Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15
Miika Komu <miika.komu@ericsson.com> Thu, 09 March 2017 16:02 UTC
Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CD9D1293FC for <hipsec@ietfa.amsl.com>; Thu, 9 Mar 2017 08:02:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QIKwvpefOmMZ for <hipsec@ietfa.amsl.com>; Thu, 9 Mar 2017 08:02:03 -0800 (PST)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A110129407 for <hipsec@ietf.org>; Thu, 9 Mar 2017 08:02:03 -0800 (PST)
X-AuditID: c1b4fb30-84e7298000007a5b-e7-58c17c79710c
Received: from ESESSHC019.ericsson.se (Unknown_Domain [153.88.183.75]) by (Symantec Mail Security) with SMTP id AF.3A.31323.97C71C85; Thu, 9 Mar 2017 17:02:01 +0100 (CET)
Received: from [131.160.51.186] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.77) with Microsoft SMTP Server id 14.3.319.2; Thu, 9 Mar 2017 17:01:57 +0100
To: Jeff Ahrenholz <j.ahrenholz@temperednetworks.com>, Tom Henderson <tomhend@u.washington.edu>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, HIP <hipsec@ietf.org>
References: <f70ecd7b-9558-806e-319c-9e85f263e1e3@ericsson.com> <alpine.LRH.2.01.1702190718360.26978@hymn03.u.washington.edu> <98E7B40F-8DB4-45C6-8550-9C1DA71BBF08@temperednetworks.com>
From: Miika Komu <miika.komu@ericsson.com>
Organization: Ericsson AB
Message-ID: <6c9e9624-537d-3355-772f-23212543c9d9@ericsson.com>
Date: Thu, 09 Mar 2017 18:01:45 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <98E7B40F-8DB4-45C6-8550-9C1DA71BBF08@temperednetworks.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrHLMWRmVeSWpSXmKPExsUyM2K7t25lzcEIgzv9chZTF01mtmidcpPZ Yub5g2wOzB5Llvxk8ti6p5PFo+V6TABzFJdNSmpOZllqkb5dAldG18UupoLlkhUtS46xNzC+ E+5i5OSQEDCR+PlsOksXIxeHkMA6Rond3xexQTirGSWazz9iBakSFnCSmNP/nhEkIQJSNXfS TqiqvYwSt3csYAOpYhPQklh15zoziM0vICmxoWE3mM0rYC/xaMtZJhCbRUBFYvffLWBxUYEI iflPVzFB1AhKnJz5BOgODg5OAQ+J3jWyIGFmAQuJmfPPM0LY2hLLFr5mBikRAhpz8VjwBEaB WUiaZyHpmIWkYwEj8ypG0eLU4qTcdCMjvdSizOTi4vw8vbzUkk2MwFA9uOW3wQ7Gl88dDzEK cDAq8fB+yD0YIcSaWFZcmXuIUYKDWUmEV7sSKMSbklhZlVqUH19UmpNafIhRmoNFSZzXbOX9 cCGB9MSS1OzU1ILUIpgsEwenVAOjltqcRu7usOttTCsMX6/u2brEkmNt0sJJflYmOseSL9QV LCmrv7F84tkgg41zb8zWPam37ZJqUnNM2WNd5Tz7yIVq/8zLph08pbS+db5/j79ej9sfxdWN BxlEl++wuym57vltbVf+fPGJ6xzlKw+VLeM/s1OaLX7WpJy7axtqdm1n+RUTeOOAEktxRqKh FnNRcSIA27yFlFECAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/eE8VZMhmt7yVVBxbulBUVU1Ewqs>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 16:02:05 -0000
Hi Jeff,
On 03/09/2017 05:39 PM, Jeff Ahrenholz wrote:
>> 3) In section 4.10 (NAT keepalives), it states:
>>
>> Both a registered client and relay server SHOULD
>> send a HIP NOTIFY packets to each other every 15 seconds (the so-
>> called Tr value in ICE) unless they have exchange some other traffic
>> over the used UDP ports.
>>
>> However, I couldn't find an explanation anywhere (also in RFC 5770) about
>> how to code this NOTIFY. Would it make sense to define also a "NAT_KEEPALIVE"
>> NOTIFY message type for this purpose?
>
> Tom has a good point here, about how to code the NOTIFY keepalive.
yes, I agree. The document lists also another option:
4.10. NAT Keepalives
Likewise, if a host has
not sent any data to another host it has established a host
association in the ICE-HIP_UDP mode within 15 seconds, it MUST send
either a HIP NOTIFY packet or, alternatively, an ICMPv6 echo request
inside the related ESP tunnel.
Actually ICMPv6 would be my personal choice as a implementer instead of
NOTIFY. You can also detect connectivity problems at the data plane this
way and trigger a LOCATOR UPDATE.
(ICMPv6 is not a control plane keepalive, but since the control and data
plane share the same port, this does not matter.)
> I have a more general question about NAT keepalives based on some recent experiences with implementing/fielding this approach.
> (My comments below shouldn’t hold up the publishing of this draft...)
>
> Have we considered using UPDATE packets versus NOTIFY?
> What are the tradeoffs?
This is possible, but probably three options is too much?
> I was thinking about the following advantages of the UPDATE:
> - SEQ protects against packet replays
> - instead of each endpoint periodically tx NOTIFY, one side could send an UPDATE and request acknowledgement (a bi-directional check)
> - you could send an UPDATE or an UPDATE acknowledgement every 15 seconds (no need for both)
> - if you’re not sending data, but only receiving, you can still do a bi-directional check to ensure liveness (and vice versa)
> - you can include ESP_INFO with SPI number (old SPI == new SPI), which will help HIP middleboxes, and will help endpoints know which SA is being kept alive
> - NOTIFY should not be used to change state (RFC 7401)
Only one side sending the UPDATE is possible because the CONTROLLED role
remains throughout the session.
> What happens if you don’t receive keepalives?
> - if your UPDATE goes unacknowledged, do something -- retransmit, or start an address check, rekey, or teardown procedure
Good point.
> Potential drawbacks:
> - is UPDATE considered too heavyweight?
> - UPDATE doesn’t have a purpose code, is the swiss army knife of HIP packets (rekey, readdress, address check, etc.)
> - UPDATE requires established state; NOTIFY does not
UPDATE is certainly more heavy-weight especially since it occurs every
15 seconds. We have three choices of which we could select just one or
two (probably three is too much):
1. ICMPv6
2. NOTIFY
3. UPDATE
What do you think?
- [Hipsec] WGLC: draft-ietf-hip-native-nat-traversa… Gonzalo Camarillo
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Tom Henderson
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Jeff Ahrenholz
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Jeff Ahrenholz
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Tom Henderson
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Tom Henderson
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Jeff Ahrenholz
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu
- Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-trav… Miika Komu