IETF Logo Mail Archive

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

Valery Smyslov <smyslov.ietf@gmail.com> Tue, 13 October 2020 13:16 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3779D3A1036; Tue, 13 Oct 2020 06:16:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x0JhEIAwj9nZ; Tue, 13 Oct 2020 06:16:42 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EED73A1034; Tue, 13 Oct 2020 06:16:41 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id v6so6396953lfa.13; Tue, 13 Oct 2020 06:16:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=7bsM6/Wz/Qa7NRrXcBHk/xhvWHXSsJmrFjRsk+hT3/o=; b=aC5MGCKoHdRuqRnJPaUQkNzCH/fsVEIIXweM3+7nj6Uvsexl/bXfnCnljUMvAjbjE+ wkBbQg9RGpNRAN2Wlo0ZAahmly1XQL91lL3Qp2TTBXtQSTYGLDUlObe2JKrvRgTINYOY 0sGXOD+VZJzuJKaRLFZB6z7mdcydboaft2So+SQ47Y6l796BG1B6HLdmBsAwr+hjITG0 evcknclE01GLuDUM3lya/lUkuUVh29k2vPC0ZI23fNoSfElObggNT9kw1rEEC6qT3o4m gYVd5TNjtydbhSlpGCfGomBIqCBXWrtJLoHCuQMjeAG1y017+e9QdTDfOinh1R8ZZrNR wrvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=7bsM6/Wz/Qa7NRrXcBHk/xhvWHXSsJmrFjRsk+hT3/o=; b=ipoaECEqQ0jSEgMD+wiIXXMu42HLiiZNVSeWAePrSPY5CLW1zWg931aPVCJJHCuTPm 5cuOjKiGgyccX7Hm1ahYMmbwOjkO0G7qEf6NydbIf/X1R0BdHSd6aQIEcKEIluQHj1sJ ybRjc8uvJqEiptjjn+ihd1mTm60U91sKICQ+IAPsv0ngqFDMwMXAcogPSQvEajukIACM LZa392KslYtcob8R7F/0PHKOuaNGmEilGXleOvvKFhSroqU/oKDRF0XoODlDbOH7WdrD TwpTxl28crFVDFsQY+DVueDbM4/Hf6bOF8L97SgfKK9QzVa3FoDSjICeg/hQ06y3LKhe Qyqw==
X-Gm-Message-State: AOAM533KhoZvUN5QmTYFp1J4PfB7BurospQ+8DV8g5ZXQzISW9dBPXhR yS+cBfU+MfYs0pXigmbSxTk=
X-Google-Smtp-Source: ABdhPJzdPc/WJMqkWm22k2M1QS9s7/9X3qX+ejRFmaHR7MpI/9aedinb68yl0Q4us1KrFzRHw3C1uA==
X-Received: by 2002:a19:f517:: with SMTP id j23mr5580500lfb.152.1602594999078; Tue, 13 Oct 2020 06:16:39 -0700 (PDT)
Received: from buildpc ([93.188.44.203]) by smtp.gmail.com with ESMTPSA id 65sm4380095lfb.260.2020.10.13.06.16.37 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Oct 2020 06:16:38 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Lou Berger' <lberger@labn.net>, 'Christian Hopps' <chopps@chopps.org>, ipsec@ietf.org
Cc: ipsecme-chairs@ietf.org
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net>
In-Reply-To: <ab981da9-9735-b6a9-851d-736330748ce6@labn.net>
Date: Tue, 13 Oct 2020 16:16:39 +0300
Message-ID: <1b0b01d6a163$15ddcce0$419966a0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLBR9Dg1QdoZI0c6Vo/AaLkIdpDHgLCxSxRAjbXs18B6rBqnaeI/wkQ
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3FoyxnaxQAGW5J0vEp0zb2J_YGo>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2020 13:16:51 -0000

Hi Lou,

> Valery,
> 
> Please see below.
> 
> On 10/13/2020 3:22 AM, Valery Smyslov wrote:
> > Hi Chris,
> >
> >> Hi ipsecme and chairs,
> >>
> >> This is a small update to the IPTFS draft which incorporates the last 2 changes that had been requested
> over
> >> the last year or so.
> >>
> >> 1. As requested last year, it dispenses with the late-enabled functionality, replacing it with a SHOULD
> clause
> >> supporting receiving IPTFS encapsulated ESP payloads w/o extra configuration.
> > I prefer this functionality to be removed. Either you are doing classical tunnel/transport in the SA or you are
> doing IPTFS.
> 
> I agree that there is added code complexity, but have you considered the
> operational benefit of having this?  Specifically (a) adding yet another
> required configuration parameter that must match at both ends to get an
> ipsec tunnels up and (b) what it takes to go from an operational non-TFS
> configuration to a TFS configuration in one or both directions?

I can't buy these arguments. Using IPTFS is negotiated in IKEv2 via 
exchange of USE_IPTFS notify (BTW, note a typo in Section 5.1 title: USE_TFS instead of USE_IPTFS).
So, unless you upgrade both ends and update configuration IPTFS won't be used at all.
Once you upgrade one end you can add a configuration parameter to it to 
propose using IPTFS while being initiator. Until the other end is upgraded too,
it will ignore the USE_IPTFS notify and SA will be established in tunnel mode.
Once the other end is upgraded and its configuration is changed they 
will start using IPTFS.

