04002-LOR 2004
IPSEC/DNS INTERACTIONS (Les interactions IPsec/DNS)

---ooo---

Abstract:
Jean-Jacques.Puig@int-evry.fr
Maryline.Maknavicius@int-evry.fr
DNS zone transfer (AXFR) request against the int-evry.fr zone, as given in the paper:

    dig int-evry.fr. @pompei.int-evry.fr. AXFR
[Figure: host, legitimate peer, name servers DNS 1 ... DNS n, router, gateway (IPsec) and attacker. Legend: (*) low-bandwidth links, (-) high-bandwidth links]

Flood ping command cited in the paper ([2]), where nombre is the preload count, taille the packet size and destination the target address:

    ping -n -q -f -Q 0x08 -M dont -l nombre -s taille destination
[Figure: test bed with addresses 192.168.2.50 (tunnel endpoint), 192.168.1.80, 192.168.2.1, 192.168.1.1, 157.159.100.49, 157.159.100.52, 192.168.3.76 and 192.168.3.1 (tunnel endpoint). Legend: (*) low-bandwidth links, (-) high-bandwidth links]

CBQ traffic shaping on eth2 that limits traffic destined to 157.159.100.52 to 64 kbit/s ([3]):

    tc qdisc add dev eth2 root handle 1: cbq avpkt 1000 bandwidth 1mbit
    tc class add dev eth2 parent 1: classid 1:1 cbq rate 64kbit \
        allot 1500 prio 5 bounded isolated
    tc filter add dev eth2 parent 1: protocol ip prio 16 u32 \
        match ip dst 157.159.100.52 flowid 1:1
Kernel configuration options enabled for the IPsec stack (FreeS/WAN KLIPS) and for netfilter AH/ESP matching:

    CONFIG_IP_NF_MATCH_AH_ESP
    CONFIG_IPSEC_IPIP
    CONFIG_IPSEC_AH
    CONFIG_IPSEC_AUTH_HMAC_MD5
    CONFIG_IPSEC_AUTH_HMAC_SHA1
    CONFIG_IPSEC_ESP
    CONFIG_IPSEC_ENC_3DES
    CONFIG_IPCOMP
    CONFIG_IPSEC_DEBUG
    CONFIG_IPSEC_REGRESS
[Figure: tunnel between 192.168.2.50 and 157.159.100.52 (tunnel endpoints), via 192.168.1.80, 192.168.2.1, 192.168.1.1 and 157.159.100.49]

ipsec.secrets with the host-specific entry listed before the entry that has no index:

    roadwarrior.maquette.int-evry.fr: RSA {... clef RSA 1... }
    : RSA {... clef RSA 2... }

The same file with the two entries swapped:

    : RSA {... clef RSA 2... }
    roadwarrior.maquette.int-evry.fr: RSA {... clef RSA 1... }
[Table: connection entries in three orderings (List 1, List 2, List 2')]

    List 1             List 2             List 2'
    [1, IP, *, RSA]    [3, Nb, C, RSA]    [4, Nr, C, PSK]
    [2, Nr, *, RSA]    [4, Nr, C, PSK]    [1, IP, *, RSA]
    [3, Nb, C, RSA]    [1, IP, *, RSA]    [2, Nr, *, RSA]
    [4, Nr, C, PSK]    [2, Nr, *, RSA]    [3, Nb, C, RSA]
    [5, *, C, PSK]     [5, *, C, PSK]     [5, *, C, PSK]
    [6, *, C, RSA]     [6, *, C, RSA]     [6, *, C, RSA]

Legend: [order, host, peer, key]
    Nb: blocked name (resolution thwarted)
    Nr: resolved name
    IP: IP address
    * : wildcard (default selector)
[Table: connection entries in three orderings (List 1, List 2, List 3), with separators (B1), (A) and (B2) at the positions marked]

    List 1                    List 2                    List 3
    [1, IP_1, IP_C1, RSA]     [1, IP_1, IP_C1, RSA]     [3, Nb_1, IP_C2, RSA]
    [2, IP_2, IP_C2, RSA]     [3, Nb_1, IP_C2, RSA]     [6, @N_2, Nb_C2, RSA]
    [3, Nb_1, IP_C2, RSA]     [6, @N_2, Nb_C2, RSA]     [7, @N_1, Nr_C2, PSK]
    -(B1)------------------
    [4, Nr_2, IP_C3, PSK]     [7, @N_1, Nr_C2, PSK]     [1, IP_1, IP_C1, RSA]
    -(A)-------------------------------------------
    [5, *, Nr_C1, RSA]        [2, IP_2, IP_C2, RSA]     [2, IP_2, IP_C2, RSA]
    -(B2)------------------
    [6, @N_2, Nb_C2, RSA]     [4, Nr_2, IP_C3, PSK]     [4, Nr_2, IP_C3, PSK]
    [7, @N_1, Nr_C2, PSK]     [5, *, Nr_C1, RSA]        [5, *, Nr_C1, RSA]
    [8, IP_3, IP_C3, PSK]     [8, IP_3, IP_C3, PSK]     [8, IP_3, IP_C3, PSK]
    [9, *, %any, RSA]         [9, *, %any, RSA]         [9, *, %any, RSA]
    [A, *, *, RSA]            [A, *, *, RSA]            [A, *, *, RSA]

