IETF Logo Mail Archive

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 27 April 2017 12:33 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3AF8127909; Thu, 27 Apr 2017 05:33:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lk7hqiTjlJ09; Thu, 27 Apr 2017 05:33:51 -0700 (PDT)
Received: from mail-yw0-x235.google.com (mail-yw0-x235.google.com [IPv6:2607:f8b0:4002:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 000021273B1; Thu, 27 Apr 2017 05:33:50 -0700 (PDT)
Received: by mail-yw0-x235.google.com with SMTP id k11so14650940ywb.1; Thu, 27 Apr 2017 05:33:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rBc/TMJmCjLs7bbNanFqTcFz/eXZlYsUWXVgwfjD77o=; b=tWVvKUXzfngX12wLAeLFM2hB+cyD/ABeF7ymhDmLRe2nwtUwDXfN/m/NXHvOTKcVRu jMAZ0NH2ni/JRZ3HQz7SbVMta5rv5ib+B9RJyITUGQZ6O5khXaVYjK2rItX2enN9aho9 99Qi48tQmQuh183ED+yF48yhwIjbghz/T6gCQoKnCQgB/dsZZ7Qrci+tB1v3Y9ATh5qH EylHmK3NIeS0tHWdjUtYIFtALRYr77IsDeh9quxhBgFGJu0mNKgFILMd6fWeo1PyO/8+ 05yVpQdAPX/D/5Ihglt0YsAeL8vn/lqXeCxthyynwIrwa9dkMBTXztTC7Zn2aX27YKuz 1GJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rBc/TMJmCjLs7bbNanFqTcFz/eXZlYsUWXVgwfjD77o=; b=HvKJb0bxWtFa7BvSmsmZ0EP8Fzl7v6k9QmnR5tq/9lIPpvU+sN+qWG+rHITUb1o/os NzuachA9dxHgDuHOGHZzdbolnXTE4SUlNM9bRfCV7AWRJC8RbK2ai2RcIDhnJzQz410c 30idfHkBV203lVVb9on3Nh72kA1ICp8lcrQBe9KHE9cT1kB9L+bHXAUDgsrtCCFWjMSf H9uVVEn9Gbm2VoB/uOgjhxNfvDP9CRu1EQZQJ4DVKITzdHscfakBs8vilqD89n7BBPaf jtgi7076MJ1eOLpbwPZh3Kny1J//ex6R/qz0ix4nuh6k+wwX36iqnqMaamyAc5fkxpAV ho7A==
X-Gm-Message-State: AN3rC/78v1Idg6LmiMUUiwrsskMLmJL4svrllUgVP915L34InqBxf4uN vN78W+ubtUT/SsLYyGxxM7j+HV0hFg==
X-Received: by 10.129.129.197 with SMTP id r188mr4044230ywf.289.1493296430138; Thu, 27 Apr 2017 05:33:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.161.198 with HTTP; Thu, 27 Apr 2017 05:33:49 -0700 (PDT)
In-Reply-To: <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Thu, 27 Apr 2017 07:33:49 -0500
Message-ID: <CAKKJt-eWifk8ReWLGUism13XAiOCAGO7H7iyEUTGTvMw9fT0kw@mail.gmail.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>
Cc: Tommy Pauly <tpauly@apple.com>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, The IESG <iesg@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary="94eb2c081298434b71054e252b56"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ADbyvrDsJeVjo-FJpVnCC6WaIrA>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 12:33:54 -0000

Not my discuss, but since I'm also supposed to worry about ports :-)

On Thu, Apr 27, 2017 at 3:32 AM, Mirja Kühlewind <ietf@kuehlewind.net>
wrote:

> Hi Tommy,
>
> please see below, only on the first point for now.
>
> On 26.04.2017 05:28, Tommy Pauly wrote:
>
>>
>>
>> On Apr 25, 2017, at 5:48 AM, Mirja Kühlewind <ietf@kuehlewind.net> wrote:
>>>
>>> Mirja Kühlewind has entered the following ballot position for
>>> draft-ietf-ipsecme-tcp-encaps-09: Discuss
>>>
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>>
>>>
>>> Please refer to https://www.ietf.org/iesg/stat
>>> ement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>>
>>>
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-tcp-encaps/
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>> This draft suggests that ports that are assigned to other services can
>>> simply be used. This is not okay. If a port is assigned to a certain
>>> service, this service and/or the respective RFC defines how this port is
>>> used. Simply changing the specified behavior by requiring a check for a
>>> magic number cannot be done without updating the RFC that the port
>>> assignment belongs to. Also for the use of 4500/tcp RFC3948 as well as
>>> the IANA registry would need to be updated.
>>>
>>
>> At this point, the only portion of the document that mentions a port
>> other than 500 and 4500 is the appendix. We recommend that 4500 is used as
>> the port for TCP encapsulation. The IANA registry for 4500/tcp is already
>> assigned to IPSec NAT Traversal in RFC 3947; that document does not explain
>> how TCP is to be used, so the reference should be updated to point to the
>> document on TCP encapsulation.
>>
>
> So at least section 11 talks about port 80 as well. It doesn't explicitly
> recommend to use it, but because it's discussed there I would say that this
> is implicitly the intention:
>
> "A network device that monitors up to the application layer will
>    commonly expect to see HTTP traffic within a TCP socket running over
>    port 80, if non-HTTP traffic is seen (such as TCP encapsulated IKE),
>    this could be dropped by the security device."
>

I understand Mirja's point, and I understand why the draft doesn't tie the
protocol to one assigned port.

