Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
Eric Rescorla <ekr@rtfm.com> Thu, 27 April 2017 13:01 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30B301294CE for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 06:01:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qbt0oIxPGBSC for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 06:01:03 -0700 (PDT)
Received: from mail-yb0-x22d.google.com (mail-yb0-x22d.google.com [IPv6:2607:f8b0:4002:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EF5A1294A1 for <ipsec@ietf.org>; Thu, 27 Apr 2017 06:01:00 -0700 (PDT)
Received: by mail-yb0-x22d.google.com with SMTP id 8so7695067ybw.1 for <ipsec@ietf.org>; Thu, 27 Apr 2017 06:01:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=E3d9p2kTXDubZLBGwalP0+PEa930ut2X+8Tgg9QpC0c=; b=u9UUGwHfC617K8u2XAAsFYDQQQJIQQpCLExfuGCTnRdn/vqY4oHWnL5ELV1ctNj/8c Nw35Ygywwsr9eui8jV2UuyqvXYBK7ST+oZR0ArTaniw22yrRMgLsCYoYbZsKX9Jw2Ym1 QKMkgeSWy2v6HV8+rKldHD1JhS/7ZSkDbzRoxcVY7xDYk1i4A3BjYlN02HNeGYciPFdU InaCubI3g6qDrcKdePt8dwU/SuqTbV0tOWIUmLszHmVKwjiCUlTfDfeJqkJSL1s2QwhN B9+vg2X79Hq0PbZovZUP9SuX5+Jr0X429RESg60y31hva1blA23DdqRipxEOHwGRkACT wIEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=E3d9p2kTXDubZLBGwalP0+PEa930ut2X+8Tgg9QpC0c=; b=H8ACCUy25dgP9npCxgdyO3AuT9rnra06KqZdpncLnRhDHeoSbO6myGHIJoz0AJ6CpO NUrI0h1NvQpN3m9KdPWzk3a+GTHUVuDxN8b2GIuNCwpMeaMBtszl4aeLXoVSMOWy9lrR 0v5NJNzc03vbCJ3HJAHEQjPZv0xwnM1s0GhjPZ7oPVYZTKgE5av/DhklzmuWpZT6jtJ7 B7W4WJK+JAWx0nzNpyTX7EuH/HUpvYGrdISuQFou8xuRsXRRUn1ExlQTgPwNK++0jtPC O6E6ifs7WujknReM43jqBvUrX5i+5mely8FSSplcpvgck2y7Aq10Xbuq7raccA93x4ib itGg==
X-Gm-Message-State: AN3rC/4WGQr8uYUmTv9WpYY9VzRbEkS5nLV+tCVB6eLgif9OF4gRsH8u VXZCT2no7BdeMaK9SOdDkqekKh4nWQ==
X-Received: by 10.37.218.145 with SMTP id n139mr4132587ybf.117.1493298059180; Thu, 27 Apr 2017 06:00:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.113.7 with HTTP; Thu, 27 Apr 2017 06:00:17 -0700 (PDT)
In-Reply-To: <89333EE4-4F8F-4206-AD61-6352C57AFBE7@apple.com>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <22784.31378.631303.102297@fireball.acr.fi> <CABcZeBOb3dD4tQbiYH9jABCXMKOGWNaWCNAyMzyKeiXnB5YAoQ@mail.gmail.com> <89333EE4-4F8F-4206-AD61-6352C57AFBE7@apple.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 27 Apr 2017 06:00:17 -0700
Message-ID: <CABcZeBMn=NhAr=Wd-oU6ePkvko3LH7OjUb0kEGdsmx-0PEDYEA@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsecme-chairs@ietf.org, ipsec@ietf.org, Mirja Kuehlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-tcp-encaps@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c07e8205cc00f054e258ccc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8C8T3U85yX7V1ZaeQagoUJXHvGo>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 13:01:09 -0000
On Wed, Apr 26, 2017 at 2:29 PM, Tommy Pauly <tpauly@apple.com> wrote: > > On Apr 26, 2017, at 12:51 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > AFAICT there are two separate issues: > > - The use of 4500, which, as Tero says, we can just update the registry to > point to this document for. > - The use of 443, which seems more complicated > > WRT 443, I would assert the following facts: > > - It's not awesome that people use 443 (though understandable because of > overly-aggressive firewalls) > - People aren't going to stop using 443 (because it goes through NATs well) > > Generally, I think it's more useful for documents to reflect reality, even > if we don't like that reality, > and 443 only appears in the appendix, so that seems fairly innocuous to > me. Perhaps we can > leave the 443 in the appendix with some note like: > > "Note: While port 4500 is the reserved port for this protocol, some > existing implementations > also use port 443. The Stream Prefix provides some mitigation against > cross-protocol > attacks in this case, however, the use of port 443 is NOT RECOMMENDED" > > > What would people think about that? > > > That sounds good to me. I think we may want to mention that the Stream > Prefix is used to distinguish from any other protocols running on port > 4500, etc, not really specifically to 443. > Good point. Tommy, Tero, the stream prefix doesn't seem totally ideal. Would there be > wiggle room > to specify ALPN here? Or maybe a longer prefix? > > > The document's text regarding ALPN is in section 4: > > "Although some framing protocols do support negotiating inner protocols, > the stream prefix should always be used in order for implementations to be > as generic as possible and not rely on other framing protocols on top of > TCP." > > The idea is that we don't want to use TLS as a wrapper whenever possible. > An implementation on an IKE server may be behind a proxy or another process > that's terminating the TLS or raw TCP, and passing the inner stream along. > In that case, we wanted a standard way to put IKE and ESP in a stream, not > relying on an outer protocol's details. > I get that, but it is a bit unfortunate to be relying on this inband signaling. > I'm perfectly open to using another prefix value; if you have a suggestion > for a longer value, that would be great! > I think I'd probably ask MT or mnot, but my instinct would be to use some randomly chosen string that started with IKETCP. E.g., IKETCP + 8ish random bytes. This just reduces the chance of any kind of accidental collision. I don't think it's a dealbreaker. -Ekr > Thanks, > Tommy > > > -Ekr > > > On Wed, Apr 26, 2017 at 3:46 AM, Tero Kivinen <kivinen@iki.fi> wrote: > >> Tommy Pauly writes: >> > > ------------------------------------------------------------ >> ---------- >> > > DISCUSS: >> > > ------------------------------------------------------------ >> ---------- >> > > >> > > This draft suggests that ports that are assigned to other services can >> > > simply be used. This is not okay. If a port is assigned to a certain >> > > service, this service and/or the respective RFC defines how this port >> is >> > > used. Simply changing the specified behavior by requiring a check for >> a >> > > magic number cannot be done without updating the RFC that the port >> > > assignment belongs to. Also for the use of 4500/tcp RFC3948 as well as >> > > the IANA registry would need to be updated. >> > >> > At this point, the only portion of the document that mentions a port >> > other than 500 and 4500 is the appendix. We recommend that 4500 is >> > used as the port for TCP encapsulation. The IANA registry for >> > 4500/tcp is already assigned to IPSec NAT Traversal in RFC 3947; >> > that document does not explain how TCP is to be used, so the >> > reference should be updated to point to the document on TCP >> > encapsulation. >> >> I already explained this in long email to the Joe and Paul, but >> noticed that those emails did not go to to the IESG, so this is mostly >> cut & paste of my previous email. This does not cover anything about >> using any other ports, but covers the case about the IANA allocations >> for TCP/4500 and UPD/4500. >> >> ---------------------------------------------------------------------- >> Paul Wouters writes: >> > On Tue, 25 Apr 2017, Joe Touch wrote: >> > > Every bit pattern, including those using magic numbers, is already >> > > owned and under the control of each assigned port. It is not >> > > appropriate for any new service to hijack that pattern as having a >> > > different meaning UNLESS explicitly updating the service on >> > > that port. >> > > >> > > A simple summary of what needs to change, in 2119-language: >> > > >> > > - this approach MUST NOT be described as applying to any >> > > assigned number unless also updating the associated RFC >> > >> > So it should add an Updates: RFC-3947 >> >> Not really. It does not update RFC3947 as it does not change the >> obsoleted protocol defined in the RFC3947. It does define way to >> extend things in IKE in similar way than RFC3948 (UDPENCAPS) does. On >> the other hand RFC3947 should have been obsoleted when we obsoleted >> IKEv1, as that document only defines how to do IKEv1 NAT traversal >> negotiation, and the IKEv2 NAT traversal negotation is described in >> main IKEv2 RFC (RFC7296). >> >> > It's a little weird. 3947 reserved TCP 4500, but did not specify how >> > to actually use TCP at all. It seems it was mostly preventatively >> > reserved. >> >> The reason RFC3947 reserved TCP/4500 was that it updated both TCP/4500 >> and UDP/4500 references from individual user to the RFC3947, so that >> IETF will have change control over the ports. I.e., those ports were >> allocated before RFC3947 came out, and they were used for several >> different non-interoperable versions of the NAT traversals, which then >> evolved to the standard version we define in RFC3947. We decided to >> reassign both TCP and UDP port 4500 to RFC3947 so it would be clear >> for what use they will be used. Also we commonly reserve both TCP and >> UDP ports for same number just in case someone defines a way to run >> the protocol over other transport protocol in the future... >> >> RFC3947 does not define anything over TCP/4500. Actually RFC3947 does >> not define anything over the UDP/4500 either, it is the RFC3948 that >> does that. The RFC3947 just says, we use the format defined in the >> RFC3948 over the UDP/4500, but is silent about the TCP/4500. >> >> RFC3947 is efficiently obsoleted, as it only defines the way to do NAT >> traversal on IKEv1, and IKEv1 is obsoleted and replaced with IKEv2 >> (originally RFC4306, and now RFC7296). So the RFC3947 should have been >> marked as obsoleted by RFC4306. I am not sure if we want to do that in >> this late. >> >> So my proposal is update the IANA port registry for both UDP/4500 and >> TCP/4500 as follows: >> >> Keyword Decimal Description Reference >> ------- ------- ----------- --------- >> ipsec-nat-t 4500/tcp IPsec NAT-Traversal [RFCXXXX] >> ipsec-nat-t 4500/udp IPsec NAT-Traversal [RFC3948], >> [RFC7296] >> >> (RFCXXXX being this RFC). >> >> Note, that the RFC3947 on the 4500/UDP was changed to RFC3948 as the >> RFC3948 actually defines the protocol used over the port. RFC3947 >> defines the IKEv1 negotiation over the UDP port 500 and 4500, but for >> IKEv2 this is already defined in the RFC7296. >> >> The RFC3947 could either be left as it is now, or marked as being >> obsoleted by this or RFC4306, or RFC7296 or whatever. Updating >> document which is effectively already obsoleted, is just wrong... >> -- >> kivinen@iki.fi >> >> > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > > >
- [IPsec] Mirja Kühlewind's Discuss on draft-ietf-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Kathleen Moriarty
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Eric Rescorla
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- [IPsec] Should draft-ietf-ipsecme-tcp-encaps-10 u… Paul Wouters
- Re: [IPsec] Should draft-ietf-ipsecme-tcp-encaps-… Tommy Pauly