IETF Logo Mail Archive

Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 27 March 2024 07:08 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23411C14F71F for <ipsec@ietfa.amsl.com>; Wed, 27 Mar 2024 00:08:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GSZCHIcvtGXM for <ipsec@ietfa.amsl.com>; Wed, 27 Mar 2024 00:07:55 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31E4CC14F748 for <ipsec@ietf.org>; Wed, 27 Mar 2024 00:07:33 -0700 (PDT)
Received: from dyas.sandelman.ca (60-240-91-174.static.tpgi.com.au [60.240.91.174]) by relay.sandelman.ca (Postfix) with ESMTPS id CE5861F448; Wed, 27 Mar 2024 07:07:31 +0000 (UTC)
Authentication-Results: relay.sandelman.ca; dkim=pass (2048-bit key; secure) header.d=sandelman.ca header.i=@sandelman.ca header.b="G4/J0YlW"; dkim-atps=neutral
Received: by dyas.sandelman.ca (Postfix, from userid 1000) id 140E8A1914; Wed, 27 Mar 2024 18:07:27 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=sandelman.ca; s=dyas; t=1711523247; bh=YOdj4wabyl7HfOpKlf3HNOo0GnIqzLaddR0u4Q1XUqg=; h=From:To:cc:Subject:In-reply-to:References:Date:From; b=G4/J0YlWsG5v6vqdQlsvuKRbNggaY0Z5W7WTe7RQj+ZaCMVmjo4Eo2MrneggErFwj 3myU0zS71JKtsBw146AoKiDRaa+cHsBCgGp6IvGBgx6cLtqhVS+GElqXoZyYhENgad RUR2wMcHcOm1N+iTBaTz8bUF4U6RaMtKl8wqxtElchmSUsLoqhRXM64P46ty0y3rdl Z7tU9CtZtV77cvobHobkPTWta0G5O8VdHL8ZdfDcPEhlfgamrvrEDqGVO8OVqQUvPT ZMaS44GE6U0GOme9o7XXdvD1HT9WQletdA8nUO8EIYnJu3e3Oq5AjJiNNbvFpR80BJ 2gsZkGwzl1JqA==
Received: from dyas (localhost [127.0.0.1]) by dyas.sandelman.ca (Postfix) with ESMTP id 11D7AA190E; Wed, 27 Mar 2024 18:07:27 +1100 (AEDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Panwei (William)" <william.panwei@huawei.com>
cc: "ipsec@ietf.org" <ipsec@ietf.org>
In-reply-to: <3f7b0380650a40e6b9cec4afb7f6d034@huawei.com>
References: <170922023791.21652.13338059706655424526@ietfa.amsl.com> <CAFU7BAQuNkHDRidjQqGbXySKJ1FCRKuAksDa0BHsvfGeG45k6g@mail.gmail.com> <4b44a218c77a49edbaecd3b524dbaac7@huawei.com> <476994.1711501928@dyas> <3f7b0380650a40e6b9cec4afb7f6d034@huawei.com>
Comments: In-reply-to "Panwei (William)" <william.panwei@huawei.com> message dated "Wed, 27 Mar 2024 03:06:57 -0000."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 27 Mar 2024 18:07:27 +1100
Message-ID: <497306.1711523247@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3ofOcbs60R0rvCfauqhV6DHTFrU>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 07:08:00 -0000

Panwei (William) <william.panwei@huawei.com> wrote:
    >> I'm not sure I understand how you get this from the Problem
    >> Statement.
    >> Clearly, we need to clarify the purpose.
    >> It's not about detecting NAT, it's about determining if ESP will work or
    >> not.
    >> It's not about detecting or avoiding *NAT* per-se.
    >> We prefer not to have to encapsulate.

    > Please forgive my ignorance of the scenarios. My understanding is that
    > ESP failure is usually because of the existence of NAT.
    > Do you mean ESP may not work even if there is no NAT between the two IPsec peers?
    > If yes, I'd like to know more about how ESP failed and in what kind of
    > situations ESP will fail.

usually, a bad firewall.
One that allows UDP traffic (port 500/4500), but not proto=50.
For IPv4, there will often be NAT, so the proto=50 firewall doesn't matter,
as one has to UDP encap anyway.

    >> I think that you are over-estimating the competency of some operators:
    >> the experience with IPv6 is often not there.
    >> Even when it is, not all equipment vendors are equally competent at
    >> implementing/documenting things.

    > Is this problem, i.e., IKE works but ESP doesn't work, only exist in
    > the IPv6 network? Does IPv4 network have the same problem?

Yes.
It could exist in IPv4, and I've seen it, but NAT44 means you seldom notice.

    > Second, will UDP encapsulated ESP get through in these circumstances?

Probably.

    >> The purpose of this protocol is to allow that debugging.
    >> The network operator people, who are not allowed into the billing
    >> system, can instead use an ESPping utility to send ESP traffic, adjusting
    >> their firewalls until they understand that UDP!=ESP.

    > When you find out that the IKEv2 negotiation succeeds but ESP traffic
    > can't get through, what more information will you get from sending the
    > ESPping and not receiving a response?

That there is a problem with proto=50... So:
a) do UDP encap (maybe by manual config, if you are clueful)
b) call network support and file a problem report.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*

v2.23.0 | Report a Bug | By Email