IETF Logo Mail Archive

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 14 October 2020 08:01 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21E7B3A13FA for <ipsec@ietfa.amsl.com>; Wed, 14 Oct 2020 01:01:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tWJCencFo8y for <ipsec@ietfa.amsl.com>; Wed, 14 Oct 2020 01:01:17 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30DB63A13F8 for <ipsec@ietf.org>; Wed, 14 Oct 2020 01:01:17 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id h6so2692544lfj.3 for <ipsec@ietf.org>; Wed, 14 Oct 2020 01:01:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=LBIe9NSPwtyeBQbRKPuqRuGR6fxSnkbfmiOwmdeG9R0=; b=bNuz+JtomoL4UINbzDtt2H3GTe+1MYdA46U5BMxovQgfihYZCxpG7EcaRlw+6Q9uW1 NrHMD/7Vhp0Xn5Q2ahuhg6njOaiD0NCe1EJNaxS5bx0u8imZs4tbuVcAs0qXFyW0x4is VEiM0hIf37cSwLQbZrioZqaEJd3cCm2+sIdbioxK5leqp2endJUJ80HfHecHCqUpFPGy lx/3DzJUoQ6YYN+S/MmDZhrFci0Oo88EMlP0bzTScql8B83R1qsNCJhjXW3vlDjzVD6p cpdr0re6g7YH80p9zTr/svBUyYOSMjDmcXqyuLYtsgibSxaqFlWUEBFcVM9wAJbdwjKA YmeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=LBIe9NSPwtyeBQbRKPuqRuGR6fxSnkbfmiOwmdeG9R0=; b=RPMD1s4bJ7efsDiWVQejRsUvubNgIFr4rsOliJJOlVNUv78JSmS2kf7dXo2z97GIb5 +r56ABBo0n2g72amRnEOPhf1/HED/a5aXVr4FUrfPgk8gbmwo6F7jpBjfMk2fuR3thCY x/Rwlu+ard+Cci1B7zLmeJpH342yI1XBItJipD3tFrsIJBr3UcIt1tyShfbot2xLbfGQ fP58UoPUGspSlnOSt1fAueXgr1vUsOk+1rovAGzldgx6RkOEGB7zswBtPC+Npw7kiByB JLCS2foQJRKATWMumli7GRcjHvqcLeF7ySDusBrpqmxwkdjOQysPINMoDeQikUbpmUxp Gzkg==
X-Gm-Message-State: AOAM5327VEuQ8mxSmkYSpRN8pALHU4YCDWVtBBoUN8zX1qejuvsO+xS+ 0zex0GKSZDifa1dvVHxD+9A=
X-Google-Smtp-Source: ABdhPJyJN/48DmNl6gY6evUpc4Sr/6vr+Si57kMj4a4L/C/takU0eag+o7NUrV2db+a3ClmLsaHF+Q==
X-Received: by 2002:ac2:51bb:: with SMTP id f27mr968020lfk.70.1602662475272; Wed, 14 Oct 2020 01:01:15 -0700 (PDT)
Received: from buildpc ([93.188.44.203]) by smtp.gmail.com with ESMTPSA id t21sm845894lfl.64.2020.10.14.01.01.14 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Oct 2020 01:01:14 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Christian Hopps' <chopps@chopps.org>
Cc: 'Tero Kivinen' <kivinen@iki.fi>, 'Lou Berger' <lberger@labn.net>, ipsec@ietf.org
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <24453.58544.114398.668064@fireball.acr.fi> <0b080379-48c0-b4ac-c213-f8cdfefc514a@labn.net> <24454.5506.450515.501200@fireball.acr.fi> <001701d6a1f7$76981240$63c836c0$@gmail.com> <56F3A6E6-EDD6-46FA-8829-EC10FD9AD058@chopps.org>
In-Reply-To: <56F3A6E6-EDD6-46FA-8829-EC10FD9AD058@chopps.org>
Date: Wed, 14 Oct 2020 11:01:09 +0300
Message-ID: <003b01d6a200$2d70df80$88529e80$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLBR9Dg1QdoZI0c6Vo/AaLkIdpDHgLCxSxRAjbXs18B6rBqnQEamLQSAoWVN8MCQOm3xwKebyejAfAZezoCQHfUywFMuMbDAUR9UsACYJ5QqKb9O0vA
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8yt0H6ozifSCRf5Ah_KcR9t46Ok>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 08:01:19 -0000

HI Chris,

> Indeed, this isn't about switching a pair of SAs to IPTFS in the middle of the tunnel operation. This is only
> about supporting the receipt of IPTFS as a payload in ESP.

