Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps
Tommy Pauly <tpauly@apple.com> Sun, 19 March 2017 18:45 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B4021292FD for <ipsec@ietfa.amsl.com>; Sun, 19 Mar 2017 11:45:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSsrRRAhuonV for <ipsec@ietfa.amsl.com>; Sun, 19 Mar 2017 11:45:53 -0700 (PDT)
Received: from mail-in24.apple.com (mail-out24.apple.com [17.171.2.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA48B126C0F for <ipsec@ietf.org>; Sun, 19 Mar 2017 11:45:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1489949152; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=kEC44DF/3HMs9QE4wybB/VxtX/ZCKWBjPyhpg6/wDQE=; b=TNbYcVtPoYvVbhRlXLReFIFvXWXm5mEk4lU7nLdFEaIna4mxL+gKrLL2OlS2p222 m/ply7EKPLk7J/amyjESUl67Gu/QsFvmmyGnrKINt8lIisWtIx4ZLX07Gc/tdz+H 3UulCDWpigTTKkGZw9+1Z2K+SCHsMoTd0AJLhnC3RUN1NE0hTMwcO/WNvQko/O7U 0D4xoGNYVAe8DJ/7SP5GlwjDXmDsio0IJIcqQIYUS8qaBiXw4rgZQmQiQbXss5Xn StRXcNKYdhj3OdVl+v5PBLMKZoBYzMok98v7Gn2t90iMeFHHt2M+ZKhYQudyaima Ar8lEPD9IdwcwD8mHexMIA==;
Received: from relay6.apple.com (relay6.apple.com [17.128.113.90]) by mail-in24.apple.com (Apple Secure Mail Relay) with SMTP id 8C.78.31801.0E1DEC85; Sun, 19 Mar 2017 11:45:52 -0700 (PDT)
X-AuditID: 11ab0218-d930d9a000007c39-eb-58ced1e00d01
Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by relay6.apple.com (Apple SCV relay) with SMTP id 33.7A.31597.FD1DEC85; Sun, 19 Mar 2017 11:45:52 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; CHARSET="US-ASCII"
Received: from [17.153.68.99] by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0ON200ASDS4FW430@nwk-mmpp-sz12.apple.com>; Sun, 19 Mar 2017 11:45:51 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <CABcZeBM-83Q-j=VEQahJPer4w=Cve1h2seJRquZsrdhnXj1JqQ@mail.gmail.com>
Date: Sun, 19 Mar 2017 11:45:52 -0700
Cc: Yoav Nir <ynir.ietf@gmail.com>, ipsec@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org
Message-id: <D2E36F6D-C467-4CD7-8180-493FA82D36FE@apple.com>
References: <CABcZeBPMR9m8zPdhG4Bc3DHWj9UmVq22Z7G4ApYjBGJeC7MU=A@mail.gmail.com> <A5D592C8-AEE0-4675-88AE-0064FD52B49B@gmail.com> <CABcZeBPiZmWBJEW5PYFDafS_v3dumEkS285MAifme85-ziu=ig@mail.gmail.com> <08CAB6F1-EA5C-4FA6-A9E9-1D7A87997470@apple.com> <CABcZeBM-83Q-j=VEQahJPer4w=Cve1h2seJRquZsrdhnXj1JqQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3263)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrBLMWRmVeSWpSXmKPExsUi2FAYpfvg4rkIgyVdOhbv/5xhtFjx+hy7 xf4tL9gslh77wOTA4rFz1l12jyVLfjJ5TH7cxhzAHMVlk5Kak1mWWqRvl8CVMXWyQ0G7WMWm 1UeYGxh3CXYxcnJICJhI/H14hqmLkYtDSGAfo8Ss6XdZYRK/+rrAbCGBQ4wSLx5Ugdi8AoIS PybfY+li5OBgFpCXOHheFiTMLKAl8f1RKwvEnC+MEms3/AOrERaQkNi8JxGkRljATuLqmp3M IDabgIrE8W8bwGxOgWCJZw+uMYLYLAKqElevNLJDzIyR2DPzDivIGF4BG4mOk9IQ448xSWxc fwesXkRAQeLXnxMsECfLSnQvnMYMUiQhMINN4ur7n2wTGIVnITl7FsLZs5CcvYCReRWjcG5i Zo5uZp6RiV5iQUFOql5yfu4mRlDQr2aS2MH45bXhIUYBDkYlHt4d285FCLEmlhVX5h5ilOZg URLnfT7lbISQQHpiSWp2ampBalF8UWlOavEhRiYOTqkGxu1PlA5PN3+/Kqrtsd7TG7bzBTbf DkpeFKNucHHL1AdzJ4a95dbKkV3JO33rzDOnZqbckFn2XW7F7ZOPf6z37p970TCd16ep+fL3 Xdej0gIm3jm+5YYm79ry0mWbspccmlLeKKNZ9tBzR/b0/jq/XRqKBqIdZ1+8WsH97yKPi/GO Av2zawX/PKhQYinOSDTUYi4qTgQA36ssXlsCAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrFLMWRmVeSWpSXmKPExsUi2FB8RvfBxXMRBvMesFq8/3OG0WLF63Ps Fvu3vGCzWHrsA5MDi8fOWXfZPZYs+cnkMflxG3MAcxSXTUpqTmZZapG+XQJXxtTJDgXtYhWb Vh9hbmDcJdjFyMkhIWAi8auvixXEFhI4xCjx4kEViM0rICjxY/I9li5GDg5mAXmJg+dlQcLM AloS3x+1AoW5gMq/MEqs3fAPrEZYQEJi855EkBphATuJq2t2MoPYbAIqEse/bQCzOQWCJZ49 uMYIYrMIqEpcvdLIDjEzRmLPzDusIGN4BWwkOk5KQ4w/xiSxcf0dsHoRAQWJX39OsECcLCvR vXAa8wRGgVlILp2FcOksJJcuYGRexShQlJqTWGmml1hQkJOql5yfu4kRHKKFUTsYG5ZbHWIU 4GBU4uENqDobIcSaWFZcmQsMCQ5mJRFetVPnIoR4UxIrq1KL8uOLSnNSiw8xSnOwKInz9h8B SgmkJ5akZqemFqQWwWSZODilGhjFhD8FSMcITpcVXCwUMTdcze/s0d0dE29ud+o9c+V4bMxH wSO5B3lVp8/deN9Or7JHRyA6/tKVBzfPLWfpMmh+/dn+M5PqKf33E5a+c/RefstVPDFHdsua q2df7V8ZWpn0327mz0dPtkx41t9s8mwi2+a3l/88zM+O4ZMtDFi77dRKg8N6t7+YKrEUZyQa ajEXFScCAA8MublNAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/91W_dVChfYMwF9-BSg7Ff4vZQBE>
Subject: Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Mar 2017 18:45:56 -0000
Some servers may support that, but some may not. These sessions are often used for VPN access, and we've seen cases in which a particular user/certificate combination is only allowed to be connected once-at-a-time. That makes switching more complicated. Also, since the recommendation is to try sending the UDP first packet at least twice, the amount of time required for the user to wait before the fallback would kick in is only on the order of a few RTT. I think if these session were more likely to be used for user-interactive, short-lived connections, I'd see more value in a nuanced racing algorithm. However, we often see IKE brought up in the background and stay associated for a very long time, making the protocol that wins the race more important, and the time to wait to establish slightly less important. Thanks, Tommy > On Mar 19, 2017, at 11:40 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > I haven't fully thought this through, but if yu can switch-hit between TCP > and UDP, > why can't you just race the setup between TCP and UDP and then if you start > getting packets on UDP, cut over to that. > > Maybe I'm just too influenced by ICE :) > > -Ekr > > > On Sun, Mar 19, 2017 at 11:25 AM, Tommy Pauly <tpauly@apple.com> wrote: > >> >> On Mar 19, 2017, at 6:47 AM, Eric Rescorla <ekr@rtfm.com> wrote: >> >> >> >> On Sat, Mar 18, 2017 at 11:29 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: >> >>> Hi, Eric. >>> >>> On 19 Mar 2017, at 4:04, Eric Rescorla <ekr@rtfm.com> wrote: >>> >>> [Now with the right address] >>> >>> I just finished reading this document. Some comments below. >>> >>> >>> - You have a uniform 16 bit length field followed by a 4 byte all-zeros >>> sentinel value to indicate that a packet is IKE rather than ESP. >>> Given that in S 3 graf 2 you have a SHOULD-level requirement >>> to use typical UDP payload lengths, why not instead explicitly >>> limit lengths to 15 bits and use the top bit to indicate IKE versus >>> ESP. This would be slightly more efficient and seems simpler. >>> I suppose that the counterargument is that IKE over UDP behaves >>> differently, but in terms of implementation, that doesn't seem like >>> much of an argument. >>> >>> >>> Another counter-argument is that we sometimes need the entire theoretical >>> length of a UDP packet. The IKE_AUTH messages typically carry a certificate >>> chain and sometimes even a CRL. And there is no way to split a certificate >>> chain over several messages. With remote access VPN you also get a CFG >>> payload with configuration information that can also encode an unbounded >>> amount of data. So I would not want to constrain the certificate chains >>> that we are able to send any more than the IP packet length already does
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Valery Smyslov
- [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Yoav Nir
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Yoav Nir
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Valery Smyslov
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Yoav Nir
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Tommy Pauly
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Tommy Pauly
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Paul Wouters