IETF Logo Mail Archive

Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15

Jeff Ahrenholz <j.ahrenholz@temperednetworks.com> Thu, 09 March 2017 16:23 UTC

Return-Path: <j.ahrenholz@temperednetworks.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 670A012969F for <hipsec@ietfa.amsl.com>; Thu, 9 Mar 2017 08:23:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iDsWpCNDxW_T for <hipsec@ietfa.amsl.com>; Thu, 9 Mar 2017 08:23:11 -0800 (PST)
Received: from out.west.exch081.serverdata.net (cas081-co-4.exch081.serverdata.net [199.193.204.185]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 617AE129430 for <hipsec@ietf.org>; Thu, 9 Mar 2017 08:23:11 -0800 (PST)
Received: from MBX081-W5-CO-2.exch081.serverpod.net (10.224.129.85) by MBX081-W5-CO-1 (10.224.129.84) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 9 Mar 2017 08:23:09 -0800
Received: from MBX081-W5-CO-2.exch081.serverpod.net ([10.224.129.85]) by MBX081-W5-CO-2.exch081.serverpod.net ([10.224.129.85]) with mapi id 15.00.1178.000; Thu, 9 Mar 2017 08:23:09 -0800
From: Jeff Ahrenholz <j.ahrenholz@temperednetworks.com>
To: Miika Komu <miika.komu@ericsson.com>, Tom Henderson <tomhend@u.washington.edu>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, HIP <hipsec@ietf.org>
Thread-Topic: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15
Thread-Index: AQHSfUUiMmMxzUu5xUyi7rZbLtB96aFxEnMAgBvJsoCAAIxTgP//f96A
Date: Thu, 09 Mar 2017 16:23:09 +0000
Message-ID: <E4E329A8-6B10-4037-8846-0A6079E102B7@temperednetworks.com>
References: <f70ecd7b-9558-806e-319c-9e85f263e1e3@ericsson.com> <alpine.LRH.2.01.1702190718360.26978@hymn03.u.washington.edu> <98E7B40F-8DB4-45C6-8550-9C1DA71BBF08@temperednetworks.com> <6c9e9624-537d-3355-772f-23212543c9d9@ericsson.com>
In-Reply-To: <6c9e9624-537d-3355-772f-23212543c9d9@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [216.168.34.194]
Content-Type: text/plain; charset="utf-8"
Content-ID: <89ACB3A95F488449B6F1A0D7CAB87E46@exch081.serverpod.net>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/jGMDGyIdynaKRaHvLiloxI4dGiE>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-nat-traversal-15
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 16:23:12 -0000

> Actually ICMPv6 would be my personal choice as a implementer instead of 
> NOTIFY. You can also detect connectivity problems at the data plane this 
> way and trigger a LOCATOR UPDATE.
>    
> (ICMPv6 is not a control plane keepalive, but since the control and data 
> plane share the same port, this does not matter.)

I forgot about that ‘ping6 destination-HIT’ inside-the-tunnel option.

Certainly, this would be a good test of tunnel liveliness.
 
I’m a little concerned about implementation of this -- if you think about the control plane differing from the data plane (i.e. maybe userspace control daemon managing kernel IPsec state.) The control plane would be reaching into the data plane. What if sysadmin administratively turned off ping6 echo replies, local firewall blocks, etc.?

> Only one side sending the UPDATE is possible because the CONTROLLED role
> remains throughout the session.

OK, this makes sense. The controller [host having the larger HIT] can send the UPDATEs.
    
>> What happens if you don’t receive keepalives?
>> - if your UPDATE goes unacknowledged, do something -- retransmit, or start an address check, rekey, or teardown procedure
>    
> Good point.

Note that just using NOTIFY, we’re NOT supposed to change state (RFC 7401 section 5.2.19).
So I guess reacting to lost NOTIFY-keepalives is forbidden (?).

> UPDATE is certainly more heavy-weight especially since it occurs every 
> 15 seconds. We have three choices of which we could select just one or 
> two (probably three is too much):
>    
>   1. ICMPv6
>   2. NOTIFY
>   3. UPDATE
>    
> What do you think?

Maybe we could leave the door open for implementation flexibility?

While three options is a bit much, it seems very flexible to allow for 1, 2, and/or 3.

(“Three shall be the number of the counting and the number of the counting shall be three.”)

-Jeff

v2.23.0 | Report a Bug | By Email