IETF Logo Mail Archive

Re: [IPsec] Fwd: New Version Notification for draft-xu-risav-02.txt

Ben Schwartz <bemasc@google.com> Sun, 23 October 2022 21:46 UTC

Return-Path: <bemasc@google.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D5EFC14F732 for <ipsec@ietfa.amsl.com>; Sun, 23 Oct 2022 14:46:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.607
X-Spam-Level:
X-Spam-Status: No, score=-22.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ewZLrCRwYlSQ for <ipsec@ietfa.amsl.com>; Sun, 23 Oct 2022 14:46:26 -0700 (PDT)
Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66065C14F731 for <ipsec@ietf.org>; Sun, 23 Oct 2022 14:46:26 -0700 (PDT)
Received: by mail-il1-x133.google.com with SMTP id e19so1729558ili.4 for <ipsec@ietf.org>; Sun, 23 Oct 2022 14:46:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vaXlQ2y4B02Qq8CTNjpqZuALj8LcTBKQvbNxH+IYfXo=; b=ffP5jHzW7BVjizmyKifoIZoWKqrrxsHx7R80bcXtVz+uTrkc2WIl9Zs0iciqJCkbxs 9e2QYKoS21zGxUXPSiYMk2xjilONdkeshUzLcnQbZS8OH4PSDZjVAQPTChf21TeZhbOo ZXEzxgGwh9ULCusAfIWlcLbbSrXFnjPUxgIwvGHBhqgt5w0Pw2yAMXeibNZuoRND3u7B PUm+vBUzPZXi9+mMDIXt4+SVNWI5anPk/Gm7KXbsaF2CGBE3qNpPml0LwGvt9+tUCGdp slJErwCrDH2uc8/5xNth2yz1HoiCVxfMc/U35jn6oxWntbbZHtKauzkcwyLxFr0CTUK1 hD/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vaXlQ2y4B02Qq8CTNjpqZuALj8LcTBKQvbNxH+IYfXo=; b=1jcnZX1JVP6Xm+G1Ff5BvWNyyV/c155FbilNAjKspX+MGLO0oKK9ivJbbeIM/cqVQr 77z2LpLJvyCOQ+TIl/4xQtTfDfMz+QrnIEFsPO403IAIusi+2j2bqjAIxlHnnhMo5ElK K5yfQla5eKHgC9N4KH5FhIdFD07MbMMh/bYbbKrTK3uBJio347YRyUD0zVGeM7tyazqC hZoSMMN3BA0YBHsGanXXgcs5VHPoZFcy67BkLUXDD3H5N1xiAtbKPlak7vyeA7epuQdB nC3DD9vhxuX3+KCocd3yE3XsYv5pz2CEHKDVfkUL849H7S0sUeCjRVI8PuSbZ9o9NTHV Ka1Q==
X-Gm-Message-State: ACrzQf0VElwFEf9NctiN6t8i1caz9rs6c8jrOhqm8WY7ogGaf468Wgbo d1zT7qS9qCOw4cVfGBj2MY7cqrpbX6UUGi95bBYt5oEjVKq1eQ==
X-Google-Smtp-Source: AMsMyM4WOGTQ1oZIaRPuc4pDYL7Pgc5Mqtb9JMXUb8c7V2sBYrSd7cU9aPtW6v3rs+JbXhe1zdUlPsiUQJxGMeLkYVw=
X-Received: by 2002:a05:6e02:15c9:b0:2e1:a5b6:7e25 with SMTP id q9-20020a056e0215c900b002e1a5b67e25mr18513602ilu.185.1666561585636; Sun, 23 Oct 2022 14:46:25 -0700 (PDT)
MIME-Version: 1.0
References: <166627504630.62717.5060565830910515294@ietfa.amsl.com> <CAHbrMsCZR6_a2QJmh5CWVPzhepbktFQmvWJAAVRBqEfbdELZKA@mail.gmail.com> <516851.1666381420@dyas> <CAHbrMsBOO2DEafqVFJk-r98s1_XuVBaXrz5kz6GdB5ZW2ueMkA@mail.gmail.com> <949169.1666530528@dyas>
In-Reply-To: <949169.1666530528@dyas>
From: Ben Schwartz <bemasc@google.com>
Date: Sun, 23 Oct 2022 17:46:12 -0400
Message-ID: <CAHbrMsCOZMaBX3xk_BEc60OkCuYR2DpzSqj7ogyo9TO5AHauHg@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: ipsec@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000054b80a05ebba9b32"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/4cbMsdMQ8WV9lJIXZQBIQNs9Cb0>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-xu-risav-02.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Oct 2022 21:46:30 -0000

On Sun, Oct 23, 2022 at 9:08 AM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Ben Schwartz <bemasc@google.com> wrote:
>
....

>     > The real motivation to support AH in this draft comes down to MTU
>     > overhead.  Going from 24 bytes of MTU loss to 73 bytes seems
>     > potentially significant, especially because:
>
> Where will you put the original src/dst IPs?
> 24 bytes is the AH overhead only.  The v6 src/dst requires 32 bytes,
> at which point you might as well just have an IPIP header at 44 bytes.
>

They're in the outer IP header, unchanged, so it really is just 24 bytes.

...

>     > I actually think RISAV uses RPKI for exactly the thing that RFC 9255
>     > wants: directing IP packets to the corresponding AS number.
>
> I'm not convinced it will fly.
> I agree with you, but I feel like I'm in the rough.
>

I think we can set this aside until we've ironed out the technical wrinkles.

    >> It seems that one would want many ACS systems. If successful, all of
>     >> the
>     >> traffic between AS A and B would go through, and that could easily
>     >> exceed the bandwidth of a single system (or a single cluster).
>
>
>     > Yes, I believe the ACS can probably be implemented as a global
> anycast,
>     > so long as route flapping doesn't make IKEv2 impossible.
>
> Yes, it would, but I'd implement it as IKEv2 init to anycast, followed by
> immediate mobileIKE to the non-anycast address of the ACS.
>

Looks like that's RFC 4555.  More homework...

    > Maybe not.  A single shared secret between the two networks, known to
>     > all their border routers, ought to be enough to encrypt and decrypt
>     > each packet, and the packets can be routed however they are routed.
>
> No, that does't work because of replay, and because of AEAD and GCM modes
> where replay == loss of key.
>

Yeah, the draft mentions the replay problem in Section 4.2, but I had
forgotten about the nonce reuse problem.  Unfortunately, it looks like
changing the "associated data" for AEAD is not sufficient to isolate the
nonce.  A custom key derivation (hashing the secret together with the
source IP) seems like it would work though.

    > The draft notes some interesting questions about how sequence numbers
>     > work in this situation.  The best solution I came up with was to put
>     > the source IP into the "Additional Data" of the AEAD (or equivalent),
>     > but this seems like it would need a new IKEv2 extension.
>
> yes, that's an entirely new cipher mode.
>

How big a deal is a new cipher mode? It doesn't sound so bad.


> You have, btw, just re-invented SKIP.  And maybe that's what you actually
> want, btw.
>

Oh, wow.  SKIP (https://datatracker.ietf.org/doc/draft-ietf-ipsec-skip/ for
those following along) looks like exactly the "proposed extensions"
mentioned in Section 5.2 and Section 5.3 of RISAV, so it's definitely
relevant.  Too bad it doesn't exist...

<snip>

v2.23.0 | Report a Bug | By Email