I admit, that English is not my native language :-), but the text in the draft in my reading 
suggests exactly what you write it is not suggesting - switching to IP-TFS in the middle of tunnel operation
("on receipt of the first IP-TFS payload"):

2.4.  Zero-Conf Receive-Side Operation On The SA.

   Receive-side operation of IP-TFS does not require any per-SA
   configuration on the receiver; as such, an IP-TFS implementation
   SHOULD support the option of switching to IP-TFS receive-side
   operation on receipt of the first IP-TFS payload.

If you intention was to require that all implementations SHOULD just support receiving IP-TFS packets
(say, should implement IP-TFS), then the requirement is strange for me - 
in fact you require that all implementations support this extension.

So, if you really meant some other thing, then the current text 
must be completely rewritten, so that it is clear for non-native readers (like me).

Regards,
Valery.

> Zero conf (or globally config enabled) receive support of IPTFS payloads is seen by some as a real value add.
> I'm not sure what the kerfuffle is all about. :)
> 
> Thanks,
> Chris.
> 
> > On Oct 14, 2020, at 2:58 AM, Valery Smyslov <smyslov.ietf@gmail.com> wrote:
> >
> > Hi Tero,
> >
> >>> I'm not advocating ike vs ike-less, just trying to have a comprehensive
> >>> solution.  One example ikeless usecase is captured by the YANG model in
> >>> last call:
> >>> https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-09
> >>
> >> Which will require similar behavior from the IPsec part than IKE,
> >> meaning you can't really change any parameters on the fly for existing
> >> SAs. You can't change for example the ciphers of the existing SA, and
> >> expect that to work.
> >
> > In fact, unlike changing e.g. cipher on the fly, that is not possible,
> > because the cipher used is not present in the ESP packet, so that you
> > cannot distinguish two ESP packets with different ciphers, you can distinguish
> > tunnel packets from IPTFS packets on receiving side
> > (by analyzing Next Header), so technically the proposed
> > switching is workable. That said, I fully agree with you
> > that it is a very bad idea and must be prohibited,
> > at least for traditional IPsec.
> >
> > I care less about other use cases (I recall that authors wanted
> > to use IPTFS not only for IPsec, but as more generic
> > mechanism to pack several IP packets into one). So, I may leave
> > with this option if it will be explicitly prohibited
> > for traditional IPsec. IKE-less (l2nsf) use case is a corner case,
> > I tend to agree with you that it should be prohibited
> > for this case too.
> >
> > Regards,
> > Valery.
> >
> >> My understanding for that is that ike-less will not change any
> >> parameters of the existing SAs in the SAD, as that would definitely
> >> break everything, but instead they will allocate new SPI, install new
> >> SAD entry, and then remove the old SAD entry which causes the traffic
> >> move to use the newly created SAD entry.
> >>
> >> So for that use, there is no point of having a way to turn on IPTFS in
> >> the middle of SA use time, exactly as there is no need to try to
> >> change algorithms of the existing SAs. If you do that kind of things,
> >> you just create new SA, and delete old one. I am not sure whether this
> >> should be reflected on the draft-ietf-i2nsf-sdn-ipsec-flow-protection
> >> somehow, i.e., indicating that most (if not all) of the items in the
> >> sad-entry are write once type of things, i.e., you can write them
> >> once, but you can't modify them once they have been set, and only way
> >> to change them is to delete the whole sad-entry and recreate it with
> >> new values (most likely doing it other way round, i.e., first create
> >> new and delete old).
> >> --
> >> kivinen@iki.fi
> >

v2.23.0 | Report a Bug | By Email