Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 01 December 2020 13:56 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "rafa@um.es" <rafa@um.es>
CC: "draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "magnus.westerlund=40ericsson.com@dmarc.ietf.org" <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "i2nsf-chairs@ietf.org" <i2nsf-chairs@ietf.org>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>
Date: Tue, 01 Dec 2020 13:56:47 +0000
Message-ID: <5a4ced1ef2a5c631f270296c66f57742c811ecbd.camel@ericsson.com>
References: <160458812991.16036.6729267088975668048@ietfa.amsl.com> <9E65120A-D864-4E56-9954-BA536EF88363@um.es> <687e9ef3dcdc10e8f1e908a5c40156d48da8b75c.camel@ericsson.com> <71d91b42d5c20e41d8666f8ad0b9e541c046482a.camel@ericsson.com> <145F8F53-A9E7-4973-8578-26226170C2FE@um.es>
In-Reply-To: <145F8F53-A9E7-4973-8578-26226170C2FE@um.es>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/P0lHp1wZu8C1z319ueRnwf9Ifew>
Subject: Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>

Hi,

Please see inline. 

On Tue, 2020-12-01 at 13:46 +0100, Rafa Marin-Lopez wrote:
> Dear Magnus:
> 
> > On 27 Nov 2020, at 9:56, Magnus Westerlund <
> > magnus.westerlund@ericsson.com> wrote:
> > 
> > So as long as the option is to turn on "Normal Mode" for tunnel
> > processing of the ECN bits or not then you can disregard the whole thing
> > about
> > RFC 8311. The applications that will use alternative behaviors for ECN will
> > have
> > to know that the consumer understand the semantics. So in this case as the
> > IPSec
> > tunnel only copies the bits back and forth no additional action is needed. 
> 
> [Authors] We have a comment about this and regarding RFC 6040. As we mentioned
> in our previous e-mail, the RFC 6040 states:
> 
> "Modes:  RFC 4301 tunnel endpoints do not need modes and are not
> updated by the modes in the present specification.  Effectively,
> an RFC 4301 IPsec ingress solely uses the REQUIRED normal mode of
> encapsulation, which is unchanged from RFC 4301 encapsulation.
> It will never need the OPTIONAL compatibility mode as explained
> in Section 4.3".
> 
> Therefore an IPsec tunnel ALWAYS copies the ECN bits from the inner to the outer
> header (normal mode). We do not see any other alternative.
> 
> In consequence, after this discussion, our proposal would be just to remove
> the leaf ecn since, according to this text, there is a single option: copy.
> 
> Does it sound reasonable?

I might be missing something here, but I don't think removing the leaf is the
correct option unless you plan to mandate that ECN processing by both endpoints be
always on. So I think there is a binary configuration option between enabling
the RFC 6040 processing between inner and outer headers, and not having ECN
enabled at all, i.e. setting the ECN bits to Not-ECN on the outer encapsulation. Copying
the bits on the ingress and not having the egress do the corresponding operation
has some negative consequences for fairness.

Also, I cringe a bit when you say copy, because what 6040 + 4301 defines
is not strictly copying. That is why it is important to have the right
formulation and not call it copy.


Cheers

Magnus
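To make concrete what "RFC 6040 processing between inner and outer headers" involves, and why an ingress that copies the bits without the egress doing the matching operation loses congestion signals, here is an added Python example. It is not part of this thread, the draft, or the RFC text; the two lookup tables are transcribed from RFC 6040 Figures 3 and 4, while `congested_router` and `decapsulate_copy_only` are constructed models written only for the contrast. The "ECN off" branch sets the outer header to Not-ECT, which in RFC 6040's terms is the compatibility-mode encapsulation column; it is modelled here to show the difference between the two settings, without taking a position on whether an RFC 4301 endpoint should offer it.

```python
"""ECN handling across an RFC 4301 IPsec tunnel, following RFC 6040 normal mode.

Added example: the two tables are transcribed from RFC 6040 Figures 3 and 4;
the router and the "copy-only egress" are constructed models for contrast.
"""
from enum import IntEnum
from typing import Callable, Optional


class ECN(IntEnum):
    """ECN codepoints in the IP header (RFC 3168, Section 5)."""
    NOT_ECT = 0b00
    ECT1 = 0b01
    ECT0 = 0b10
    CE = 0b11


DROP: Optional[ECN] = None  # sentinel: the packet is discarded


def encapsulate(inner: ECN, ecn_enabled: bool = True) -> ECN:
    """Ingress, RFC 6040 Figure 3.

    Normal mode (the only mode an RFC 4301 tunnel uses) copies the inner ECN
    field into the outer header.  If ECN processing is switched off for the
    tunnel, the outer header is set to Not-ECT, so routers on the tunnel path
    cannot CE-mark it; this corresponds to Figure 3's compatibility-mode column.
    """
    return inner if ecn_enabled else ECN.NOT_ECT


# RFC 6040 Figure 4: departing inner header, indexed by the arriving inner
# header (rows) and the arriving outer header (columns).
_DECAP = {
    ECN.NOT_ECT: {ECN.NOT_ECT: ECN.NOT_ECT, ECN.ECT0: ECN.NOT_ECT, ECN.ECT1: ECN.NOT_ECT, ECN.CE: DROP},
    ECN.ECT0:    {ECN.NOT_ECT: ECN.ECT0,    ECN.ECT0: ECN.ECT0,    ECN.ECT1: ECN.ECT1,    ECN.CE: ECN.CE},
    ECN.ECT1:    {ECN.NOT_ECT: ECN.ECT1,    ECN.ECT0: ECN.ECT1,    ECN.ECT1: ECN.ECT1,    ECN.CE: ECN.CE},
    ECN.CE:      {ECN.NOT_ECT: ECN.CE,      ECN.ECT0: ECN.CE,      ECN.ECT1: ECN.CE,      ECN.CE: ECN.CE},
}


def decapsulate_rfc6040(inner: ECN, outer: ECN) -> Optional[ECN]:
    """Egress, RFC 6040 Figure 4.  This step is not a copy: a CE mark that a
    router applied to the outer header is propagated into the inner header,
    and a CE outer on a Not-ECT inner packet is dropped, because that sender
    would not understand the mark."""
    return _DECAP[inner][outer]


def decapsulate_copy_only(inner: ECN, outer: ECN) -> Optional[ECN]:
    """Constructed mis-implementation: the egress ignores the outer header and
    just restores the inner one.  Not something RFC 6040 allows."""
    return inner


def congested_router(outer: ECN) -> Optional[ECN]:
    """Constructed AQM router on the tunnel path.  It only sees the outer header:
    ECN-capable packets are CE-marked, Not-ECT packets must be dropped."""
    if outer in (ECN.ECT0, ECN.ECT1, ECN.CE):
        return ECN.CE
    return DROP


def send_through_tunnel(
    inner: ECN,
    ecn_enabled: bool,
    egress: Callable[[ECN, ECN], Optional[ECN]],
    congested: bool = True,
) -> Optional[ECN]:
    """Ingress -> tunnel path -> egress.  Returns the ECN field the receiver
    sees, or DROP."""
    outer = encapsulate(inner, ecn_enabled)
    if congested:
        outer = congested_router(outer)
        if outer is DROP:
            return DROP
    return egress(inner, outer)


if __name__ == "__main__":
    for label, enabled, egress in (
        ("RFC 6040 both ends", True, decapsulate_rfc6040),
        ("copy at ingress only", True, decapsulate_copy_only),
        ("ECN off on tunnel", False, decapsulate_rfc6040),
    ):
        got = send_through_tunnel(ECN.ECT0, enabled, egress)
        print(f"{label:22s}: receiver sees {'DROP' if got is DROP else got.name}")
```

Running the three scenarios with an ECT(0) inner packet through a congested path shows the fairness point: with RFC 6040 at both ends the receiver sees CE and the sender backs off; with a copy-only egress the CE mark set on the outer header is discarded and the receiver sees ECT(0), so the flow keeps its rate while neighbouring flows that did get the signal slow down; with ECN disabled on the tunnel the outer header is Not-ECT and the router has to drop instead of mark. The Figure 4 corner cases (inner Not-ECT with outer CE dropped, inner ECT(0) with outer ECT(1) becoming ECT(1)) are the reason the egress operation cannot be described as a copy.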