in this flow are encrypted, and
+ cannot be ESP-NULL packets) or as ESP-NULL. This information, along
+ with the ESP-NULL parameters detected by the heuristics, is stored to
+ a flow cache, which will be used in the future when processing
+ packets of the same flow.
+
+ Both encrypted ESP and ESP-NULL flows are processed based on the
+ local policy. In normal operation, encrypted ESP flows are passed
+ through or dropped per local policy, and ESP-NULL flows are passed to
+ the deep-inspection engine. Local policy will also be used to
+ determine other packet-processing parameters. Local policy issues
+ will be clearly marked in this document to ease implementation.
+
+ In some cases, the heuristics cannot determine the type of flow from
+ a single packet; and in that case, it might need multiple packets
+ before it can finish the process. In those cases, the heuristics
+ return "unsure" status. In that case, the packet processed based on
+ the local policy and flow cache is updated with "unsure" status.
+ Local policy for "unsure" packets could range from dropping (which
+ encourages end-node retransmission) to queuing (which may preserve
+ delivery, at the cost of artificially inflating round-trip times if
+ they are measured). When the next packet to the flow arrives, it is
+ heuristically processed again, and the cached flow may continue to be
+ "unsure", marked as ESP, or marked as an ESP-NULL flow.
+
+ There are several reasons why a single packet might not be enough to
+ detect the type of flow. One of them is that the next header number
+ was unknown, i.e., if heuristics do not know about the protocol for
+ the packet, they cannot verify it has properly detected ESP-NULL
+ parameters, even when the packet otherwise looks like ESP-NULL. If
+ the packet does not look like ESP-NULL at all, then the encrypted ESP
+
+
+
+
+
+Kivinen & McDonald Informational [Page 8]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ status can be returned quickly. As ESP-NULL heuristics need to know
+ the same protocols as a deep-inspection device, an ESP-NULL instance
+ of an unknown protocol can be handled the same way as a cleartext
+ instance of the same unknown protocol.
+
+5. Deep-Inspection Engine
+
+ A deep-inspection engine running on an intermediate node usually
+ checks deeply into the packet and performs policy decisions based on
+ the contents of the packet. The deep-inspection engine should be
+ able to tell the difference between success, failure, and garbage.
+ Success means that a packet was successfully checked with the deep-
+ inspection engine, and it passed the checks and is allowed to be
+ forwarded. Failure means that a packet was successfully checked, but
+ the actual checks done indicated that packets should be dropped,
+ i.e., the packet contained a virus, was a known attack, or something
+ similar.
+
+ Garbage means that the packet's protocol headers or other portions
+ were unparseable. For the heuristics, it would be useful if the
+ deep-inspection engine could differentiate the garbage and failure
+ cases, as garbage cases can be used to detect certain error cases
+ (e.g., where the ESP-NULL parameters are incorrect, or the flow is
+ really an encrypted ESP flow, not an ESP-NULL flow).
+
+ If the deep-inspection engine only returns failure for all garbage
+ packets in addition to real failure cases, then a system implementing
+ the ESP-NULL heuristics cannot recover from error situations quickly.
+
+6. Special and Error Cases
+
+ There is a small probability that an encrypted ESP packet (which
+ looks like it contains completely random bytes) will have plausible
+ bytes in expected locations, such that heuristics will detect the
+ packet as an ESP-NULL packet instead of detecting that it is
+ encrypted ESP packet. The actual probabilities will be computed
+ later in this document. Such a packet will not cause problems, as
+ the deep-inspection engine will most likely reject the packet and
+ return that it is garbage. If the deep-inspection engine is
+ rejecting a high number of packets as garbage, it might indicate an
+ original ESP-NULL detection for the flow was wrong (i.e., an
+ encrypted ESP flow was improperly detected as ESP-NULL). In that
+ case, the cached flow should be invalidated and discovery should
+ happen again.
+
+ Each ESP-NULL flow should also keep statistics about how many packets
+ have been detected as garbage by deep inspection, how many have
+ passed checks, or how many have failed checks with policy violations
+
+
+
+Kivinen & McDonald Informational [Page 9]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ (i.e., failed because of actual inspection policy failures, not
+ because the packet looked like garbage). If the number of garbage
+ packets suddenly increases (e.g., most of the packets start to look
+ like garbage according to the deep-inspection engine), it is possible
+ the old ESP-NULL SA was replaced by an encrypted ESP SA with an
+ identical SPI. If both ends use random SPI generation, this is a
+ very unlikely situation (1 in 2^32), but it is possible that some
+ nodes reuse SPI numbers (e.g., a 32-bit memory address of the SA
+ descriptor); thus, this situation needs to be handled.
+
+ Actual limits for cache invalidation are local policy decisions.
+ Sample invalidation policies include: 50% of packets marked as
+ garbage within a second, or if a deep-inspection engine cannot
+ differentiate between garbage and failure, failing more than 95% of
+ packets in last 10 seconds. For implementations that do not
+ distinguish between garbage and failure, failures should not be
+ treated too quickly as an indication of SA reuse. Often, single
+ packets cause state-related errors that block otherwise normal
+ packets from passing.
+
+7. UDP Encapsulation
+
+ The flow lookup code needs to detect UDP packets to or from port 4500
+ in addition to the ESP packets, and perform similar processing to
+ them after skipping the UDP header. Port-translation by NAT often
+ rewrites what was originally 4500 into a different value, which means
+ each unique port pair constitutes a separate IPsec flow. That is,
+ UDP-encapsulated IPsec flows are identified by the source and
+ destination IP, source and destination port number, and SPI number.
+ As devices might be using IKEv2 Mobility and Multihoming (MOBIKE)
+ ([RFC4555]), that also means that the flow cache should be shared
+ between the UDP encapsulated IPsec flows and non-encapsulated IPsec
+ flows. As previously mentioned, differentiating between garbage and
+ actual policy failures will help in proper detection immensely.
+
+ Because the checks are run for packets having just source port 4500
+ or packets having just destination port 4500, this might cause checks
+ to be run for non-ESP traffic too. Some traffic may randomly use
+ port 4500 for other reasons, especially if a port-translating NAT is
+ involved. The UDP encapsulation processing should also be aware of
+ that possibility.
