IETF Logo Mail Archive

Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)

Rafa Marin-Lopez <rafa@um.es> Mon, 14 December 2020 16:41 UTC

Return-Path: <rafa@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AED983A1591; Mon, 14 Dec 2020 08:41:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nyGVARmBJHWa; Mon, 14 Dec 2020 08:41:12 -0800 (PST)
Received: from mx02.puc.rediris.es (outbound6sev.lav.puc.rediris.es [130.206.19.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D53053A15A5; Mon, 14 Dec 2020 08:41:11 -0800 (PST)
Received: from xenon44.um.es (xenon44.um.es [155.54.212.171]) by mx02.puc.rediris.es with ESMTP id 0BEGf6xs004013-0BEGf6xt004013; Mon, 14 Dec 2020 17:41:06 +0100
Received: from localhost (localhost [127.0.0.1]) by xenon44.um.es (Postfix) with ESMTP id 4B9C222338; Mon, 14 Dec 2020 17:41:06 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon44.um.es
Received: from xenon44.um.es ([127.0.0.1]) by localhost (xenon44.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 6HAM2wGk-MJm; Mon, 14 Dec 2020 17:41:06 +0100 (CET)
Received: from [192.168.1.33] (155.red-88-20-209.staticip.rima-tde.net [88.20.209.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon44.um.es (Postfix) with ESMTPSA id 8422A20DFC; Mon, 14 Dec 2020 17:41:02 +0100 (CET)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <2C6A1A48-6F96-4326-9DE4-CCB2B4EFF613@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D7127157-3E15-495E-920B-2C5A4217B451"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Mon, 14 Dec 2020 17:41:01 +0100
In-Reply-To: <82a207320ed37ba5f025fa8b14cbb02f4e48ba98.camel@ericsson.com>
Cc: Rafa Marin-Lopez <rafa@um.es>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>, "iesg@ietf.org" <iesg@ietf.org>, "i2nsf-chairs@ietf.org" <i2nsf-chairs@ietf.org>
To: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>
References: <160458812991.16036.6729267088975668048@ietfa.amsl.com> <9E65120A-D864-4E56-9954-BA536EF88363@um.es> <687e9ef3dcdc10e8f1e908a5c40156d48da8b75c.camel@ericsson.com> <71d91b42d5c20e41d8666f8ad0b9e541c046482a.camel@ericsson.com> <145F8F53-A9E7-4973-8578-26226170C2FE@um.es> <5a4ced1ef2a5c631f270296c66f57742c811ecbd.camel@ericsson.com> <357BEF23-698E-4EC2-B402-DA7F175FC3F4@um.es> <82a207320ed37ba5f025fa8b14cbb02f4e48ba98.camel@ericsson.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-FEAS-SPF: spf-result=pass, ip=155.54.212.171, helo=xenon44.um.es, mailFrom=rafa@um.es
Authentication-Results: mx02.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.171 as permitted sender) smtp.mailfrom=rafa@um.es
X-FE-Policy-ID: 2:15:0:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=from:message-id:content-type:mime-version:subject:date:cc:to:references; bh=H+ETx0yv1xjir4Ji75NQTCGxeRl9FkqOSyDOO7O7T5M=; b=MboaN2zO8vDg3osZRM0+dPiEQTnZzKQkq8ZExzSt29VM39nWD3CsXQEhD8dPRZ7czlgnC/Dnii4f ZcyfU6ZOlRKNu9d1QRiMOenLYyQ+sQZQOs6DM+PdKOPswDeJP5WB2dPNitMkP0dB6ESEfB2ZCw5U nbJL57PsS+knZ/OE6+CNvRh1bsCIuwkgqSNJYABpNqRLBXK/EukmrdALyUC1l2D69xbeSN5M9kgt ZRAYbG9uAlQOCdE4qzGDx2qOR0cPSb1hMJH6wi1TBmZIqYZh1coXRoQ8pHk7ivipoXOkKk7hY0U3 2rMrDQKRxyTA5Sekr2Ywi/9wwCvYHbbEUmSaqg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/EB_8by0X4xIEABVob4Ovy95cyXk>
Subject: Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 16:41:15 -0000

Dear Magnus:

Just to check we came to a conclusion to this discussion. Please see below.

