Re: [IPsec] Comments: New Version Notification for draft-mglt-ipsecme-diet-esp-08
Daniel Migault <mglt.ietf@gmail.com> Tue, 07 June 2022 13:04 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3339C15BE8B for <ipsec@ietfa.amsl.com>; Tue, 7 Jun 2022 06:04:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SL94QpgfLj9U for <ipsec@ietfa.amsl.com>; Tue, 7 Jun 2022 06:04:40 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9792C14CF13 for <ipsec@ietf.org>; Tue, 7 Jun 2022 06:04:40 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id u23so28250477lfc.1 for <ipsec@ietf.org>; Tue, 07 Jun 2022 06:04:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=f5nPqrUXd8mAdyuhBzMnutehwa9gTWzZKHJ9y++YvY4=; b=BlqcVdETqq42bX8tNDxtJbJJr/+/Lj0HEycDIf5skpvgNUp61y3sfODlb4cLZ23Eft VvMBIo1Z2CibG6LrRP6WsGOObFq5UZpemiSF34cbHZ0DSVqUGra285yk4yBJDfonIbZe YjfozBm5XLZDDGwzxVFhtA6eVqRZx3OLfz1lrJlH61vxXj+7KQ5AGdU3XV/NhZZ89dw/ 9INKrvWqskz1pcNGwjhPb69R0COiV0kvtFgFfoXGJhVim1wEPWBozx2ioT3aaPeAebue hyJOhb2GVr9+4Jle2IFuok+poW8LqtkObF3MLCbLN9SFYRXwIlCZ0tpi2ClO6eqDjPvg S8Tw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f5nPqrUXd8mAdyuhBzMnutehwa9gTWzZKHJ9y++YvY4=; b=0EPhzPa/fX5M/uKwj55koXBGftcalgZMHY2YQM/y/4BHK9k4Ze6a6w9h5Oe3y6Jv/8 Oa+yQR5XmvmY70sPBSjraNhxb7KsCep4207s5agQ6hJLBcnzQJUpoavBKwwZcq6NlJKn BOU6Rq8H3QLP3OsxWrv+ayE6xRied7PPmHUkw0XUmfp0m5ZMROjqR9kD8dFfwY9jAIzQ ywJ0nAhd18XyBGqvvLtGJZEglgNlm4jFQwgNt/qpcuHuPO2MjCGIIi55mZc/Pc+9tn6o 4Os9hbyBaMa4QeqKA5VkIDVymKByl/aTJXiOsa49yJCC7cHygcu7+K6IyOs/OHk3Plks MHTg==
X-Gm-Message-State: AOAM532SDYcx0FQ6oTjCNq13s1U5roB62qQYRuh/4uCeQTK1D9/EB9xS lco21hypfQTzaCyV/P6XGC3cqgOaSigbRjDteOs=
X-Google-Smtp-Source: ABdhPJxYgi47nEEfw5XkzkW4/y46eXhJp/Xz1v2hrmiLXA9/F04rTCMQ50mCeIhNnvIzVLJT2Z42ihiBhDGcsVC1PfU=
X-Received: by 2002:a05:6512:3501:b0:478:c864:8537 with SMTP id h1-20020a056512350100b00478c8648537mr19151682lfs.442.1654607076596; Tue, 07 Jun 2022 06:04:36 -0700 (PDT)
MIME-Version: 1.0
References: <165245934076.55873.10897274756238806359@ietfa.amsl.com> <DM6PR15MB36891F40C6CE592453EA70B7E3CA9@DM6PR15MB3689.namprd15.prod.outlook.com> <53e16b45-a7a0-dcbe-2303-81d438749912@htt-consult.com>
In-Reply-To: <53e16b45-a7a0-dcbe-2303-81d438749912@htt-consult.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 07 Jun 2022 09:04:25 -0400
Message-ID: <CADZyTkn83eDR1nu0cfn9++7LNuLEU7CJaWoW4VxhsDdARqBcdg@mail.gmail.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000b1e9905e0db3b71"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/HzMGB2RlokEs389XZakvSr2_O88>
Subject: Re: [IPsec] Comments: New Version Notification for draft-mglt-ipsecme-diet-esp-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2022 13:04:41 -0000
On Mon, May 16, 2022 at 4:47 PM Robert Moskowitz <rgm-sec@htt-consult.com> wrote: > Thanks, Daniel for the update. > > Now some comments. > > The necessary state is held within the IPsec Security Association and > > The document specifies the necessary parameters of the EHC Context to > allow compression of ESP and the most common included protocols, such > as IPv4, IPv6, UDP and TCP and the corresponding EHC Rules. > > Should any reference be made to cipher compression? At least reference > to 8750? Or since this is just the abs > sure we can, but the transform itself is a bit outside EHC. > > It also > defines the Diet-ESP EHC Strategy which compresses up to 32 bytes per > packet for traditional IPv6 VPN and up to 66 bytes for IPv6 VPN sent > over a single TCP or UDP session. > > > In UDP transport I am reducing 18 bytes (assuming cipher with zero > padding) to 4 bytes. Also worth noting here... > > we are saying up to which likely corresponds to an extreme case and something like 18 bytes seems reasonable. > > On the other hand, in IoT > communications, sending extra bytes can significantly impact the > battery life of devices and thus the life time of the device. The > document describes a framework that optimizes the networking overhead > associated to IPsec/ESP for these devices. > > > You