RFC 5685 - Redirect Mechanism: Difference between revisions

From Libreswan
Jump to navigation Jump to search
No edit summary
No edit summary
 
(5 intermediate revisions by the same user not shown)
Line 3: Line 3:
[https://tools.ietf.org/html/rfc5685 RFC 5685] is a document that specifies guidelines for usage of Redirect Mechanism for Internet Key Exchange Version 2 (IKEv2). Basic idea is that responder peers should be able
[https://tools.ietf.org/html/rfc5685 RFC 5685] is a document that specifies guidelines for usage of Redirect Mechanism for Internet Key Exchange Version 2 (IKEv2). Basic idea is that responder peers should be able
to redirect the initiators to a new address. RFC suggests that the main usage is intended for server-to-client architectures, where server could (e.g. when he is going down for maintenance or is overloaded) redirect clients to other servers.
to redirect the initiators to a new address. RFC suggests that the main usage is intended for server-to-client architectures, where server could (e.g. when he is going down for maintenance or is overloaded) redirect clients to other servers.
Cisco, among the other vendors and implementations, supports this RFC and has a nice explanation of the feature [https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-16-10/sec-flex-vpn-xe-16-10-book/sec-cfg-clb-supp.html here].


== Implementation ==
== Implementation ==


To allow the use of Redirect Mechanism in IKEv2, the following changes were made:
To allow the use of Redirect Mechanism in IKEv2, the following main changes were made:


* Two new source code files were created: ''programs/pluto/ikev2_redirect.{h,c}''.
* Two new source code files were created: ''programs/pluto/ikev2_redirect.{h,c}''.
Line 13: Line 15:


* Code for reading connection and config options was updated.
* Code for reading connection and config options was updated.
* Code for issuing dynamic whack commands was added.


* New test cases were added. These can be found as ‘’ikev2-redirect-*’’ folders in testing/pluto/ directory.
* New test cases were added. These can be found as ‘’ikev2-redirect-*’’ folders in testing/pluto/ directory.
Line 26: Line 30:
* '''accept-redirect''' - specify whether to send REDIRECT_SUPPORTED notification (and process incoming REDIRECT notifications) to the other end when we initiate IKEv2 exchange. Allowed values are yes (always send) and no (the default, never send).
* '''accept-redirect''' - specify whether to send REDIRECT_SUPPORTED notification (and process incoming REDIRECT notifications) to the other end when we initiate IKEv2 exchange. Allowed values are yes (always send) and no (the default, never send).


* '''accept-redirect-from''' - specify the address (or list of addresses) where we allow to be redirected to. Both IPv4 and IPv6 addresses are supported as well the FQDNs. The value %any, as well as not specifying any address, signifies that we will redirect to any address gateway sends us in REDIRECT Notify payload.
* '''accept-redirect-to''' - specify the address (or list of addresses) where we allow to be redirected to. Both IPv4 and IPv6 addresses are supported as well the FQDNs. The value %any, as well as not specifying any address, signifies that we will redirect to any address gateway sends us in REDIRECT Notify payload.


Examples:
Examples:
Line 33: Line 37:
   redirect-to=1.2.3.4
   redirect-to=1.2.3.4
</pre>
</pre>
<pre>
<pre>
   accept-redirect=yes
   accept-redirect=yes
   accept-redirect-from=1.1.1.1, 1.2.3.4, server.myserver.org
   accept-redirect-to=1.1.1.1, 1.2.3.4, server.myserver.org
</pre>
</pre>


Two more options are added for config configuration:
Two more options are added for config configuration:


* '''global-redirect''' - specifies whether to send REDIRECT payload in IKE_SA_INIT response when peer receives REDIRECT_SUPPORTED notification. Allowed values are on (redirect all requests), off (don’t redirect at all) and auto (redirect if busy - in DDoS mode).
* '''global-redirect''' - specifies whether to send REDIRECT payload in IKE_SA_INIT response when peer receives REDIRECT_SUPPORTED notification. Allowed values are yes (redirect all requests), no (don’t redirect at all) and auto (redirect if busy - in DDoS mode).


