Re: [IPsec] ESP Signally to higher layers

Michael Richardson <mcr@sandelman.ca> Sat, 21 May 2022 11:13 UTC

From: Michael Richardson <mcr@sandelman.ca>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
cc: IPsecME WG <ipsec@ietf.org>
In-reply-to: <76129f8a-9287-e19d-ec32-5c743a7afdf2@htt-consult.com>
References: <76129f8a-9287-e19d-ec32-5c743a7afdf2@htt-consult.com>
Comments: In-reply-to Robert Moskowitz <rgm-sec@htt-consult.com> message dated "Fri, 20 May 2022 09:03:14 -0400."
Date: Sat, 21 May 2022 07:13:21 -0400
Message-ID: <886536.1653131601@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/F58xJbw9IQc1Aolme0YSoWttT2Y>
Subject: Re: [IPsec] ESP Signally to higher layers

Robert Moskowitz <rgm-sec@htt-consult.com> wrote:
    > This is an item that goes back to the beginning of ESP work:
    > Minimally, how does the higher level 'learn' that it is secure:

Are you asking how *TCP* learns of this, or how an application with an open
socket(2) learns of this?

    > Encrypted/Authenticated/CRC'ed...  ?
    > And as ESP has a seq#, how might it be conveyed to the higher layer?

Do you mean replay counter here, or did you mean SPI?

Preferably, never, because it will get rekeyed, so really, whatever you want
to do really needs to be communicated, abstracted, to the key daemon, who will
do the right thing, and keep track of updates to the SPI#.

    > Case in point:  MAVlink has a 1-byte seq# in its payload.  How might
    > this be provided by ESP?

Now I think maybe you really do mean sequence/replay counter.

    > https://mavlink.io/en/guide/message_signing.html

    > So I have been thinking about this vis-a-vis diet-esp.  What is the
    > mechanism/trigger that can best work across a number of higher layers
    > to inform of operating environment and values available (seq#)?

    > Is this done anywhere now?

Doubtful.