IETF Logo Mail Archive

Re: [IPsec] New Version Notification for draft-amjads-ipsecme-ikev2-data-channel-01.txt

"Black, David" <david.black@emc.com> Tue, 27 May 2014 12:21 UTC

Return-Path: <david.black@emc.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D345B1A00FE for <ipsec@ietfa.amsl.com>; Tue, 27 May 2014 05:21:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.352
X-Spam-Level:
X-Spam-Status: No, score=-3.352 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-Rl0qZkD8yQ for <ipsec@ietfa.amsl.com>; Tue, 27 May 2014 05:21:46 -0700 (PDT)
Received: from mailuogwhop.emc.com (mailuogwhop.emc.com [168.159.213.141]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8D831A0037 for <ipsec@ietf.org>; Tue, 27 May 2014 05:21:45 -0700 (PDT)
Received: from maildlpprd03.lss.emc.com (maildlpprd03.lss.emc.com [10.253.24.35]) by mailuogwprd03.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s4RCLeCx029517 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 May 2014 08:21:41 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd03.lss.emc.com s4RCLeCx029517
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1401193301; bh=a78r/frVFa5LkJrGENQfyEdbI38=; h=From:To:Date:Subject:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=ks70qGwl+CvCbnRBGuRX3jdgDxNpNSUbu/eJamvS6lUk8FVXzAmzwZmjyOmaEw5Z2 KGwwAOVOWF9vXB44lTFEXLKXrIluxwPxXEaIUwK0YPs1TEIMdasUox4jLRHqHp3YB+ OXTF3DLWcLmfypmxoDRRydSHQ98810ysEqrjUZkE=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd03.lss.emc.com s4RCLeCx029517
Received: from mailusrhubprd54.lss.emc.com (mailusrhubprd54.lss.emc.com [10.106.48.19]) by maildlpprd03.lss.emc.com (RSA Interceptor); Tue, 27 May 2014 08:21:32 -0400
Received: from mxhub25.corp.emc.com (mxhub25.corp.emc.com [10.254.110.181]) by mailusrhubprd54.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s4RCLVhb008025 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 27 May 2014 08:21:31 -0400
Received: from mx15a.corp.emc.com ([169.254.1.64]) by mxhub25.corp.emc.com ([10.254.110.181]) with mapi; Tue, 27 May 2014 08:21:30 -0400
From: "Black, David" <david.black@emc.com>
To: "Amjad Inamdar (amjads)" <amjads@cisco.com>, "IPsecme WG (ipsec@ietf.org)" <ipsec@ietf.org>
Date: Tue, 27 May 2014 08:21:29 -0400
Thread-Topic: New Version Notification for draft-amjads-ipsecme-ikev2-data-channel-01.txt
Thread-Index: AQHPPeiO1qUsOYKQVUCWirQNN+fFNJren44AgDhRGQCAExQE0IAAfquggChreXCAAeB1UA==
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712076C66300C@MX15A.corp.emc.com>
References: <20140312114328.20101.44457.idtracker@ietfa.amsl.com> <AAB3D1882B58DF46B73D67CE475E7EA004CF0F91@xmb-rcd-x03.cisco.com> <8D3D17ACE214DC429325B2B98F3AE712076C2EC424@MX15A.corp.emc.com> <62922D1DB814EF458679925ECD8AA68D242A33ED@xmb-rcd-x10.cisco.com> <8D3D17ACE214DC429325B2B98F3AE712076C43817A@MX15A.corp.emc.com> <62922D1DB814EF458679925ECD8AA68D242D244C@xmb-rcd-x10.cisco.com>
In-Reply-To: <62922D1DB814EF458679925ECD8AA68D242D244C@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd54.lss.emc.com
X-RSA-Classifications: DLM_1, public
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/AgsglEPOKZDlLeTVW7K-IoNg5Rw
Subject: Re: [IPsec] New Version Notification for draft-amjads-ipsecme-ikev2-data-channel-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2014 12:21:49 -0000

Hi Amjad,

> I glanced through RFC 5405 and I think the unacknowledged UDP based data
> transfer provided by IKEv2 data channel is similar to DTLS and IPSec-over-UDP
> (used with NAT-T). Please let me know if I am missing anything here.

Sure, Joe originally wrote:

> This mechanism lacks congestion control, and so needs to be used only
> where its load is known to be a small fraction of capacity. In specific,
> IKE's window mechanism allows for increasing the window size but not
> decreasing it, as is needed to react to network congestion.
> 
> The acknowledged data transfer mode uses IKE's window mechanism, which
> is presumably set to a small value, and may result in very low throughput.
> Attempts to increase this window size to overcome this limitation can
> easily increase burstiness and network loss.

I believe both comments continue to apply.  IKEv2 is self-limiting in its
use of UDP courtesy of IKEv2's exchange structure; this draft proposes to change
that.  If the intended use case really is IoT, then something can be said
about the limited amount/rate of traffic that is involved.