say nothing about constrained comm links. This compression may make > ESP viable over links like LoRaWAN. > > yes. if that is not in the doc, it might be we said it too many times that we finally forgot ;-). > ESP Header Compression (EHC) chooses another form of context > agreement, which is similar to the one defined by Static Context > Header Compression (SCHC). > > Reference rfc 8724. > > And more than 'similar"? Maybe "based on the one"? > > currently not, but this is actually what we think we should do. > The context > itself can be negotiated during the key agreement, which allows only > minimal the changes to the actual ESP implementation. > > I don't get this. What only allows minimal changes? The key agreement > protocol or ECH? If the later then perhaps: > > no. whatever is used to describe the compression descripression will not be implemented by setting a compressor / decompressor for at least ESP software implementation. The changes are minor. On the other hand, things may be a bit more complex for hardware based ESP which cannot be modified. In that case, we probably need to implement the compression / decompression steps outside ESP. > The context > itself can be negotiated during the key agreement, which then needs > only > minimal the changes to the actual ESP implementation. > > More for introduction: > > Perhaps you can add that in transport mode, an SA may be for a single > transport/port to tune the ECH for that use and that multiple SAs could > be negotiated for this case. > > Question: Can a single IKE exchange produce multiple SAs? > > The context is per SA, so I suppos ethe suggestion is to make it per SA if that has not been clearly specified in the IKE extension document. > Here is my use case: > > Between the UA and GCS are two flows. One for Command and Control (C2) > the other streaming video. Both over UDP, but different ports. So > instead of having carry the UDP ports in all the messages, negotiate > separate SAs with the appropriate ECH. > > Ah, I see this in Sec 5. You should say something about this in the intro. > > sec 4. > > EHC is able to compress any protocol encapsulated in ESP and ESP > itself. > > No really true per other claims. Does it offer compressing RTP? I need > that, probably, for my streaming video app. > > We probably need to clarify this. It seems the baseline is pretty much any layer related to traffic selectors, which I think could theoretically be pretty high up in the layers though in practice this may be reduced to IP and transport. > to compress any IP and transport protocol... > > And only TCP and UDP are shown, what about, say, SCTP? > > BTW, I note that you use 'IKEv2'. At this point is that really needed? > Should just IKE be enough? Has not IKEv1 been depreicated? > could be. > > 6. EHC Context > > > The EHC Context is defined on a per-SA basis. A context can be > defined for any protocol encapsulated with ESP and for ESP itself. > > Should that be "any IP or Transport protocol"? To exclude layer 5 > protocols (CoAP, RTP,,,)? > > probably > Layer 5 protocols SHOULD be via standard SCHC with the SCHC Rule ID > included... > > I tend to agree. > Or maybe 'typically'? As some layer 5 might be easy? RTP maybe? > > So this is it for this round of comments. I am looking at Appdx A and > making a UDP example. Including IIV. > > Bob > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > -- Daniel Migault Ericsson
- [IPsec] Fw: New Version Notification for draft-mg… Daniel Migault
- [IPsec] Comments: New Version Notification for dr… Robert Moskowitz
- Re: [IPsec] Comments: New Version Notification fo… Robert Moskowitz
- Re: [IPsec] Comments: New Version Notification fo… Daniel Migault
- Re: [IPsec] Comments: New Version Notification fo… Robert Moskowitz
- Re: [IPsec] Comments: New Version Notification fo… Daniel Migault
- Re: [IPsec] Comments: New Version Notification fo… Daniel Migault
- Re: [IPsec] Comments: New Version Notification fo… Paul Wouters