IETF Logo Mail Archive

Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt

"Panwei (William)" <william.panwei@huawei.com> Wed, 27 March 2024 03:07 UTC

Return-Path: <william.panwei@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0290AC14F61F for <ipsec@ietfa.amsl.com>; Tue, 26 Mar 2024 20:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1E7gphnHFGQ3 for <ipsec@ietfa.amsl.com>; Tue, 26 Mar 2024 20:07:03 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14FCAC14F610 for <ipsec@ietf.org>; Tue, 26 Mar 2024 20:07:03 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.231]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4V4BQ164Ptz6JBGT; Wed, 27 Mar 2024 11:06:01 +0800 (CST)
Received: from lhrpeml100005.china.huawei.com (unknown [7.191.160.25]) by mail.maildlp.com (Postfix) with ESMTPS id 0010A140517; Wed, 27 Mar 2024 11:06:59 +0800 (CST)
Received: from kwepemi100009.china.huawei.com (7.221.188.242) by lhrpeml100005.china.huawei.com (7.191.160.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 27 Mar 2024 03:06:59 +0000
Received: from kwepemi500010.china.huawei.com (7.221.188.191) by kwepemi100009.china.huawei.com (7.221.188.242) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 27 Mar 2024 11:06:57 +0800
Received: from kwepemi500010.china.huawei.com ([7.221.188.191]) by kwepemi500010.china.huawei.com ([7.221.188.191]) with mapi id 15.01.2507.035; Wed, 27 Mar 2024 11:06:57 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
Thread-Index: AQHaayQFUr6vZiHeJEm4rFfwTHJng7FJ2NuAgACSVACAAJLA0A==
Date: Wed, 27 Mar 2024 03:06:57 +0000
Message-ID: <3f7b0380650a40e6b9cec4afb7f6d034@huawei.com>
References: <170922023791.21652.13338059706655424526@ietfa.amsl.com> <CAFU7BAQuNkHDRidjQqGbXySKJ1FCRKuAksDa0BHsvfGeG45k6g@mail.gmail.com> <4b44a218c77a49edbaecd3b524dbaac7@huawei.com> <476994.1711501928@dyas>
In-Reply-To: <476994.1711501928@dyas>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.164.106.141]
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/74HPnXOQ8OXsH0mwG1q6pw995CQ>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 03:07:10 -0000

Michael Richardson <mcr+ietf@sandelman.ca> wrote:
    > I'm not sure I understand how you get this from the Problem
    > Statement.
    > Clearly, we need to clarify the purpose.
    > It's not about detecting NAT, it's about determining if ESP will work or
    > not.
    > It's not about detecting or avoiding *NAT* per-se.
    > We prefer not to have to encapsulate.

Please forgive my ignorance of the scenarios. My understanding is that ESP failure is usually because of the existence of NAT.
Do you mean ESP may not work even if there is no NAT between the two IPsec peers?
If yes, I'd like to know more about how ESP failed and in what kind of situations ESP will fail.

    > I think that you are over-estimating the competency of some operators:
    > the experience with IPv6 is often not there.
    > Even when it is, not all equipment vendors are equally competent at 
    > implementing/documenting things.

Is this problem, i.e., IKE works but ESP doesn't work, only exist in the IPv6 network? Does IPv4 network have the same problem?

    > Imagine a situation where IPsec will be used in a (sub)site to site
    > configuration.  For instance, between a billing system and an
    > outsourced credit card processor. {Not replacing TLS, but in addition to}
    > The administrators of the billing system request "IPsec" from their
    > (inhouse) network operator, and the operator looks up their howto list,
    > and enables UDP port 500 and 4500, because that's what IPv4 wanted.
    > Now the billing system people wonder why the it seems to work, but in
    > fact no traffic gets through.  It can be very hard to debug.

I have two questions here.
First, what kind of reasons (except of NAT) will cause that no traffic gets through?
Second, will UDP encapsulated ESP get through in these circumstances?

    > The purpose of this protocol is to allow that debugging.
    > The network operator people, who are not allowed into the billing
    > system, can instead use an ESPping utility to send ESP traffic, adjusting
    > their firewalls until they understand that UDP!=ESP.

When you find out that the IKEv2 negotiation succeeds but ESP traffic can't get through, what more information will you get from sending the ESPping and not receiving a response?
How does this draft help the adjustments and what kind of adjustments will be performed?

    > We also realized that one can write/modify traceroute to use ESPping
    > to determine how far ESP actually gets.

This sounds useful.

Regards & Thanks!
Wei PAN (潘伟)

    > There are also situations where there are ECMP routers in the way which
    > simply do not know what to do with ESP.  A network operator could
    > introduce such a sytem into a previously working site-to-site VPN and
    > suddenly things stop working, or get poor performance.
    > 
    > --
    > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software
    > Works
    >  -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*
    > 
    >

v2.23.0 | Report a Bug | By Email