Re: [Hipsec] Re-doing the IESG ballot for draft-ietf-hip-native-nat-traversal
Eric Rescorla <ekr@rtfm.com> Fri, 21 February 2020 14:53 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E83B0120829 for <hipsec@ietfa.amsl.com>; Fri, 21 Feb 2020 06:53:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDF9GohFzMfp for <hipsec@ietfa.amsl.com>; Fri, 21 Feb 2020 06:53:08 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC47312087F for <hipsec@ietf.org>; Fri, 21 Feb 2020 06:53:07 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id n18so2464305ljo.7 for <hipsec@ietf.org>; Fri, 21 Feb 2020 06:53:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=40SBCAGUSReCqvvb7x7R+JjOJFSBjydHAyuLSRj5z+w=; b=uJQavpAv9anWtLt2MWHvfI8kfF7kUf0oDSOz3Ks5s/fs8tRZN7+O3ClGtbJZOUJZA+ AtQlZGReuVj80L9bYTacThpQ0XRzY9TioS32M8I80jZF1kl582TBAq2af1Vj7XBDTBrD GEwzA4MluyDJo26+ejZ2jdMqaA1LgpoTK14gDx3qv3OP7pAm2Q8Y5w+bQHGHYOHK68Ty 0iYB9iAT2hzSEFbCWJYnI/WPDde6BsbED9IItJWzrAtDnEfAZp/XqKAG+v9Ywh7tBAeH HPNE4g/MxTnGfDDegBTcxGTyhLySZXUyAav1y+BrumDklPcq+yEHm3Q/PTX/A4Xxalj+ dkmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=40SBCAGUSReCqvvb7x7R+JjOJFSBjydHAyuLSRj5z+w=; b=aB+MTH7bBdfLJZPcnlFXz4Twpu+B33GeXganBg6aEIhAB4icLzo/B2J+LYcyxhV8xU RW/jccb1CVFW83G06RL1su10Zh7osIgvnUApvy8+EX5sLuCkDvycxvXbLcIgMC35hJTo CBCweUvvtQUSW9X5LzgRuzpRI270w18ah2IMF78yhvavQxZ5NJOFKfEdbXCRkMU3I+6x aKe3TPFCaJ+Y9hK6cYRxT37Qc53jUUDfmQIadTADae2U31VFSnnA4TlBAC/J5ZqjhmEp 13KKagT4WFwCuJdWltdFI99z+XNrNRJpE8Y5NT2dNLZJoDPBQxr6qO1t65L2E2PZ3dGf oerw==
X-Gm-Message-State: APjAAAVmBX2zT67oTmyw4tm/GaTXwPOm3HzQ+oYkfANqpRR6hz+DLRYG jVO7UE7gEB3gi3TUoQ8/QvgXPCzlQ/DAP2h6mc4otA==
X-Google-Smtp-Source: APXvYqxW36JEpAbU9II//xiZ3jvXrl65ZeICUFNXCxvVSz6fcfJMa2Dfm1narN/YpO6wQmC3c8Wtt68H0a8PJrg3n4o=
X-Received: by 2002:a05:651c:448:: with SMTP id g8mr22724180ljg.35.1582296785856; Fri, 21 Feb 2020 06:53:05 -0800 (PST)
MIME-Version: 1.0
References: <884374EF-7488-4C00-BDB7-CE203414197E@cisco.com> <CABcZeBOSEwMWhQrKsD19=-4k+gHcv=RyqzV12GXR_ySLY-oz=g@mail.gmail.com> <5af46503372ca0d50540abcb93c931231499aeb2.camel@ericsson.com>
In-Reply-To: <5af46503372ca0d50540abcb93c931231499aeb2.camel@ericsson.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 21 Feb 2020 06:52:29 -0800
Message-ID: <CABcZeBN=wapf6g7YCdAu_1o0NPyz_1Y6AtDM=RwvXDci202nuQ@mail.gmail.com>
To: Miika Komu <miika.komu@ericsson.com>
Cc: "evyncke@cisco.com" <evyncke@cisco.com>, "ben@nostrum.com" <ben@nostrum.com>, "iesg@ietf.org" <iesg@ietf.org>, "spencerdawkins.ietf@gmail.com" <spencerdawkins.ietf@gmail.com>, "hipsec@ietf.org" <hipsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d9cb74059f172d3c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/pLt9ZsLsGpyK_UJhNhxpl92Pktc>
Subject: Re: [Hipsec] Re-doing the IESG ballot for draft-ietf-hip-native-nat-traversal
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2020 14:53:24 -0000
On Fri, Feb 21, 2020 at 6:21 AM Miika Komu <miika.komu@ericsson.com> wrote: > Hi Eric, > > I disagree about the overhead occuring only during set up time because > STUN message format is incompatible with ESP formatting, so an > implementation needs to constantly monitor and intercept STUN packets > from the data-plane traffic. This causes a continuous overhead to the > data plane, so it is not only about set up time. Please check the draft > or hipsec mailing for more detailed discussion on this. > Assuming you're talking about Appendix B, this is just a bare assertion that is no more convincing than the one you make here. I would make several points here: 1. STUN packets are trivial to detect and that detection is *far* cheaper than doing any kind of cryptographic processing. Moreover, you only need to invoke it once you have determined that you don't have an ESP packet on your hands, which you have to do *anyway*, because you need to demux ESP packets from HIP setup packets. Failing that, you could just do STUN demuxing for packets which are unprocessable as ESP (which you would need to have some code for anyway). 