* '''global-redirect-to''' - specify what address to put in REDIRECT payload, that is where to redirect the other end. Both IPv4 and IPv6 addresses are supported as well the FQDNs. Only one address should be specified.
* '''global-redirect-to''' - specify what address to put in REDIRECT payload, that is where to redirect the other end. Both IPv4 and IPv6 addresses are supported as well the FQDNs. Since version 4.0 (14th October 2020), multiple addresses can be specified. In that case, server will go through them and redirect clients evenly to all specified addresses.


Example:
Examples:
<pre>
<pre>
config setup
config setup
   global-redirect=on
   global-redirect=on
   global-redirect-to=1.2.3.4
   global-redirect-to=1.2.3.4
</pre>
<pre>
config setup
  global-redirect=on
  global-redirect-to=1.2.3.4,5.6.7.8,9.10.11.12
</pre>
</pre>


'''Redirect during an active session'''
'''Redirect during an active session'''


It is also possible to redirect specific peer during an active session (established IPsec tunnel). The whack command --redirect is used, followed by --peer-ip <ip-address> and --gateway <ip-address>, meaning
It is also possible to redirect peers (of specific connection) during an active session (established IPsec tunnel). For that, the whack command --redirect-to is used, possibly preceeded by --name <connection-name>, followed by an address or list of addresses. If more than one address is specified, the peers to be redirected will be redirected evenly to specified addresses. If connection name is not specified, all active peers on the server will be
that the peer with address specified after --peer-ip will be redirected to the gateway with IP address following the --gateway command.
redirected.


Examples:
<pre>
ipsec whack --redirect-to 1.2.3.4                              # all active peers will be redirected to address 1.2.3.4
</pre>
<pre>
<pre>
ipsec whack --redirect --peer-ip 1.1.1.1 --gateway 2.2.2.2
ipsec whack --name myconn --redirect-to 1.2.3.4                # active peers of connection myconn will be redirected to address 1.2.3.4
</pre>
</pre>
<pre>
ipsec whack --redirect-to 1.2.3.4,5.6.7.8,9.10.11.12          # all active peers will be (evenly distributed) redirected to addresses 1.2.3.4,5.6.7.8,9.10.11.12
</pre>
== Issues encountered ==
Combining new idea of redirection with network routing logic caused significant problems.


== Future work ==
== Future work ==


There are two more things that would be nice to have:
Things that would be nice to have:
1. (High priority) Redirect all peers connected to one connection with whack command.
 
2. (Low priority) Figure out a way to enable server to decide if to send REDIRECT payload based on multiple, custom, parameters.
1. Figure out a way to enable/disable redirection of peers in IKE_SA_INIT/IKE_AUTH reply based
on multiple parameters.
 
Example: 'Redirect in IKE_SA_INIT all IKEv2 requests received between 2pm and 4pm to gateway X; redirect
in IKE_AUTH all IKEv2 requests (received between 1am and 3am AND peer certificate is issued by Y) to
gateway Z'


== Source code ==
== Source code ==
Code status: merged in master branch, in the meantime it was refactored and heavily improved by main developer D. Hugh Redelmeier.
Code commit can be found here: https://github.com/vukasink/libreswan/commit/cd4dda55fbd15372f1b115f5d9d38b05da6ac50e
Test commit can be found here: https://github.com/vukasink/libreswan/commit/9de3fbf1ee2743e75dd362d52c9852defa6f3936


The main developer of this feature is Vukasin Karadzic. Work on this project was done under the mentorship of Paul Wouters and sponsored by Google as part of Google Summer of Code 2018 Program.
The main developer of this feature is Vukasin Karadzic. Work on this project was done under the mentorship of Paul Wouters and sponsored by Google as part of Google Summer of Code 2018 Program.

Latest revision as of 12:57, 18 October 2020

Introduction

RFC 5685 is a document that specifies guidelines for usage of Redirect Mechanism for Internet Key Exchange Version 2 (IKEv2). Basic idea is that responder peers should be able to redirect the initiators to a new address. RFC suggests that the main usage is intended for server-to-client architectures, where server could (e.g. when he is going down for maintenance or is overloaded) redirect clients to other servers.

Cisco, among the other vendors and implementations, supports this RFC and has a nice explanation of the feature here.

Implementation

To allow the use of Redirect Mechanism in IKEv2, the following main changes were made:

  • Two new source code files were created: programs/pluto/ikev2_redirect.{h,c}.
  • Added code in programs/pluto/ikev2_parent.c which deals with sending and processing of IKEv2 *REDIRECT* Notify payloads.
  • Code for reading connection and config options was updated.
  • Code for issuing dynamic whack commands was added.
  • New test cases were added. These can be found as ‘’ikev2-redirect-*’’ folders in testing/pluto/ directory.