+
+8. Heuristic Checks
+
+ Normally, HMAC-SHA1-96 or HMAC-MD5-96 gives 1 out of 2^96 probability
+ that a random packet will pass the Hashed Message Authentication Code
+ (HMAC) test. This yields a 99.999999999999999999999999998%
+ probability that an end node will correctly detect a random packet as
+
+
+
+Kivinen & McDonald Informational [Page 10]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ being invalid. This means that it should be enough for an
+ intermediate device to check around 96 bits from the input packet.
+ By comparing them against known values for the packet, a deep-
+ inspection engine gains more or less the same probability as that
+ which an end node is using. This gives an upper limit of how many
+ bits heuristics need to check -- there is no point of checking much
+ more than that many bits (since that same probability is acceptable
+ for the end node). In most of the cases, the intermediate device
+ does not need probability that is that high, perhaps something around
+ 32-64 bits is enough.
+
+ IPsec's ESP has a well-understood packet layout, but its variable-
+ length fields reduce the ability of pure algorithmic matching to one
+ requiring heuristics and assigning probabilities.
+
+8.1. ESP-NULL Format
+
+ The ESP-NULL format is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Security Parameter Index (SPI) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sequence Number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | IV (optional) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Payload Data (variable) |
+ ~ ~
+ | |
+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | | Padding (0-255 bytes) |
+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | | Pad Length | Next Header |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Integrity Check Value (variable) |
+ ~ ~
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 1
+
+ The output of the heuristics should provide information about whether
+ the packet is encrypted ESP or ESP-NULL. In case it is ESP-NULL, the
+ heuristics should also provide the Integrity Check Value (ICV) field
+ length and the Initialization Vector (IV) length.
+
+
+
+
+Kivinen & McDonald Informational [Page 11]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ The currently defined ESP authentication algorithms have 4 different
+ lengths for the ICV field.
+
+ Different ICV lengths for different algorithm:
+
+ Algorithm ICV Length
+ ------------------------------- ----------
+ AUTH_HMAC_MD5_96 96
+ AUTH_HMAC_SHA1_96 96
+ AUTH_AES_XCBC_96 96
+ AUTH_AES_CMAC_96 96
+ AUTH_HMAC_SHA2_256_128 128
+ AUTH_HMAC_SHA2_384_192 192
+ AUTH_HMAC_SHA2_512_256 256
+
+ Figure 2
+
+ In addition to the ESP authentication algorithms listed above, there
+ is also the encryption algorithm ENCR_NULL_AUTH_AES_GMAC, which does
+ not provide confidentiality but provides authentication, just like
+ ESP-NULL. This algorithm has an ICV Length of 128 bits, and it also
+ requires 8 bytes of IV.
+
+ In addition to the ICV length, there are also two possible values for
+ IV lengths: 0 bytes (default) and 8 bytes (for
+ ENCR_NULL_AUTH_AES_GMAC). Detecting the IV length requires
+ understanding the payload, i.e., the actual protocol data (meaning
+ TCP, UDP, etc.). This is required to distinguish the optional IV
+ from the actual protocol data. How well the IV can be distinguished
+ from the actual protocol data depends on how the IV is generated. If
+ the IV is generated using a method that generates random-looking data
+ (i.e., encrypted counter, etc.) then distinguishing protocol data
+ from the IV is quite easy. If an IV is a counter or similar non-
+ random value, then there are more possibilities for error. If the
+ protocol (also known as the, "next header") of the packet is one that
+ is not supported by the heuristics, then detecting the IV length is
+ impossible; thus, the heuristics cannot finish. In that case, the
+ heuristics return "unsure" and require further packets.
+
+ This document does not cover RSA authentication in ESP ([RFC4359]),
+ as it is considered beyond the scope of this document.
+
+8.2. Self Describing Padding Check
+
+ Before obtaining the next header field, the ICV length must be
+ measured. Four different ICV lengths lead to four possible places
+ for the pad length and padding. Implementations must be careful when
+ trying larger sizes of the ICV such that the inspected bytes do not
+
+
+
+Kivinen & McDonald Informational [Page 12]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ belong to data that is not payload data. For example, a 10-byte ICMP
+ echo request will have zero-length padding, but any checks for
+ 256-bit ICVs will inspect sequence number or SPI data if the packet
+ actually contains a 96-bit or 128-bit ICV.
+
+ ICV lengths should always be checked from shortest to longest. It is
+ much more likely to obtain valid-looking padding bytes in the
+ cleartext part of the payload than from the ICV field of a longer ICV
+ than what is currently inspected. For example, if a packet has a
+ 96-bit ICV and the implementation starts checking for a 256-bit ICV
+ first, it is possible that the cleartext part of the payload contains
+ valid-looking bytes. If done in the other order, i.e., a packet
+ having a 256-bit ICV and the implementation checks for a 96-bit ICV
+ first, the inspected bytes are part of the longer ICV field, and
+ should be indistinguishable from random noise.
+
+ Each ESP packet always has between 0-255 bytes of padding, and
+ payload, pad length, and next header are always right aligned within
+ a 4-byte boundary. Normally, implementations use a minimal amount of
+ padding, but the heuristics method would be even more reliable if
+ some extra padding is added. The actual padding data has bytes
+ starting from 01 and ending at the pad length, i.e., exact padding
+ and pad length bytes for 4 bytes of padding would be 01 02 03 04 04.
+
+ Two cases of ESP-NULL padding are matched bytes (like the 04 04 shown
+ above), or the 0-byte padding case. In cases where there is one or
+ more bytes of padding, a node can perform a very simple and fast test
+ -- a sequence of N N in any of those four locations. Given four
+ 2-byte locations (assuming the packet size allows all four possible
+ ICV lengths), the upper-bound probability of finding a random
+ encrypted packet that exhibits non-zero length ESP-NULL properties
+ is:
+
+ 1 - (1 - 255 / 65536) ^ 4 == 0.015 == 1.5%
+
+ In the cases where there are 0 bytes of padding, a random encrypted
+ ESP packet has:
+
+ 1 - (1 - 1 / 256) ^ 4 == 0.016 == 1.6%.
