IETF Logo Mail Archive

Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)

Rafa Marin-Lopez <rafa@um.es> Tue, 01 December 2020 15:45 UTC

Return-Path: <rafa@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2A973A13B2; Tue, 1 Dec 2020 07:45:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DvcJhZbEd42R; Tue, 1 Dec 2020 07:45:49 -0800 (PST)
Received: from mx02.puc.rediris.es (outbound4sev.lav.puc.rediris.es [130.206.19.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAF973A13EA; Tue, 1 Dec 2020 07:44:43 -0800 (PST)
Received: from xenon42.um.es (xenon42.um.es [155.54.212.169]) by mx02.puc.rediris.es with ESMTP id 0B1FiaFM025928-0B1FiaFN025928; Tue, 1 Dec 2020 16:44:36 +0100
Received: from localhost (localhost [127.0.0.1]) by xenon42.um.es (Postfix) with ESMTP id DEB7825631; Tue, 1 Dec 2020 16:44:36 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon42.um.es
Received: from xenon42.um.es ([127.0.0.1]) by localhost (xenon42.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id fXQcS00hWGGm; Tue, 1 Dec 2020 16:44:36 +0100 (CET)
Received: from quantum.inf.um.es (quantum.inf.um.es [155.54.204.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon42.um.es (Postfix) with ESMTPSA id CFEEE20037; Tue, 1 Dec 2020 16:44:31 +0100 (CET)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <357BEF23-698E-4EC2-B402-DA7F175FC3F4@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B543B7F0-11B6-4E6A-929D-75662EE1C953"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Tue, 01 Dec 2020 16:44:31 +0100
In-Reply-To: <5a4ced1ef2a5c631f270296c66f57742c811ecbd.camel@ericsson.com>
Cc: Rafa Marin-Lopez <rafa@um.es>, "draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "magnus.westerlund=40ericsson.com@dmarc.ietf.org" <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "i2nsf-chairs@ietf.org" <i2nsf-chairs@ietf.org>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
References: <160458812991.16036.6729267088975668048@ietfa.amsl.com> <9E65120A-D864-4E56-9954-BA536EF88363@um.es> <687e9ef3dcdc10e8f1e908a5c40156d48da8b75c.camel@ericsson.com> <71d91b42d5c20e41d8666f8ad0b9e541c046482a.camel@ericsson.com> <145F8F53-A9E7-4973-8578-26226170C2FE@um.es> <5a4ced1ef2a5c631f270296c66f57742c811ecbd.camel@ericsson.com>
X-Mailer: Apple Mail (2.3445.104.14)
X-FEAS-SPF: spf-result=pass, ip=155.54.212.169, helo=xenon42.um.es, mailFrom=rafa@um.es
Authentication-Results: mx02.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.169 as permitted sender) smtp.mailfrom=rafa@um.es
X-FE-Policy-ID: 2:15:0:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=from:message-id:content-type:mime-version:subject:date:cc:to:references; bh=gnLyJDmYmOmEOIRXv4TFRXqlnsEUzcvBs9qbegonUFo=; b=GFOs44KCzvdtQ0j/dHZwaFmz3j5lj5cws/Y0far4adEIcLJmuEYRZMwijJhimFW25TqJYWKoDhOC UvmFN0Bp7ajIURYPACgE2EJl0IyXHDYJ1nWtIyWR9aZvotSj2QvT7/+KFwYKEPQaGv8mX2+0Hnxz W2G9+qYcJOSXcOK5/103eXADIdVox/Hmy4aDRkAyxj1PLj8H1d9swNY7FKgZG+9ei5DEAPyIjWmt 1ijtjhz3Dg7wMYBya9zUBIBXRuHeS27rTvhQoez0rGejI7ItY1YzEULnyadxqpIhkDQUPDgJdR9D IMvcJyGu6vBjNC7i5cdFySNp+apZkkfgE8/kNQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/TdBomDCPGUNmDrVj2KBP8TdgtOc>
Subject: Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2020 15:45:54 -0000

Dear Magnus:

Please see our comments inline:

> El 1 dic 2020, a las 14:56, Magnus Westerlund <magnus.westerlund@ericsson.com> escribió:
> 
> Hi,
> 
> Please see inline. 
> 
> On Tue, 2020-12-01 at 13:46 +0100, Rafa Marin-Lopez wrote:
>> Dear Magnus:
>> 
>>> El 27 nov 2020, a las 9:56, Magnus Westerlund <
>>> magnus.westerlund@ericsson.com> escribió:
>>> 
>>> So as long as the option is to turn on "Normal Mode" for tunnel
>>> processing of the ECN bits or not then you can disregard the whole thing
>>> about
>>> RFC 8311. The applications that will use alternative behaviors for ECN will
>>> have
>>> to know that the consumer understand the semantics. So in this case as the
>>> IPSec
>>> tunnel only copies the bits back and forth no additional action is needed. 
>> 
>> [Authors] We have a comment about this and regarding RFC 6040. As we mentioned
>> in our previous e-mail, the RFC 6040 states:
>> 
>> "Modes:  RFC 4301 tunnel endpoints do not need modes and are not
>> updated by the modes in the present specification.  Effectively,
>> an RFC 4301 IPsec ingress solely uses the REQUIRED normal mode of
>> encapsulation, which is unchanged from RFC 4301 encapsulation. 
>> It will never need the OPTIONAL compatibility mode as explained 
>> in Section 4.3”.
>> 
>> Therefore an IPsec tunnel ALWAYS copy the ecn bits from the inner to the outer
>> header (normal mode). We do not see any other alternative.
>> 
>> In consequence, after this discussion, our proposal would be just to remove
>> the leaf ecn since, according to this text, there is a single option: copy.
>> 
>> Does it sound reasonable?
> 
> I might be missing something here but I don't think removing the leaf is the
> correct option unless you plan to mandate ECN processing by both endpoints to be
> always on.

[Authors] We think we may also be missing something. Your sentence “to mandate ECN processing by both endpoints to be always on.” is the key. It turns out that (under our interpretation of) RFC 6040 - section 4.3 mentions precisely that that you have ECN in both endpoints for IPsec tunnels: 

"Therefore, both endpoints of an RFC 4301
 tunnel can be sure that the other end is compatible with 
RFC 4301, because the tunnel is only formed after IKEv2 key
management has completed, at which point both ends will be
compliant with RFC 4301 by definition.  Therefore an IPsec tunnel
ingress does not need compatibility mode, as it will never
interact with legacy ECN tunnels.  To comply with the present
specification, it only needs to implement the required normal
mode, which is identical to the pre-existing RFC 4301 behaviour.

Moreover, related with this,  Section 2.24 Explicit Congestion Notification (ECN) in RFC 7296 mentions

2.24.  Explicit Congestion Notification (ECN)

When IPsec tunnels behave as originally specified in [IPSECARCH-OLD],
   ECN usage is not appropriate for the outer IP headers because tunnel
   decapsulation processing discards ECN congestion indications to the
   detriment of the network.  ECN support for IPsec tunnels for
   IKEv1-based IPsec requires multiple operating modes and negotiation
   (see [ECN]).  IKEv2 simplifies this situation by requiring that ECN
   be usable in the outer IP headers of all tunnel mode Child SAs
   created by IKEv2.  Specifically, tunnel encapsulators and
   decapsulators for all tunnel mode SAs created by IKEv2 MUST support
   the ECN full-functionality option for tunnels specified in [ECN] and
   MUST implement the tunnel encapsulation and decapsulation processing
   specified in [IPSECARCH] to prevent discarding of ECN congestion
   indications.


[Authors] Therefore , it seems from both texts above, that it is assumed that ECN would be always on for the IPsec tunnels. Are we missing something here?

> So I think there is a binary configuraiton option between enabling
> the RFC6040 processing between inner and outer headers, and to not have ECN
> enabled at all, i.e. set ECN bits to Not-ECN on the outer encapsulation. Copying
> the bits on the ingress and not have the egress do the corresponding operation
> have some negative consequences to fairness. 

[Authors] Our doubt is that, according to the text pasted above, what would be the case where we have to set ECN bits to Not-ECN if the assumption from these two RFCs is that both endpoints are ECN capable? Are we missing something regarding to IPsec tunnels according to RFC 6040?

In the IKE less case, the I2NSF Controller can assume (and know) that these NSFs have ECN full-functionality as happens with IKEv2. In any case, if you foresee a case where one of the endpoints is not ECN, adding the leaf ecn is not major problem at all. 

What do you think?

> Also, I cringe a bit when you says copy. Becasue that what 6040 + 4301 defines
> in not strictly copying. That is why it is important to have the right
> formulation and not call it copy. 

[Authors] We understand. Does “setting” sound better?

Many thanks.
> 
> 
> Cheers
> 
> Magnus

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email