Re: [Hipsec] HIP Native NAT Traversal
"Dan Wing" <dwing@cisco.com> Tue, 13 April 2010 19:31 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E5BEC3A6A63 for <hipsec@core3.amsl.com>; Tue, 13 Apr 2010 12:31:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.134
X-Spam-Level:
X-Spam-Status: No, score=-10.134 tagged_above=-999 required=5 tests=[AWL=0.465, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VoqPsuAyqWOX for <hipsec@core3.amsl.com>; Tue, 13 Apr 2010 12:31:30 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 611413A6A4F for <hipsec@ietf.org>; Tue, 13 Apr 2010 12:31:30 -0700 (PDT)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjIIANVjxEurR7Hu/2dsb2JhbACHWoEUhkWMEXGiZJoehQ0Egyc
X-IronPort-AV: E=Sophos;i="4.52,199,1270425600"; d="scan'208";a="114674277"
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-4.cisco.com with ESMTP; 13 Apr 2010 19:31:24 +0000
Received: from dwingwxp01 ([10.32.240.194]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id o3DJVO2X009979; Tue, 13 Apr 2010 19:31:24 GMT
From: Dan Wing <dwing@cisco.com>
To: 'frogsir' <frogsir@gmail.com>
References: <4BBF283A.9080408@ericsson.com> <4BBF8C33.8050203@cs.hut.fi> <4BC2E8D6.6030404@nomadiclab.com> <010501cada94$b4cbcab0$ada56b80@cisco.com> <i2lc0c97aa91004122021h4a4911d7r1868d84cec7c2a75@mail.gmail.com>
Date: Tue, 13 Apr 2010 12:31:24 -0700
Message-ID: <05a901cadb3f$e7506a30$ada56b80@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <i2lc0c97aa91004122021h4a4911d7r1868d84cec7c2a75@mail.gmail.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Thread-Index: AcrauHZ5TGmtmGCFSviWX1K3amtcaAAh1guA
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] HIP Native NAT Traversal
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2010 19:31:32 -0000
> -----Original Message----- > From: frogsir [mailto:frogsir@gmail.com] > Sent: Monday, April 12, 2010 8:22 PM > To: Dan Wing > Cc: Ari Keranen; hipsec@ietf.org > Subject: Re: [Hipsec] HIP Native NAT Traversal > > > > On Tue, Apr 13, 2010 at 2:05 AM, Dan Wing <dwing@cisco.com> wrote: > > > > > > -----Original Message----- > > From: hipsec-bounces@ietf.org > > [mailto:hipsec-bounces@ietf.org] On Behalf Of Ari Keranen > > Sent: Monday, April 12, 2010 2:33 AM > > To: hipsec@ietf.org > > Subject: Re: [Hipsec] HIP Native NAT Traversal > > > > > Hi, > > > > On 04/09/2010 11:21 PM, Miika Komu wrote: > > > On 04/09/2010 04:14 PM, Gonzalo Camarillo wrote: > > >> in Anaheim, we decided to continue discussing on the list > > the following > > >> draft: > > >> > > >> > > https://datatracker.ietf.org/doc/draft-keranen-hip-native-nat- > > traversal/ > > >> > > >> In particular, I would like to see discussions on the > > lessons learned > > >> from the STUN-based implementations and potential > benefits of > > >> implementing STUN-like functionality in HIP. > > > > > > from a protocol design perspective, demultiplexing of HIP, > > ESP and STUN > > > packets is complicated. At implementation level, > this introduced an > > > additional requirement of packet capture using iptables. I > > believe this > > > part would become cleaner design and implementation-wise by > > replacing > > > STUN with HIP. > > > > This is indeed a problem if you don't want to patch kernel > > code. While > > HIP packets can be simply demultiplexed using the non-ESP > > marker, STUN > > packets can't and therefore you need to either use some > > filtering before > > the IPsec processing (e.g., iptables) or process all the > > packets at user > > space, which causes some performance penalty. > > > Has there been a discussion to send STUN directly over > HIP, rather > than replacing STUN with STUN-mimicing HIP messages? Sending > STUN messages directly over HIP would remove the need to demux > STUN/HIP/ESP -- you would only need to demux HIP/ESP in > the kernel > (as with today's HIP), and deal with a single HIP > 'container' for > the STUN messages. > > > > > We have made such implementation. The whole STUN message is > encapsulate into HIP_STUN parameter which is carried by > HIP_UPDATE packets. it solves most of the demultiplexing > problems indeed. Is that preferable to re-inventing STUN and ICE as HIP messages? -d > > > It actually took quite a lot effort to hook in a standalone > > > ICE library > > > to the base exchange code. I believe it would also further > > > complicate > > > the mobility code. > > > > Also, using TURN for relaying IPsec ESP is not all that > > simple since you > > need to add and remove the TURN framing when sending > data via a TURN > > relay. > > > IPsec ESP native (IP protocol 50) across a NAT? This isn't > going to work well with large scale NATs with lots of clients > going to the same destination (e.g., the same TURN server), > as I understand IPsec rekeying changes the SPI and the large > scale NAT won't know which IPsec session just got rekeyed. > > -d > > > > With an ESP relay you don't need any framing at all > > and all the > > ESP processing can be done as if no relay was used. That > > said, also TURN > > relaying can be used with the native NAT traversal > mode and only the > > host using TURN relay needs to implement TURN. > > > > I think the amount of implementation effort needed > for integrating an > > ICE library into a HIP implementation turned out to > be quite a bit > > higher that initially estimated. Also, the amount of extra > > code (some 10 > > kLoC) needed for all the new parsers, state machines, > etc., is quite > > high and by re-using the HIP code one should be able > to do with much > > less. This should result in smaller binary size, less bugs, > > and easier > > debugging. > > > > > +1 for the new draft, I believe having a single control > > plane instead of > > > two makes things simpler. I would suggest the new draft to > > replace the > > > existing one for standards track. > > > > Considering the experiences with the STUN-based approach, the > > native HIP > > mode does sound like a better idea for the standards track. > > > > > > Cheers, > > Ari > > _______________________________________________ > > Hipsec mailing list > > Hipsec@ietf.org > > https://www.ietf.org/mailman/listinfo/hipsec > > _______________________________________________ > Hipsec mailing list > Hipsec@ietf.org > https://www.ietf.org/mailman/listinfo/hipsec > > > > > > -- > Best Regards > > Santtu (Nick name) > Xiang Liu > > Operation Manager > Frosmo Ltd. > http://www.frosmo.com > twitter.com/Frosmo > > Erottajankatu 15-17A > 00130 Helsinki, > Finland > > mobile: +358 44 3688809 > fax: +358 20 7419 9099 > Email: santtu.liu@frosmo.com > MSN: frogsir@hotmail.com > >
- [Hipsec] HIP Native NAT Traversal Gonzalo Camarillo
- Re: [Hipsec] HIP Native NAT Traversal Miika Komu
- Re: [Hipsec] HIP Native NAT Traversal Ari Keranen
- Re: [Hipsec] HIP Native NAT Traversal Dan Wing
- Re: [Hipsec] HIP Native NAT Traversal frogsir
- Re: [Hipsec] HIP Native NAT Traversal frogsir
- Re: [Hipsec] HIP Native NAT Traversal Miika Komu
- Re: [Hipsec] HIP Native NAT Traversal Ari Keranen
- Re: [Hipsec] HIP Native NAT Traversal Dan Wing
- Re: [Hipsec] HIP Native NAT Traversal Dan Wing
- Re: [Hipsec] HIP Native NAT Traversal Dan Wing