Re: [Hipsec] Magnus Westerlund's Discuss on draft-ietf-hip-native-nat-traversal-30: (with DISCUSS and COMMENT)

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 03 April 2020 09:17 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BECA73A1569; Fri, 3 Apr 2020 02:17:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uRjJU6tcIuz9; Fri, 3 Apr 2020 02:17:18 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00081.outbound.protection.outlook.com [40.107.0.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F92B3A1568; Fri, 3 Apr 2020 02:17:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eKa6sA0wDViTegJt+N5SDGCtSzxHamwybVMQKleMkkwGnl/X7EBRgxVgAVPjTdpOQEkj/EFaeU6EP0Op1UndUIGH/dwNxbwKT9Eb+FaWzuAbWgnuSkNeU8snFMV4KiKKC4AcPqb0in6OE/0aq5Px06eFlYkvg3RXO0Ru9pShyDpX/poKKVDb8ZRc5S4o7wjVQ02o/3K0ZsaxpN/pSEkFZdftB+0oL1duyUK498J9X9znXVPvnIw0W7yor3gGgcgGyEpDqpo04kEZHg+7StGiQfj1M8EqOrhRRzdPGZYAmyEe6J7/BGUAl4mcM9LRyvaWXPM4sxifxeYlwrdHtyWFEA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eJbM+FixjWwM9b5VS1/xxZBW5TXZDEdVkaC8tXWgqCo=; b=UWZaJmDOoY0EWkL4pmmDU5fsuhKQ0UMY2oiwlBR6BDvhr5o+sD9+hytuVg/fybSCiS7dQiOhPmlNpAvaqoHjJdfh6LIQ2ad8hJUMDMkRNPBmk1bSyYWSBSvikdnMpSsGPCHtbo0slIIf2hBr28yOnqbGKowCCwomRP5vP8zF6zOLGddAkXM4czli6xPCp3PH8O6P8cS5CmNC9cV2/sqllOceg8RwGJa0GyxocN7VJh228H6XbtIM4TAfG87ssC7zOrWf/uwokRg6nxu/FHGmcDqDnUZiiMrnZjA8H6IYZlL+pTp6SogbZc+4e8f092HF4C8IsPNZR3GrQxe7ifRpEw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eJbM+FixjWwM9b5VS1/xxZBW5TXZDEdVkaC8tXWgqCo=; b=HUdbOYLx2Pe4pU1Oum9p8Dy3nOcf1klDE6yFm3E/v9KVjNEG/VGmW3MoAiRoLEDVXbOti+djjesearElkV9dSQ7j48h4BNIn4gtypzt/NXiZrL+9PAlsKe6DYhBwF+/On6dBOXEN4Yzguqi+/beQSoEUJEP4/Q3jQCup6gS0WxI=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (52.133.7.14) by HE1PR0702MB3594.eurprd07.prod.outlook.com (10.167.126.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.16; Fri, 3 Apr 2020 09:17:14 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::ec28:2c21:6d78:917a]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::ec28:2c21:6d78:917a%2]) with mapi id 15.20.2878.014; Fri, 3 Apr 2020 09:17:14 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "iesg@ietf.org" <iesg@ietf.org>, Miika Komu <miika.komu@ericsson.com>
CC: "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hipsec@ietf.org" <hipsec@ietf.org>
Thread-Topic: Magnus Westerlund's Discuss on draft-ietf-hip-native-nat-traversal-30: (with DISCUSS and COMMENT)
Thread-Index: AQHV8t5jpwo8AfrnzU6oGxAW8ZOYmqhma8gAgADfzYA=
Date: Fri, 3 Apr 2020 09:17:14 +0000
Message-ID: <326b5dfa75824f82e990b4b990c51accbfbf4d72.camel@ericsson.com>
References: <158340648969.14566.11476213026719970345@ietfa.amsl.com> <ef83276e8b16e138f08b19747c54977989bcc1d8.camel@ericsson.com>
In-Reply-To: <ef83276e8b16e138f08b19747c54977989bcc1d8.camel@ericsson.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.1
authentication-results: spf=none (sender IP is ) smtp.mailfrom=magnus.westerlund@ericsson.com;
x-originating-ip: [158.174.118.23]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6bd9cf90-cbd1-4dcc-27c8-08d7d7afccae
x-ms-traffictypediagnostic: HE1PR0702MB3594:|HE1PR0702MB3594:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <HE1PR0702MB35942A4D44A1D9847E2B24B495C70@HE1PR0702MB3594.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0362BF9FDB
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(346002)(39860400002)(376002)(366004)(396003)(136003)(36756003)(66556008)(66616009)(30864003)(2616005)(64756008)(8936002)(71200400001)(44832011)(66446008)(6506007)(66476007)(76116006)(54906003)(450100002)(6486002)(4326008)(66946007)(110136005)(81166006)(2906002)(26005)(86362001)(6636002)(6512007)(316002)(5660300002)(186003)(478600001)(99936003)(8676002)(966005)(81156014)(99106002); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GTAeQUbF34z+LxwU9LFoKz5pPhHj50z78u/E3Zsn4dNa2KfS4My4UZbN7t4TMwwy89euzRgPAKXzVZDFiy1JtdkG4SGI/RO0VjloXQiA2FYHIktJfdsGo75A1iZNk8EsaixMjcX46cpva1DZ9veExIwxOEequbXE+e/n2XP6sLnfqwNsa4NSsWHp7o1qryxHMChDuyC0jXx9WOaUMG3NCBMzHSVTpCePQxqEUL3bpIK2rOygaaEJ8YXV/tF+mDTvtPi0cbJZp8MQ85oQtTBLwavq0YCsDnky1Vl+kaJ8rx5MxhNwdEO6DRKmJKBHm9ORBykzYX9631k3EJpgegFTZtGWT9WjmivmUja/JMCy2g766BhgFSAVyugKaJtGfX10XuqebQUJZ6yUYA4TZFvVJkLaKyPB6FpdQH1h5UvrsxehfhihgfU/7Rz1Hl52Ip/sh7yRzATTnrV3+OHItiuaIJDulDlejxUzh98Zbpt01fDTvqVvM/6WjIzn3CDelMZMQMtbFuD2sjQBsxyxhle4cm2AwFzlCutbwIhRa3FbV9wAa3YTXEq2RBenFdxfP23M
x-ms-exchange-antispam-messagedata: lHTIJJErv1rB7aIootXsivyd40jl6AQRa6c4bmMqB8nSUjzdZ0Fa3t71khafG+HNX7arMqt7C0jIhXg95IjWkCu3p+TmFUS9he6PHCclQ2pd0aaBxgoeUY7PYMl6exHdWlp6h6vu2YsoeQ/iC2J2xQ==
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-puWjvMJX4YbvLLjOqn0F"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6bd9cf90-cbd1-4dcc-27c8-08d7d7afccae
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Apr 2020 09:17:14.7439 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MJ7T0R5xAM7fqY3+NVzvCT/YvgJyuI1QaMqwcaZjgSnH2eofN49uk83LEifhfeB5SDqEpfhv7+Po8bI6HFtwAgCcmovdCGhdo274SfHV1hs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3594
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/oxkNB4mh7ia-qK_TjdacSA0gxuk>
Subject: Re: [Hipsec] Magnus Westerlund's Discuss on draft-ietf-hip-native-nat-traversal-30: (with DISCUSS and COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 09:17:23 -0000

