Re: [Anima] RFC8994's IPsec tunnel description
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 20 February 2024 22:28 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97E8BC17C884 for <anima@ietfa.amsl.com>; Tue, 20 Feb 2024 14:28:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.407
X-Spam-Level:
X-Spam-Status: No, score=-4.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N6s9GuxD49e7 for <anima@ietfa.amsl.com>; Tue, 20 Feb 2024 14:28:17 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A2D1C151993 for <anima@ietf.org>; Tue, 20 Feb 2024 14:28:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id E8C8238991; Tue, 20 Feb 2024 17:28:14 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id wQa5e08oxJ8f; Tue, 20 Feb 2024 17:28:14 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 39BFF38990; Tue, 20 Feb 2024 17:28:14 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1708468094; bh=28LAG+cVh++goeoAelxYcBhLbIuTlahq0cbOsGONUa8=; h=From:To:Subject:In-Reply-To:References:Date:From; b=hkdodj7T1RDK+HZjr+8pdA9RWhB1VunzYqB8AOWu/2SYWMFVZCYJ0k27gM8MJL+L6 TYVHoJoDHyuomajGni+OS+TPMgCj1XHTVGUXjwklIUKCxjm0Durxv/G8EsVz+hzu5g 3I4704WBOK5CWw4pKHTGkpziLQtJTVkVNwPsZguyNvpEvN/QxTNEMWY+DZEI48f/GO 8ntKJo7iuVzQbjDrWzPegEUHbCOmLV7Cmf0UAr4+P5SZqQVJ1E8y/yoHypo7oeXQvD aM+0YUgi3tZIMuT21j1Ua9dpFg+5fRZ4hvYJY2OzIoAdmVDj32ZqL6uYy/nj3tk4HW is3EBJFYAdC7g==
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 32F62A5; Tue, 20 Feb 2024 17:28:14 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>, anima@ietf.org
In-Reply-To: <ZYAsbB7QAuSzJs4Y@faui48e.informatik.uni-erlangen.de>
References: <8822.1702309737@localhost> <ZYAsbB7QAuSzJs4Y@faui48e.informatik.uni-erlangen.de>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 20 Feb 2024 17:28:14 -0500
Message-ID: <26341.1708468094@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/PxHw_bOuCo3DsCrcHhwFfCb9O5U>
Subject: Re: [Anima] RFC8994's IPsec tunnel description
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 22:28:21 -0000
{clearing out inbox}
Toerless Eckert <tte@cs.fau.de> wrote:
>> I know that we did many rounds to get this right, but I feel that
>> maybe we did it wrong.
>>
>> The goal are packets that look like:
>>
>> (a) IPv6-LL ESP[nh=41] IPv6-ULA[1] ULP
> What is "ULP" ?
If I didn't answer somewhere, it's "Upper Layer Protocol" (e.g., "TCP")
>> The TS are "everything", so one in fact needs policy based routing on
>> top of this in order to make anything work.
> What you want to have is some form of virtual IPsec interface, which in
> Cisco IOS was introduced in 2007, e.g.:
Yes, the kicker is how packets from that interface are fit into the PAD/SPD.
Ideally, they skip the PAD entirely, and have a (pair of) linked SPD (IPsec
SA) entries. One for outgoing. And the incoming one is linked so that
anything coming out appears to come out the Interface. There should be no
enforcement of Traffic Selectors (TS). I think Cisco got this right all
those years ago.
> In Linux this is less clear to me. There where much later IPsec VTI
> interfaces, but they seemed to have some limitations.
The VTI and XFRM Tunnel interfaces are seemingly identical in most ways,
except that VTI is created/managed by ioctl (which are a pain from languages
other than C), while XFRM Tunnel ocurrs via the NETLINK socket.
The problem that I see is that the packets still seems to go through the
PAD, when it really shouldn't.
> Given how ACP is designed to support different secure channel option,
> worst case we have to amend our stack with one more IPsec option, if
> thats what's easier in Linux. But it would be quite annoying if Linux
> choose a different stack option than what commercial routers had for a
> decade.
Agreed.
> If on the other hand we made a mistake and didn't match what the
> commercial router implementations use, then of course, we can obsolete
> our currently documented option and replace it. But i don't think/hope
> that that is the case.
WHen someone shows up with hardware that can't be used, we should have this
discussion.
I will attempt to put together some slides for 119 that address the ULA
addressing on the ACP DULL side that I am attempting to implement.
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
- [Anima] RFC8994's IPsec tunnel description Michael Richardson
- Re: [Anima] RFC8994's IPsec tunnel description Toerless Eckert
- Re: [Anima] RFC8994's IPsec tunnel description Michael Richardson