2. Once the ICE handshake has completed, the only reason to send STUN packets is for keepalives, which ICE explicitly permits to be able to sent by non-STUN mechanisms, so you could simply profile ICE to use a non-STUN keepalive. Beyond that, you can simply ignore STUN as long as there aren't any connections being set up. To the extent to which your argument relies one endpoint performance, I really think that some measurements and a demonstration that you attempted to optimize the code in the obvious ways are in order. More generally, this sort of non-specific performance argument is often adduced in favor of designing something new, but ICE is a very complicated piece of machinery that has taken the IETF quite a lot of time to build and refine. This protocol is subtly different in ways that don't seem entirely obvious and so I think we should be quite cautious about issuing it as a Proposed Standard when we have a pre-existing protocol at hand, given that the arguments for doing so seem to rest on a rather thin set of arguments about performance. -Ekr > pe, 2020-02-21 kello 05:38 -0800, Eric Rescorla kirjoitti: > > I would like to note for the record that I do not find the arguments > > in the applicability statement at all persuasive. They are > > principally about performance but ICE occurs at setup time (so CPU > > performance is not much of an issue) and is inherently so, with > > pacing and RTT the dominant factors (and so the system architecture > > issues are unpersuasive). As I am no longer an AD, this is just > > opinion, but were I the AD, I would insist on a strong rationale. > > > > -Ekr > > > > > > On Fri, Feb 21, 2020 at 4:35 AM Eric Vyncke (evyncke) < > > evyncke@cisco.com> wrote: > > > Hi, > > > > > > The first IESG ballot for the draft-ietf-hip-native-nat-traversal > > > was done in May 2018 and was blocked by a couple of DISCUSS by the > > > 2018 IESG. The main issue IMHO was around “why not reusing plain > > > ICE?”; the authors in discussion with Adam Roach have provided an > > > applicability statement and a justification on why “plain ICE” does > > > not work efficiently when combined with HIP + additional text or > > > replies for the remaining DISCUSS & COMMENT. > > > > > > The diff are > > > > https://www.ietf.org/rfcdiff?url2=draft-ietf-hip-native-nat-traversal-30&url1=draft-ietf-hip-native-nat-traversal-28 > > > > > > I have reviewed all COMMENT and DISCUSS from 2 years ago and it > > > appears to me that they are all addressed (including those from > > > 2018 AD who are no more AD in 2020 – they are in cc). The changes > > > in the document are minor and I am confident that neither a WG Last > > > Call not an IETF Last Call is required. I am therefore placing the > > > document in the next IESG telechat and opening a new IESG ballot. > > > > > > Thank you for the authors on their energy to keep the document > > > useful, > > > > > > Regards, > > > > > > -éric > > > > > > > _______________________________________________ > > Hipsec mailing list > > Hipsec@ietf.org > > https://www.ietf.org/mailman/listinfo/hipsec >
- [Hipsec] Re-doing the IESG ballot for draft-ietf-… Eric Vyncke (evyncke)
- Re: [Hipsec] Re-doing the IESG ballot for draft-i… Eric Rescorla
- Re: [Hipsec] Re-doing the IESG ballot for draft-i… Eric Vyncke (evyncke)
- Re: [Hipsec] Re-doing the IESG ballot for draft-i… Miika Komu
- Re: [Hipsec] Re-doing the IESG ballot for draft-i… Eric Rescorla