Hi Miika,

Please see inline. 


On Thu, 2020-04-02 at 19:56 +0000, Miika Komu wrote:
> Hi Magnus,
> 
> to, 2020-03-05 kello 03:08 -0800, Magnus Westerlund via Datatracker
> kirjoitti:
> > Magnus Westerlund has entered the following ballot position for
> > draft-ietf-hip-native-nat-traversal-30: Discuss
> > 
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this
> > introductory paragraph, however.)
> > 
> > 
> > Please refer to 
> > https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> > 
> > 
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/
> > 
> > 
> > 
> > -------------------------------------------------------------------
> > ---
> > DISCUSS:
> > -------------------------------------------------------------------
> > ---
> > 
> > So I think the below are important things that needs to be discussed
> > before
> > proceeding. However, I might have missed things as I didn't have time
> > to read
> > the whole document in detail. Several of the issues are pieces for
> > discussion
> > to ensure that the right thing really is done.
> > 
> > 1. So this document recommends the usage of port 10500 as default
> > listening
> > port. A port registered by Ari and also used for RFC 5770. I get the
> > impression
> > that the port was registered separately from RFC 5770. So the port is
> > assigned
> > to Ari. Would Ari be willing to release the port for re-assignment to
> > IESG
> > control. RFC 6335 has the recommendation for ports for IETF protocols
> > that the
> > assignee is IESG and the contact chair@ietf.org. This to have the
> > change
> > control with IETF as body rather than with individuals.
> > 
> > If Ari agrees to this, I think it would be good to have the IANA
> > section be
> > updated to note the re-assignment and provide the necessary
> > information.
> 
> This document reuses the same default UDP port number 10500 as
> specified by Legacy ICE-HIP [RFC5770] for tunneling both HIP control
> plane and data plane traffic.  The port was was registered 
> separately for RFC5770 to co-author Ari Keranen but should now be re-
> assigned for IESG control.  With the permission of Ari Keranen, the new
> assignee is IESG and contact "chair@ietf.org".org".  In addition, IANA is
> requested to add a reference to this document in the entry for UDP port
> 10500 in the Transport Protocol Port Number Registry.  The selection
> between Legacy ICE-HIP and Native ICE-HIP mode is negotiated using
> NAT_TRAVERSAL_MODE parameter during the base exchange.  By default,
> hosts listen this port for incoming UDP datagrams and can use it also
> for sending UDP datagrams.  Other emphemeral port numbers are
> negotiated and utilized dynamically.

