Re: [Hipsec] Mirja Kühlewind's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)
Mirja Kuehlewind <ietf@kuehlewind.net> Wed, 26 February 2020 17:27 UTC
Return-Path: <ietf@kuehlewind.net>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 337303A0DA7; Wed, 26 Feb 2020 09:27:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6X_Ylt-6cA_o; Wed, 26 Feb 2020 09:27:48 -0800 (PST)
Received: from wp513.webpack.hosteurope.de (wp513.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8223::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64FE43A0DB5; Wed, 26 Feb 2020 09:27:48 -0800 (PST)
Received: from p200300dee7239a0050446727618d4332.dip0.t-ipconnect.de ([2003:de:e723:9a00:5044:6727:618d:4332]); authenticated by wp513.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1j70TJ-0005Cg-Im; Wed, 26 Feb 2020 18:27:45 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mirja Kuehlewind <ietf@kuehlewind.net>
In-Reply-To: <1d27170060587d173d26e66e11896f7ee2d643e3.camel@ericsson.com>
Date: Wed, 26 Feb 2020 18:27:44 +0100
Cc: "iesg@ietf.org" <iesg@ietf.org>, "hipsec@ietf.org" <hipsec@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <AA9658DC-37A5-4B63-B11C-0AE9BCC3267D@kuehlewind.net>
References: <152594644511.10319.6725951114596483825.idtracker@ietfa.amsl.com> <1d27170060587d173d26e66e11896f7ee2d643e3.camel@ericsson.com>
To: Miika Komu <miika.komu=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
X-bounce-key: webpack.hosteurope.de;ietf@kuehlewind.net;1582738068;7c9078d3;
X-HE-SMSGID: 1j70TJ-0005Cg-Im
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/Z1Rq5uPPxmIR3H0gio0OtD_NRvg>
Subject: Re: [Hipsec] Mirja Kühlewind's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 17:27:50 -0000
Hi Miika, Thanks for addressing my discuss points and comments. I just enter “No Objection” as my new ballot position. Reading point 4 below: Yes I was referencing the wrong section. However, I still think it would be good to provide more guidance about who long a timeout should be. Mirja > On 19. Feb 2020, at 19:39, Miika Komu <miika.komu=40ericsson.com@dmarc.ietf.org> wrote: > > Hi Mirja, > > thanks for your comments! My response is below, let me know if you have > further concerns. > > to, 2018-05-10 kello 03:00 -0700, Mirja Kühlewind kirjoitti: >> Mirja Kühlewind has entered the following ballot position for >> draft-ietf-hip-native-nat-traversal-28: Discuss >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut >> this >> introductory paragraph, however.) >> >> >> Please refer to >> https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/ >> >> >> >> ------------------------------------------------------------------- >> --- >> DISCUSS: >> ------------------------------------------------------------------- >> --- >> >> 1) This document should also update the IANA port registry to add a >> reference >> to this RFC-to-be to the existing entry for port 10500 (eventually >> even with >> note that this RFC-to-be discusses how to distinguish the services >> using >> NAT_TRAVERSAL_MODE). > > IANA section should describe this: > > This document reuses the same default UDP port number 10500 as > specified by Legacy ICE-HIP [RFC5770] for tunneling both HIP control > plane and data plane traffic. The selection between Legacy ICE-HIP > and Native ICE-HIP mode is negotiated using NAT_TRAVERSAL_MODE > parameter during the base exchange. > > Let me know if something needs to be added. > >> 2) Sec 4.4: "Hosts SHOULD NOT use values smaller than 5 ms for the >> minimum >> Ta,..." In rfc5245bis this is a MUST. Why is this a SHOULD here? > > Because it used to be like that in an earlier version of ICE. Good > catch, I have now changed SHOULD to MUST now. > >> Also in sec 4.6.2.: >> "If neither one of the hosts announced a minimum pacing value, a >> value of 50 ms >> SHOULD be used." This must be a MUST to be inline with sec 4.4. > > thanks, both are now "MUST"s. > >> 3) Appendix A: "Ta value so that only two connectivity check messages >> are sent >> on every RTT." Why two? RFC8085 recommends (SHOULD) at may one packet >> per RTT >> for non-congestion control transmissions > > aligned with RFC8085 as you requested: > > In this case, it is recommended that the hosts > estimate the round-trip time (RTT) between them and SHOULD set the > minimum Ta value so that at most a single connectivity check message > is sent on every RTT. > >> ------------------------------------------------------------------- >> --- >> COMMENT: >> ------------------------------------------------------------------- >> --- >> >> I agree with other ADs that it is not clear to me why this mechanism >> is needed >> in addition RFC5770. This is a use case for ICE and I would think >> that re-using >> existing code and library would make implementation easier, fast and >> less-error-prone. I especially agree to the comments from Adam! > > ICE was not designed with IPsec in mind, so the performance overhead is > unacceptable. I have also some additional reasoning for Adam Roach > here: > > > https://mailarchive.ietf.org/arch/msg/hipsec/Lx3SLQVaHI2ZKsMP8xxT27RMEn8 > > and here: > > > https://mailarchive.ietf.org/arch/msg/hipsec/tJ4evwlPEWOEHsRXLjFVlQS-ykE > >> Other comments/nits: >> >> 1) sec 4.6.2: "Upon successful nomination an address pair, a host MAY >> immediately stop sending such retransmissions." Not sure I understand >> this >> sentence; why MAY? > > It should read "nomination *of* an address". I changed the MAY to > SHOULD: > > Upon successful nomination of an > address pair, a host MUST immediately stop sending such > retransmissions. > >> 2) sec 4.1: The registration to the Control Relay Server can be >> achieved using >> RELAY_UDP_ESP parameter as explained later in this section." >> I guess that should be RELAY_UDP_HIP? > > good catch, corrected this. > >> 3) sec 4.1: "It is RECOMMENDED that the Relay Client select a random >> port >> number..." Please say source port -> s/random port number/random >> source port >> number/ > > done! > >> 4) sec 4.8: "When a host does not receive >> acknowledgments, e.g., to an UPDATE or CLOSE packet after a >> timeout >> based on local policies, a host SHOULD resend the packet through >> the >> associated Data Relay Server of the peer (if the peer listed it in >> its LOCATOR_SET parameter in the base exchange." >> I did not really find anything about this in section 5.10 of RFC5770. >> In think >> the timeout needs to be further specified. > > section 4.8 is "Sending Control Packets after the Base Exchange". Do > you mean section 4.10 in RFC57700: > > https://tools.ietf.org/html/rfc5770#section-4.10 > > ...which is also suggests "timeout based on local policies". > >> 5) sec 5.3: "It is worth noting that sending of such a HIP NOTIFY >> message MAY be omitted if the host is actively (or passively) >> sending >> some other traffic (HIP or ESP) " >> This should really be a SHOULD (at least). > > agreed, changed to SHOULD. > >> 6) Appendix A: "One way to estimate the RTT is to use the time that >> it takes >> for the Control Relay Server registration exchange to complete;" That >> does >> estimate the RTT between the endhost... I not aware of a good way to >> estimate >> that, so I'm actually not convinced that the recommendation in >> appendix A is >> that useful at all. > > I reflected your concerns by adding a disclaimer: > > In general, estimating RTT can be difficult and error prone; further > experimentation is required for reliable RTT estimation. >
- [Hipsec] Mirja Kühlewind's Discuss on draft-ietf-… Mirja Kühlewind
- Re: [Hipsec] Mirja Kühlewind's Discuss on draft-i… Miika Komu
- Re: [Hipsec] Mirja Kühlewind's Discuss on draft-… Mirja Kuehlewind