IETF Logo Mail Archive

Re: [IPsec] Fwd: New Version Notification for draft-sprasad-ipsecme-labeled-ipsec-00.txt (fwd)

Paul Wouters <paul@nohats.ca> Wed, 07 March 2018 01:53 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBA1D12E036 for <ipsec@ietfa.amsl.com>; Tue, 6 Mar 2018 17:53:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SFK7ifujlvKc for <ipsec@ietfa.amsl.com>; Tue, 6 Mar 2018 17:53:03 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6DD4129C6C for <ipsec@ietf.org>; Tue, 6 Mar 2018 17:53:02 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3zwxVh0KX9z4Kc; Wed, 7 Mar 2018 02:53:00 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1520387580; bh=tlQ040bZqpH59ISWoVe+84g29xhUcDjDUPtHQUucY30=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=EuXX9RNcb5+i654r1niYcvWsyN7gwO48h49r+wCPxF2iuaKc7BQtgn+LyeePQuXyP dHSI3Xgw12ZFV8HDTJJI061qZvKa+V2qDiGgF+myTsEJoYbfE0r/KQ09RfurLvhQZ2 ob/wP1/sZWOIwkBg3pWyZgAflxqWJYs/BctnrocM=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id I4ZgkrMtyJsM; Wed, 7 Mar 2018 02:52:57 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 7 Mar 2018 02:52:56 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 05AF7395AB6; Tue, 6 Mar 2018 20:52:55 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 05AF7395AB6
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id EFF7E4023303; Tue, 6 Mar 2018 20:52:55 -0500 (EST)
Date: Tue, 06 Mar 2018 20:52:55 -0500
From: Paul Wouters <paul@nohats.ca>
To: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Sahana Prasad <sahana.prasad07@gmail.com>
In-Reply-To: <AM4PR07MB3153B78E7DD0C4DE89144F1595D90@AM4PR07MB3153.eurprd07.prod.outlook.com>
Message-ID: <alpine.LRH.2.21.1803062039230.22758@bofh.nohats.ca>
References: <alpine.LRH.2.21.1803051033400.28097@bofh.nohats.ca> <AM4PR07MB3153B78E7DD0C4DE89144F1595D90@AM4PR07MB3153.eurprd07.prod.outlook.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/2hC58QtPg0kN0EA89O7GKbc3caU>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-sprasad-ipsecme-labeled-ipsec-00.txt (fwd)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 01:53:08 -0000

On Tue, 6 Mar 2018, Hu, Jun (Nokia - US/Mountain View) wrote:

> Some initial questions/comments:
> 1. security label is defined as opaque data in the draft, but then how would narrowing work in an inter-op way with opaque data? Or should we define the format for some common use cases (like security enforcement, QoS ...) , and adding a sub-type in TS_SECLABEL

The idea was that people should be able to define this outside of IKE as
they wish. And IKE just transports the label as-is. Of course, if IKE
can interpret it to do something, then it can possibly do more, like
narrowing.

I think usually the two endpoints will only have one type of SECLABEL,
so the type is implicit to the IKE protocol. If you have different
subtypes, then presumably if the subtype is wrong, you can't accept
it, so the type is already known on both ends and doesn't need to
have its own registry?

> 2. currently there are TSi (44) and TSr (45) payload, does it make sense to include TS_SECLABEL in either TSi or TSr? Is there semantic to have separate "initiator SECLABEL" and "responder SECLABEL"? Or does it make more sense to only allow single TS_SECLABEL per message/CHILD_SA, and create a new TS payload type , put TS_SECLABEL in it ?

That would be giving it another Payload Type. I think it is really a
traffic selector type payload, and not a non-traffic-selector payload.

Even if it is true that the label on both ends have to always match.
But that's kind of similar to address family always needing to match.

Although there might be a case where one end is allowed to send traffic
with SECLABEL Foo, but not allowed to receive traffic with that label,
where TSi could contain a TS_SECLABEL entry, and TSr would not.

Another case that probably needs some attention is when there is more
then one TS_SECLABEL. Does it mean two different types of security
labels are meant, and both have to match? Or is it okay to pick any one
of the labels?

Paul

v2.23.0 | Report a Bug | By Email