Thanks, this is exactly what I wanted to here. 

> 
> > 2. Secondly, as this solution is different from the RFC 5770 should
> > this
> > solution have a different service name? The reason I am asking is
> > that it
> > depends on how for example how an initiator determine which of the
> > NAT
> > traversal solution. If there is any intention to use DNS SRV for
> > example
> > different service name would make sense. This is primarily to verify
> > that this
> > has been considered.
> 
> I am not an expert on the topic but based on some discussions with some
> colleagues, the SRV records seem to more suitable for infrastructure
> discovery, not really for end-host discovery. Since you asked for this,
> I wrote a new section in the appendix:

So the main reason for my question was to ensure that you have not forgoetten
that you actually have some dependnecy on the service name that would in fact be
incompatible. That could include some supporting document, for example usage of
SRV records. However, with the below text written, I do find it informative. And
the statement at the end that you don't use SRV records currently is also good
and part to answer one aspect of my question. To conclude, it appears to be no
issues with having the two mechanisms share service name and port. 

From my perspective it appears to be some benefit in including the below
appendix in the specificaiton, but you should seek consensus on it in the WG
before the document is approved in my opinion. 

> 
> Appendix E.  DNS Considerations
> 
> [RFC5770] did not specify how an end-host can look up another end-
> host via DNS and initiate an UDP-based HIP base exchange with it, so
> this section makes an attempt to fill this gap.
> 
> [RFC8005] specifies how an HIP end-host and its Rendezvous server is
> registered to DNS.  Essentially, the public key of the end-host is
> stored as HI record and its Rendezvous Server as A or AAAA record.
> This way, the Rendezvous Server can act as an intermediary for the
> end-host and forward packets to it based on the DNS configuration.
> Control Relay Server offers similar functionality as Rendezvous
> Server, with the difference that the Control Relay Server forwards
> all control messages, not just the first I1 message.
> 
> Prior to this document, the A and AAAA records in the DNS refer
> either to the HIP end-host itself or a Rendezvous Server [RFC8005],
> and control and data plane communication with the associated host has
> been assumed to occur directly over IPv4 or IPv6.  However, this
> specification extends the records to be used for UDP-based
> communications.
> 
> Let us consider the case of a HIP Initiator with the default policy
> to employ UDP encapsulation and the extensions defined in this
> document.  The Initiator looks up the FQDN of a Responder, and
> retrieves its HI, A and AAAA records.  Since the default policy is to
> use UDP encapsulation, the Initiator MUST send the I1 message over
> UDP to destination port 10500 (either over IPv4 in the case of a A
> record or over IPv6 in the case of a AAAA record).  It MAY send an I1
> message both with and without UDP encapsulation in parallel.  In the
> case the Initiator receives R1 messages both with and without UDP
> encapsulation from the Responder, the Initiator SHOULD ignore the R1
> messages without UDP encapsulation.
> 
> The UDP encapsulated I1 packet could be received by three different
> types of hosts:
> 
> 1.  HIP Control Relay Server: in this case the A/AAAA records refers
>     to a Control Relay Server, and it will forward the packet to the
>     corresponding Control Relay Client based on the destination HIT
>     in the I1 packet.
> 
> 2.  HIP Responder supporting UDP encapsulation: in this case, the the
>     A/AAAA records refers to the end-host.  Assuming the destination
>     HIT belongs to the Responder, it receives and processes it
>     according to the negotiated NAT traversal mechanism.  The support
>     for the protocol defined in this document vs [RFC5770] is
>     dynamically negotiated during the base exchange.  The details are
>     specified in Section 4.3.
> 
> 3.  HIP Rendezvous Server: this entity is not listening to UDP port
>     10500, so it will drop the I1 message.
> 
> 4.  HIP Responder not supporting UDP encapsulation: the targeted end-
>        host is not listening to UDP port 10500, so it will drop the I1
>        message.
> 
> The A/AAAA-record MUST NOT be configured to refer to a Data Relay
> Server unless the host in question supports also Control Relay Server
> functionality.
> 
> It also worth noting that SRV records are not employed in this
> specification.  While they could be used for more flexible UDP port
> selection, they are not suitable for end-host discovery but rather
> would be more suitable for the discovery of HIP-specific
> infrastructure.  Further extensions to this document may define SRV
> records for Control and Data Relay Server discovery within a DNS
> domain.
> 
> > 3. So I don't quite understand what the co-existance story are for
> > the relay
> > having an listener on port 10500? Is that port only used for
> > UDP/HIPv1
> > (RFC5770) and UDP/HIPv2 (This doc).
> 
> Yes (by relays or end-hosts)
> 
> > And the listening stack can determine which
> > version is used to determine which of the protocol is run.
> 
> HIP version is in the header. If a middlebox or end-host does not
> support the HIP version, it will respond to with an ICMP:
> 
> https://tools.ietf.org/html/rfc7401#section-5.4.1
> 
> Then there is RFC5770 vs "native NAT traversal" (this spec)
> specification issues:
> 
> 1. Client registration to a Relay:
> 
> - RELAY_UDP_HIP in both specs
> - New RELAY_UDP_ESP service in Native NAT traversal
> 
> 
> https://tools.ietf.org/html/draft-ietf-hip-native-nat-traversal-30#section-4.1
> 
> This is simple. The Relay Server offers services and the Client chooses
> from them. The Control Relay Service is the same in both specs.
> 
> 2. Base exchange between the actual end-hosts:
> 
> - NAT_TM: ICE-STUN-UDP (RFC5770) vs ICE-HIP-UDP (native NAT traversal) 
> 
> 
> https://tools.ietf.org/html/draft-ietf-hip-native-nat-traversal-30#section-4.5
> https://tools.ietf.org/html/rfc5770#section-4.3
> 
> The end-hosts negotiate RFC5770 vs native NAT traversal support during
> the base exchange.
> 
> > And the issue with
> > multiplexing is only existing for the ports that one gathers?
> 
> What do you exactly mean by this? Is there an issue between NAT
> traversal versions? Or are you referring to:
> 
> 6.4.  Demultiplexing Different HIP Associations
> 
> OR
> 
> 4.12.3.  Handling Conflicting SPI Values (note two scenarios here)
> 
> ...which both talk about multiplexing. The latter section deals with the new
> service added in this specification (Data Relay Service) and port gathering
> with that.
> 

