Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15
Tom Henderson <tomhend@u.washington.edu> Tue, 14 March 2017 18:32 UTC
Return-Path: <tomhend@u.washington.edu>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8635E12997F for <hipsec@ietfa.amsl.com>; Tue, 14 Mar 2017 11:32:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OZWU1KENSQ3j for <hipsec@ietfa.amsl.com>; Tue, 14 Mar 2017 11:32:23 -0700 (PDT)
Received: from mxout23.cac.washington.edu (mxout23.cac.washington.edu [140.142.32.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 659C112E799 for <hipsec@ietf.org>; Tue, 14 Mar 2017 11:32:22 -0700 (PDT)
Received: from hymn02.u.washington.edu (hymn02.u.washington.edu [140.142.8.71]) by mxout23.cac.washington.edu (8.14.4+UW14.03/8.14.4+UW16.03) with ESMTP id v2EITrqn014337 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 14 Mar 2017 11:29:54 -0700
Received: from hymn02.u.washington.edu (localhost [127.0.0.1]) by hymn02.u.washington.edu (8.14.4+UW14.03/8.14.4+UW16.03) with ESMTP id v2EITqBQ023064; Tue, 14 Mar 2017 11:29:52 -0700
Received: from localhost (Unknown UID 5340@localhost) by hymn02.u.washington.edu (8.14.4+UW14.03/8.14.4+Submit-local) with ESMTP id v2EITqm2023036; Tue, 14 Mar 2017 11:29:52 -0700
X-Auth-Received: from [73.140.18.44] by hymn02.u.washington.edu via HTTP; Tue, 14 Mar 2017 11:29:52 PDT
Date: Tue, 14 Mar 2017 11:29:52 -0700
From: Tom Henderson <tomhend@u.washington.edu>
To: Jeff Ahrenholz <j.ahrenholz@temperednetworks.com>
cc: Miika Komu <miika.komu@ericsson.com>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, HIP <hipsec@ietf.org>
In-Reply-To: <E4E329A8-6B10-4037-8846-0A6079E102B7@temperednetworks.com>
Message-ID: <alpine.LRH.2.01.1703141129520.27473@hymn02.u.washington.edu>
User-Agent: Web Alpine 2.01 (LRH 1302 2010-07-20)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-1903409400-9170010-1489516192=:27473"
X-PMX-Version: 6.2.1.2493963, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2017.3.14.182117
X-PMX-Server: mxout23.cac.washington.edu
X-Uwash-Spam: Gauge=IIIIIIIII, Probability=9%, Report=' MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, MIME_TEXT_ONLY_MP_MIXED 0.05, SUPERLONG_LINE 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_2000_2999 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, DATE_TZ_NA 0, IN_REP_TO 0, LEGITIMATE_SIGNS 0, MSG_THREAD 0, MULTIPLE_REAL_RCPTS 0, NO_CTA_URI_FOUND 0, NO_URI_FOUND 0, NO_URI_HTTPS 0, __BOUNCE_CHALLENGE_SUBJ 0, __BOUNCE_NDR_SUBJ_EXEMPT 0, __CC_NAME 0, __CC_NAME_DIFF_FROM_ACC 0, __CC_REAL_NAMES 0, __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __CTYPE_MULTIPART_MIXED 0, __FORWARDED_MSG 0, __HAS_CC_HDR 0, __HAS_FROM 0, __HAS_MSGID 0, __IN_REP_TO 0, __MIME_TEXT_ONLY 0, __MIME_TEXT_P 0, __MIME_TEXT_P1 0, __MIME_VERSION 0, __MULTIPLE_RCPTS_CC_X2 0, __NO_HTML_TAG_RAW 0, __SANE_MSGID 0, __SUBJ_ALPHA_NEGATE 0, __TO_MALFORMED_2 0, __TO_NAME 0, __TO_NAME_DIFF_FROM_ACC 0, __TO_REAL_NAMES 0, __USER_AGENT 0'
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/0zQRgKFzxJ9pxoExZ8TPf-eVyBQ>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 18:32:24 -0000
On Thu, 9 Mar 2017, Jeff Ahrenholz wrote: >> Actually ICMPv6 would be my personal choice as a implementer instead of >> NOTIFY. You can also detect connectivity problems at the data plane this >> way and trigger a LOCATOR UPDATE. >> >> (ICMPv6 is not a control plane keepalive, but since the control and data >> plane share the same port, this does not matter.) > > I forgot about that ‘ping6 destination-HIT’ inside-the-tunnel option. > > Certainly, this would be a good test of tunnel liveliness. > > I’m a little concerned about implementation of this -- if you think about the control plane differing from the data plane (i.e. maybe userspace control daemon managing kernel IPsec state.) The control plane would be reaching into the data plane. What if sysadmin administratively turned off ping6 echo replies, local firewall blocks, etc.? > >> Only one side sending the UPDATE is possible because the CONTROLLED role >> remains throughout the session. > > OK, this makes sense. The controller [host having the larger HIT] can send the UPDATEs. > >>> What happens if you don’t receive keepalives? >>> - if your UPDATE goes unacknowledged, do something -- retransmit, or start an address check, rekey, or teardown procedure >> >> Good point. > > Note that just using NOTIFY, we’re NOT supposed to change state (RFC 7401 section 5.2.19). > So I guess reacting to lost NOTIFY-keepalives is forbidden (?). > >> UPDATE is certainly more heavy-weight especially since it occurs every >> 15 seconds. We have three choices of which we could select just one or >> two (probably three is too much): >> >> 1. ICMPv6 >> 2. NOTIFY >> 3. UPDATE >> >> What do you think? > > Maybe we could leave the door open for implementation flexibility? I might suggest to recommend NOTIFY (and define the keepalive) and state that other messages including ICMPv6 or UPDATE may be substituted. If there is a need for bi-directional connectivity checking, recommend to use UPDATE; if there are specific known scenarios where an ICMPv6 is recommended instead, state those scenarios. - Tom
- [Hipsec] WGLC: draft-ietf-hip-native-nat-traversa… Gonzalo Camarillo
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Tom Henderson
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Jeff Ahrenholz
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Jeff Ahrenholz
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Tom Henderson
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Tom Henderson
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Jeff Ahrenholz
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu