IETF Logo Mail Archive

Re: [IPsec] ESP next payload number [Re: Some thoughts regarging draft-hopps-ipsecme-iptfs-01]

"Valery Smyslov" <smyslov.ietf@gmail.com> Fri, 29 November 2019 16:14 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A5E512099D for <ipsec@ietfa.amsl.com>; Fri, 29 Nov 2019 08:14:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GDv9H9upSsFU for <ipsec@ietfa.amsl.com>; Fri, 29 Nov 2019 08:14:02 -0800 (PST)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27D16120998 for <ipsec@ietf.org>; Fri, 29 Nov 2019 08:14:01 -0800 (PST)
Received: by mail-lf1-x134.google.com with SMTP id r15so20092598lff.2 for <ipsec@ietf.org>; Fri, 29 Nov 2019 08:14:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=Jsm889FrPL/JKO1ja69edkOWk1ywr/MAOrZrW5t5IZE=; b=cyWHBN/7P9LMJ95Ucq/TUPEbIyLpuWBT4ESnn4YSPQ0HjDZif5DABpyr4Pk3SV8hJY MMGcaoKFMF1cZXgf9ag4PD0xFcMNa8cF99w1pOgJQR6269AKibXg13DUIgDRnbkAFm9R oLVtRxOB1lxcaqCMHuKAMVcOd4G4SIczM/9v7RCZqHWrlDdFeQsi7ex5u1ktuhJRfIXs ScRwDnYLyGmKD0of6fuUmfroYPLY4YHXJz4hCeqluLPo2HizKir97cMwuKDUCIqIRnFP ErNes6GqPGNTkF75Flf0+wKNdRMPQoOJuqV6eXHnHY0a+1fQPg+elhjNuuC+qnY+lE+7 7ovw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=Jsm889FrPL/JKO1ja69edkOWk1ywr/MAOrZrW5t5IZE=; b=nhZhgo0vpt6lAg3/N+KGsz65mDGQmEBOpwEkN8Cn+/ot4dTrj4qRWDNovz/HHmXryA Cyosk64TWvyIiUkRDdB97FKcCdyvmlpPb1fuRQAerXjfn1/ELHPIoPNeUsL40PBPCmEl A8YEGnwkCvHBqFciz4/4utomwaoIt2N8WQrRlR9sgg0tju7O4SJ82fhKHm9ewiJHKFgy hnaHC7MccNkJP/yCr5UFP2wB/ghAUzYLpvmKvJXJMze5HhYSi4AjGSQN0wwfstSUWNto efHgW7EAbeiqlAwheVYxXtADF1RX5Cntjm6gFsIi+LucP3dRToDN9XN9SeohRkj30cx2 wCew==
X-Gm-Message-State: APjAAAU+GCM1NmowgSRvkbP///FEYRqHQLWxdU9lFxpkMk9OrU/yraMN VskL4Rx9o2SsMHL4py4VCO4=
X-Google-Smtp-Source: APXvYqyngNeuJ8z6dgaBG4PejD96t5LkbBQxgWTaCDfWxukki85nQ5krcOHvEaiWEHg/kB+uba7ylA==
X-Received: by 2002:ac2:410a:: with SMTP id b10mr9108135lfi.135.1575044039282; Fri, 29 Nov 2019 08:13:59 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id r20sm9792593lfi.91.2019.11.29.08.13.58 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 29 Nov 2019 08:13:58 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Christian Hopps' <chopps@chopps.org>
Cc: 'IPsecME WG' <ipsec@ietf.org>
References: <039e01d5a5f2$ac51d350$04f579f0$@gmail.com> <A8BDEB5B-332E-4767-9EC6-9AF4CFA2E34B@chopps.org> <042301d5a6b6$bc8e9fe0$35abdfa0$@gmail.com> <C6E9B9B8-EE15-4E86-8C39-77BCFF50ADC2@chopps.org>
In-Reply-To: <C6E9B9B8-EE15-4E86-8C39-77BCFF50ADC2@chopps.org>
Date: Fri, 29 Nov 2019 19:14:00 +0300
Message-ID: <044701d5a6d0$032d5a90$09880fb0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHtQTffgHTNPTWByX2TyLtNjmyTVQIQFEdcAazHshQCpl+r0qc//eow
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/7lqvMzfvKhO3EbbesoSSjYPctLM>
Subject: Re: [IPsec] ESP next payload number [Re: Some thoughts regarging draft-hopps-ipsecme-iptfs-01]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2019 16:14:04 -0000

> > I envision a lively discussion with INT folks if we ask them for a "fake" protocol number :-)
> 
> I would not choose to refer to it as a fake protocol. The field is defined as an IPv4 or IPv6 protocol value to
> identify the ESP payload. IPsec/ESP is *the* standard for encrypting IP traffic so this field has a valid claim to
> make on that number space. Just b/c it may not (but see next point) be used outside of IPsec/ESP doesn't
> mean that IPsec should not be able to allocate a number from it.

I meant that this IP protocol number will never be seen (and used) outside ESP. 
So, it's an ESP-only protocol number, thus for INT folks it's a "fake" one.

> >> Additionally, I'm not sure that we should be so quick to say that the IP-TFS payload would never be used
> >> outside of ESP; as was pointed out by Michael using this payload does solve the PMTU issue with (IPsec)
> >> tunnels, it could be re-used for this purpose outside of ESP as well.
> >
> > Please, elaborate.
> 
> The IP-TFS payload format allows for any-sized IP packet to be encapsulated inside an MTU sized outer
> header. Thus something like a GRE tunnel (with sequence numbers) with PMTU size-limited packets would not
> limit the inner payload packet size to the PMTU of the GRE tunnel. I'm not proposing this right now, but it's
> not hard to envision this use in the future, especially if IP-TFS is widely adopted by vendors.

Ah, I see - you want to use the same technique inside some other tunneling protocol.
This is doable, but in my opinion you should have control layer to set up such a tunnel
(like IKEv2 does for ESP), and you'll probably have this tunnel dedicated to IP-TFS traffic only,
and the peers would negotiate this feature over the control layer. So, new protocol
number seems redundant in this case too. I can't buy this argument.

> >> The next-header value is not always redundant, the use case where IP-TFS is enabled in only one direction
> >> with congestion control enabled requires being able to differentiate IPv[46] packets from IP-TFS CC
> >> information which is now sent in-band in the return direction. The CC information was moved in-band out
> of
> >> IKEv2 from the original -00 document based on comments from the WG (and I agree is a much better
> solution
> >> :)
> >
> > It's a strange use case. Both peers must support IP-TFS, but it is used only in one direction, so its usefulness
> > is limited (you can gain quite a lot information from timing of return packets). Do we really need to
> complicate
> > things to allow such asymmetric use case? BTW, you cannot negotiate it with your current spec :-)
> 
> I do not think this is strange, consider uni-directional data streams, e.g., telemetry.

ESP SAs are always created in pairs. And whether IP-TFS is enabled or not is common for both SAs.
Even if you use only one SA for IP-TFS traffic, the other will have IP-TFS enabled too.
How are you going with your spec to create a pair of SAs where IP-TFS is enabled in one direction and 
disabled in the other? Am I missing something? Even if you are able to create such a pair of SAs, is it justified?

> >>> 7. I don't think that late-enabling of IP-TFS described in section 2.4
> >>>   is really needed. It adds unnecessary complexity and somewhat contradicts
> >>>   to what is stated in section 2.3.
> >>
> >> Having the late-enable could be useful for debugging tunnels during bring-up. This does rely on having a
> way
> >> to identify the payload, but as mentioned above this isn't the only thing that relies on that. It didn't add
> much
> >> complexity to my code, but I'm certainly curious on other opinions on this.
> >
> > Color me unconvinced. Debugging is a local matter and should not be reflected in the spec.
> 
> ICMP echo request/reply? :)

It's not for debugging, it's for testing network connectivity.

>From what's written in you draft I made a conclusion that you want to help debugging
implementations, that's completely different thing. 

> More apropos, adding things to a protocol to make it easier to deploy/debug is not uncommon, we certainly
> have examples of this in routing (e.g., host identifier TLV in IS-IS etc)...
> 
> If this were the only reason for using the next header field I'd say the case is not strong for keeping it, but we
> still have the uni-directional CC case, so this second use doesn't cost much IMO.

Hmm, see above about uni-directional CC.

Regards,
Valery.

> Thanks,
> Chris.
> 
> >
> > Regards,
> > Valery.
> >
> >> Thanks,
> >> Chris.=
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >

v2.29.0 | Report a Bug | By Email | System Status