Re: [IPsec] Fwd: New Version Notification for draft-xu-risav-02.txt
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 24 October 2022 01:50 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06807C14F74E for <ipsec@ietfa.amsl.com>; Sun, 23 Oct 2022 18:50:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DxGA2yO3pq07 for <ipsec@ietfa.amsl.com>; Sun, 23 Oct 2022 18:50:45 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85028C14F745 for <ipsec@ietf.org>; Sun, 23 Oct 2022 18:50:45 -0700 (PDT)
Received: from dyas.sandelman.ca (cable-24-135-63-90.dynamic.sbb.rs [24.135.63.90]) by relay.sandelman.ca (Postfix) with ESMTPS id 09AE91F450; Mon, 24 Oct 2022 01:50:43 +0000 (UTC)
Received: by dyas.sandelman.ca (Postfix, from userid 1000) id 086B2A02E9; Sun, 23 Oct 2022 21:50:43 -0400 (EDT)
Received: from dyas (localhost [127.0.0.1]) by dyas.sandelman.ca (Postfix) with ESMTP id 0606EA01A0; Mon, 24 Oct 2022 03:50:43 +0200 (CEST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ben Schwartz <bemasc@google.com>, ipsec@ietf.org
In-reply-to: <CAHbrMsCOZMaBX3xk_BEc60OkCuYR2DpzSqj7ogyo9TO5AHauHg@mail.gmail.com>
References: <166627504630.62717.5060565830910515294@ietfa.amsl.com> <CAHbrMsCZR6_a2QJmh5CWVPzhepbktFQmvWJAAVRBqEfbdELZKA@mail.gmail.com> <516851.1666381420@dyas> <CAHbrMsBOO2DEafqVFJk-r98s1_XuVBaXrz5kz6GdB5ZW2ueMkA@mail.gmail.com> <949169.1666530528@dyas> <CAHbrMsCOZMaBX3xk_BEc60OkCuYR2DpzSqj7ogyo9TO5AHauHg@mail.gmail.com>
Comments: In-reply-to Ben Schwartz <bemasc@google.com> message dated "Sun, 23 Oct 2022 17:46:12 -0400."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 24 Oct 2022 03:50:43 +0200
Message-ID: <1133806.1666576243@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/HOMJeO3cDtlweeecx1evJxfoBtM>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-xu-risav-02.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 01:50:50 -0000
Ben Schwartz <bemasc@google.com> wrote: >> Ben Schwartz <bemasc@google.com> wrote: >> > .... >> > The real motivation to support AH in this draft comes down to MTU >> > overhead. Going from 24 bytes of MTU loss to 73 bytes seems >> > potentially significant, especially because: >> >> Where will you put the original src/dst IPs? >> 24 bytes is the AH overhead only. The v6 src/dst requires 32 bytes, >> at which point you might as well just have an IPIP header at 44 bytes. >> > They're in the outer IP header, unchanged, so it really is just 24 bytes. No, that's not legal or practical. Even assuming that you can insert an AH header (which I think you can legally do in IPv4, but not in IPv6), then you have to use a SPI# allocated by destination ASBR, so you have to put the dstip= ASBR. Really, you need to change the srcip= as well, because otherwise, ICMPs go to the wrong place. If you want do something else, then it's relly not IPsec. >> > I actually think RISAV uses RPKI for exactly the thing that RFC 9255 >> > wants: directing IP packets to the corresponding AS number. >> >> I'm not convinced it will fly. >> I agree with you, but I feel like I'm in the rough. >> > I think we can set this aside until we've ironed out the technical wrinkles. I actually think thta you need to do this up-front, otherwise, you are wasting your time. >> The draft notes some interesting questions about how sequence numbers >> > work in this situation. The best solution I came up with was to put >> > the source IP into the "Additional Data" of the AEAD (or equivalent), >> > but this seems like it would need a new IKEv2 extension. >> >> yes, that's an entirely new cipher mode. >> > How big a deal is a new cipher mode? It doesn't sound so bad. It's not that big deal, but I assume you'd like to use commodity off the shelf hardware. >> You have, btw, just re-invented SKIP. And maybe that's what you actually >> want, btw. >> > Oh, wow. SKIP (https://datatracker.ietf.org/doc/draft-ietf-ipsec-skip/ for > those following along) looks like exactly the "proposed extensions" > mentioned in Section 5.2 and Section 5.3 of RISAV, so it's definitely > relevant. Too bad it doesn't exist... I think that SKIP is probably the best direction to think about. Some ex-SUN people will buy you drinks until you die if you go that way. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- Re: [IPsec] Fwd: New Version Notification for dra… Erik Kline
- [IPsec] Fwd: New Version Notification for draft-x… Ben Schwartz
- Re: [IPsec] Fwd: New Version Notification for dra… Ben Schwartz
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Ben Schwartz
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Erik Kline
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Paul Wouters
- Re: [IPsec] Fwd: New Version Notification for dra… Erik Kline
- Re: [IPsec] Fwd: New Version Notification for dra… Ben Schwartz
- Re: [IPsec] Fwd: New Version Notification for dra… Ben Schwartz
- Re: [IPsec] Fwd: New Version Notification for dra… Paul Wouters
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Ben Schwartz
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Ben Schwartz