+
+ Together, both cases yield a 3.1% upper-bound chance of
+ misclassifying an encrypted packet as an ESP-NULL packet.
+
+ In the matched bytes case, further inspection (counting the pad bytes
+ backward and downward from the pad-length match) can reduce the
+ number of misclassified packets further. A padding length of 255
+ means a specific 256^254 sequence of bytes must occur. This
+ virtually eliminates pairs of 'FF FF' as viable ESP-NULL padding.
+
+
+
+Kivinen & McDonald Informational [Page 13]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ Every one of the 255 pairs for padding length N has only a 1 / 256^N
+ probability of being correct ESP-NULL padding. This shrinks the
+ aforementioned 1.5% of matched pairs to virtually nothing.
+
+ At this point, a maximum of 1.6% of possible byte values remain, so
+ the next header number is inspected. If the next header number is
+ known (and supported), then the packet can be inspected based on the
+ next header number. If the next header number is unknown (i.e., not
+ any of those with protocol checking support) the packet is marked
+ "unsure", because there is no way to detect the IV length without
+ inspecting the inner protocol payload.
+
+ There are six different next header fields that are in common use
+ (TCP (6), UDP (17), ICMP (1), Stream Control Transmission Protocol
+ (SCTP) (132), IPv4 (4), and IPv6 (41)), and if IPv6 is in heavy use,
+ that number increases to nine (Fragment (44), ICMPv6 (58), and IPv6
+ options (60)). To ensure that no packet is misinterpreted as an
+ encrypted ESP packet even when it is an ESP-NULL packet, a packet
+ cannot be marked as a failure even when the next header number is one
+ of those that is not known and supported. In those cases, the
+ packets are marked as "unsure".
+
+ An intermediate node's policy, however, can aid in detecting an ESP-
+ NULL flow even when the protocol is not a common-case one. By
+ counting how many "unsure" returns obtained via heuristics, and after
+ the receipt of a consistent, but unknown, next header number in same
+ location (i.e., likely with the same ICV length), the node can
+ conclude that the flow has high probability of being ESP-NULL (since
+ it is unlikely that so many packets would pass the integrity check at
+ the destination unless they are legitimate). The flow can be
+ classified as ESP-NULL with a known ICV length but an unknown IV
+ length.
+
+ Fortunately, in unknown protocol cases, the IV length does not
+ matter. If the protocol is unknown to the heuristics, it will most
+ likely be unknown by the deep-inspection engine also. It is
+ therefore important that heuristics should support at least those
+ same protocols as the deep-inspection engine. Upon receipt of any
+ inner next header number that is known by the heuristics (and deep-
+ inspection engine), the heuristics can detect the IV length properly.
+
+8.3. Protocol Checks
+
+ Generic protocol checking is much easier with preexisting state. For
+ example, when many TCP/UDP flows are established over one IPsec SA, a
+ rekey produces a new SA that needs heuristics to detect its
+ parameters, and those heuristics benefit from the existing TCP/UDP
+ flows that were present in the previous IPsec SA. In that case, it
+
+
+
+Kivinen & McDonald Informational [Page 14]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ is just enough to check that if a new IPsec SA has packets belonging
+ to the flows of some other IPsec SA (previous IPsec SA before rekey),
+ and if those flows are already known by the deep-inspection engine,
+ it will give a strong indication that the new SA is really ESP-NULL.
+
+ The worst case scenario is when an end node starts up communication,
+ i.e., it does not have any previous flows through the device.
+ Heuristics will run on the first few packets received from the end
+ node. The later subsections mainly cover these start-up cases, as
+ they are the most difficult.
+
+ In the protocol checks, there are two different types of checks. The
+ first check is for packet validity, i.e., certain locations must
+ contain specific values. For example, an inner IPv4 header of an
+ IPv4 tunnel packet must have its 4-bit version number set to 4. If
+ it does not, the packet is not valid, and can be marked as a failure.
+ Other positions depending on ICV and IV lengths must also be checked,
+ and if all of them are failures, then the packet is a failure. If
+ any of the checks are "unsure", the packet is marked as such.
+
+ The second type of check is for variable, but easy-to-parse values.
+ For example, the 4-bit header length field of an inner IPv4 packet.
+ It has a fixed value (5) as long as there are no inner IPv4 options.
+ If the header-length has that specific value, the number of known
+ "good" bits increases. If it has some other value, the known "good"
+ bit count stays the same. A local policy might include reaching a
+ bit count that is over a threshold (for example, 96 bits), causing a
+ packet to be marked as valid.
+
+8.3.1. TCP Checks
+
+ When the first TCP packet is fed to the heuristics, it is most likely
+ going to be the SYN packet of the new connection; thus, it will have
+ less useful information than other later packets might have. The
+ best valid packet checks include checking that header length and
+ flags have valid values and checking source and destination port
+ numbers, which in some cases can be used for heuristics (but in
+ general they cannot be reliably distinguished from random numbers
+ apart from some well-known ports like 25/80/110/143).
+
+ The most obvious field, TCP checksum, might not be usable, as it is
+ possible that the packet has already transited a NAT box that changed
+ the IP addresses but assumed any ESP payload was encrypted and did
+ not fix the transport checksums with the new IP addresses. Thus, the
+ IP numbers used in the checksum are wrong; thus, the checksum is
+ wrong. If the checksum is correct, it can again be used to increase
+ the valid bit count, but verifying checksums is a costly operation,
+ thus skipping that check might be best unless there is hardware to
+
+
+
+Kivinen & McDonald Informational [Page 15]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ help the calculation. Window size, urgent pointer, sequence number,
+ and acknowledgment numbers can be used, but there is not one specific
+ known value for them.
+
+ One good method of detection is that if a packet is dropped, then the
+ next packet will most likely be a retransmission of the previous
+ packet. Thus, if two packets are received with the same source and
+ destination port numbers, and where sequence numbers are either the
+ same or right after each other, then it's likely a TCP packet has
+ been correctly detected. This heuristic is most helpful when only
+ one packet is outstanding. For example, if a TCP SYN packet is lost
+ (or dropped because of policy), the next packet would always be a
+ retransmission of the same TCP SYN packet.
