[Cryptography] IPsec is worse than unusable (Re: TLS/DTLS Use Cases)

Nico Williams nico at cryptonector.com
Wed Apr 2 11:59:52 EDT 2014


On Tue, Apr 01, 2014 at 10:31:54PM -0400, Jerry Leichter wrote:
> IPSec has many faults - so many as to render it unusable - but it did
> get one thing right:  To most code, an IPSec socket looks just like a
> plain TCP socket.  Anything that talks TCP can talk TCP "securely"
> over IPSec with essentially no changes.  ("Securely" in quotes because
> it's a rather specialized notion of "securely".)

Actually, IPsec fails to do exactly what you say.  That is a key failure
of IPsec's.  There are no "IPsec sockets", nor "TCP w/ IPsec sockets".

A TCP SYN and SYN+ACK (etc...) for the same TCP connection can easily be
sent to different peers altogether even though using IPsec!

The reason is a combination of statelessness in IPsec[*] and that
authenticating IP addresses is ETOOHARD, so the typical IPsec
configuration says "anyone with certs from these issuers can claim any
IP addresses from these ranges".  This fails to scale.

Plus IP addresses are meaningless as security identifiers to users and
applications.  connect() to domain names -with IPsec doing the hard work
under the covers- would have been better.

There are ways to fix all this, but it's ETOOLATE for IPsec.

And anyways, in-band key exchange and authentication (TLS, SSH, and
friends) have won out over out-of-band (IKE) key exchange.  Tragic or
not, it is what it is.

Nico

[*] IPsec is a layer below TCP: a "secure" analog to IP.  IP is
    stateless and unaware of TCP (and other) state.  The same is true of
    IPsec.

PS: I know I must sound like a broken record about this, but it's worth
    repeating to all and sundry in the security industry.  IPsec is a
    great case study in critical interface design failures leading to
    market failure for a security protocol.  If we are to learn from
    failure we must identify, study, and teach failures.  I'm sorry to
    pick on you.

    Perhaps it's worth writing a paper/RFC on this topic just so we can
    just point at it every time misconceptions about IPsec come up.  But
    there's no positive value in writing such a thing.
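
A toy model of the point made in the message above, added as an illustration and not part of the original post: a stateless per-packet policy of the "any cert from these issuers may claim any address in this range" kind accepts packets of one TCP connection from two different authenticated peers, and only a per-flow audit notices. The packet records, certificate names and address range are constructed, and the model is a simplification, not real IPsec code.

```python
from ipaddress import ip_address, ip_network

# Constructed policy of the kind the message describes: a certificate from a
# trusted issuer may claim any address in the range. All names are made up.
TRUSTED_ISSUERS = {"CN=Example Corp CA"}
CLAIMABLE_RANGE = ip_network("10.0.0.0/8")

def stateless_accept(pkt):
    """Per-packet check with no TCP state, only issuer and address range."""
    return (pkt["sa"]["issuer"] in TRUSTED_ISSUERS
            and ip_address(pkt["remote_ip"]) in CLAIMABLE_RANGE)

def flow_id(pkt):
    """The TCP connection a packet belongs to, as seen from the local host."""
    return (pkt["local_ip"], pkt["local_port"],
            pkt["remote_ip"], pkt["remote_port"])

def find_split_flows(packets):
    """Map each flow whose accepted packets were authenticated under more
    than one peer identity to the list of identities seen, in order."""
    peers = {}
    for pkt in packets:
        if not stateless_accept(pkt):
            continue
        seen = peers.setdefault(flow_id(pkt), [])
        if pkt["sa"]["subject"] not in seen:
            seen.append(pkt["sa"]["subject"])
    return {flow: ids for flow, ids in peers.items() if len(ids) > 1}

# Constructed security associations: two peers with certs from the trusted
# issuer, one from an untrusted issuer.
HOST_A = {"subject": "CN=host-a", "issuer": "CN=Example Corp CA"}
HOST_B = {"subject": "CN=host-b", "issuer": "CN=Example Corp CA"}
OUTSIDER = {"subject": "CN=host-x", "issuer": "CN=Unknown CA"}

def pkt(flags, sa, remote_port=40000):
    """Build a constructed packet record tagged with the SA it used."""
    return {"local_ip": "10.0.0.1", "local_port": 443, "remote_ip": "10.0.0.5",
            "remote_port": remote_port, "flags": flags, "sa": sa}

SAMPLE = [
    pkt("SYN", HOST_A), pkt("SYN+ACK", HOST_A),
    pkt("ACK", HOST_B),                      # same connection, different peer
    pkt("SYN", HOST_A, 40001), pkt("ACK", HOST_A, 40001),
    pkt("SYN", OUTSIDER, 40002),             # rejected: issuer not trusted
]

if __name__ == "__main__":
    for flow, ids in find_split_flows(SAMPLE).items():
        print(flow, "authenticated as", ids)
```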

