IETF Logo Mail Archive

Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes

<mohamed.boucadair@orange.com> Fri, 03 May 2019 06:57 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B828B120044 for <ipsec@ietfa.amsl.com>; Thu, 2 May 2019 23:57:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uabCptRHw49a for <ipsec@ietfa.amsl.com>; Thu, 2 May 2019 23:57:55 -0700 (PDT)
Received: from orange.com (mta241.mail.business.static.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D19F12006B for <ipsec@ietf.org>; Thu, 2 May 2019 23:57:55 -0700 (PDT)
Received: from opfedar05.francetelecom.fr (unknown [xx.xx.xx.7]) by opfedar24.francetelecom.fr (ESMTP service) with ESMTP id 44wNHj3tQCz5wlt; Fri, 3 May 2019 08:57:53 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.26]) by opfedar05.francetelecom.fr (ESMTP service) with ESMTP id 44wNHj2z6zz2xCJ; Fri, 3 May 2019 08:57:53 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM31.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0439.000; Fri, 3 May 2019 08:57:53 +0200
From: mohamed.boucadair@orange.com
To: Paul Wouters <paul@nohats.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes
Thread-Index: AQHU/qYb3HfUY8UNAEyhkEccw2niI6ZUOIFAgABdCwCAACGpIIADUrcAgADu0QA=
Date: Fri, 03 May 2019 06:57:52 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA6A854@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <23734.7331.402882.289451@fireball.acr.fi> <01b201d4f4f1$e617eb90$b247c2b0$@gmail.com> <636D1D4B-3E3F-47F1-B64C-A266BF871010@nohats.ca> <787AE7BB302AE849A7480A190F8B93302EA67B69@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <alpine.LRH.2.21.1904300938050.17071@bofh.nohats.ca> <787AE7BB302AE849A7480A190F8B93302EA67EB7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <alpine.LRH.2.21.1905021420360.1269@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1905021420360.1269@bofh.nohats.ca>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3iS-FnifCLKsznGgMXIZdYvOA6U>
Subject: Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 06:57:58 -0000

Hi Paul, 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Paul Wouters [mailto:paul@nohats.ca]
> Envoyé : jeudi 2 mai 2019 20:25
> À : BOUCADAIR Mohamed TGI/OLN
> Cc : ipsec@ietf.org
> Objet : Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes
> 
> On Tue, 30 Apr 2019, mohamed.boucadair@orange.com wrote:
> 
> >> Why would the initiator that is allowed by policy to do both v4 and v6
> >> not ask for both at once?
> >
> > [Med] I do fully agree that requesting both when supported would be
> straightforward, but I'm afraid that some implementations may not follow that
> behavior.
> 
> Do we currently have a large scale implementation issue, or are you
> predicting that this may happen in the future. While I am okay with
> doing it if it fixes a large deployment issue, I'm not okay with it
> to pre-emptively support expected implementation issues.
> 
> >  Such implementations may do that:
> > * for arbitrary reasons given that existing specs do not forbid such
> separate requests.
> 
> So what is the problem with bad implementations doing bad things?

[Med] This may double the load on the responder. Sending systematically a second request while a responder will discard it because it does support only one AF is suboptimal (think about IPv6-only voice over WLAN for example).

 Why
> would this notify tell them to do things differently next time?

[Med] The notification message will provide an information to the initiator whether it is useful or not to send a request for the other AF.

> 
> > * or, in some contexts such cellular devices, mimic a similar behavior for
> requesting separate PDP contexts instead of a dual-stack one.
> 
> Is this actually happening at scale, or is this just a feared bad way
> things will get implemented?
> 
> >> I don't see the "use of separate requests" as a real use case. Can you
> >> explain how this would actually happen in a real world?
> >
> > [Med] See the cases above. There is also the case of a responder that wants
> (for policy reasons) requests to be made as separate IKE SAs. For this case,
> requests will need to be done separately.
> 
> If the "policy reason" is there, why would a notify change their
> behaviour? If they are already sending a v4 and a separate v6
> request, what value does the notify add?

[Med] I'm not sure to understand your comment. The policy is at the responder side. The responder will honor one AF per request. Returning the supported AFs to the initiator will trigger a separate request from the initiator to get the other AF (if needed). 

> 
> Paul

v2.23.0 | Report a Bug | By Email