+
+ Existing deep-inspection engines usually do very good TCP flow
+ checking already, including flow tracking, verification of sequence
+ numbers, and reconstruction of the whole TCP flow. Similar methods
+ can be used here, but they are implementation dependent and not
+ described here.
+
+8.3.2. UDP Checks
+
+ UDP header has even more problems than the TCP header, as UDP has
+ even less known data. The checksum has the same problem as the TCP
+ checksum, due to NATs. The UDP length field might not match the
+ overall packet length, as the sender is allowed to include TFC
+ (traffic flow confidentiality; see Section 2.7 of "IP Encapsulating
+ Security Payload" [RFC4303]) padding.
+
+ With UDP packets similar multiple packet methods can be used as with
+ TCP, as UDP protocols usually include several packets using same port
+ numbers going from one end node to another, thus receiving multiple
+ packets having a known pair of UDP port numbers is good indication
+ that the heuristics have passed.
+
+ Some UDP protocols also use identical source and destination port
+ numbers; thus, that is also a good check.
+
+8.3.3. ICMP Checks
+
+ As ICMP messages are usually sent as return packets for other
+ packets, they are not very common packets to get as first packets for
+ the SA, the ICMP ECHO_REQUEST message being a noteworthy exception.
+ ICMP ECHO_REQUEST has a known type, code, identifier, and sequence
+ number. The checksum, however, might be incorrect again because of
+ NATs.
+
+
+
+
+
+Kivinen & McDonald Informational [Page 16]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ For ICMP error messages, the ICMP message contains part of the
+ original IP packet inside. Then, the same rules that are used to
+ detect IPv4/IPv6 tunnel checks can be used.
+
+8.3.4. SCTP Checks
+
+ SCTP [RFC4960] has a self-contained checksum, which is computed over
+ the SCTP payload and is not affected by NATs unless the NAT is SCTP-
+ aware. Even more than the TCP and UDP checksums, the SCTP checksum
+ is expensive, and may be prohibitive even for deep packet
+ inspections.
+
+ SCTP chunks can be inspected to see if their lengths are consistent
+ across the total length of the IP datagram, so long as TFC padding is
+ not present.
+
+8.3.5. IPv4 and IPv6 Tunnel Checks
+
+ In cases of tunneled traffic, the packet inside contains a full IPv4
+ or IPv6 packet. Many fields are usable. For IPv4, those fields
+ include version, header length, total length (again TFC padding might
+ confuse things there), protocol number, and 16-bit header checksum.
+ In those cases, the intermediate device should give the decapsulated
+ IP packet to the deep-inspection engine. IPv6 has fewer usable
+ fields, but the version number, packet length (modulo TFC confusion),
+ and next header all can be used by deep packet inspection.
+
+ If all traffic going through the intermediate device is either from
+ or to certain address blocks (for example, either to or from the
+ company intranet prefix), this can also be checked by the heuristics.
+
+9. Security Considerations
+
+ Attackers can always bypass ESP-NULL deep packet inspection by using
+ encrypted ESP (or some other encryption or tunneling method) instead,
+ unless the intermediate node's policy requires dropping of packets
+ that it cannot inspect. Ultimately, the responsibility for
+ performing deep inspection, or allowing intermediate nodes to perform
+ deep inspection, must rest on the end nodes. That is, if a server
+ allows encrypted connections also, then an attacker who wants to
+ attack the server and wants to bypass a deep-inspection device in the
+ middle, will use encrypted traffic. This means that the protection
+ of the whole network is only as good as the policy enforcement and
+ protection of the end node. One way to enforce deep inspection for
+ all traffic, is to forbid encrypted ESP completely, in which case
+ ESP-NULL detection is easier, as all packets must be ESP-NULL based
+
+
+
+
+
+Kivinen & McDonald Informational [Page 17]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ on the policy (heuristics may still be needed to find out the IV and
+ ICV lengths, unless further policy restrictions eliminate the
+ ambiguities).
+
+ Section 3 discusses failure modes of the heuristics. An attacker can
+ poison flows, tricking inspectors into ignoring legitimate ESP-NULL
+ flows, but that is no worse than injecting fuzz.
+
+ Forcing the use of ESP-NULL everywhere inside the enterprise, so that
+ accounting, logging, network monitoring, and intrusion detection all
+ work, increases the risk of sending confidential information where
+ eavesdroppers can see it.
+
+10. References
+
+10.1. Normative References
+
+ [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm
+ and Its Use With IPsec", RFC 2410, November 1998.
+
+ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
+ Internet Protocol", RFC 4301, December 2005.
+
+ [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
+ December 2005.
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
+ RFC 4303, December 2005.
+
+10.2. Informative References
+
+ [AUTH-ONLY-ESP]
+ Hoffman, P. and D. McGrew, "An Authentication-only
+ Profile for ESP with an IP Protocol Identifier", Work
+ in Progress, August 2007.
+
+ [ESP-NULL] Bhatia, M., "Identifying ESP-NULL Packets", Work
+ in Progress, December 2008.
+
+ [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and
+ M. Stenberg, "UDP Encapsulation of IPsec ESP Packets",
+ RFC 3948, January 2005.
+
+ [RFC4359] Weis, B., "The Use of RSA/SHA-1 Signatures within
+ Encapsulating Security Payload (ESP) and Authentication
+ Header (AH)", RFC 4359, January 2006.
+
+
+
+
+
+Kivinen & McDonald Informational [Page 18]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ [RFC4555] Eronen, P., "IKEv2 Mobility and Multihoming Protocol
+ (MOBIKE)", RFC 4555, June 2006.
+
+ [RFC4835] Manral, V., "Cryptographic Algorithm Implementation
+ Requirements for Encapsulating Security Payload (ESP)
+ and Authentication Header (AH)", RFC 4835, April 2007.
+
+ [RFC4960] Stewart, R., "Stream Control Transmission Protocol",
+ RFC 4960, September 2007.
