Re: [Idr] My mic comments on security

"Hu, Jun (Nokia - US/Mountain View)" <> Fri, 26 July 2019 02:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4CE77120261 for <>; Thu, 25 Jul 2019 19:20:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a4iiOhqbTKuO for <>; Thu, 25 Jul 2019 19:20:26 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 80BD2120223 for <>; Thu, 25 Jul 2019 19:20:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=aLSYbwlqz2cEEiHecA402uwDrMprKCty+l3A3smqEuNEm05qR1Vcatt6bkc/QQgDXjaulI0btL2RHe3mSJxgqzM68gofLkxbE+0RNqk58UrvL0X9qoOfCQwCfRa1NtrLWFl8cA9lkG+OjXzJMtTL54Iu8+Sw5edbcCd/iVp7je8OsGM18zjcimsk0F0EfQg3AkpgdRc0NBn6/BWTAxQjg/LMgpv6jK4JAfnv3WZAx9yJxf/LVU0jVYySJPoIdEtE+UxlRPx+oyi+avWoxeUERGvDBPeOU0MD0Ew02eFLWFvi7aO9Uz2QQeMg6YcxGjWkM9A/Om4OUNVfgx0iS31fTA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kW5sSEikL2mB5GRJ/vyO0S4c80sutFMxr+IZx3unlv8=; b=PkPX+sWnkU3RnBvT5wmSgQm6PKuxqXx3rXv4dsu2eojiWMkgpHz3ZLABwo9P6GMYADPkZp/DuSJP6yObgXvCL6KQjtc3kweHI3FdnV1s+znhiQ0tG040DsuE5X3n4pqVv8Or6Ayo1R4KP1nT17dDtVNUBw4FHeo5IysqVK/W1ExAMU65zPDnfirKFqAHgEtXqs9toV+M4qwp/BaGzNflAvRe0VHALhKCLPbW5tzn8BLYjwvcwEyhhvzYajM99tPWq+LMUYTRf8TKdg5pl/PO/tQqAp5YyrZC5VKLi7ADATuk7fYRgJj1AK0V0mSyIyrQ9aEB8Z/Drhih99SyvGOu/Q==
ARC-Authentication-Results: i=1; 1;spf=pass;dmarc=pass action=none;dkim=pass;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-nokia-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kW5sSEikL2mB5GRJ/vyO0S4c80sutFMxr+IZx3unlv8=; b=LXTsUsdKq2aFfUFNErSWAkUbRoYFP47pOOJRQKOaMefY4KOAFQZE4kDDWEKXrO4F8yvrmeWV8vxVFHRBC6291KKICZgyacxzysKm9/l1QfvtjHqPV1x8wyyZ7yM+jbb5fldjOVBCnleclyc7gEbs1Wtaa5UxXhQAzaeUzD1xEiY=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2115.13; Fri, 26 Jul 2019 02:20:23 +0000
Received: from ([fe80::b4b9:a6bd:67a4:95ae]) by ([fe80::b4b9:a6bd:67a4:95ae%12]) with mapi id 15.20.2115.005; Fri, 26 Jul 2019 02:20:23 +0000
From: "Hu, Jun (Nokia - US/Mountain View)" <>
To: Paul Wouters <>, "" <>
Thread-Topic: [Idr] My mic comments on security
Thread-Index: AQHVQvfCbrOxBtlcBU+RwwO4vfi6eqbcJyOQ
Date: Fri, 26 Jul 2019 02:20:23 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: [2601:646:8500:5f0:dd04:fb6c:3016:ed3c]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d28a179b-3a55-4799-735d-08d7116fd0d3
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:AM5PR0701MB2308;
x-ms-traffictypediagnostic: AM5PR0701MB2308:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 01106E96F6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(136003)(366004)(39860400002)(396003)(376002)(346002)(13464003)(189003)(199004)(305945005)(7736002)(81166006)(81156014)(15650500001)(110136005)(71190400001)(71200400001)(33656002)(25786009)(8936002)(99286004)(2906002)(74316002)(476003)(46003)(229853002)(478600001)(6116002)(966005)(186003)(14454004)(86362001)(256004)(14444005)(102836004)(53546011)(66476007)(446003)(11346002)(66946007)(2501003)(52536014)(6506007)(486006)(66446008)(316002)(55016002)(6306002)(8676002)(6246003)(53936002)(9686003)(76176011)(7696005)(6436002)(76116006)(5660300002)(64756008)(66556008)(68736007); DIR:OUT; SFP:1102; SCL:1; SRVR:AM5PR0701MB2308;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: PX70P3nY1gCR8oGqQEPVNVV3XH610Q3Xgz1Z+DpqrpA2TzfGSJYK9DnithRUSNidXVO8lPclvLWaPGWQlVH/54hpjYEnD7KGE0VFv19iK5gUfM/l7chSnYzYmghTBCq+2EdsWqupyBwvWE+0WYzY+cUr6ZVPR6pgosbJuyLBWoounN9ib+uUFPJQdLx3IO7HLx4tgSiVDNSIeDJlgLjnO4jDA2lQs89Z3sChONEElwfSp3DwUTpLrQFQmkhA278zl9LDCz1lRyQ1fTC00jVJijw+T0tpkHJjhB5i2U4qY8no3tz6h0lOG0/g+AoJwej88zcGpybJA6Zi+C46qM39qXeW7NPEyktfGvw4UW/GWSJPXB89ZaVXtFAeLuDzB4CSplV0PEdNJJo5inQjKMVcb4zHDd/eQdMerC53Z0BZP2c=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d28a179b-3a55-4799-735d-08d7116fd0d3
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jul 2019 02:20:23.8155 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0701MB2308
Archived-At: <>
Subject: Re: [Idr] My mic comments on security
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Jul 2019 02:20:29 -0000

