Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
Mirja Kühlewind <ietf@kuehlewind.net> Thu, 27 April 2017 14:03 UTC
Return-Path: <ietf@kuehlewind.net>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1192129512 for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 07:03:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=ietf@kuehlewind.net header.d=kuehlewind.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a9okq-bs6jXy for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 07:03:09 -0700 (PDT)
Received: from kuehlewind.net (kuehlewind.net [83.169.45.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DCC4129530 for <ipsec@ietf.org>; Thu, 27 Apr 2017 07:03:07 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kuehlewind.net; b=M6u93yaCTqfmrfcnGULHF6oO4Xg6scOvfXMgp05Sdm/7qKrTZVLaBAt0eeQeI4jbUmcRZ09WBDI2KeeYWQe4vUGbCAmt4r6qePwUnQYciz/hhfC+FwBsL76hyAiXwndWCPHZ/HFz61uCSiv+uFsmkuHgPST1bRSIZ1ecSt4Mtn8=; h=Received:Received:Subject:To:References:Cc:From:Message-ID:Date:User-Agent:MIME-Version:In-Reply-To:Content-Type:Content-Transfer-Encoding:X-PPP-Message-ID:X-PPP-Vhost;
Received: (qmail 28094 invoked from network); 27 Apr 2017 16:03:05 +0200
Received: from nb-10510.ethz.ch (HELO ?82.130.103.143?) (82.130.103.143) by kuehlewind.net with ESMTPSA (DHE-RSA-AES128-SHA encrypted, authenticated); 27 Apr 2017 16:03:05 +0200
To: Eric Rescorla <ekr@rtfm.com>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net> <CABcZeBMj9UpzD+CpvOMKOkUsYNSL-UQCwuYt__5XCXtH=zyesA@mail.gmail.com> <22fac532-f30b-03e3-0757-aed213e5a346@kuehlewind.net> <4f5900d2-a795-8bb4-a89d-dad51e4a6f09@kuehlewind.net> <CABcZeBPF+XEzsBFXGKJ25Hiqoos-tBXgu84HHjJO0DSvpMniww@mail.gmail.com>
Cc: ipsecme-chairs@ietf.org, Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-tcp-encaps@ietf.org, Tommy Pauly <tpauly@apple.com>
From: Mirja Kühlewind <ietf@kuehlewind.net>
Message-ID: <2d56db7e-7ffd-0bea-a6d7-a494d9cdda4e@kuehlewind.net>
Date: Thu, 27 Apr 2017 16:03:04 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBPF+XEzsBFXGKJ25Hiqoos-tBXgu84HHjJO0DSvpMniww@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-PPP-Message-ID: <20170427140305.28084.86125@lvps83-169-45-111.dedicated.hosteurope.de>
X-PPP-Vhost: kuehlewind.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/CsWhh4W5rFM9iXTLNdqn83MG1cM>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 14:03:11 -0000
Yes, just saying... On 27.04.2017 15:50, Eric Rescorla wrote: > > > On Thu, Apr 27, 2017 at 6:46 AM, Mirja Kühlewind <ietf@kuehlewind.net > <mailto:ietf@kuehlewind.net>> wrote: > > One more side comment on the magic number: actually the magic number > makes it easy for network operator to identify IKE/IPSec traffic on any > port and block all packets that below to a flow that started with this > pattern in the first payload packet. So if you really think you need a > magic number, you should probably always encrypt it. > > > My impression was that the point of this was not to evade future operators > who are trying to block IKE, but merely to deal with the problem of > over-aggressive > middleboxes which currently block IKE, mostly accidentally. Certainly that's how > we think of things over in WebRTC land. > > -Ekr > > > On 27.04.2017 15 <tel:27.04.2017%2015>:42, Mirja Kühlewind wrote: > > Hi Ekr, hi all, > > (not sure anymore which email best to reply to but I'm using this one > now to > partly also reply to others). > > See below. > > On 27.04.2017 14 <tel:27.04.2017%2014>:51, Eric Rescorla wrote: > > > > On Thu, Apr 27, 2017 at 1:32 AM, Mirja Kühlewind > <ietf@kuehlewind.net <mailto:ietf@kuehlewind.net> > <mailto:ietf@kuehlewind.net <mailto:ietf@kuehlewind.net>>> wrote: > > I do see the problem you have and I understand why you > selected the > solution you have but that does contradict quite a bit the > idea of the > port registry and I don't think it's a safe and future prove > solution. > Even if people use this approach, I'm concern to publish it in an > Standards Track RFC, but I guess that's a discussion the IESG > would need > to have. > > > Mirja, > > I agree that this kind of port squatting is regrettable, but I > also don't > think it really > helps to not publish RFCs that document widely used protocols > because we > are sad they port-squatted. > > I proposed a way to deal with this in an earlier e-mail. Would > that be > satisfactory > to you. To retransmit, we add the following > > "Note: While port 4500 is the reserved port for this protocol, > some existing > implementations > also use port 443. The Stream Prefix provides some mitigation against > cross-protocol > attacks in this case, however, the use of port 443 is NOT > RECOMMENDED" > > We could do something similar for port 80. > > Would that work? > > > This already is good but I think it's not enough. As Tero noted the > working > group thought that they rather specify a generic scheme which I find > problematic. Currently the drafts says: > > "This document leaves the selection of TCP ports up to > implementations. It is suggested to use TCP port 4500, which is > allocated for IPsec NAT Traversal." > > Which sounds to me like an invitation to squat on any open port > regardless > what the port is supposed to be used for (hoping that the magic > number would > avoid any collision). I don't think that a good thing to right in an RFC. > > Now given the text you propose above, I actually assume that the text > I just > cited will be removed but the whole document is written with this > assumption > and therefore there are a couple more places where wording probably > needs to > change. > > I do understand well the problem and that 443 is used in practice. > However, > to match reality I would rather like to see a document