> > >From my understanding it's just another encapsulation mode. Otherwise we have the following problems:
> > - Since this functionality is optional its capability must be negotiated (or indicated by the peers) in IKEv2.
> >     And negotiation of IPTFS features is already complex enough.
> 
> I'm not sure what needs to be negotiated here -- without negotiation the
> behavior is the same as would be seen with a miss-configured  endpoint
> or mismatch in TFS config that will occur without the option.

Not true. If peers are misconfigured, then IPTFS won't be negotiated and SA will be established in tunnel mode
(if using IPTFS is optional for both) or not established at all (if using PFS is mandatory for the peer suggesting it).
On the contrary, if switching from tunnel to IPTFS on live SA is not negotiated, and one of the peers doesn't
support it, then when the other peer switches from tunnel mode to IPTFS on live IPsec SA and starts sending
IPTFS packets, then the first peer will most probably drop them. We'll get a classical "black hole", and the worst
thing that it won't be detected by liveness checks, since IKE SA will be perfectly workable.

> > - It complicates processing in the kernel. E.g, it's not clear for me what "on receipt of the first IP-TFS
> payload" means.
> >     If packets are reordered in the network and the first received IPTFS packet is not the first sent IPTFS
> packet?
> >     What to do with the non-IPTFS packets sent before first IPTFS packet but received after it? And so on.
> 
> This is an implementation choice, right?  Why not just drop it or
> process it as the implementation sees fit?

Right, but it complicates processing. Currently I uniformly process all the packets within window.
Now I have to remember on which E(SN) the switching occured and process previous
packets as tunnel (or start dropping them) and subsequent packets as IPTFS.

> >     IPTFS processing in the kernel is already quite complex, let's not introduce additional complexity.
> > - I see no value in this functionality apart from the debugging and I don't want debugging capability to
> >     be present in the RFC, so that people, who really don't need it, implement it in
> >     their products introducing new bugs. You may argue, that you made it optional, but SHOULD is very close
> >     to MUST and in addition making it optional only complicates negotiation of IPTFS.
> 
> My view is that the main benefit is simpler configuration and removing a
> requirement for timing manual configuration changes at each end of a
> tunnel.  Configuring IPsec is complex enough,  from the operational
> perspective, I'd prefer to see this as a MUST, but can live with
> SHOULD.  (IMO - Getting the code right once per implementation is
> greatly outweighed by the returns in not having to impose more
> configuration and configuration timing burdens.)

Please, see above. Since using IPTFS is negotiated, I see no simplification
in configuring. You still need to upgrade and configure properly both ends
before you can use it.

If you badly need this feature, then please make it MAY and negotiable,
so that people can ignore it. SHOULD is too strong for it,
leaving it non-negotiable is just unacceptable, IMHO.

Regards,
Valery.

> Thanks,
> 
> Lou
> 
> > So, please, remove it.
> >
> >> 2. It highlights that one must send payloads that carry inner packet fragments using consecutive ESP
> >> sequence numbered packets (with a caveat for all pad payload insertion).
> > That's useful clarification, thanks.
> >
> > Regards,
> > Valery.
> >
> >> We feel the document is quite stable at this point and would thus like to ask for moving to WG Last Call.
> >>
> >> Thanks,
> >> Chris.
> >>
> >>> On Sep 30, 2020, at 12:25 PM, internet-drafts@ietf.org wrote:
> >>>
> >>>
> >>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >>> This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.
> >>>
> >>>         Title           : IP Traffic Flow Security
> >>>         Author          : Christian Hopps
> >>> 	Filename        : draft-ietf-ipsecme-iptfs-02.txt
> >>> 	Pages           : 26
> >>> 	Date            : 2020-09-30
> >>>
> >>> Abstract:
> >>>    This document describes a mechanism to enhance IPsec traffic flow
> >>>    security by adding traffic flow confidentiality to encrypted IP
> >>>    encapsulated traffic.  Traffic flow confidentiality is provided by
> >>>    obscuring the size and frequency of IP traffic using a fixed-sized,
> >>>    constant-send-rate IPsec tunnel.  The solution allows for congestion
> >>>    control as well.
> >>>
> >>>
> >>> The IETF datatracker status page for this draft is:
> >>> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-iptfs/
> >>>
> >>> There are also htmlized versions available at:
> >>> https://tools.ietf.org/html/draft-ietf-ipsecme-iptfs-02
> >>> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-iptfs-02
> >>>
> >>> A diff from the previous version is available at:
> >>> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-iptfs-02
> >>>
> >>>
> >>> Please note that it may take a couple of minutes from the time of submission
> >>> until the htmlized version and diff are available at tools.ietf.org.
> >>>
> >>> Internet-Drafts are also available by anonymous FTP at:
> >>> ftp://ftp.ietf.org/internet-drafts/
> >>>
> >>>
> >>> _______________________________________________
> >>> IPsec mailing list
> >>> IPsec@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/ipsec
> >>>
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >

v2.23.0 | Report a Bug | By Email