IETF Logo Mail Archive

Re: [IPsec] Fwd: New Version Notification for draft-xu-risav-02.txt

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 24 October 2022 01:50 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06807C14F74E for <ipsec@ietfa.amsl.com>; Sun, 23 Oct 2022 18:50:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DxGA2yO3pq07 for <ipsec@ietfa.amsl.com>; Sun, 23 Oct 2022 18:50:45 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85028C14F745 for <ipsec@ietf.org>; Sun, 23 Oct 2022 18:50:45 -0700 (PDT)
Received: from dyas.sandelman.ca (cable-24-135-63-90.dynamic.sbb.rs [24.135.63.90]) by relay.sandelman.ca (Postfix) with ESMTPS id 09AE91F450; Mon, 24 Oct 2022 01:50:43 +0000 (UTC)
Received: by dyas.sandelman.ca (Postfix, from userid 1000) id 086B2A02E9; Sun, 23 Oct 2022 21:50:43 -0400 (EDT)
Received: from dyas (localhost [127.0.0.1]) by dyas.sandelman.ca (Postfix) with ESMTP id 0606EA01A0; Mon, 24 Oct 2022 03:50:43 +0200 (CEST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ben Schwartz <bemasc@google.com>, ipsec@ietf.org
In-reply-to: <CAHbrMsCOZMaBX3xk_BEc60OkCuYR2DpzSqj7ogyo9TO5AHauHg@mail.gmail.com>
References: <166627504630.62717.5060565830910515294@ietfa.amsl.com> <CAHbrMsCZR6_a2QJmh5CWVPzhepbktFQmvWJAAVRBqEfbdELZKA@mail.gmail.com> <516851.1666381420@dyas> <CAHbrMsBOO2DEafqVFJk-r98s1_XuVBaXrz5kz6GdB5ZW2ueMkA@mail.gmail.com> <949169.1666530528@dyas> <CAHbrMsCOZMaBX3xk_BEc60OkCuYR2DpzSqj7ogyo9TO5AHauHg@mail.gmail.com>
Comments: In-reply-to Ben Schwartz <bemasc@google.com> message dated "Sun, 23 Oct 2022 17:46:12 -0400."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 24 Oct 2022 03:50:43 +0200
Message-ID: <1133806.1666576243@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/HOMJeO3cDtlweeecx1evJxfoBtM>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-xu-risav-02.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 01:50:50 -0000

Ben Schwartz <bemasc@google.com> wrote:
    >> Ben Schwartz <bemasc@google.com> wrote:
    >>
    > ....

    >> > The real motivation to support AH in this draft comes down to MTU
    >> > overhead.  Going from 24 bytes of MTU loss to 73 bytes seems
    >> > potentially significant, especially because:
    >>
    >> Where will you put the original src/dst IPs?
    >> 24 bytes is the AH overhead only.  The v6 src/dst requires 32 bytes,
    >> at which point you might as well just have an IPIP header at 44 bytes.
    >>

    > They're in the outer IP header, unchanged, so it really is just 24 bytes.

No, that's not legal or practical.

Even assuming that you can insert an AH header (which I think you can legally
do in IPv4, but not in IPv6), then you have to use a SPI# allocated by
destination ASBR, so you have to put the dstip= ASBR.

Really, you need to change the srcip= as well, because otherwise, ICMPs go to
the wrong place.

If you want do something else, then it's relly not IPsec.

    >> > I actually think RISAV uses RPKI for exactly the thing that RFC 9255
    >> > wants: directing IP packets to the corresponding AS number.
    >>
    >> I'm not convinced it will fly.
    >> I agree with you, but I feel like I'm in the rough.
    >>

    > I think we can set this aside until we've ironed out the technical wrinkles.

I actually think thta you need to do this up-front, otherwise, you are
wasting your time.

    >> The draft notes some interesting questions about how sequence numbers
    >> > work in this situation.  The best solution I came up with was to put
    >> > the source IP into the "Additional Data" of the AEAD (or equivalent),
    >> > but this seems like it would need a new IKEv2 extension.
    >>
    >> yes, that's an entirely new cipher mode.
    >>

    > How big a deal is a new cipher mode? It doesn't sound so bad.

It's not that big deal, but I assume you'd like to use commodity off the
shelf hardware.

    >> You have, btw, just re-invented SKIP.  And maybe that's what you actually
    >> want, btw.
    >>

    > Oh, wow.  SKIP (https://datatracker.ietf.org/doc/draft-ietf-ipsec-skip/ for
    > those following along) looks like exactly the "proposed extensions"
    > mentioned in Section 5.2 and Section 5.3 of RISAV, so it's definitely
    > relevant.  Too bad it doesn't exist...

I think that SKIP is probably the best direction to think about.
Some ex-SUN people will buy you drinks until you die if you go that way.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email