Hi Paul,
I just replied to your other email regarding my draft;
My comments for this are in line below as [Hu Jun]

-----Original Message-----
From: Idr <> On Behalf Of Paul Wouters
Sent: Thursday, July 25, 2019 7:45 AM
Subject: [Idr] My mic comments on security

Note I had some questions in my previous post, that related to
draft-hujun-idr-bgp-ipsec-00 but also applies to some of the other proposed solutions.

At the mic I had the following questions/comments:

- IPsecGW's vs Routes

Depending on the amount of IPsec hosts versus the amount of routes (aka IPsec SA's), there are two different models that might apply better.

1) A host to host IPsec connection in transport mode, using GRE or
    similar to add/remote routes without needing to update IPsec state
2) A host to host IPsec connection un tunnel mode, which a single IPsec
    SA per route object.
[Hu Jun] yes, there are use case for both; however using IPsec transport mode does raise a interesting point, currently my draft doesn't include transport mode; using transport with another tunnel type like GRE is kind special, since it is not tunnel stack/nest, I think currently there is no existing mechanism in the framework of draft-ietf-idr-tunnel-encaps to support transport mode; we need to define a new one; I could include this in next revision of my draft

There are likely scenarios where either one will perform better.

- Optional vs Mandatory

My question was whether an indication for IPsec is a commitment to require it or a suggestion to use it. That will cause some implementation differences. For example, kernel ACQUIRES can only be generated when the policy is mandatory - that is plaintext packets will be dropped until an IPsec tunnel is up.
[Hu Jun] as I replied in the other email, this depends on if there is other tunnel type TLV in the same BGP update, if yes, then based on local policy user could chose another type; but if user want to enforce of using IPsec, then just only include IPsec tunnel TLV 

- MTU issues

By adding another layer of encapsulation with IPsec, the MTU is slightly reduced. I did not find text about this in the drafts. Should the administrator or implementation do something to counter the slightly smaller usable MTU or is it expected that each flow handles this itself in the normal path mtu discovery?
[Hu Jun] this is a general understood issue whenever tunnel is involved, but I agree some text in draft-ietf-idr-tunnel-encaps won't hurt 

- Round Trip Time

One can setup a childless IKEv2 SA (two roundtrips) between hosts in anticipation of routes. Then the first route that would need an IPsec tunnel only requires one roundtrip instead of two round trips.

This might not matter at the scale things happen, but often in a mesh of nodes doing crypto, the majority of nodes do not talk to each other and this work might be overkill for theoretical saving of 1 RTT upon route object change.
[Hu Jun] this could be local decision 

- Multicast IPsec

While it was supported in IKEv1 (which you should not use), work for this is still in progress for IKEv2. If you need this support, it would be good to let the authors of draft-yeung-g-ikev2 know that they have some new potential customers and please proceed with the work.
[Hu Jun] multicast is important for Ipsec, we need group key for IKEv2, will send a email to the authors 

- Session resumption

I'm not sure if this can be applicable but using session resumption instead of deleting and starting from scratch for a new IKE SA would save precious CPU time.
[Hu Jun] agree

- Tunnel inactivity

Please do not start using liveness/DPD at the once per second time frame. There are other methods to detect tunnel inactivity, such as using a PFKEY/NETLINK API call that installs a soft-idle timer within the kernel.

[Hu Jun] another faster, and commonly implemented mechanism would be DPD; just run DPD over Ipsec 

Please note I'm not on this list. If you wish to get my attention, feel free to CC: to messages to the idr list.


Idr mailing list