Configuring the IKEv2 Redirect Mechanism in libreswan

Four connection options are added for this mechanism:

  • send-redirect - specifies whether to send REDIRECT payload in IKE_AUTH response when peer receives REDIRECT_SUPPORTED notification. Allowed values are yes (always send), no (never send) and auto (the default, redirect if in DDoS mode).
  • redirect-to - specify what address to put in REDIRECT payload, that is where to redirect the other end. Both IPv4 and IPv6 addresses are supported as well the FQDNs. Only one address should be specified. The value of this option is not considered if send-redirect is set to no.
  • accept-redirect - specify whether to send REDIRECT_SUPPORTED notification (and process incoming REDIRECT notifications) to the other end when we initiate IKEv2 exchange. Allowed values are yes (always send) and no (the default, never send).
  • accept-redirect-to - specify the address (or list of addresses) where we allow to be redirected to. Both IPv4 and IPv6 addresses are supported as well the FQDNs. The value %any, as well as not specifying any address, signifies that we will redirect to any address gateway sends us in REDIRECT Notify payload.

Examples: 

   send-redirect=yes
   redirect-to=1.2.3.4

   accept-redirect=yes
   accept-redirect-to=1.1.1.1, 1.2.3.4, server.myserver.org

Two more options are added for config configuration:

  • global-redirect - specifies whether to send REDIRECT payload in IKE_SA_INIT response when peer receives REDIRECT_SUPPORTED notification. Allowed values are yes (redirect all requests), no (don’t redirect at all) and auto (redirect if busy - in DDoS mode).
  • global-redirect-to - specify what address to put in REDIRECT payload, that is where to redirect the other end. Both IPv4 and IPv6 addresses are supported as well the FQDNs. Since version 4.0 (14th October 2020), multiple addresses can be specified. In that case, server will go through them and redirect clients evenly to all specified addresses.

Examples: 

config setup
   global-redirect=on
   global-redirect-to=1.2.3.4

config setup
   global-redirect=on
   global-redirect-to=1.2.3.4,5.6.7.8,9.10.11.12

Redirect during an active session

It is also possible to redirect peers (of specific connection) during an active session (established IPsec tunnel). For that, the whack command --redirect-to is used, possibly preceeded by --name <connection-name>, followed by an address or list of addresses. If more than one address is specified, the peers to be redirected will be redirected evenly to specified addresses. If connection name is not specified, all active peers on the server will be redirected.

Examples: 

ipsec whack --redirect-to 1.2.3.4                              # all active peers will be redirected to address 1.2.3.4

ipsec whack --name myconn --redirect-to 1.2.3.4                # active peers of connection myconn will be redirected to address 1.2.3.4

ipsec whack --redirect-to 1.2.3.4,5.6.7.8,9.10.11.12           # all active peers will be (evenly distributed) redirected to addresses 1.2.3.4,5.6.7.8,9.10.11.12

Issues encountered

Combining new idea of redirection with network routing logic caused significant problems.

Future work

Things that would be nice to have:

1. Figure out a way to enable/disable redirection of peers in IKE_SA_INIT/IKE_AUTH reply based on multiple parameters.

Example: 'Redirect in IKE_SA_INIT all IKEv2 requests received between 2pm and 4pm to gateway X; redirect in IKE_AUTH all IKEv2 requests (received between 1am and 3am AND peer certificate is issued by Y) to gateway Z'

Source code

Code status: merged in master branch, in the meantime it was refactored and heavily improved by main developer D. Hugh Redelmeier.

Code commit can be found here: https://github.com/vukasink/libreswan/commit/cd4dda55fbd15372f1b115f5d9d38b05da6ac50e

Test commit can be found here: https://github.com/vukasink/libreswan/commit/9de3fbf1ee2743e75dd362d52c9852defa6f3936

The main developer of this feature is Vukasin Karadzic. Work on this project was done under the mentorship of Paul Wouters and sponsored by Google as part of Google Summer of Code 2018 Program.

Retrieved from "https://libreswan.org/wiki/index.php?title=RFC_5685_-_Redirect_Mechanism&oldid=22038"