[Table: the same entries in the orderings List 1, List 2', List 3']

    List 1                    List 2'                   List 3'
    [1, IP_1, IP_C1, RSA]     [1, IP_1, IP_C1, RSA]     [7, @N_1, Nr_C2, PSK]
    -(B1)------------------
    [2, IP_2, IP_C2, RSA]     [6, @N_2, Nb_C2, RSA]     [1, IP_1, IP_C1, RSA]
    [3, Nb_1, IP_C2, RSA]     [7, @N_1, Nr_C2, PSK]     [6, @N_2, Nb_C2, RSA]
    -(A)-------------------------------------------
    [4, Nr_2, IP_C3, PSK]     [3, Nb_1, IP_C2, RSA]     [3, Nb_1, IP_C2, RSA]
    [5, *, Nr_C1, RSA]        [2, IP_2, IP_C2, RSA]     [2, IP_2, IP_C2, RSA]
    -(B2)------------------
    [6, @N_2, Nb_C2, RSA]     [4, Nr_2, IP_C3, PSK]     [4, Nr_2, IP_C3, PSK]
    [7, @N_1, Nr_C2, PSK]     [5, *, Nr_C1, RSA]        [5, *, Nr_C1, RSA]
    [8, IP_3, IP_C3, PSK]     [8, IP_3, IP_C3, PSK]     [8, IP_3, IP_C3, PSK]
    [9, *, %any, RSA]         [9, *, %any, RSA]         [9, *, %any, RSA]
    [A, *, *, RSA]            [A, *, *, RSA]            [A, *, *, RSA]

Legend: [order, host, peer, key]
    Nb  : blocked name (resolution thwarted)
    Nr  : resolved name
    @N  : symbolic name (unresolved)
    IP  : IP address
    *   : wildcard (default selector)
    %any: any peer
Quoted warning from the ipsec.conf documentation (in English in the original): "In many cases it is a bad idea to use domain names because the name server may not be running or may be insecure."

Pluto message:

    024 need --listen before --initiate
Pluto message:

    022 "rwsg": we have no ipsecn interface for either end of this connection
Pluto messages for connection "rwsg":

    031 "rwsg" 1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
    021 no connection named "rwsg"

When the subnet is given as a symbolic name:

    ipsec plutorun: whack error: "rwsg" does not look numeric and name lookup failed "toto-le-sous-reseau/24"
    ipsec plutorun:...could not add conn "rwsg"
    024 need --listen before --initiate

When the router is given as a symbolic name:

    ipsec plutorun: whack error: "rwsg" does not look numeric and name lookup failed "toto-le-routeur/24"
    ipsec plutorun:...could not add conn "rwsg"
Pluto messages when the gateway identity @toto-la-passerelle has to be fetched from DNS (TXT and KEY records):

    021 no connection named "rwsg"
    ipsec plutorun: 028 failure to fetch key for @toto-la-passerelle from DNS: failure querying DNS for TXT of toto-la-passerelle: Hostname lookup failure
    ipsec plutorun: 028 failure to fetch key for @toto-la-passerelle from DNS: failure querying DNS for KEY of toto-la-passerelle: Hostname lookup failure
    ipsec plutorun:...could not add conn "rwsg"

    003 "rwsg" 1: unable to locate my private key for RSA Signature
Pluto message:

    ipsec plutorun: 027 bad --keyid "%myid": illegal (non-dns-name) character in name

[Figure: tunnel between 192.168.2.50 and 157.159.100.52 (tunnel endpoints), via 192.168.1.80, 192.168.2.1, 192.168.1.1 and 157.159.100.49, with a DNS server at 192.168.3.27]
[Figure: host H, DNS server, firewall, security gateways SG-A and SG-B]
[Figure: Host-1, Server, DNS, SG-A, Internet, SG-B, Host-2]
[Figure: networks Net-A, Net-B1 and Net-B2, name server DNS-C, security gateways SG-A and SG-B around a router, gateways GW-A and GW-B]
References

[1034] RFC 1034, Domain Names - Concepts and Facilities, 1987.
[1035] RFC 1035, Domain Names - Implementation and Specification, 1987.
[1912] RFC 1912, Common DNS Operational and Configuration Errors, 1996.
[2535] RFC 2535, Domain Name System Security Extensions, 1999.
[2] Note on the ping preload option: "WARNING: probably, rcvbuf is not enough to hold preload."