IETF Logo Mail Archive

Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15

Miika Komu <miika.komu@ericsson.com> Wed, 15 March 2017 13:11 UTC

Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38EC6131493 for <hipsec@ietfa.amsl.com>; Wed, 15 Mar 2017 06:11:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AKsK3HRZH28n for <hipsec@ietfa.amsl.com>; Wed, 15 Mar 2017 06:11:11 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67283131492 for <hipsec@ietf.org>; Wed, 15 Mar 2017 06:11:11 -0700 (PDT)
X-AuditID: c1b4fb2d-2dacd98000006193-d3-58c93d6d74c0
Received: from ESESSHC002.ericsson.se (Unknown_Domain [153.88.183.24]) by (Symantec Mail Security) with SMTP id 37.4E.24979.D6D39C85; Wed, 15 Mar 2017 14:11:09 +0100 (CET)
Received: from ESESSMB109.ericsson.se ([169.254.9.56]) by ESESSHC002.ericsson.se ([153.88.183.24]) with mapi id 14.03.0319.002; Wed, 15 Mar 2017 14:10:19 +0100
From: Miika Komu <miika.komu@ericsson.com>
To: Tom Henderson <tomhend@u.washington.edu>, Jeff Ahrenholz <j.ahrenholz@temperednetworks.com>
CC: HIP <hipsec@ietf.org>
Thread-Topic: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15
Thread-Index: AQHSfUUiv8rMzViTdEKgMh/yMEwd8qFwe5MAgBxPz4CAACe9gP//5HSAgAf/DwCAAT2T0A==
Date: Wed, 15 Mar 2017 13:10:18 +0000
Message-ID: <7110ABD9BA66454293AEE83D6D37016617B30AA9@ESESSMB109.ericsson.se>
References: <E4E329A8-6B10-4037-8846-0A6079E102B7@temperednetworks.com> <alpine.LRH.2.01.1703141129520.27473@hymn02.u.washington.edu>
In-Reply-To: <alpine.LRH.2.01.1703141129520.27473@hymn02.u.washington.edu>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.20]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_006C_01D29D9E.415FD9C0"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrJIsWRmVeSWpSXmKPExsUyM2K7hG6u7ckIg+4fJhZTF01mtmidcpPZ Yub5g2wOzB5Llvxk8ti6p5PFo+V6TABzFJdNSmpOZllqkb5dAlfG4f5FTAWnkir+bj7D2MB4 P6qLkZNDQsBEYmX/G8YuRi4OIYF1jBLtX9ZDOYsZJV7uWcQKUsUmoCWx6s51ZhBbRCBRYvOG 2WwgNrOApMTyTb/AbGEBJ4n5808zQtQ4S7x5dp4Jwg6TWLv7BVgNi4CqxM9zZ8Bm8gr4Sqy+ eY8ZYlk7o8T+Oz/BFnAKeEl8OzcNrIhRQFZi5eZ/zBDLxCVuPZnPBHG2iMTDi6fZIGxRiZeP /7FC2IoSV6cvZwIZyizQyyixqHkXE8Q2QYmTM5+wTGAUmYVk1ixkdbOQ1EEUGUjM2z4TypaX 2P52DjOEbS0x49dBNghbUWJK90N2CNtU4vXRj4wLGDlWMYoWpxYX56YbGeulFmUmFxfn5+nl pZZsYgRG4sEtv3V3MK5+7XiIUYCDUYmHt4D1RIQQa2JZcWXuIUYVoDmPNqy+wCjFkpefl6ok wvuaASjNm5JYWZValB9fVJqTWnyIUZqDRUmc12zl/XAhgfTEktTs1NSC1CKYLBMHp1QDo/fT k74NJWIcAYe5ao/r9UTuumZofS9Cp1frya8STasJHGbna0/2NLvFzbvjsVolj1NPW7Px/KSO rwseZP+yMNMrLPEKvdVUMK+Zo70r7J9NSk3Jlpv6BRt3MJff+uw3J0B8kqaZiUxGnKFkorxF 0jn2SYkZmV/TzM/XPhSfOjOYuc+Uf4cSS3FGoqEWc1FxIgCxznxMzAIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/D0H7Yz29OwDxExIcAlrpjHiZrEM>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 13:11:13 -0000