+
+ [RFC5840] Grewal, K., Montenegro, G., and M. Bhatia, "Wrapped
+ Encapsulating Security Payload (ESP) for Traffic
+ Visibility", RFC 5840, April 2010.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kivinen & McDonald Informational [Page 19]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+Appendix A. Example Pseudocode
+
+ This appendix is meant for the implementors. It does not include all
+ the required checks, and this is just example pseudocode, so final
+ implementation can be very different. It mostly lists things that
+ need to be done, but implementations can optimize steps depending on
+ their other parts. For example, implementation might combine
+ heuristics and deep inspection tightly together.
+
+A.1. Fastpath
+
+ The following example pseudocode show the fastpath part of the packet
+ processing engine. This part is usually implemented in hardware.
+
+ ////////////////////////////////////////////////////////////
+ // This pseudocode uses following variables:
+ //
+ // SPI_offset: Number of bytes between start of protocol
+ // data and SPI. This is 0 for ESP and
+ // 8 for UDP-encapsulated ESP (i.e, skipping
+ // UDP header).
+ //
+ // IV_len: Length of the IV of the ESP-NULL packet.
+ //
+ // ICV_len: Length of the ICV of the ESP-NULL packet.
+ //
+ // State: State of the packet, i.e., ESP-NULL, ESP, or
+ // unsure.
+ //
+ // Also following data is taken from the packet:
+ //
+ // IP_total_len: Total IP packet length.
+ // IP_hdr_len: Header length of IP packet in bytes.
+ // IP_Src_IP: Source address of IP packet.
+ // IP_Dst_IP: Destination address of IP packet.
+ //
+ // UDP_len: Length of the UDP packet taken from UDP header.
+ // UDP_src_port: Source port of UDP packet.
+ // UDP_dst_port: Destination port of UDP packet.
+ //
+ // SPI: SPI number from ESP packet.
+ //
+ // Protocol: Actual protocol number of the protocol inside
+ // ESP-NULL packet.
+ // Protocol_off: Calculated offset to the protocol payload data
+ // inside ESP-NULL packet.
+
+
+
+
+
+Kivinen & McDonald Informational [Page 20]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ ////////////////////////////////////////////////////////////
+ // This is the main processing code for the packet
+ // This will check if the packet requires ESP processing,
+ //
+ Process packet:
+ * If IP protocol is ESP
+ * Set SPI_offset to 0 bytes
+ * Goto Process ESP
+ * If IP protocol is UDP
+ * Goto Process UDP
+ * If IP protocol is WESP
+ // For information about WESP processing, see WESP
+ // specification.
+ * Continue WESP processing
+ * Continue Non-ESP processing
+
+ ////////////////////////////////////////////////////////////
+ // This code is run for UDP packets, and it checks if the
+ // packet is UDP encapsulated UDP packet, or UDP
+ // encapsulated IKE packet, or keepalive packet.
+ //
+ Process UDP:
+ // Reassembly is not mandatory here, we could
+ // do reassembly also only after detecting the
+ // packet being UDP encapsulated ESP packet, but
+ // that would complicate the pseudocode here
+ // a lot, as then we would need to add code
+ // for checking whether or not the UDP header is in this
+ // packet.
+ // Reassembly is to simplify things
+ * If packet is fragment
+ * Do full reassembly before processing
+ * If UDP_src_port != 4500 and UDP_dst_port != 4500
+ * Continue Non-ESP processing
+ * Set SPI_offset to 8 bytes
+ * If UDP_len > 4 and first 4 bytes of UDP packet are 0x000000
+ * Continue Non-ESP processing (pass IKE-packet)
+ * If UDP_len > 4 and first 4 bytes of UDP packet are 0x000002
+ * Continue WESP processing
+ * If UDP_len == 1 and first byte is 0xff
+ * Continue Non-ESP processing (pass NAT-Keepalive Packet)
+ * Goto Process ESP
+
+
+
+
+
+
+
+
+
+Kivinen & McDonald Informational [Page 21]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ ////////////////////////////////////////////////////////////
+ // This code is run for ESP packets (or UDP-encapsulated ESP
+ // packets). This checks if IPsec flow is known, and
+ // if not calls heuristics. If the IPsec flow is known
+ // then it continues processing based on the policy.
+ //
+ Process ESP:
+ * If packet is fragment
+ * Do full reassembly before processing
+ * If IP_total_len < IP_hdr_len + SPI_offset + 4
+ // If this packet was UDP encapsulated ESP packet then
+ // this might be valid UDP packet that might
+ // be passed or dropped depending on policy.
+ * Continue normal packet processing
+ * Load SPI from IP_hdr_len + SPI_offset
+ * Initialize State to ESP
+ // In case this was UDP encapsulated ESP, use UDP_src_port and
+ // UDP_dst_port also when finding data from SPI cache.
+ * Find IP_Src_IP + IP_Dst_IP + SPI from SPI cache
+ * If SPI found
+ * Load State, IV_len, ICV_len from cache
+ * If SPI not found or State is unsure
+ * Call Autodetect ESP parameters (drop to slowpath)
+ * If State is ESP
+ * Continue Non-ESP-NULL processing
+ * Goto Check ESP-NULL packet
+
+ ////////////////////////////////////////////////////////////
+ // This code is run for ESP-NULL packets, and this
+ // finds out the data required for deep-inspection
+ // engine (protocol number, and offset to data)
+ // and calls the deep-inspection engine.
+ //
+ Check ESP-NULL packet:
+ * If IP_total_len < IP_hdr_len + SPI_offset + IV_len + ICV_len
+ + 4 (spi) + 4 (seq no) + 4 (protocol + padding)
+ // This packet was detected earlier as being part of
+ // ESP-NULL flow, so this means that either ESP-NULL
+ // was replaced with other flow or this is an invalid packet.
+ // Either drop or pass the packet, or restart
+ // heuristics based on the policy
+ * Continue packet processing
+ * Load Protocol from IP_total_len - ICV_len - 1
+ * Set Protocol_off to
+ IP_hdr_len + SPI_offset + IV_len + 4 (spi) + 4 (seq no)
+ * Do normal deep inspection on packet.
