Discussion:
[strongSwan-dev] ISAKMP SA lifetime, Mode Config, and DHCP
Thor Simon
2018-04-05 14:22:21 UTC
Permalink
We've been investigating some sporadic issues with clients failing to receive addresses via the DHCP plugin. I think we've found a general problem with address plugins and would appreciate others' feedback on the best path towards a fix.

First, a few observations:

1) The interface for address plugins is that they're asked for an "address" attr, which is a bare host_t.

2) Mode Config supports an "address lifetime" key but because of #1 above, we don't and can't easily feed this to the client -- it gets an address only, with no notion of expiry.

3) IKEv2 Mode Config is pull-only, so the server can't later tell the client a new address

4) StrongSwan's behavior as a client is to issue a new mode config pull when it renews its Phase 1 SA. This causes another call into the DHCP plugin on the server side, thus another full DORA cycle with the DHCP server or servers, thus a reacquisition of the client's address. This is the only mechanism which causes renewal of a DHCP-allocated address in StrongSwan as far as we can tell.

Issues:

1) Issuing a new config pull on phase 1 SA renewal does not appear to be required by the standard and some peers may not do this, thus allowing their leased addresses to expire with no attempt to reacquire them.

2) If the Phase 1 SA lifetime is longer than the DHCP lease time, the client will continue to use an address whose corresponding lease has expired. For most ISC-dervived DHCP server code, this will cause a serious pathology:
A) the lease expires with no attempt to renew and is marked as "abandoned"
B) if the backing address range runs out of addresses, the server will attempt to ping addresses it believes to have abandoned leases
C) If the Phase 1 SA has not yet expired, the client will respond to the ping
D) The server will thereafter refuse to allocate the address
E) This will eventually exhaust the DHCP server's address space and nobody will get addresses.

3) We can _minimize_ this issue by configuring long DHCP lease times and short Phase 1 SA lifetimes, but not eliminate it. In failover DHCP configurations, per the standard, factors such as the MCLT (max client lead time) will result in some clients receiving shorter-than-default leases until their first renewal, and this will eventually trigger the pathology detailed above.

Possible fixes:

1) Feed the client an address-lifetime attribute along with its address. Then the client will trigger a new DORA cycle at a more appropriate time.

* Clients may not support this attribute (does StrongSwan? We haven't yet looked)
* This requires a change to the API for all plugins which supply addresses, to return the lifetime along with the address.
* But it does seem most correct, since it does tell the client the lease is not eternal.

2) Add more state and a timer to the DHCP plugin such that it knows all addresses it's handled and tries to renew them itself.

* This is fairly heavy
* Not clear what to do if renewal fails

3) Artificially constrain the effective phase 1 SA lifetime server-side so that the server tries to renew the phase 1 before the DHCP lease expires. This should still trigger a new config pull by the client.

* This is an abstraction violation - the DHCP plugin would have to find the relevant client state and mess with it directly, unless the plugin's API were changed as per #1 above

4) Change the client to do a config pull at each Phase 2 renewal instead

* Some other clients do this (or so the comments in the standard say)
* But it isn't really a fix, just reduces the chance of an issue because the phase 2 lifetimes are shorter

++++++

What do others think the best path forwar
Tobias Brunner
2018-04-05 15:52:23 UTC
Permalink
Hi Thor,
Post by Thor Simon
2) Mode Config supports an "address lifetime" key but because of #1 above, we don't and can't easily feed this to the client -- it gets an address only, with no notion of expiry.
It's irrelevant anyway as IKEv1 is dead and the attribute
(INTERNAL_ADDRESS_EXPIRY) was removed from IKEv2 with RFC 5996, which
states (it's also repeated in RFC 7296):

This document removes discussion of the INTERNAL_ADDRESS_EXPIRY
configuration attribute because its implementation was very
problematic. Implementations that conform to this document MUST
ignore proposals that have configuration attribute type 5, the old
value for INTERNAL_ADDRESS_EXPIRY.

