IETF Logo Mail Archive

Re: [IPsec] Labeled IPsec options

"Valery Smyslov" <smyslov.ietf@gmail.com> Fri, 27 December 2019 07:06 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC41B12004F for <ipsec@ietfa.amsl.com>; Thu, 26 Dec 2019 23:06:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6NG9FZyRF2Ye for <ipsec@ietfa.amsl.com>; Thu, 26 Dec 2019 23:06:25 -0800 (PST)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26B9C120025 for <ipsec@ietf.org>; Thu, 26 Dec 2019 23:06:25 -0800 (PST)
Received: by mail-wr1-x435.google.com with SMTP id c14so25300977wrn.7 for <ipsec@ietf.org>; Thu, 26 Dec 2019 23:06:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=rIcmVRe1Q8hrGP3iYK8eDw6wQMan9A5hUK+U7VKqRjw=; b=fjpPwnE9b5ih+nuRYOj9CWhh/PBhBd2vsGV2aLeMg0+H9IcxjsO069FP8WxohDunR8 GXIK4v1CT5ewllrJQQ8YT01RHgDkJYYKn+brjEmCSOnQdmECW5C5kHvsEwLrFBNdgkS3 J0GoUcMGJLbw1K/byd4s0c6Skn/E29w539DROrSwLfpNcwWLb3pW/1Ucgkr5YqaXYvpY Hmp0qtEa3H5BW3atWqMN4QCSrKbJxqPKsGAGif1lNwtH9JJW/pUxSLVTzDfd2qcQ0x7r 217ki9VSueXlJ1cbhKCeY4UN4ahTEdH9CzjUzmnGBtBrcYh64+idPE0FhPQayAZn7Dmb Pkiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=rIcmVRe1Q8hrGP3iYK8eDw6wQMan9A5hUK+U7VKqRjw=; b=oLaNyBIE14LhNyh/clELDXVU4Q2McCAwe9k1rXLHi04RlXvfmd7BdXSENEDzXtQPz5 K/Ely58axy1AFAzoY6IUaCwoGjvyqP3VIHLVldyxOD8xvQwut64p3XZbkh5jZWZf3jXX ZqfTDTTmV20bC9PLg+k4XwSIrfSx0EwXVkVH0FNUhAABwxNy3ngget8DDfl3LZE/HUPS IMbtjhaa4lf/iiUvP/5Z8mMm88QJPxNduR++NyEodfm/aJlcO29V4T5a5qaqllBYLGpn 3DeQh0BfTG0cwvJGQ7b8V4M0BJqWZ0sDXzUtuN+5WW4sHOKSDn3rk8lYGWsOb83drCC/ veZw==
X-Gm-Message-State: APjAAAVCaqkeerBbQuXeRTyrG7nfw4oucpFct24/Vw2CrBLW1zBwy9l7 KzapkjuAaX7RAINWD2RSHgisEEYW
X-Google-Smtp-Source: APXvYqyM/6SMoahVKROUzfG4yMxPbOWDhr+e0fU65clLVZRFuURH7BObxSjuiueodfKC+UUGlDkYXg==
X-Received: by 2002:a5d:484f:: with SMTP id n15mr24274565wrs.365.1577430383163; Thu, 26 Dec 2019 23:06:23 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id f127sm10221881wma.4.2019.12.26.23.06.21 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 26 Dec 2019 23:06:22 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>
Cc: 'Tero Kivinen' <kivinen@iki.fi>, ipsec@ietf.org, 'Sahana Prasad' <sahana@redhat.com>
References: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca> <01f501d5b0b2$facb4370$f061ca50$@gmail.com> <24050.43728.115813.170898@fireball.acr.fi> <046401d5b1c6$98ed09d0$cac71d70$@gmail.com> <24055.63797.695416.153493@fireball.acr.fi> <032201d5bb30$7b70ec00$7252c400$@gmail.com> <alpine.LRH.2.21.1912261258470.11522@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1912261258470.11522@bofh.nohats.ca>
Date: Fri, 27 Dec 2019 10:06:26 +0300
Message-ID: <044f01d5bc84$284b8300$78e28900$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLx+ZsZ28gCWkLjxf5xPWFraxjS5AGiqmCDANTXOjwB/YUU0gIxTZDgAjZptVYCZJBXO6U6/Rmg
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/-ivcx_uVu1Yf7w1WWlxGlc8eCoU>
Subject: Re: [IPsec] Labeled IPsec options
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2019 07:06:27 -0000

Hi Paul,

> > Another approach - use some new status notification containing
> > seclabel that the initiator would include in any request to create
> > Child SA. This is easy to implement, but there is a possibility,
> > that unsupporting responder will just ignore this notification
> > and create SA w/o proposed seclabel. In this case the initiator
> > would need to immediately delete this SA.
> 
> That is a big problem but not the only one.
> 
> > My proposal only deals with this situation. If initiator and responder
> > exchange SECLABELS_SUPPORTED notifications at the time of
> > creating IKE SA (in IKE_SA_INIT), then the initiator will know,
> 
> During IKE_SA_INIT you do not fully know which configuration you are
> talking to, as no ID's have been exchanged. If a server has some
> connections with and some without security labels, it cannot guarantee
> success despite the notification. And that is assuming the notification
> does not indicate "support" but indicates "supported and required"

The successful exchange of SECLABELS_SUPPORTED notification only
ensures that the responder won't ignore SECLABEL notification
in requests to create IPsec SAs. In this case, if for any reason
the server cannot create IPsec Sa with proposed security label
(that is provided in SECLABEL notification), the server would 
return TS_UNACCEPTABLE (or NO_PROPOSAL_CHOSEN).

So, SECLABELS_SUPPORTED doesn't say that every 
IPsec SA created with this IKE SA will have security labels,
it only guarantees that notifications containing security
labels won't be silently ignored.

> > Again, I'm fine with either using new Traffic Selectors or Notify
> > for this purpose. Both have pros and contras.
> 
> I think the majority seems to be in favour of Traffic Selectors. While
> a combinatory explosion is a worry, we do not expect that many new types
> of traffic selectors, so it is unlikely to become a big problem I think.

OK, I think it's a right way to go. In fact I suggested it back in May 2018 :-)

Regards,
Valery.

> Paul

v2.29.0 | Report a Bug | By Email | System Status