+
+
+
+
+
+Kivinen & McDonald Informational [Page 22]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ Figure 3
+
+A.2. Slowpath
+
+ The following example pseudocode shows the actual heuristics part of
+ the packet processing engine. This part is usually implemented in
+ software.
+
+ ////////////////////////////////////////////////////////////
+ // This pseudocode uses following variables:
+ //
+ // SPI_offset, IV_len, ICV_len, State, SPI,
+ // IP_total_len, IP_hdr_len, IP_Src_IP, IP_Dst_IP
+ // as defined in fastpath pseudocode.
+ //
+ // Stored_Check_Bits:Number of bits we have successfully
+ // checked to contain acceptable values
+ // in the actual payload data. This value
+ // is stored/retrieved from SPI cache.
+ //
+ // Check_Bits: Number of bits we have successfully
+ // checked to contain acceptable values
+ // in the actual payload data. This value
+ // is updated during the packet
+ // verification.
+ //
+ // Last_Packet_Data: Contains selected pieces from the
+ // last packet. This is used to compare
+ // certain fields of this packet to
+ // same fields in previous packet.
+ //
+ // Packet_Data: Selected pieces of this packet, same
+ // fields as Last_Packet_Data, and this
+ // is stored as new Last_Packet_Data to
+ // SPI cache after this packet is processed.
+ //
+ // Test_ICV_len: Temporary ICV length used during tests.
+ // This is stored to ICV_len when
+ // padding checks for the packet succeed
+ // and the packet didn't yet have unsure
+ // status.
+ //
+ // Test_IV_len: Temporary IV length used during tests.
+ //
+ // Pad_len: Padding length from the ESP packet.
+ //
+
+
+
+
+
+Kivinen & McDonald Informational [Page 23]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ // Protocol: Protocol number of the packet inside ESP
+ // packet.
+ //
+ // TCP.*: Fields from TCP header (from inside ESP)
+ // UDP.*: Fields from UDP header (from inside ESP)
+
+ ////////////////////////////////////////////////////////////
+ // This code starts the actual heuristics.
+ // During this the fastpath has already loaded
+ // State, ICV_len, and IV_len in case they were
+ // found from the SPI cache (i.e., in case the flow
+ // had unsure status).
+ //
+ Autodetect ESP parameters:
+ // First, we check if this is unsure flow, and
+ // if so, we check next packet against the
+ // already set IV/ICV_len combination.
+ * If State is unsure
+ * Call Verify next packet
+ * If State is ESP-NULL
+ * Goto Store ESP-NULL SPI cache info
+ * If State is unsure
+ * Goto Verify unsure
+ // If we failed the test, i.e., State
+ // was changed to ESP, we check other
+ // ICV/IV_len values, i.e., fall through
+ // ICV lengths are tested in order of ICV lengths,
+ // from shortest to longest.
+ * Call Try standard algorithms
+ * If State is ESP-NULL
+ * Goto Store ESP-NULL SPI cache info
+ * Call Try 128bit algorithms
+ * If State is ESP-NULL
+ * Goto Store ESP-NULL SPI cache info
+ * Call Try 192bit algorithms
+ * If State is ESP-NULL
+ * Goto Store ESP-NULL SPI cache info
+ * Call Try 256bit algorithms
+ * If State is ESP-NULL
+ * Goto Store ESP-NULL SPI cache info
+ // AUTH_DES_MAC and AUTH_KPDK_MD5 are left out from
+ // this document.
+ // If any of those test above set state to unsure
+ // we mark IPsec flow as unsure.
+ * If State is unsure
+ * Goto Store unsure SPI cache info
+
+
+
+
+
+Kivinen & McDonald Informational [Page 24]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ // All of the test failed, meaning the packet cannot
+ // be ESP-NULL packet, thus we mark IPsec flow as ESP
+ * Goto Store ESP SPI cache info
+ ////////////////////////////////////////////////////////////
+ // Store ESP-NULL status to the IPsec flow cache.
+ //
+ Store ESP-NULL SPI cache info:
+ * Store State, IV_len, ICV_len to SPI cache
+ using IP_Src_IP + IP_Dst_IP + SPI as key
+ * Continue Check ESP-NULL packet
+
+ ////////////////////////////////////////////////////////////
+ // Store encrypted ESP status to the IPsec flow cache.
+ //
+ Store ESP SPI cache info:
+ * Store State, IV_len, ICV_len to SPI cache
+ using IP_Src_IP + IP_Dst_IP + SPI as key
+ * Continue Check non-ESP-NULL packet
+
+ ////////////////////////////////////////////////////////////
+ // Store unsure flow status to IPsec flow cache.
+ // Here we also store the Check_Bits.
+ //
+ Store unsure SPI cache info:
+ * Store State, IV_len, ICV_len,
+ Stored_Check_Bits to SPI cache
+ using IP_Src_IP + IP_Dst_IP + SPI as key
+ * Continue Check unknown packet
+
+ ////////////////////////////////////////////////////////////
+ // Verify this packet against the previously selected
+ // ICV_len and IV_len values. This will either
+ // fail (and set state to ESP to mark we do not yet
+ // know what type of flow this is) or will
+ // increment Check_Bits.
+ //
+ Verify next packet:
+ // We already have IV_len, ICV_len, and State loaded
+ * Load Stored_Check_Bits, Last_Packet_Data from SPI Cache
+ * Set Test_ICV_len to ICV_len, Test_IV_len to IV_len
+ * Initialize Check_Bits to 0
+ * Call Verify padding
+ * If verify padding returned Failure
+ // Initial guess was wrong, restart
+ * Set State to ESP
+ * Clear IV_len, ICV_len, State,
+ Stored_Check_Bits, Last_Packet_Data
+ from SPI Cache
+
+
+
+Kivinen & McDonald Informational [Page 25]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ * Return
+ // Ok, padding check succeeded again
+ * Call Verify packet
+ * If verify packet returned Failure
+ // Guess was wrong, restart
+ * Set State to ESP
+ * Clear IV_len, ICV_len, State,
+ Stored_Check_Bits, Last_Packet_Data
+ from SPI Cache
+ * Return
+ // It succeeded and updated Check_Bits and Last_Packet_Data store
+ // them to SPI cache.
