Re: [IPsec] New Version Notification for draft-amjads-ipsecme-ikev2-data-channel-01.txt
"Black, David" <david.black@emc.com> Tue, 27 May 2014 12:21 UTC
Return-Path: <david.black@emc.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D345B1A00FE for <ipsec@ietfa.amsl.com>; Tue, 27 May 2014 05:21:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.352
X-Spam-Level:
X-Spam-Status: No, score=-3.352 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-Rl0qZkD8yQ for <ipsec@ietfa.amsl.com>; Tue, 27 May 2014 05:21:46 -0700 (PDT)
Received: from mailuogwhop.emc.com (mailuogwhop.emc.com [168.159.213.141]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8D831A0037 for <ipsec@ietf.org>; Tue, 27 May 2014 05:21:45 -0700 (PDT)
Received: from maildlpprd03.lss.emc.com (maildlpprd03.lss.emc.com [10.253.24.35]) by mailuogwprd03.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s4RCLeCx029517 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 May 2014 08:21:41 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd03.lss.emc.com s4RCLeCx029517
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1401193301; bh=a78r/frVFa5LkJrGENQfyEdbI38=; h=From:To:Date:Subject:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=ks70qGwl+CvCbnRBGuRX3jdgDxNpNSUbu/eJamvS6lUk8FVXzAmzwZmjyOmaEw5Z2 KGwwAOVOWF9vXB44lTFEXLKXrIluxwPxXEaIUwK0YPs1TEIMdasUox4jLRHqHp3YB+ OXTF3DLWcLmfypmxoDRRydSHQ98810ysEqrjUZkE=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd03.lss.emc.com s4RCLeCx029517
Received: from mailusrhubprd54.lss.emc.com (mailusrhubprd54.lss.emc.com [10.106.48.19]) by maildlpprd03.lss.emc.com (RSA Interceptor); Tue, 27 May 2014 08:21:32 -0400
Received: from mxhub25.corp.emc.com (mxhub25.corp.emc.com [10.254.110.181]) by mailusrhubprd54.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s4RCLVhb008025 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 27 May 2014 08:21:31 -0400
Received: from mx15a.corp.emc.com ([169.254.1.64]) by mxhub25.corp.emc.com ([10.254.110.181]) with mapi; Tue, 27 May 2014 08:21:30 -0400
From: "Black, David" <david.black@emc.com>
To: "Amjad Inamdar (amjads)" <amjads@cisco.com>, "IPsecme WG (ipsec@ietf.org)" <ipsec@ietf.org>
Date: Tue, 27 May 2014 08:21:29 -0400
Thread-Topic: New Version Notification for draft-amjads-ipsecme-ikev2-data-channel-01.txt
Thread-Index: AQHPPeiO1qUsOYKQVUCWirQNN+fFNJren44AgDhRGQCAExQE0IAAfquggChreXCAAeB1UA==
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712076C66300C@MX15A.corp.emc.com>
References: <20140312114328.20101.44457.idtracker@ietfa.amsl.com> <AAB3D1882B58DF46B73D67CE475E7EA004CF0F91@xmb-rcd-x03.cisco.com> <8D3D17ACE214DC429325B2B98F3AE712076C2EC424@MX15A.corp.emc.com> <62922D1DB814EF458679925ECD8AA68D242A33ED@xmb-rcd-x10.cisco.com> <8D3D17ACE214DC429325B2B98F3AE712076C43817A@MX15A.corp.emc.com> <62922D1DB814EF458679925ECD8AA68D242D244C@xmb-rcd-x10.cisco.com>
In-Reply-To: <62922D1DB814EF458679925ECD8AA68D242D244C@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd54.lss.emc.com
X-RSA-Classifications: DLM_1, public
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/AgsglEPOKZDlLeTVW7K-IoNg5Rw
Subject: Re: [IPsec] New Version Notification for draft-amjads-ipsecme-ikev2-data-channel-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2014 12:21:49 -0000
Hi Amjad, > I glanced through RFC 5405 and I think the unacknowledged UDP based data > transfer provided by IKEv2 data channel is similar to DTLS and IPSec-over-UDP > (used with NAT-T). Please let me know if I am missing anything here. Sure, Joe originally wrote: > This mechanism lacks congestion control, and so needs to be used only > where its load is known to be a small fraction of capacity. In specific, > IKE's window mechanism allows for increasing the window size but not > decreasing it, as is needed to react to network congestion. > > The acknowledged data transfer mode uses IKE's window mechanism, which > is presumably set to a small value, and may result in very low throughput. > Attempts to increase this window size to overcome this limitation can > easily increase burstiness and network loss. I believe both comments continue to apply. IKEv2 is self-limiting in its use of UDP courtesy of IKEv2's exchange structure; this draft proposes to change that. If the intended use case really is IoT, then something can be said about the limited amount/rate of traffic that is involved. Thanks, --David > -----Original Message----- > From: Amjad Inamdar (amjads) [mailto:amjads@cisco.com] > Sent: Monday, May 26, 2014 3:37 AM > To: Black, David; Rajeshwar Singh Jenwar (rsj); IPsecme WG (ipsec@ietf.org) > Subject: RE: New Version Notification for draft-amjads-ipsecme-ikev2-data- > channel-01.txt > > Hi David, > > I glanced through RFC 5405 and I think the unacknowledged UDP based data > transfer provided by IKEv2 data channel is similar to DTLS and IPSec-over-UDP > (used with NAT-T). Please let me know if I am missing anything here. > > Thanks, > -Amjad > > -----Original Message----- > From: Black, David [mailto:david.black@emc.com] > Sent: Wednesday, April 30, 2014 7:53 PM > To: Amjad Inamdar (amjads); Rajeshwar Singh Jenwar (rsj); IPsecme WG > (ipsec@ietf.org) > Subject: RE: New Version Notification for draft-amjads-ipsecme-ikev2-data- > channel-01.txt > > Amjad, > > I'm sorry, but that would be incorrect; please read