>
> Further it's clear that the whole intention on the existence of section 4
> is that you want to (mis)use ports that have been assigned for other
> services and are for that reason potentially not blocked.
>
> The (processing) problem here is that even if the bit pattern in section 4
> is currently not used and unlikely to ever be used by the protocol that is
> officially assigned to the port, there is nothing that excludes a future
> protocol spec to use these bits (and there is also nothing that makes
> designer of these protocols aware that these bits are already in use by a
> different protocol on the same port). So the minimum you basically would
> need to do is to update all RFCs for protocols on ports that you may want
> to use (and probably also the IANA registry for these ports to add a
> refernce to this document) and say that it is not possible to use this bit
> patter for the protocol itself and all future version of it. Of course you
> probably would need to involve those working groups that maintain these
> protocols and I also not sure how happy those groups would be about such an
> update.
>

What I'm thinking, is that this isn't a problem we can solve, draft by
draft.

Assuming that https://datatracker.ietf.org/doc/rfc3986/referencedby/ is a
reasonable proxy, the datatracker returns 775 documents that reference the
RFC that defines the URI scheme, which includes
https://tools.ietf.org/html/rfc3986#section-3.2.3, allowing the application
to specify a port which (of course) could be assigned to another protocol
in
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
.

That's a worst-case scenario, of course (some RFCs weren't deployed, some
are probably obsoleted by other RFCs, etc.), but I'm betting the number of
protocols with the same issue as HTTP(S) has here is somewhere in the
hundreds.

>
> I personally think that that is not a nice solution and if you e.g. want
> to use port 80 for IKE, you would need to define an IKE variant over
> HTTP/TCP. That doesn't sound great and I'm not sure if that a solution
> anybody would like to implement.
>
> I do see the problem you have and I understand why you selected the
> solution you have but that does contradict quite a bit the idea of the port
> registry and I don't think it's a safe and future prove solution. Even if
> people use this approach, I'm concern to publish it in an Standards Track
> RFC, but I guess that's a discussion the IESG would need to have.


So, yes, I agree with this, and suggest that we start that discussion on
next week's informal telechat.

But, to try to make progress on this Discuss ...

The reason optional ports in URIs work, is that someone handed you a URI
with that port number who has some reason to believe that the port number
is OK to use with the host included in the URI.

Is that a reasonable assumption about the way IPsec and IKE over TCP will
be deployed? That no Initiator would assume that another host is an IKE
Responder, without being configured to use that host?

Curiously,

Spencer


> Mirja
>
>
>
>> We can soften the references in the appendix to the fact that other ports
>> may, in fact, be used. As for the configuration, it should state 4500 as
>> the default, but allow peers to configure something else out-of-band if
>> they want to modify behavior (which is standard even in UDP implementations
>> of IKE).
>>
>>
>>> Further, as also mentioned in the tsv-art review (Thanks Wes!), this
>>> draft does not sufficiently handle the case of TCP in TCP encapsulation.
>>> Here a copy of the tsv-art review:
>>>
>>> Reviewer: Wesley Eddy
>>> Review result: On the Right Track
>>>
>>> This document is clear and well-written.  It can easily be implemented
>>> based on the description.
>>>
>>> There are a few additional issues that should be considered with
>>> advice to implementers in Section 12 on performance considerations:
>>> 1) Invisibility of packet loss - Inner protocols that require packet
>>> losses as a signal of congestion (e.g. TCP) will have a challenge due
>>> to not being able to see any packet losses since the outer TCP will
>>> repair them (unless sending into a full outer TCP socket buffer shows
>>> up back to the inner TCP as a packet loss?).
>>>
>>
>> Yes, this is definitely true. We try to capture that with the line: "This
>> will make loss-
>>    recovery of the inner TCP traffic less reactive and more prone to
>>    spurious retransmission timeouts."
>>
>> However, this can certainly be expanded upon.
>>
>> 2) Nesting of ECN -  Inner TCP connections will not be able to use
>>> effectively ECN on the portion of the path covered by the outer TCP
>>> connection.
>>>
>>
>> Generally, IPsec tunnels will apply RFC 6040 for translating ECN markings
>> between inner/outer packets. Since TCP encapsulation places the inner IP
>> packets in a stream, there isn't a direct mapping.
>>
>> An implementation could try to roughly map, but it may be best to suggest
>> that the ECN markings for inner and outer packets be left separate. What is
>> your opinion?
>>
>> 3) Impact of congestion response on aggregate - The general "TCP in
>>> TCP" problem is mentioned, and is mostly appropriate for a single
>>> flow.  If an aggregate of flows is sharing the same outer TCP
>>> connection, there may be additional concerns about how the congestion
>>> response behavior impacts an aggregate of flows, since it may cause a
>>> shared delay spike even to low-rate flows rather than distributing
>>> losses proportional to per-flow throughput.
>>>
>>
>> Indeed. We can add further comments to that effect.
>>
>> 4) Additional potential for bufferbloat - Since TCP does not bound
>>> latency, some applications in the IPsec-protected aggregate could
>>> drive latency of the shared connection up and impact the aggregate of
>>> flows that may include real-time applications.  The socket buffer for
>>> the outer TCP connection might need to be limited in size to ensure
>>> some bounds?
>>>
>>
>> We can add a comment to suggest that the buffering should be limited on
>> the outer connection if possible.
>>
>>
>>> Not addressing these could lead to poor experiences in deployment, if
>>> implementations make wrong assumptions or fail to consider them.
>>>
>>
>> I do think all of these concerns go back to the overall recommendation of
>> "use direct ESP or UDP Encapsulation whenever possible". Anything to help
>> back up that point is great!
>>
>> Thanks,
>> Tommy
>>
>>>
>>> In the security considerations section, there are several RFCs on
>>> mechanisms to increase robustness to RST attacks and SYN floods that
>>> could be mentioned if it's worthwhile.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>>>
>>
>>
>

v2.23.0 | Report a Bug | By Email