+ * Increment Stored_Check_Bits by Check_Bits
+ * Store Stored_Check_Bits to SPI Cache
+ * Store Packet_Data as Last_Packet_Data to SPI cache
+ * Return
+
+ ////////////////////////////////////////////////////////////
+ // This will check if we have already seen enough bits
+ // acceptable from the payload data, so we can decide
+ // that this IPsec flow is ESP-NULL flow.
+ //
+ Verify unsure:
+ // Check if we have enough check bits.
+ * If Stored_Check_Bits > configured limit
+ // We have checked enough bits, return ESP-NULL
+ * Set State ESP-NULL
+ * Goto Store ESP-NULL SPI cache info
+ // Not yet enough bits, continue
+ * Continue Check unknown packet
+
+ ////////////////////////////////////////////////////////////
+ // Check for standard 96-bit algorithms.
+ //
+ Try standard algorithms:
+ // AUTH_HMAC_MD5_96, AUTH_HMAC_SHA1_96, AUTH_AES_XCBC_96,
+ // AUTH_AES_CMAC_96
+ * Set Test_ICV_len to 12, Test_IV_len to 0
+ * Goto Check packet
+
+ ////////////////////////////////////////////////////////////
+ // Check for 128-bit algorithms, this is only one that
+ // can have IV, so we need to check different IV_len values
+ // here too.
+ //
+ Try 128bit algorithms:
+ // AUTH_HMAC_SHA2_256_128, ENCR_NULL_AUTH_AES_GMAC
+ * Set Test_ICV_len to 16, Test_IV_len to 0
+
+
+
+Kivinen & McDonald Informational [Page 26]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ * If IP_total_len < IP_hdr_len + SPI_offset
+ + Test_IV_len + Test_ICV_len
+ + 4 (spi) + 4 (seq no) + 4 (protocol + padding)
+ * Return
+ * Call Verify padding
+ * If verify padding returned Failure
+ * Return
+ * Initialize Check_Bits to 0
+ * Call Verify packet
+ * If verify packet returned Failure
+ * Goto Try GMAC
+ // Ok, packet seemed ok, but go now and check if we have enough
+ // data bits so we can assume it is ESP-NULL
+ * Goto Check if done for unsure
+
+ ////////////////////////////////////////////////////////////
+ // Check for GMAC MACs, i.e., MACs that have an 8-byte IV.
+ //
+ Try GMAC:
+ // ENCR_NULL_AUTH_AES_GMAC
+ * Set Test_IV_len to 8
+ * If IP_total_len < IP_hdr_len + SPI_offset
+ + Test_IV_len + Test_ICV_len
+ + 4 (spi) + 4 (seq no) + 4 (protocol + padding)
+ * Return
+ * Initialize Check_Bits to 0
+ * Call Verify packet
+ * If verify packet returned Failure
+ // Guess was wrong, continue
+ * Return
+ // Ok, packet seemed ok, but go now and check if we have enough
+ // data bits so we can assume it is ESP-NULL
+ * Goto Check if done for unsure
+
+ ////////////////////////////////////////////////////////////
+ // Check for 192-bit algorithms.
+ //
+ Try 192bit algorithms:
+ // AUTH_HMAC_SHA2_384_192
+ * Set Test_ICV_len to 24, Test_IV_len to 0
+ * Goto Check packet
+
+ ////////////////////////////////////////////////////////////
+ // Check for 256-bit algorithms.
+ //
+ Try 256bit algorithms:
+ // AUTH_HMAC_SHA2_512_256
+ * Set Test_ICV_len to 32, Test_IV_len to 0
+
+
+
+Kivinen & McDonald Informational [Page 27]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ * Goto Check packet
+
+ ////////////////////////////////////////////////////////////
+ // This actually does the checking for the packet, by
+ // first verifying the length, and then self describing
+ // padding, and if that succeeds, then checks the actual
+ // payload content.
+ //
+ Check packet:
+ * If IP_total_len < IP_hdr_len + SPI_offset
+ + Test_IV_len + Test_ICV_len
+ + 4 (spi) + 4 (seq no) + 4 (protocol + padding)
+ * Return
+ * Call Verify padding
+ * If verify padding returned Failure
+ * Return
+ * Initialize Check_Bits to 0
+ * Call Verify packet
+ * If verify packet returned Failure
+ // Guess was wrong, continue
+ * Return
+ // Ok, packet seemed ok, but go now and check if we have enough
+ // data bits so we can assume it is ESP-NULL
+ * Goto Check if done for unsure
+
+ ////////////////////////////////////////////////////////////
+ // This code checks if we have seen enough acceptable
+ // values in the payload data, so we can decide that this
+ // IPsec flow is ESP-NULL flow.
+ //
+ Check if done for unsure:
+ * If Stored_Check_Bits > configured limit
+ // We have checked enough bits, return ESP-NULL
+ * Set State ESP-NULL
+ * Set IV_len to Test_IV_len, ICV_len to Test_ICV_len
+ * Clear Stored_Check_Bits, Last_Packet_Data from SPI Cache
+ * Return
+ // Not yet enough bits, check if this is first unsure, if so
+ // store information. In case there are multiple
+ // tests succeeding, we always assume the first one
+ // (the one using shortest MAC) is the one we want to
+ // check in the future.
+ * If State is not unsure
+ * Set State unsure
+
+
+
+
+
+
+
+Kivinen & McDonald Informational [Page 28]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ // These values will be stored to SPI cache if
+ // the final state will be unsure
+ * Set IV_len to Test_IV_len, ICV_len to Test_ICV_len
+ * Set Stored_Check_Bits as Check_Bits
+ * Return
+
+ ////////////////////////////////////////////////////////////
+ // Verify self describing padding
+ //
+ Verify padding:
+ * Load Pad_len from IP_total_len - Test_ICV_len - 2
+ * Verify padding bytes at
+ IP_total_len - Test_ICV_len - 1 - Pad_len ..
