IETF Logo Mail Archive

Re: [IPsec] [saag] IETF 114 IPsecME report

Paul Wouters <paul@nohats.ca> Tue, 31 January 2023 13:32 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13E92C151717 for <ipsec@ietfa.amsl.com>; Tue, 31 Jan 2023 05:32:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PZX5AQzxy4I3 for <ipsec@ietfa.amsl.com>; Tue, 31 Jan 2023 05:32:26 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6210C1516E1 for <ipsec@ietf.org>; Tue, 31 Jan 2023 05:32:25 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4P5mF34KPMz1K1; Tue, 31 Jan 2023 14:32:23 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1675171943; bh=USaIOERvW3/qsKDDdn09NSgI8wJnwTh5xlf3wj+c+eE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=QUOSTCS651vil0d0/6cojZE7emKEccSJNCKoNFutOTsBNGP4U/5XdGJzFX6On0mfZ ZOTllISGHfPhkLvaCKad+tr9TNYG21TT2odnJikbaQc4Xo0XD/bjI4i1CsIkgdVHDf I31wf/mw0DkmCv/ziOZptmnQWm4pDNVIc9KCNOpc=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id QtcEmbhCTztB; Tue, 31 Jan 2023 14:32:22 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 31 Jan 2023 14:32:21 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 0CA95686972; Tue, 31 Jan 2023 08:32:21 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 0B3E9686971; Tue, 31 Jan 2023 08:32:21 -0500 (EST)
Date: Tue, 31 Jan 2023 08:32:21 -0500
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: 'Tero Kivinen' <kivinen@iki.fi>, 'Paul Wouters' <paul.wouters@aiven.io>, ipsec@ietf.org, 'Yoav Nir' <ynir.ietf@gmail.com>, 'Roman Danyliw' <rdd@cert.org>
In-Reply-To: <016301d93576$bb63c030$322b4090$@gmail.com>
Message-ID: <b3438e48-84b0-d8bc-b9ef-b0b3ae00794c@nohats.ca>
References: <25311.20490.971667.883557@fireball.acr.fi> <CAGL5yWbWUvqPPsC3e-rqEc5i00WWXAhe=_SurmiWDNzfF54rRg@mail.gmail.com> <CAGL5yWbpx2K3X7FpMVASUeTzQZ2A=tKDw9s5UBqWUKbGnTgxiw@mail.gmail.com> <25558.47779.655532.512440@fireball.acr.fi> <016301d93576$bb63c030$322b4090$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/DOqP7hg9U88BWj9l1_5Br1F884g>
Subject: Re: [IPsec] [saag] IETF 114 IPsecME report
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 13:32:30 -0000

On Tue, 31 Jan 2023, Valery Smyslov wrote:

>> This document should simply say that TS_SECLABEL MUST NOT be used
>> alone. This document must not try to do incompatible change to the
>> base RFC7296 which would make conforming implemntations
>> non-conforming.
>
> Unfortunately, this won't work. It is not enough to add new TS type,
> with security labels the semantics of TS types should be changed
> so, that there are "primary" TS types and "additional" ones.
>
> This is because in RFC 7296 individual Traffic Selectors in TS payload
> are combined with OR. In other words, traffic matching
> combination of any Traffic Selector in TSi and
> any Traffic Selector in TSr is protected.
>
> TS_SECLABEL cannot be treated with this semantics,
> it must be treated with AND (as additional condition for
> the traffic to match), which requires RFC 7296 update.

Right.

> I agree with you that current document text doesn't take into considerations
> the existence of other "primary" TS types, like TS_FC_ADDR_RANGE.

Yes, we assumed that one, which was not "regular IKEv2", was out of
scope but we can say something about it. As Tero pointed out, perhaps
people do want to use it there.

>> So I do not think this document should update RFC7296 at all, so most
>> of the section 3 is wrong.
>
> The "proper" way would be to introduce new TS types
> TS_IPV4_ADDR_RANGE_WITH_SECLABEL and TS_IPV6_ADDR_RANGE_WITH_SECLABEL.
> I recall that it was already tried before, but I don't remember
> why this way was abandoned.

The fear of combinatory explosion if something else got added. Eg lets
say we have a similar new TS TYPE that modifies like sec_label. Let's
call it FOO. We would end up with:

TS_IPV4_ADDR_RANGE
TS_IPV4_ADDR_RANGE_WITH_SECLABEL
TS_IPV4_ADDR_RANGE_WITH_FOO
TS_IPV4_ADDR_RANGE_WITH_SECLABEL_AND_FOO
TS_IPV6_ADDR_RANGE
TS_IPV4_ADDR_RANGE_WITH_FOO
TS_IPV6_ADDR_RANGE_WITH_SECLABEL
TS_IPV6_ADDR_RANGE_WITH_SECLABEL_AND_FOO

The WG thought this would be a worse solution.

Paul

v2.23.0 | Report a Bug | By Email