IETF Logo Mail Archive

Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)

Rafa Marin-Lopez <rafa@um.es> Tue, 01 December 2020 12:46 UTC

Return-Path: <rafa@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 261E23A0140; Tue, 1 Dec 2020 04:46:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CYjiIo8hMCTt; Tue, 1 Dec 2020 04:46:20 -0800 (PST)
Received: from mx01.puc.rediris.es (outbound6mad.lav.puc.rediris.es [130.206.19.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B62C3A10A9; Tue, 1 Dec 2020 04:46:20 -0800 (PST)
Received: from xenon42.um.es (xenon42.um.es [155.54.212.169]) by mx01.puc.rediris.es with ESMTP id 0B1CkECO011290-0B1CkECP011290; Tue, 1 Dec 2020 13:46:14 +0100
Received: from localhost (localhost [127.0.0.1]) by xenon42.um.es (Postfix) with ESMTP id 91501255FE; Tue, 1 Dec 2020 13:46:14 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon42.um.es
Received: from xenon42.um.es ([127.0.0.1]) by localhost (xenon42.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id nZYEP21bsEwb; Tue, 1 Dec 2020 13:46:14 +0100 (CET)
Received: from [192.168.43.225] (29.red-95-127-187.staticip.rima-tde.net [95.127.187.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon42.um.es (Postfix) with ESMTPSA id 23F78255C2; Tue, 1 Dec 2020 13:46:06 +0100 (CET)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <145F8F53-A9E7-4973-8578-26226170C2FE@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_14F0BB64-0279-4FAE-9106-F194F16D0F58"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Tue, 01 Dec 2020 13:46:06 +0100
In-Reply-To: <71d91b42d5c20e41d8666f8ad0b9e541c046482a.camel@ericsson.com>
Cc: Rafa Marin-Lopez <rafa@um.es>, "magnus.westerlund=40ericsson.com@dmarc.ietf.org" <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org" <draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>, "i2nsf-chairs@ietf.org" <i2nsf-chairs@ietf.org>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
References: <160458812991.16036.6729267088975668048@ietfa.amsl.com> <9E65120A-D864-4E56-9954-BA536EF88363@um.es> <687e9ef3dcdc10e8f1e908a5c40156d48da8b75c.camel@ericsson.com> <71d91b42d5c20e41d8666f8ad0b9e541c046482a.camel@ericsson.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-FEAS-SPF: spf-result=pass, ip=155.54.212.169, helo=xenon42.um.es, mailFrom=rafa@um.es
Authentication-Results: mx01.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.169 as permitted sender) smtp.mailfrom=rafa@um.es
X-FE-Policy-ID: 2:15:0:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=from:message-id:content-type:mime-version:subject:date:cc:to:references; bh=u9juCM1T9HoZbOhKW5UthXS8Hu6xGmm5P6+aRqOIVGw=; b=CqqB4beA1+lSxgTui7/vHgMaiEWM0bLZigg17TrlO1aV2or9OpjtSvJpJ+X/qVbGRwMU/mQWXJ42 SUVoC27LcpObA1JUOJdRY4uuh3Xi7vJ0XEYilfbXFEKfSCmeYusEtbD/aUWLbfPavdNp6nqV9Vj3 ibVVT0VOIh+opZ4B0gPkHjxRwNRhh+2QiZoejQAyYbWrryfEOJuNjH18CKcGY//5WcwMBMlO70jl T4kywibtdX0iUYPQ0u1UnF8i0Q9ghTes7nh1Bhvexw93zAHzwRg0GNe2sd/E55SKIf9IldbgF8lK hKtYE3EmXneLzD8P6Hrjitxb9MioUnLYkM1QKw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/mhezFIp8krTBGpjKYqtqnVSA1W8>
Subject: Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2020 12:46:23 -0000

Dear Magnus:

> El 27 nov 2020, a las 9:56, Magnus Westerlund <magnus.westerlund@ericsson.com> escribió:
> 
> Hi,
> 
> Please see below. 
> 
> On Wed, 2020-11-25 at 14:48 +0000, Magnus Westerlund wrote:
>> 
>> On Mon, 2020-11-23 at 19:19 +0100, Rafa Marin-Lopez wrote:
>>> Dear Magnus:
>>> 
>>> Thank you very much for your review. Please, see our comments below.
>>> 
>>>> ----------------------------------------------------------------------
>>>> DISCUSS:
>>>> ----------------------------------------------------------------------
>>>> 
>>>>       leaf ecn {
>>>>         type boolean;
>>>>         default false;
>>>>         description
>>>>           "Explicit Congestion Notification (ECN). If true
>>>>           copy CE bits to inner header.";
>>>>         reference
>>>>           "Section 5.1.2 and Appendix C in RFC 4301.";
>>>>       }
>>>> 
>>>> There is something wrong here, likely in the description of the option.
>>>> This
>>>> as
>>>> the outer IP header on sender side needs to set ECN field to ECT to enable
>>>> so
>>>> that any CE marks can be received. I think it is reasonable to have an
>>>> option
>>>> to just enable ECN, but that requires several things. Secondly with the
>>>> changes
>>>> in RFC 8311, there might be need to be more explicit in the configuration
>>>> of
>>>> ECN to actually indicate which ECT value that should be set on send side
>>>> for
>>>> the established IPsec tunnel. Due to under discussion experiments with ECT
>>>> values per RFC 8311 we should verify that just copying the inner header
>>>> value
>>>> to the external is fine and don't break anything as path and/or marking
>>>> behavior may not be the same.
>>> 
>>> [Authors] Yes, we agree with you that this is poorly explained and needs to
>>> be
>>> clarified.
>>> 
>>> On the one hand, RFC 6040 mentions:
>>> 
>>> "Modes:  RFC 4301 tunnel endpoints do not need modes and are not
>>> updated by the modes in the present specification.  Effectively,
>>> an  RFC 4301 IPsec ingress solely uses the REQUIRED normal mode of
>>> encapsulation, which is unchanged from RFC 4301 encapsulation. 
>>> It will never need the OPTIONAL compatibility mode as explained 
>>> in Section 4.3”.
>>> 
>>> Therefore, our interpretation is that for RFC 4301 tunnels we can only
>>> apply 
>>> Figure 3 ("Normal mode” column), which means copying the values of inner
>>> header to outer header.
>>> 
>>> On the other hand, regarding your comment about RFC 8311, our interpretation
>>> is that only specifying copy would be not enough for certain cases based on
>>> RFC 8311 so there might be a need to set an ECT(0) or ECT(1) when the inner
>>> packet could be ECT(0) or ECT(1) but copying is not valid. For example, if
>>> the
>>> inner packet has ECT(0) or ECT(1) but we want to set the outer IP header
>>> with
>>> ECT(0) for either case. Is this interpretation correct? If it is, we think
>>> we
>>> could accommodate this as:
>>> 
> 
> Sorry, I think I lead you astray due to no understanding the context here
> sufficiently.

[Authors] No worries.

> So as long as the option is to turn on "Normal Mode" for tunnel
> processing of the ECN bits or not then you can disregard the whole thing about
> RFC 8311. The applications that will use alternative behaviors for ECN will have
> to know that the consumer understand the semantics. So in this case as the IPSec
> tunnel only copies the bits back and forth no additional action is needed. 

[Authors] We have a comment about this and regarding RFC 6040. As we mentioned in our previous e-mail, the RFC 6040 states:

"Modes:  RFC 4301 tunnel endpoints do not need modes and are not
updated by the modes in the present specification.  Effectively,
an RFC 4301 IPsec ingress solely uses the REQUIRED normal mode of
encapsulation, which is unchanged from RFC 4301 encapsulation. 
It will never need the OPTIONAL compatibility mode as explained 
in Section 4.3”.

Therefore an IPsec tunnel ALWAYS copy the ecn bits from the inner to the outer header (normal mode). We do not see any other alternative.

In consequence, after this discussion, our proposal would be just to remove the leaf ecn since, according to this text, there is a single option: copy.

Does it sound reasonable?

> 
> So please remove the whole second sentence and the RFC8311 reference.
> 
> In addition to the first part of the below description. It only mentions the
> encapsulation action. So my quesiton, is this configuration only for the
> encapsulating entity, or for a whole tunnel and applied to both ends? If it is
> the later, then I think you should take note of the need to process the outer
> ECN field and remark per RFC6040. 

[Authors] For the outer ECN, we do not have any alternative either: according to RFC 6040, the decapsulator applies the table in Figure 4. 

Best Regards.

> 
> Cheers
> 
> Magnus
> 
> 
>>> container ecn {
>>>       leaf copy-or-set { 
>>>         type boolean;
>>>         default true; 
>>>         description 
>>>           "If True the ECN field of the incoming IP header
>>>           is copied to the outer IP header of the tunnel following
>>>           RFC 6040 normal mode. If False, it is possible to set
>>>           a specific ECT value (ECT (0) or ECT (1) to the outer
>>>           header of the tunnel.";
>>>         reference 
>>>           "RFC 6040. RFC 8311.";
>>>       }
>>>       leaf set {
>>>         when "../copy-or-set = 'true'";
>>> 
>>>         type enumeration {         
>>>           enum ect0 {
>>>             value 0;
>>>             description 
>>>               "ECT(0)";
>>>           }
>>>           enum ect1 {
>>>             value 1; 
>>>             description 
>>>               "ECT(1)";
>>>           }
>>>         }
>>>         description 
>>>           "To set an specific ECT value in the 
>>>           outer IP header when the inner IP header contains ECT(0)
>>>           or ECT(1) value.";
>>>         reference 
>>>           "RFC 8311";
>>>       }
>>>       description 
>>>         "Explicit Congestion Notification (ECN) management.";
>>>       reference 
>>>         "RFC 6040. RFC 8311";
>>>     } 
>>> 
>>> 
>>> Does this reflect what you had in mind?
>>> 
>>>> I think there is also the question if RFC 6040 needs to be referenced in
>>>> this
>>>> context to ensure that people pick up on that RFC 6040 updates RFC 4301.
>>> 
>>> [Authors] Correct. RFC 6040 is the proper reference.
>>> 
>>> Best Regards.
>>> 
>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> I2nsf mailing list
>>>> I2nsf@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/i2nsf
>>> 
>>> -------------------------------------------------------
>>> Rafa Marin-Lopez, PhD
>>> Dept. Information and Communications Engineering (DIIC)
>>> Faculty of Computer Science-University of Murcia
>>> 30100 Murcia - Spain
>>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>>> -------------------------------------------------------
>>> 
>>> 
>>> 
>>> 

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email