Deciphering my own comment, I think it was primarily the question how the relay
can separate the different traffic on that port, primarily from supporting old
version at the same time. I think the seperation of the difference client's
streams appears sufficiently well defined. 



> > Can you please
> > add a paragraph or two somewhere in the document.
> 
> I can add some text if you can confirm if I have answered to the right
> questions?
> 
> > I think it should be
> > referenced by the port registration update.
> 
> This was handled already my response to question 1?
> 
> > 4. MTU impact of NAT traversal.
> > 
> > Section 5.1 states
> > "It is worth noting that UDP encapsulation of HIP packets reduces the
> >    Maximum Transfer Unit (MTU) size of the control plane by 12
> > bytes."
> > 
> > There is also a similar text in Section 5.11:
> > 
> >    It is worth noting that UDP encapsulation of ESP reduces the MTU
> > size
> >    of data plane by 8 bytes.
> > 
> > I think the document needs a discussion and impact on MTU which this
> > NAT
> > traversal has on the HIP packets being sent. - First of all there
> > appears to be
> > more packet expansions happening in some cases, for example the
> > RELAY_HMAC
> > option expands packets on one leg. - Secondly, HIP requires IP
> > fragementation
> > support, however IP fragmentation through NAT is commonly not
> > working. Thus an
> > HIP packet being UDP encapsulated that results in packet exceeding
> > MTU will
> > likely end up in an MTU black hole on path.
> > 
> > The addition of the NAT traversal encapsulation actually increases
> > the need for
> > MTU discovery or care in MTU handling by the HIP initiator. I think
> > there need
> > to be discussion of that in the document.
> 
> I am stil iterating some text on this, I hope Jeff Ahrenholz can help
> with this.
> 

Will answer the other email with text on this. 

> > -------------------------------------------------------------------
> > ---
> > COMMENT:
> > -------------------------------------------------------------------
> > ---
> > 
> > May I inquire about the reasoning why this document do not obsolete
> > RFC 5770?
> 
> This was discussed earlier but the working group decided to keep both,
> and let implementor's to choose between reusing existing STUN/TURN
> infra (RFC5770) vs faster data plane (native NAT traversal).
> 

Ok. 

 
Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------