Re: [IPsec] Should draft-ietf-ipsecme-tcp-encaps-10 update 7296 ?

Tommy Pauly <tpauly@apple.com> Thu, 01 June 2017 23:35 UTC

From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <alpine.LRH.2.20.999.1706011914200.15292@bofh.nohats.ca>
Date: Thu, 01 Jun 2017 16:34:58 -0700
Cc: IPsecME WG <ipsec@ietf.org>
Message-id: <E799F2C5-FD45-4524-92DE-4D551EFE6346@apple.com>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <22785.64570.259658.376130@fireball.acr.fi> <277aa94d-5aa1-7a28-94c7-81da0966c172@kuehlewind.net> <41594727-9667-42BD-ABB1-4583A3B00EA2@apple.com> <CAKKJt-fb1vx=SzpJ_9gvtJ+SEH08nyBRGqb7F36PGw0EyJ6zmA@mail.gmail.com> <853700CB-D5DD-4BC7-A1F5-5AB61330E70D@apple.com> <22792.20148.255067.132946@fireball.acr.fi> <82B5E72F-C518-420B-B941-E4CE4DD1BF87@kuehlewind.net> <22792.31378.769444.232365@fireball.acr.fi> <78A72CF3-E011-4E8D-9F66-63C7918A8236@kuehlewind.net> <22793.40707.624092.66793@fireball.acr.fi> <c0fad3b5-54b1-a347-0ea1-bec24dab0e36@kuehlewind.net> <CAKKJt-ceDuYKWGBFb6RKc8K_AcB55doOXMf11Ke807f6kc+UFA@mail.gmail.com> <CABcZeBPz0BN5643j9QHQx-5LfxXLbTGj2XmUrOfkU7PsHpcZcg@mail.gmail.com> <F1859DB7-AB24-49DA-A5B1-AAE74201368A@kuehlewind.net> <A078B858-687C-42E2-A1A2-8123949DC317@apple.com> <34C32236-D200-421F-AF6E-F953DA79A869@apple.com> <alpine.LRH.2.20.999.1706011914200.15292@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/13tZWu3Ip85szxPVx1MdyegbN70>


> On Jun 1, 2017, at 4:17 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Wed, 31 May 2017, Tommy Pauly wrote:
> 
>> I've posted a new version of the draft that incorporates the changes discussed in this thread. Please review!
>> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-tcp-encaps-10
> 
> I just noticed this in RFC 7296:
> 
> 	However, if a NAT is detected, both devices MUST use UDP encapsulation for ESP.
> 
> I'm not sure if this one sentence really qualifies as this draft needing
> a formal "Updates 7296", but it currently does not seem to do that.

Technically, one should only do TCP encapsulation if UDP couldn't go through at all—so you couldn't even get the IKE_SA_INIT response to do NAT detection. That means that we aren't in this case. However, I'm happy to add a line to clarify this if we'd prefer that =)

Thanks,
Tommy

> 
> Paul
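The exchange above turns on two pieces of RFC 7296 behaviour: NAT detection is done by comparing NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP hashes carried in IKE_SA_INIT (RFC 7296 section 2.23: SHA-1 over SPIi | SPIr | IP address | port), and a detected NAT obliges both peers to UDP-encapsulate ESP. The point in Tommy's reply is that the TCP-encapsulation fallback is only entered when no IKE_SA_INIT response arrives over UDP at all, so that comparison never happens on that path. The following is an added illustration, not code from the thread, the draft, or any IKE implementation; the addresses, SPIs and the `select_esp_transport` decision helper are constructed for the example, and the hash layout follows RFC 7296 section 2.23.

```python
import hashlib
import ipaddress
import struct
from typing import Optional

# RFC 7296 section 2.23: the NAT_DETECTION_*_IP notify data is
#   SHA-1( SPIi | SPIr | IP address | port )
# with SPIs in the order they appear in the IKE header, the address as
# 4 (IPv4) or 16 (IPv6) octets, and the port as a 16-bit big-endian value.
def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_detected(spi_i: bytes, spi_r: bytes,
                 claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """Responder-side check: the hash the initiator sent in
    NAT_DETECTION_SOURCE_IP (computed over the address it believes it has)
    is compared with a hash over the address/port the packet actually came
    from. A mismatch means a NAT rewrote the source on the way."""
    sent = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    seen = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent != seen


def select_esp_transport(udp_init_answered: bool, nat: Optional[bool]) -> str:
    """Constructed decision helper (not from the draft) showing where the
    RFC 7296 'MUST use UDP encapsulation' rule is and is not reachable.

    - IKE_SA_INIT over UDP answered and NAT detected  -> UDP-encapsulated ESP
    - IKE_SA_INIT over UDP answered and no NAT        -> native ESP
    - no IKE_SA_INIT response over UDP at all          -> TCP encapsulation;
      no NAT_DETECTION payloads were ever exchanged over UDP, so `nat` is
      unknown (None) and the RFC 7296 rule is never evaluated here."""
    if not udp_init_answered:
        if nat is not None:
            raise ValueError("NAT detection result cannot exist without an IKE_SA_INIT response")
        return "tcp-encap"
    if nat:
        return "udp-encap"
    return "esp-native"


# Constructed scenario: initiator on 192.0.2.10 behind a NAT that rewrites
# its source to 198.51.100.7 before the responder sees it.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("0000000000000000")  # zero in the first IKE_SA_INIT


def demo_udp_path() -> str:
    nat = nat_detected(SPI_I, SPI_R,
                       claimed_ip="192.0.2.10", claimed_port=500,
                       observed_ip="198.51.100.7", observed_port=500)
    return select_esp_transport(udp_init_answered=True, nat=nat)


def demo_tcp_fallback() -> str:
    # No IKE_SA_INIT response arrived over UDP (UDP blocked entirely), so
    # there is nothing to compare and the fallback is TCP encapsulation.
    return select_esp_transport(udp_init_answered=False, nat=None)


if __name__ == "__main__":
    print("UDP reachable, NAT present :", demo_udp_path())      # udp-encap
    print("UDP blocked, TCP fallback  :", demo_tcp_fallback())  # tcp-encap
```

The hash compare is what a responder actually does with the initiator's NAT_DETECTION_SOURCE_IP payload; the `select_esp_transport` branches only make explicit that the "NAT detected, MUST use UDP encapsulation" obligation presupposes an answered IKE_SA_INIT over UDP, which is exactly the condition that is false whenever the TCP fallback is in use.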