RFC 5405 and apply its > design guidance. > > Thanks, > --David (Transport Directorate member and tsvwg WG co-chair) > > > -----Original Message----- > > From: Amjad Inamdar (amjads) [mailto:amjads@cisco.com] > > Sent: Wednesday, April 30, 2014 2:52 AM > > To: Black, David; Rajeshwar Singh Jenwar (rsj); IPsecme WG > > (ipsec@ietf.org) > > Subject: RE: New Version Notification for > > draft-amjads-ipsecme-ikev2-data- channel-01.txt > > > > Hi David, > > > > In the new version (version 1) of the draft, unlike IKEv2 control > > packets the data packets are not acknowledged and hence the comments > > on congestion and windowing no longer apply. > > > > Thanks, > > -Amjad > > > > -----Original Message----- > > From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Black, David > > Sent: Friday, April 18, 2014 3:58 AM > > To: Rajeshwar Singh Jenwar (rsj); IPsecme WG (ipsec@ietf.org) > > Subject: Re: [IPsec] New Version Notification for > > draft-amjads-ipsecme-ikev2- data-channel-01.txt > > > > Well, Joe Touch's comments on congestion still apply: > > > > http://www.ietf.org/mail-archive/web/ipsec/current/msg08654.html > > > > I suggest consulting RFC 5405 on this topic, and applying its guidance. > > > > Thanks, > > --David > > > > > -----Original Message----- > > > From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Rajeshwar > > > Singh Jenwar (rsj) > > > Sent: Wednesday, March 12, 2014 10:27 PM > > > To: IPsecme WG (ipsec@ietf.org) > > > Subject: [IPsec] FW: New Version Notification for > > > draft-amjads-ipsecme-ikev2- data-channel-01.txt > > > > > > Hi, > > > > > > We (Amjad and I) have published new version of "Data over IKEv2 for > > > application security" draft based on inputs/comments received. > > > Please review and provide comments/inputs/questions. > > > > > > Kind Regards, > > > Raj > > > > > > -----Original Message----- > > > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] > > > Sent: Wednesday, March 12, 2014 5:13 PM > > > To: Amjad Inamdar (amjads); Rajeshwar Singh Jenwar (rsj); Rajeshwar > > > Singh Jenwar (rsj); Amjad Inamdar (amjads) > > > Subject: New Version Notification for > > > draft-amjads-ipsecme-ikev2-data-channel- > > > 01.txt > > > > > > > > > A new version of I-D, draft-amjads-ipsecme-ikev2-data-channel-01.txt > > > has been successfully submitted by Amjad S. Inamdar and posted to > > > the IETF repository. > > > > > > Name: draft-amjads-ipsecme-ikev2-data-channel > > > Revision: 01 > > > Title: IKEv2 based lightweight secure data communication draft- > > > amjads-ipsecme-ikev2-data-channel-01 (D-IKE) > > > Document date: 2014-03-12 > > > Group: Individual Submission > > > Pages: 15 > > > URL: http://www.ietf.org/internet-drafts/draft-amjads-ipsecme- > ikev2-data-channel-01.txt > > > Status: https://datatracker.ietf.org/doc/draft-amjads-ipsecme- > ikev2- > > > data-channel/ > > > Htmlized: http://tools.ietf.org/html/draft-amjads-ipsecme-ikev2- > data- > > > channel-01 > > > Diff: http://www.ietf.org/rfcdiff?url2=draft-amjads-ipsecme- > ikev2- > > > data-channel-01 > > > > > > Abstract: > > > The Internet Key Exchange (IKEv2) protocol provides authentication, > > > confidentiality, integrity, data-origin authentication and anti- > > > replay. Currently, IKEv2 is mainly used as a control channel to > > > negotiate IPsec SA(s). IPsec is not well suited to provide transport > > > layer security for applications as it resides at the network layer > > > and most of the IPsec implementations require integration into > > > operating systems making it difficult to deploy. IPsec uses > > > different sessions for control and data traffic which is not NAT and > > > load balancer friendly. TLS/DTLS, the other popular security > > > mechanism to provide the above security services does not mandate > > > mutual peer authentication and Diffie Hellman exchange. > > > > > > This document describes an IKEv2 based lightweight secure data > > > communication protocol and a way to provide transport layer security > > > for UDP client/server applications. The protocol provides integrity > > > protected encryption and integrity-only protection based on > > > application needs. As most of the IoT applications are UDP based, > > > IKEv2 can be used for key management as well secure data > > > communication in IoT due to its simplicity, scalability, > > > lightweightedness and ease of deployment. > > > > > > > > > > > > > > > Please note that it may take a couple of minutes from the time of > > > submission until the htmlized version and diff are available at > > tools.ietf.org. > > > > > > The IETF Secretariat > > > > > > _______________________________________________ > > > IPsec mailing list > > > IPsec@ietf.org > > > https://www.ietf.org/mailman/listinfo/ipsec > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] FW: New Version Notification for draft-am… Rajeshwar Singh Jenwar (rsj)
- Re: [IPsec] New Version Notification for draft-am… Black, David
- Re: [IPsec] New Version Notification for draft-am… Amjad Inamdar (amjads)
- Re: [IPsec] New Version Notification for draft-am… Black, David
- Re: [IPsec] New Version Notification for draft-am… Amjad Inamdar (amjads)
- Re: [IPsec] New Version Notification for draft-am… Black, David
- Re: [IPsec] New Version Notification for draft-am… Amjad Inamdar (amjads)