+ IP_total_len - Test_ICV_len - 2 are
+ 1, 2, ..., Pad_len
+ * If Verify of padding bytes succeeded
+ * Return Success
+ * Return Failure
+
+ ////////////////////////////////////////////////////////////
+ // This will verify the actual protocol content inside ESP
+ // packet.
+ //
+ Verify packet:
+ // We need to first check things that cannot be set, i.e., if any of
+ // those are incorrect, then we return Failure. For any
+ / fields that might be correct, we increment the Check_Bits
+ // for a suitable amount of bits. If all checks pass, then
+ // we just return Success, and the upper layer will then
+ // later check if we have enough bits checked already.
+ * Load Protocol From IP_total_len - Test_ICV_len - 1
+ * If Protocol TCP
+ * Goto Verify TCP
+ * If Protocol UDP
+ * Goto Verify UDP
+ // Other protocols can be added here as needed, most likely same
+ // protocols as deep inspection does.
+ // Tunnel mode checks (protocol 4 for IPv4 and protocol 41 for
+ // IPv6) is also left out from here to make the document shorter.
+ * Return Failure
+
+ ////////////////////////////////////////////////////////////
+ // Verify TCP protocol headers
+ //
+ Verify TCP:
+ // First we check things that must be set correctly.
+ * If TCP.Data_Offset field < 5
+ // TCP head length too small
+
+
+
+Kivinen & McDonald Informational [Page 29]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ * Return Failure
+ // After that, we start to check things that do not
+ // have one definitive value, but can have multiple possible
+ // valid values.
+ * If TCP.ACK bit is not set, then check
+ that TCP.Acknowledgment_number field contains 0
+ // If the ACK bit is not set, then the acknowledgment
+ // field usually contains 0, but I do not think
+ // RFCs mandate it being zero, so we cannot make
+ // this a failure if it is not so.
+ * Increment Check_Bits by 32
+ * If TCP.URG bit is not set, then check
+ that TCP.Urgent_Pointer field contains 0
+ // If the URG bit is not set, then urgent pointer
+ // field usually contains 0, but I do not think
+ // RFCs mandate it being zero, so we cannot make
+ // this failure if it is not so.
+ * Increment Check_Bits by 16
+ * If TCP.Data_Offset field == 5
+ * Increment Check_Bits by 4
+ * If TCP.Data_Offset field > 5
+ * If TCP options format is valid and it is padded correctly
+ * Increment Check_Bits accordingly
+ * If TCP options format was garbage
+ * Return Failure
+ * If TCP.checksum is correct
+ // This might be wrong because packet passed NAT, so
+ // we cannot make this failure case.
+ * Increment Check_Bits by 16
+ // We can also do normal deeper TCP inspection here, i.e.,
+ // check that the SYN/ACK/FIN/RST bits are correct and state
+ // matches the state of existing flow if this is packet
+ // to existing flow, etc.
+ // If there is anything clearly wrong in the packet (i.e.,
+ // some data is set to something that it cannot be), then
+ // this can return Failure; otherwise, it should just
+ // increment Check_Bits matching the number of bits checked.
+ //
+ // We can also check things here compared to the last packet
+ * If Last_Packet_Data.TCP.source port =
+ Packet_Data.TCP.source_port and
+ Last_Packet_Data.TCP.destination port =
+ Packet_Data.TCP.destination port
+ * Increment Check_Bits by 32
+ * If Last_Packet_Data.TCP.Acknowledgement_number =
+ Packet_Data.TCP.Acknowledgement_number
+ * Increment Check_Bits by 32
+ * If Last_Packet_Data.TCP.sequence_number =
+
+
+
+Kivinen & McDonald Informational [Page 30]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+ Packet_Data.TCP.sequence_number
+ * Increment Check_Bits by 32
+ // We can do other similar checks here
+ * Return Success
+
+ ////////////////////////////////////////////////////////////
+ // Verify UDP protocol headers
+ //
+ Verify UDP:
+ // First we check things that must be set correctly.
+ * If UDP.UDP_length > IP_total_len - IP_hdr_len - SPI_offset
+ - Test_IV_len - Test_ICV_len - 4 (spi)
+ - 4 (seq no) - 1 (protocol)
+ - Pad_len - 1 (Pad_len)
+ * Return Failure
+ * If UDP.UDP_length < 8
+ * Return Failure
+ // After that, we start to check things that do not
+ // have one definitive value, but can have multiple possible
+ // valid values.
+ * If UDP.UDP_checksum is correct
+ // This might be wrong because packet passed NAT, so
+ // we cannot make this failure case.
+ * Increment Check_Bits by 16
+ * If UDP.UDP_length = IP_total_len - IP_hdr_len - SPI_offset
+ - Test_IV_len - Test_ICV_len - 4 (spi)
+ - 4 (seq no) - 1 (protocol)
+ - Pad_len - 1 (Pad_len)
+ // If there is no TFC padding then UDP_length
+ // will be matching the full packet length
+ * Increment Check_Bits by 16
+ // We can also do normal deeper UDP inspection here.
+ // If there is anything clearly wrong in the packet (i.e.,
+ // some data is set to something that it cannot be), then
+ // this can return Failure; otherwise, it should just
+ // increment Check_Bits matching the number of bits checked.
+ //
+ // We can also check things here compared to the last packet
+ * If Last_Packet_Data.UDP.source_port =
+ Packet_Data.UDP.source_port and
+ Last_Packet_Data.destination_port =
+ Packet_Data.UDP.destination_port
+ * Increment Check_Bits by 32
+ * Return Success
+
+ Figure 4
+
+
+
+
+
+Kivinen & McDonald Informational [Page 31]
+
+RFC 5879 Heuristics for Detecting ESP-NULL May 2010
+
+
+Authors' Addresses
+
+ Tero Kivinen
+ AuthenTec, Inc.
+ Fredrikinkatu 47
+ Helsinki FIN-00100
+ FI
+
+ EMail: kivinen@iki.fi
+
+
+ Daniel L. McDonald
+ Oracle Corporation
+ 35 Network Drive
+ MS UBUR02-212
+ Burlington, MA 01803
+ USA
+
+ EMail: danmcd@opensolaris.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kivinen & McDonald Informational [Page 32]
+