that specifies the > approach of encapsulating in TLS/TCP on port 443 that is used today > and pure > TCP encapsulation for use with port 4500 only. Again i think that's where > your proposed text is heading to but I think it needs more changes; > in this > case it would also make sense to add the TLS part back in the main > document > for 443 only. > > Further, I have one more question: The document is written in a way that > allows the implementation of multiple services on the used port. Is that > actually done in reality? If we could restrict the use of this > encapsulation > with servers that only are IKE servers (at least for the used port), you > would actually not need the magic number anymore. I guess you can > still have > the magic number if you really want it because that makes it easier to > distinguish valid IKE/IPSec traffic from other random traffic that > might be > send to this port but the other service running on this port (on other > servers) does not need to know about the magic number because it is > supposed > to never see any IKe/IPSec TCP-encapsulated traffic. > > Does that make sense? > > Mirja > > > > > -Ekr > > > > > Mirja > > > > We can soften the references in the appendix to the fact > that other > ports may, in fact, be used. As for the configuration, it > should > state 4500 as the default, but allow peers to configure > something > else out-of-band if they want to modify behavior (which > is standard > even in UDP implementations of IKE). > > > Further, as also mentioned in the tsv-art review > (Thanks Wes!), this > draft does not sufficiently handle the case of TCP in TCP > encapsulation. > Here a copy of the tsv-art review: > > Reviewer: Wesley Eddy > Review result: On the Right Track > > This document is clear and well-written. It can > easily be > implemented > based on the description. > > There are a few additional issues that should be > considered with > advice to implementers in Section 12 on performance > considerations: > 1) Invisibility of packet loss - Inner protocols that > require packet > losses as a signal of congestion (e.g. TCP) will have > a challenge due > to not being able to see any packet losses since the > outer TCP will > repair them (unless sending into a full outer TCP > socket buffer shows > up back to the inner TCP as a packet loss?). > > > Yes, this is definitely true. We try to capture that with > the line: > "This will make loss- > recovery of the inner TCP traffic less reactive and > more prone to > spurious retransmission timeouts." > > However, this can certainly be expanded upon. > > 2) Nesting of ECN - Inner TCP connections will not > be able to use > effectively ECN on the portion of the path covered by > the outer TCP > connection. > > > Generally, IPsec tunnels will apply RFC 6040 for > translating ECN > markings between inner/outer packets. Since TCP > encapsulation places > the inner IP packets in a stream, there isn't a direct > mapping. > > An implementation could try to roughly map, but it may be > best to > suggest that the ECN markings for inner and outer packets > be left > separate. What is your opinion? > > 3) Impact of congestion response on aggregate - The > general "TCP in > TCP" problem is mentioned, and is mostly appropriate > for a single > flow. If an aggregate of flows is sharing the same > outer TCP > connection, there may be additional concerns about > how the congestion > response behavior impacts an aggregate of flows, > since it may cause a > shared delay spike even to low-rate flows rather than > distributing > losses proportional to per-flow throughput. > > > Indeed. We can add further comments to that effect. > > 4) Additional potential for bufferbloat - Since TCP > does not bound > latency, some applications in the IPsec-protected > aggregate could > drive latency of the shared connection up and impact > the aggregate of > flows that may include real-time applications. The > socket buffer for > the outer TCP connection might need to be limited in > size to ensure > some bounds? > > > We can add a comment to suggest that the buffering should > be limited > on the outer connection if possible. > > > Not addressing these could lead to poor experiences > in deployment, if > implementations make wrong assumptions or fail to > consider them. > > > I do think all of these concerns go back to the overall > recommendation of "use direct ESP or UDP Encapsulation > whenever > possible". Anything to help back up that point is great! > > Thanks, > Tommy > > > In the security considerations section, there are > several RFCs on > mechanisms to increase robustness to RST attacks and > SYN floods that > could be mentioned if it's worthwhile. > > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org <mailto:IPsec@ietf.org> > <mailto:IPsec@ietf.org <mailto:IPsec@ietf.org>> > https://www.ietf.org/mailman/listinfo/ipsec > <https://www.ietf.org/mailman/listinfo/ipsec> > <https://www.ietf.org/mailman/listinfo/ipsec > <https://www.ietf.org/mailman/listinfo/ipsec>> > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org <mailto:IPsec@ietf.org> <mailto:IPsec@ietf.org > <mailto:IPsec@ietf.org>> > https://www.ietf.org/mailman/listinfo/ipsec > <https://www.ietf.org/mailman/listinfo/ipsec> > <https://www.ietf.org/mailman/listinfo/ipsec > <https://www.ietf.org/mailman/listinfo/ipsec>> > > > >
- [IPsec] Mirja Kühlewind's Discuss on draft-ietf-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Kathleen Moriarty
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Eric Rescorla
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- [IPsec] Should draft-ietf-ipsecme-tcp-encaps-10 u… Paul Wouters
- Re: [IPsec] Should draft-ietf-ipsecme-tcp-encaps-… Tommy Pauly