Thanks,
--David

> -----Original Message-----
> From: Amjad Inamdar (amjads) [mailto:amjads@cisco.com]
> Sent: Monday, May 26, 2014 3:37 AM
> To: Black, David; Rajeshwar Singh Jenwar (rsj); IPsecme WG (ipsec@ietf.org)
> Subject: RE: New Version Notification for draft-amjads-ipsecme-ikev2-data-
> channel-01.txt
> 
> Hi David,
> 
> I glanced through RFC 5405 and I think the unacknowledged UDP based data
> transfer provided by IKEv2 data channel is similar to DTLS and IPSec-over-UDP
> (used with NAT-T). Please let me know if I am missing anything here.
> 
> Thanks,
> -Amjad
> 
> -----Original Message-----
> From: Black, David [mailto:david.black@emc.com]
> Sent: Wednesday, April 30, 2014 7:53 PM
> To: Amjad Inamdar (amjads); Rajeshwar Singh Jenwar (rsj); IPsecme WG
> (ipsec@ietf.org)
> Subject: RE: New Version Notification for draft-amjads-ipsecme-ikev2-data-
> channel-01.txt
> 
> Amjad,
> 
> I'm sorry, but that would be incorrect; please read RFC 5405 and apply its
> design guidance.
> 
> Thanks,
> --David (Transport Directorate member and tsvwg WG co-chair)
> 
> > -----Original Message-----
> > From: Amjad Inamdar (amjads) [mailto:amjads@cisco.com]
> > Sent: Wednesday, April 30, 2014 2:52 AM
> > To: Black, David; Rajeshwar Singh Jenwar (rsj); IPsecme WG
> > (ipsec@ietf.org)
> > Subject: RE: New Version Notification for
> > draft-amjads-ipsecme-ikev2-data- channel-01.txt
> >
> > Hi David,
> >
> > In the new version (version 1) of the draft, unlike IKEv2 control
> > packets the data packets are not acknowledged and hence the comments
> > on congestion and windowing no longer apply.
> >
> > Thanks,
> > -Amjad
> >
> > -----Original Message-----
> > From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Black, David
> > Sent: Friday, April 18, 2014 3:58 AM
> > To: Rajeshwar Singh Jenwar (rsj); IPsecme WG (ipsec@ietf.org)
> > Subject: Re: [IPsec] New Version Notification for
> > draft-amjads-ipsecme-ikev2- data-channel-01.txt
> >
> > Well, Joe Touch's comments on congestion still apply:
> >
> > http://www.ietf.org/mail-archive/web/ipsec/current/msg08654.html
> >
> > I suggest consulting RFC 5405 on this topic, and applying its guidance.
> >
> > Thanks,
> > --David
> >
> > > -----Original Message-----
> > > From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Rajeshwar
> > > Singh Jenwar (rsj)
> > > Sent: Wednesday, March 12, 2014 10:27 PM
> > > To: IPsecme WG (ipsec@ietf.org)
> > > Subject: [IPsec] FW: New Version Notification for
> > > draft-amjads-ipsecme-ikev2- data-channel-01.txt
> > >
> > > Hi,
> > >
> > > We (Amjad and I) have published new version of "Data over IKEv2 for
> > > application security" draft based on inputs/comments received.
> > > Please review and provide comments/inputs/questions.
> > >
> > > Kind Regards,
> > > Raj
> > >
> > > -----Original Message-----
> > > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > > Sent: Wednesday, March 12, 2014 5:13 PM
> > > To: Amjad Inamdar (amjads); Rajeshwar Singh Jenwar (rsj); Rajeshwar
> > > Singh Jenwar (rsj); Amjad Inamdar (amjads)
> > > Subject: New Version Notification for
> > > draft-amjads-ipsecme-ikev2-data-channel-
> > > 01.txt
> > >
> > >
> > > A new version of I-D, draft-amjads-ipsecme-ikev2-data-channel-01.txt
> > > has been successfully submitted by Amjad S. Inamdar and posted to
> > > the IETF repository.
> > >
> > > Name:		draft-amjads-ipsecme-ikev2-data-channel
> > > Revision:	01
> > > Title:		IKEv2 based lightweight secure data communication draft-
> > > amjads-ipsecme-ikev2-data-channel-01 (D-IKE)
> > > Document date:	2014-03-12
> > > Group:		Individual Submission
> > > Pages:		15
> > > URL:            http://www.ietf.org/internet-drafts/draft-amjads-ipsecme-
> ikev2-data-channel-01.txt
> > > Status:         https://datatracker.ietf.org/doc/draft-amjads-ipsecme-
> ikev2-
> > > data-channel/
> > > Htmlized:       http://tools.ietf.org/html/draft-amjads-ipsecme-ikev2-
> data-
> > > channel-01
> > > Diff:           http://www.ietf.org/rfcdiff?url2=draft-amjads-ipsecme-
> ikev2-
> > > data-channel-01
> > >
> > > Abstract:
> > >    The Internet Key Exchange (IKEv2) protocol provides authentication,
> > >    confidentiality, integrity, data-origin authentication and anti-
> > >    replay.  Currently, IKEv2 is mainly used as a control channel to
> > >    negotiate IPsec SA(s).  IPsec is not well suited to provide transport
> > >    layer security for applications as it resides at the network layer
> > >    and most of the IPsec implementations require integration into
> > >    operating systems making it difficult to deploy.  IPsec uses
> > >    different sessions for control and data traffic which is not NAT and
> > >    load balancer friendly.  TLS/DTLS, the other popular security
> > >    mechanism to provide the above security services does not mandate
> > >    mutual peer authentication and Diffie Hellman exchange.
> > >
> > >    This document describes an IKEv2 based lightweight secure data
> > >    communication protocol and a way to provide transport layer security
> > >    for UDP client/server applications.  The protocol provides integrity
> > >    protected encryption and integrity-only protection based on
> > >    application needs.  As most of the IoT applications are UDP based,
> > >    IKEv2 can be used for key management as well secure data
> > >    communication in IoT due to its simplicity, scalability,
> > >    lightweightedness and ease of deployment.
> > >
> > >
> > >
> > >
> > > Please note that it may take a couple of minutes from the time of
> > > submission until the htmlized version and diff are available at
> > tools.ietf.org.
> > >
> > > The IETF Secretariat
> > >
> > > _______________________________________________
> > > IPsec mailing list
> > > IPsec@ietf.org
> > > https://www.ietf.org/mailman/listinfo/ipsec
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email