IETF Logo Mail Archive

Re: [IPsec] Virtual interim about re-designing ESP?

Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 22 November 2022 18:37 UTC

Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 410D9C14F736 for <ipsec@ietfa.amsl.com>; Tue, 22 Nov 2022 10:37:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5PkzbbbzTEI3 for <ipsec@ietfa.amsl.com>; Tue, 22 Nov 2022 10:37:16 -0800 (PST)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 706E4C14F606 for <ipsec@ietf.org>; Tue, 22 Nov 2022 10:37:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 82FB962780; Tue, 22 Nov 2022 13:36:40 -0500 (EST)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 3wXUs1pJquRQ; Tue, 22 Nov 2022 13:36:31 -0500 (EST)
Received: from [192.168.160.11] (unknown [192.168.160.11]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 6DAAA626AF; Tue, 22 Nov 2022 13:36:29 -0500 (EST)
Message-ID: <ce9ca77f-575b-4e11-3e63-87c965bcc2f7@htt-consult.com>
Date: Tue, 22 Nov 2022 13:36:49 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.1
To: Michael Richardson <mcr+ietf@sandelman.ca>, Steffen Klassert <steffen.klassert@secunet.com>, ipsec@ietf.org
References: <20221121124714.GA704954@gauss3.secunet.de> <14252.1669141751@localhost>
Content-Language: en-US
From: Robert Moskowitz <rgm-sec@htt-consult.com>
In-Reply-To: <14252.1669141751@localhost>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/2bqVlFZiw-xzmgk4xWFUgVMChWw>
Subject: Re: [IPsec] Virtual interim about re-designing ESP?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2022 18:37:17 -0000

I want to add support of constrained communications and taking diet-esp 
to the next step as we work in lpwan with SCHC as a protocol.

The low byte overhead of DTLS makes it very attractive in constrained 
communications.  How can we best pair SCHC with ESP for efficient use of 
limited resources.

Also how to negotiate SCHC rules between parties.  In the lpwan session 
we discussed secure channel for SCHC rule negotiation. ike-diet-esp is a 
great starting point with the potential challenges.  Does this happen in 
IPsecme or lpwan?  How to coordinate?

A should also point out that SCHC provides ARQ and we are planning on 
adding FEC.  This should be transparent to ESP, but is there any 
considerations for improved transmission reliablity?

Bob

On 11/22/22 13:29, Michael Richardson wrote:
> Steffen Klassert <steffen.klassert@secunet.com> wrote:
>      > at the last working group meeting in London, it was quite some interest
>      > to work on a re-design of ESP to make it fit to the multi-cpu case, QoS
>      > classes, HW offloads etc.
>
> I agree with your idea in the subject, of a virtual interim on this.
>
>      > https://www.ietf.org/archive/id/draft-ponchon-ipsecme-anti-replay-subspaces-00.txt
>
> While there is a problem space section in this document, I found it a bit inadequate.
> I think that it is important to collect all of the challenges into a single
> set of goals.
>
>      > The Google PSP Security Protocol (PSP) is another new 'ESP like'
>      > protocol. There is some interest to standardize PSP, so the issues that
>      > are solved there should also be considered when designing a new ESP
>      > version. Most concepts that are used in PSP are taken from IPsec ESP,
>      > so IMO this should be integrated into the IPsec protocol suite.
>
> It would be great to have the problems/challenges that this aims to solve, as
> well as the RAVSI concepts there too.
>
>      > - What are the problems to solve?
>
> Let's get consensus on this aspect first.  Maybe there are things that we
> might agree are out-of-scope, or are really implementation specific issues.
> That might mean a document be written, and the WG do a consensus call.
>
>      > - How should the problems be solved?
>      > Please let me know if there is interest,
>
> Thank you for bringing this up.
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>             Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email