[IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
Mirja Kühlewind <ietf@kuehlewind.net> Tue, 25 April 2017 12:48 UTC
Return-Path: <ietf@kuehlewind.net>
X-Original-To: ipsec@ietf.org
Delivered-To: ipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B203F12EC90; Tue, 25 Apr 2017 05:48:12 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Mirja Kühlewind <ietf@kuehlewind.net>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ipsecme-tcp-encaps@ietf.org, Tero Kivinen <kivinen@iki.fi>, ipsecme-chairs@ietf.org, kivinen@iki.fi, ipsec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.50.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com>
Date: Tue, 25 Apr 2017 05:48:12 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0YXOz_39QcEGAOlu_Bsnsirs7hA>
Subject: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Apr 2017 12:48:13 -0000
Mirja Kühlewind has entered the following ballot position for draft-ietf-ipsecme-tcp-encaps-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ipsecme-tcp-encaps/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- This draft suggests that ports that are assigned to other services can simply be used. This is not okay. If a port is assigned to a certain service, this service and/or the respective RFC defines how this port is used. Simply changing the specified behavior by requiring a check for a magic number cannot be done without updating the RFC that the port assignment belongs to. Also for the use of 4500/tcp RFC3948 as well as the IANA registry would need to be updated. Further, as also mentioned in the tsv-art review (Thanks Wes!), this draft does not sufficiently handle the case of TCP in TCP encapsulation. Here a copy of the tsv-art review: Reviewer: Wesley Eddy Review result: On the Right Track This document is clear and well-written. It can easily be implemented based on the description. There are a few additional issues that should be considered with advice to implementers in Section 12 on performance considerations: 1) Invisibility of packet loss - Inner protocols that require packet losses as a signal of congestion (e.g. TCP) will have a challenge due to not being able to see any packet losses since the outer TCP will repair them (unless sending into a full outer TCP socket buffer shows up back to the inner TCP as a packet loss?). 2) Nesting of ECN - Inner TCP connections will not be able to use effectively ECN on the portion of the path covered by the outer TCP connection. 3) Impact of congestion response on aggregate - The general "TCP in TCP" problem is mentioned, and is mostly appropriate for a single flow. If an aggregate of flows is sharing the same outer TCP connection, there may be additional concerns about how the congestion response behavior impacts an aggregate of flows, since it may cause a shared delay spike even to low-rate flows rather than distributing losses proportional to per-flow throughput. 4) Additional potential for bufferbloat - Since TCP does not bound latency, some applications in the IPsec-protected aggregate could drive latency of the shared connection up and impact the aggregate of flows that may include real-time applications. The socket buffer for the outer TCP connection might need to be limited in size to ensure some bounds? Not addressing these could lead to poor experiences in deployment, if implementations make wrong assumptions or fail to consider them. In the security considerations section, there are several RFCs on mechanisms to increase robustness to RST attacks and SYN floods that could be mentioned if it's worthwhile.
- [IPsec] Mirja Kühlewind's Discuss on draft-ietf-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Kathleen Moriarty
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Eric Rescorla
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- [IPsec] Should draft-ietf-ipsecme-tcp-encaps-10 u… Paul Wouters
- Re: [IPsec] Should draft-ietf-ipsecme-tcp-encaps-… Tommy Pauly