Hi Tom and Jeff,

> -----Original Message-----
> From: Tom Henderson [mailto:tomhend@u.washington.edu]
> Sent: Tuesday, March 14, 2017 8:30 PM
> To: Jeff Ahrenholz <j.ahrenholz@temperednetworks.com>
> Cc: Miika Komu <miika.komu@ericsson.com>; Gonzalo Camarillo
> <gonzalo.camarillo@ericsson.com>; HIP <hipsec@ietf.org>
> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15
> 
> 
> 
> 
> On Thu, 9 Mar 2017, Jeff Ahrenholz wrote:
> 
> >> Actually ICMPv6 would be my personal choice as a implementer instead
> >> of NOTIFY. You can also detect connectivity problems at the data
> >> plane this way and trigger a LOCATOR UPDATE.
> >>
> >> (ICMPv6 is not a control plane keepalive, but since the control and
> >> data plane share the same port, this does not matter.)
> >
> > I forgot about that ?ping6 destination-HIT? inside-the-tunnel option.
> >
> > Certainly, this would be a good test of tunnel liveliness.
> >
> > I?m a little concerned about implementation of this -- if you think
about the
> control plane differing from the data plane (i.e. maybe userspace control
> daemon managing kernel IPsec state.) The control plane would be reaching
> into the data plane. What if sysadmin administratively turned off ping6
echo
> replies, local firewall blocks, etc.?

Jeff, this would occur *inside* the tunnel, so it would be prevented in the
end-host directly (which seems a bit unlikely scenario to me)

> >> Only one side sending the UPDATE is possible because the CONTROLLED
> >> role remains throughout the session.
> >
> > OK, this makes sense. The controller [host having the larger HIT] can
send
> the UPDATEs.

thinking about this option further, I think it's probably not a good idea
after all to enforce the controlling host send UPDATEs every 15 seconds:

1. A server connected to a large number of clients would get too much
unnecessary computational load
2. This option would trump the rest of the options
  - Detection logic would be become cumbersome (node has to decide based on
the other side if e.g. ICMPv6 keepalives are needed)
  - So it would be easier just to implement controlled host sending UPDATEs
(which leads to [1])

> >>> What happens if you don?t receive keepalives?
> >>> - if your UPDATE goes unacknowledged, do something -- retransmit, or
> >>> start an address check, rekey, or teardown procedure
> >>
> >> Good point.
> >
> > Note that just using NOTIFY, we?re NOT supposed to change state (RFC
> 7401 section 5.2.19).
> > So I guess reacting to lost NOTIFY-keepalives is forbidden (?).

NOTIFY messages are not acked anyway. They are sent every 15 secs, so couple
of them can be easily lost.

(ICE keepalives don't have acknowledgements either)

> >> UPDATE is certainly more heavy-weight especially since it occurs
> >> every
> >> 15 seconds. We have three choices of which we could select just one
> >> or two (probably three is too much):
> >>
> >>   1. ICMPv6
> >>   2. NOTIFY
> >>   3. UPDATE
> >>
> >> What do you think?
> >
> > Maybe we could leave the door open for implementation flexibility?
> 
> I might suggest to recommend NOTIFY (and define the keepalive) and state
> that other messages including ICMPv6 or UPDATE may be substituted.  If
> there is a need for bi-directional connectivity checking, recommend to use
> UPDATE;  if there are specific known scenarios where an ICMPv6 is
> recommended instead, state those scenarios.

Tom, this sounds fine to me. Normal UPDATEs over UDP should be fine, but I
think we shouldn't device a new UPDATE mechanism tied to controlled role
(sorry for thinking aloud :)

Jeff, is this ok for you?

v2.23.0 | Report a Bug | By Email