There are also some comments about it in RFC 4718, for instance:

Expiry times and explicit renewals are primarily useful in
environments like DHCP, where the server cannot reliably know when
the client has gone away. However, in IKEv2 this is known, and the
gateway can simply free the address when the IKE_SA is deleted.
Post by Thor Simon
3) IKEv2 Mode Config is pull-only, so the server can't later tell the client a new address
It's theoretically possible to push configuration attributes via
CFG_SET/CFG_ACK configuration payloads, but strongSwan does not support
that (not sure if any other implementation does). RFC 7296 says about this:

There are currently
no defined uses for the CFG_SET/CFG_ACK exchange, though they may be
used in connection with extensions based on Vendor IDs. An
implementation of this specification MAY ignore CFG_SET payloads.
Post by Thor Simon
3) We can _minimize_ this issue by configuring long DHCP lease times and short Phase 1 SA lifetimes, but not eliminate it. In failover DHCP configurations, per the standard, factors such as the MCLT (max client lead time) will result in some clients receiving shorter-than-default leases until their first renewal, and this will eventually trigger the pathology detailed above.
With IKEv2 you could request the client to reauthenticate before the
DHCP lease times out by configuring this appropriately (if the client
supports that extension, although, the server will close the SA if the
client does not reauthenticate in time, which releases the lease too).
Post by Thor Simon
1) Feed the client an address-lifetime attribute along with its address. Then the client will trigger a new DORA cycle at a more appropriate time.
* Clients may not support this attribute (does StrongSwan? We haven't yet looked)
No, and since it's IKEv1-only there is not much point considering this.
Post by Thor Simon
* This requires a change to the API for all plugins which supply addresses, to return the lifetime along with the address.
* But it does seem most correct, since it does tell the client the lease is not eternal.
It's very specific to DHCP, though, all other backends tie their leases
to the IKE_SA. The DHCP server could do that too, I guess, as the DHCP
plugin sends a DHCP RELEASE when the IKE_SA is terminated, so leases
wouldn't have to time out (there might be some refcounting required in
the plugin to handle IKEv2 make-before-break reauthentication properly,
though - not sure if anybody ever tested this combination).
Post by Thor Simon
2) Add more state and a timer to the DHCP plugin such that it knows all addresses it's handled and tries to renew them itself.
* This is fairly heavy
* Not clear what to do if renewal fails
The leases are cached in the plugin, so I guess this could be
implemented somehow. But yeah, if a renewal fails (why should it
though?) this could be tricky (I suppose, you'd have to close the SA
somehow, there is currently no direct link to them from the leases,
though). So not letting leases time out is preferable.
Post by Thor Simon
3) Artificially constrain the effective phase 1 SA lifetime server-side so that the server tries to renew the phase 1 before the DHCP lease expires. This should still trigger a new config pull by the client.
* This is an abstraction violation - the DHCP plugin would have to find the relevant client state and mess with it directly, unless the plugin's API were changed as per #1 above
The server can't reauthenticate in all cases (in particular with
asymmetric authentication, or with IKEv2 and virtual IPs). But with
IKEv2 you could pass the lease time to the IKE_SA (via
set_auth_lifetime() method), which would then request the client to
reauthenticate before this (if it supports RFC 4478, otherwise the
server will close the IKE_SA when it expires if the client did not
reauthenticate before that).
Post by Thor Simon
4) Change the client to do a config pull at each Phase 2 renewal instead
* Some other clients do this (or so the comments in the standard say)
What are you referring to? What comments? What standard? Anyway,
strongSwan currently only supports exchanging configuration attributes
during IKE_AUTH. And traffic selectors are not supposed to change this
way during a rekeying so you'd have to negotiate new CHILD_SAs instead.

Regards,
Tobias
Thor Simon
2018-04-05 16:22:42 UTC
Permalink
Post by Thor Simon
3) Artificially constrain the effective phase 1 SA lifetime server-side so that the server tries to renew the phase 1 before the DHCP lease expires. This should still trigger a new config pull by the client.
* This is an abstraction violation - the DHCP plugin would have to
find the relevant client state and mess with it directly, unless the
plugin's API were changed as per #1 above
The server can't reauthenticate in all cases (in particular with asymmetric authentication, or with IKEv2 and virtual IPs). But with
IKEv2 you could pass the lease time to the IKE_SA (via
set_auth_lifetime() method), which would then request the client to reauthenticate before this (if it supports > RFC 4478, otherwise the server will close the IKE_SA when it expires if the client did not reauthenticate before > that).
The DHCP provider's acquire method gets the ike_sa so it looks like this should be relatively straightforward. We'll give it a try!

My remarks on tying things to the phase 2 SA were based on what may have been a misunderstanding of 3.4 and 4 in the original mode config draft. In any case, it sounds like we may have a method that should work, at lea
Loading...