> El 1 dic 2020, a las 18:28, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> escribió:
> 
> Hi,
> 
> See inline. 
> 
> On Tue, 2020-12-01 at 16:44 +0100, Rafa Marin-Lopez wrote:
>> Dear Magnus:
>> 
>> Please see our comments inline:
>> 
>>> El 1 dic 2020, a las 14:56, Magnus Westerlund <
>>> magnus.westerlund@ericsson.com> escribió:
>>> 
>>> Hi,
>>> 
>>> Please see inline. 
>>> 
>>> On Tue, 2020-12-01 at 13:46 +0100, Rafa Marin-Lopez wrote:
>>>> Dear Magnus:
>>>> 
>>>>> El 27 nov 2020, a las 9:56, Magnus Westerlund <
>>>>> magnus.westerlund@ericsson.com> escribió:
>>>>> 
>>>>> So as long as the option is to turn on "Normal Mode" for tunnel
>>>>> processing of the ECN bits or not then you can disregard the whole thing
>>>>> about
>>>>> RFC 8311. The applications that will use alternative behaviors for ECN
>>>>> will
>>>>> have
>>>>> to know that the consumer understand the semantics. So in this case as
>>>>> the
>>>>> IPSec
>>>>> tunnel only copies the bits back and forth no additional action is
>>>>> needed. 
>>>> 
>>>> [Authors] We have a comment about this and regarding RFC 6040. As we
>>>> mentioned
>>>> in our previous e-mail, the RFC 6040 states:
>>>> 
>>>> "Modes:  RFC 4301 tunnel endpoints do not need modes and are not
>>>> updated by the modes in the present specification. Effectively,
>>>> an RFC 4301 IPsec ingress solely uses the REQUIRED normal mode of
>>>> encapsulation, which is unchanged from RFC 4301 encapsulation. 
>>>> It will never need the OPTIONAL compatibility mode as explained 
>>>> in Section 4.3”.
>>>> 
>>>> Therefore an IPsec tunnel ALWAYS copy the ecn bits from the inner to the
>>>> outer
>>>> header (normal mode). We do not see any other alternative.
>>>> 
>>>> In consequence, after this discussion, our proposal would be just to
>>>> remove
>>>> the leaf ecn since, according to this text, there is a single option:
>>>> copy.
>>>> 
>>>> Does it sound reasonable?
>>> 
>>> I might be missing something here but I don't think removing the leaf is the
>>> correct option unless you plan to mandate ECN processing by both endpoints
>>> to be
>>> always on.
>> 
>> [Authors] We think we may also be missing something. Your sentence “to mandate
>> ECN processing by both endpoints to be always on.” is the key. It turns out
>> that (under our interpretation of) RFC 6040 - section 4.3 mentions precisely
>> that that you have ECN in both endpoints for IPsec tunnels: 
>> 
>> "Therefore, both endpoints of an RFC 4301
>> tunnel can be sure that the other end is compatible with 
>> RFC 4301, because the tunnel is only formed after IKEv2 key
>> management has completed, at which point both ends will be
>> compliant with RFC 4301 by definition.  Therefore an IPsec tunnel
>> ingress does not need compatibility mode, as it will never
>> interact with legacy ECN tunnels.  To comply with the present
>> specification, it only needs to implement the required normal
>> mode, which is identical to the pre-existing RFC 4301 behaviour.
>> 
>> Moreover, related with this,  Section 2.24 Explicit Congestion Notification
>> (ECN) in RFC 7296 mentions
>> 
>> 2.24.  Explicit Congestion Notification (ECN)
>> 
>> When IPsec tunnels behave as originally specified in [IPSECARCH-OLD],
>>   ECN usage is not appropriate for the outer IP headers because tunnel
>>   decapsulation processing discards ECN congestion indications to the
>>   detriment of the network.  ECN support for IPsec tunnels for
>>   IKEv1-based IPsec requires multiple operating modes and negotiation
>>   (see [ECN]).  IKEv2 simplifies this situation by requiring that ECN
>>   be usable in the outer IP headers of all tunnel mode Child SAs
>>   created by IKEv2.  Specifically, tunnel encapsulators and
>>   decapsulators for all tunnel mode SAs created by IKEv2 MUST support
>>   the ECN full-functionality option for tunnels specified in [ECN] and
>>   MUST implement the tunnel encapsulation and decapsulation processing
>>   specified in [IPSECARCH] to prevent discarding of ECN congestion
>>   indications.
>> 
>> 
>> [Authors] Therefore , it seems from both texts above, that it is assumed that
>> ECN would be always on for the IPsec tunnels. Are we missing something here?
> 
> It is great that support is mandated. I think I am making a difference between
> supporting and using. But it looks like this would work without any
> configuration, thus you might be correct that this is not a necessary and it can
> be removed.

[Authors] Ok, good. So let’s remove it, then.
>  
> 
> 
> 
>> 
>>> So I think there is a binary configuraiton option between enabling
>>> the RFC6040 processing between inner and outer headers, and to not have ECN
>>> enabled at all, i.e. set ECN bits to Not-ECN on the outer encapsulation.
>>> Copying
>>> the bits on the ingress and not have the egress do the corresponding
>>> operation
>>> have some negative consequences to fairness. 
>> 
>> [Authors] Our doubt is that, according to the text pasted above, what would be
>> the case where we have to set ECN bits to Not-ECN if the assumption from these
>> two RFCs is that both endpoints are ECN capable? Are we missing something
>> regarding to IPsec tunnels according to RFC 6040?
>> 
>> In the IKE less case, the I2NSF Controller can assume (and know) that these
>> NSFs have ECN full-functionality as happens with IKEv2. In any case, if you
>> foresee a case where one of the endpoints is not ECN, adding the leaf ecn is
>> not major problem at all. 
>> 
>> What do you think?
> 
> I think that requires domain knowledge of the IPSec endpoints to know if they
> usually are fully compliant or if this needs configuration anyway. I don't know
> this. So this I think is a consideration if one can remove the leaf or nto.

[Authors] Our point was to highlight that both endpoints have ECN full-funcionality as per section 4.3 in RFC 6040. In fact, we only consider that NSFs are complaint with RFC 4301. In conclusion, it is safe to remove the leaf. Therefore, there is no choice for the I2NSF Controller to configure ECN support since the NSFs are assumed to be ECN full-functional. After this discussion, we believe it is important to mention this in the I-D in section 6 as follows:

"It is assumed that NSFs involved in this document provide ECN full-functionality to prevent discarding of ECN congestion indications." 

We believe this clarifies the point. What do you think?

> 
> 
>> 
>>> Also, I cringe a bit when you says copy. Becasue that what 6040 + 4301
>>> defines
>>> in not strictly copying. That is why it is important to have the right
>>> formulation and not call it copy. 
>> 
>> [Authors] We understand. Does “setting” sound better?
> 
> "Setting it per RFC 6040" is more to my liking. 

[Authors] Noted.

Thank you very much.
> 
> Cheers
> 
> Magnus
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org <mailto:I2nsf@ietf.org>
> https://www.ietf.org/mailman/listinfo/i2nsf <https://www.ietf.org/mailman/listinfo/i2nsf>
------------------------------------------------------- Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email