Re: [Hipsec] Suresh Krishnan's Discuss on draft-ietf-hip-dex-13: (with DISCUSS)

Jeff Ahrenholz <j.ahrenholz@tempered.io> Wed, 04 March 2020 15:53 UTC

From: Jeff Ahrenholz <j.ahrenholz@tempered.io>
To: Robert Moskowitz <rgm@labs.htt-consult.com>, Suresh Krishnan <suresh@kaloom.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-hip-dex@ietf.org" <draft-ietf-hip-dex@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hipsec@ietf.org" <hipsec@ietf.org>
Date: Wed, 04 Mar 2020 15:53:15 +0000
Message-ID: <820F683A-84D6-4BC2-B980-04DD45191EFA@tempered.io>
References: <158329724383.7687.5696211532188484676@ietfa.amsl.com> <a0ef66bb-ea77-c5b6-3a63-74d85dba2240@labs.htt-consult.com>
In-Reply-To: <a0ef66bb-ea77-c5b6-3a63-74d85dba2240@labs.htt-consult.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/L3-BppXv-ore7VD6MS0887H1hl8>
Subject: Re: [Hipsec] Suresh Krishnan's Discuss on draft-ietf-hip-dex-13: (with DISCUSS)

>
> https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-codes-5
>
> And nothing there that looks right. 
> 
> So what is done in HIP BEX implementations?  Both v1 and v2?

For our HIPv1 implementation:
IPv4 packets - we send ICMPv4-in-UDP with type 12 "parameter problem" code 0 "pointer indicates the error" and point to the first bytes of UDP payload. (https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-codes-12)

IPv6 packets - we send ICMPv6-in-UDP with type 4 "parameter problem" code 0 "erroneous header field encountered" and point to the first bytes of UDP payload. 

Normally this would be if the SPI is unknown (e.g., one side forcefully reboots while the other continues to send it ESP-in-UDP data). The pointer includes the first 8 bytes of the UDP payload so that the SPI is included in the ICMP message.

For IPv6 you could consider the "erroneous header field" to be the invalid SPI number, which is the bytes we point to.

-Jeff
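As an added example (not code from the original email, from Jeff's implementation, or from any HIP stack), the following Python builds the ICMPv4 type 12 / code 0 "parameter problem" message described above around a constructed ESP-in-UDP packet, quoting the IPv4 header, the UDP header and the first 8 bytes of UDP payload so the SPI is visible, with the pointer set to the first UDP payload byte. It then parses such a message the way a receiver would before acting on it: type, code and checksum are verified, the pointer must land exactly on the UDP payload, and a full SPI plus sequence number must be quoted. The should_react() filter, which only honours a report naming an SPI this host actually sends on, is an assumption added here rather than something the email describes; all addresses, ports and SPI values are constructed for the example.

```python
"""
Added example: build and parse an ICMPv4 "Parameter Problem" (type 12, code 0)
report that quotes the original IPv4 header, the UDP header and the first
8 bytes of UDP payload (the ESP SPI and sequence number), with the pointer
addressing the first UDP payload byte. Not from the original email or any
HIP implementation; sample packet values are constructed.
"""
import struct

ICMP_PARAM_PROBLEM = 12      # ICMPv4 type "parameter problem"
ICMP_CODE_POINTER = 0        # code 0: "pointer indicates the error"
IPV4_HDR_LEN = 20
UDP_HDR_LEN = 8
# RFC 792 quotes "Internet Header + 64 bits of Original Data Datagram"; the
# implementation described in the email quotes 8 bytes more so the SPI is included.
QUOTED_PAYLOAD_LEN = 8


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, total_len: int) -> bytes:
    """Minimal IPv4 header without options, protocol 17 (UDP), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0, src, dst)
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_param_problem_v4(orig_ip: bytes, orig_udp: bytes, orig_payload: bytes) -> bytes:
    """ICMPv4 type 12 / code 0 whose pointer addresses the first UDP payload byte."""
    quoted = (orig_ip[:IPV4_HDR_LEN] + orig_udp[:UDP_HDR_LEN]
              + orig_payload[:QUOTED_PAYLOAD_LEN])
    pointer = IPV4_HDR_LEN + UDP_HDR_LEN   # offset 28 within the quoted datagram
    # header layout: type, code, checksum, 1-byte pointer, 3 unused bytes
    head = struct.pack("!BBHB3x", ICMP_PARAM_PROBLEM, ICMP_CODE_POINTER, 0, pointer)
    csum = ones_complement_checksum(head + quoted)
    return struct.pack("!BBHB3x", ICMP_PARAM_PROBLEM, ICMP_CODE_POINTER, csum, pointer) + quoted


def parse_unknown_spi_report(icmp: bytes):
    """Return {'pointer', 'spi', 'seq'} for a well-formed type 12 / code 0 report
    whose pointer lands on the UDP payload and which quotes a full SPI + sequence
    number; return None for anything else (wrong type/code, bad checksum, short)."""
    if len(icmp) < 8:
        return None
    typ, code, _csum, pointer = struct.unpack("!BBHB", icmp[:5])
    if typ != ICMP_PARAM_PROBLEM or code != ICMP_CODE_POINTER:
        return None
    if ones_complement_checksum(icmp) != 0:
        return None                      # checksum over the whole message must be zero
    quoted = icmp[8:]
    if len(quoted) < IPV4_HDR_LEN:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < IPV4_HDR_LEN or quoted[9] != 17:
        return None                      # not an IPv4/UDP datagram being reported
    if pointer != ihl + UDP_HDR_LEN or len(quoted) < pointer + 8:
        return None                      # pointer must address a complete ESP SPI + seq
    spi, seq = struct.unpack("!II", quoted[pointer:pointer + 8])
    return {"pointer": pointer, "spi": spi, "seq": seq}


def should_react(report, active_outbound_spis) -> bool:
    """Only act on a report naming an SPI this host actually sends on
    (a consistency check assumed in this example, not described in the email)."""
    return report is not None and report["spi"] in active_outbound_spis


# --- constructed sample: an ESP-in-UDP packet we sent, and the report that comes back ---
SAMPLE_SPI = 0x0000ABCD
SAMPLE_SEQ = 7
esp_payload = struct.pack("!II", SAMPLE_SPI, SAMPLE_SEQ) + b"\xaa" * 24
udp_hdr = struct.pack("!HHHH", 10500, 10500, UDP_HDR_LEN + len(esp_payload), 0)
ip_hdr = build_ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                           IPV4_HDR_LEN + UDP_HDR_LEN + len(esp_payload))
SAMPLE_REPORT = build_param_problem_v4(ip_hdr, udp_hdr, esp_payload)

if __name__ == "__main__":
    print(parse_unknown_spi_report(SAMPLE_REPORT))
```

The IPv6 variant (type 4, code 0) differs in two ways not shown here: the pointer is a 4-byte field, and the ICMPv6 checksum covers an IPv6 pseudo-header, so it cannot be verified from the ICMP bytes alone. The SPI extraction itself is the same once the pointer is known.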