Re: [IPsec] Labeled IPsec options
"Valery Smyslov" <smyslov.ietf@gmail.com> Fri, 13 December 2019 14:52 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28BA31208E2 for <ipsec@ietfa.amsl.com>; Fri, 13 Dec 2019 06:52:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g5LNJC-73CLf for <ipsec@ietfa.amsl.com>; Fri, 13 Dec 2019 06:52:53 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2300A12011D for <ipsec@ietf.org>; Fri, 13 Dec 2019 06:52:53 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id m6so2878317ljc.1 for <ipsec@ietf.org>; Fri, 13 Dec 2019 06:52:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=FWKiHBxKIO6BIX3VM+tE/jGt7NdGVijEP9HZtsWiZzI=; b=rkYl413U5vk2etB47+zGUe1pNCOntKtTCCL6vHisUwhwGEEagbt2Gf0I2Yh+yq0UTf J9w2n83jbc5xvya+e+LZYHtlFw2yyBY1Di4Fncnv1Tbob2/LnRfkUNjZUJk/60nC9xdB wfSLFWcjdkwpWN9f25FutpAYteOx4d68IN6DNY+K/yJSVRK5BkzhFZNWHGr/QwwQlFlr 6kyc0zGMCvR26uImuVvnGSi2gPrDsnfn6Iaa2sMtbVs8E0khwM1uqdSJ8Bm9dxIk2hqF r3Y9iFynGZsYALi6iMb0vCmAaCc6B+TEsotLfG2z0SvrOusewhzCfD+bnotdUig5yYM9 Zn/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=FWKiHBxKIO6BIX3VM+tE/jGt7NdGVijEP9HZtsWiZzI=; b=I8k7ypWOrrJFsIYuWfEXzYcjlM+Q1XjM9YFRgAQkLkZsipSoxfhIJJZyu1ywKquyTs J0Cb8rnIMHNQ94LawLo4gClt/nkM/tVr/BbhngSey2aICs3l0e4rQXqV760GWqyfCOPq eKbPRJhGexziqN7XKk0PqW90bEUo5mDUw23y8mhAEWyzNvdhzrVL2sgqMks+xtjghCaU Ff+LEWttvtGu6MBfSFbOAmUFqtmJpCSpV8yvi+J6VeJOdcULNGzFtxAtWUwHZ0zjfj4P 2AsEpnT7NWU92m2dVHd3kiBBQ04b4GCeJPid/I9tZ6upuRKAvdjPPSbLi5P8GNDGmgRU I/ZA==
X-Gm-Message-State: APjAAAWo3HKnGLQ0D1JCHFG8ErlRXBVBScQnAegYESwxlSgiMLzW+isJ v8VjWKu0/LfeSMxNJY0gEshEuGlr
X-Google-Smtp-Source: APXvYqwqQjxR9GVcEzPJNYQmKcSkd0fD7Qg80gFcwnlE5rKL0pmczR9Zcxb8vfYgSBsVPRT/tR3/tg==
X-Received: by 2002:a2e:8698:: with SMTP id l24mr10135298lji.94.1576248771042; Fri, 13 Dec 2019 06:52:51 -0800 (PST)
Received: from svannotebook ([185.48.36.95]) by smtp.gmail.com with ESMTPSA id y25sm4673742lfy.59.2019.12.13.06.52.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 13 Dec 2019 06:52:50 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>
Cc: ipsec@ietf.org, 'Sahana Prasad' <sahana@redhat.com>
References: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca> <01f501d5b0b2$facb4370$f061ca50$@gmail.com> <alpine.LRH.2.21.1912121606130.22484@bofh.nohats.ca> <046001d5b1c1$232c7be0$698573a0$@gmail.com> <alpine.LRH.2.21.1912130928540.8529@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1912130928540.8529@bofh.nohats.ca>
Date: Fri, 13 Dec 2019 17:52:49 +0300
Message-ID: <046301d5b1c4$fdad5840$f90808c0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLx+ZsZ28gCWkLjxf5xPWFraxjS5AGiqmCDAKLVkHsB/ZSllADlO9DtpVZRu8A=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Jpxc4HnchUnlIKWpjZbmaOVT6g4>
Subject: Re: [IPsec] Labeled IPsec options
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Dec 2019 14:52:55 -0000
> >> I don't think that matters. Security labels are never optional but > >> always mandatory. And it seems very unlikely to have a mix of child > >> sa's with and without label. So they will all have a label, and then > >> failing the IKE SA is fine, > > > > Do you want to say, that it's impossible to have two SGWs with > > multiple networks behind them so, that traffic from some networks will > > have security labels and traffic from the others won't have? > > I'm not saying it is impossible. I am saying it is not likely to be a real life > configuration. If you classify network traffic with labels, your goal is to not > have unlabeled traffic come in at all. You might have a label SEC_WHATEVER, > but it still seems far more likely you would mark the traffic as having come > from SGWx with some kind of LABELx to track the origin throughout your > network. > > > If such a configuration is possible, then it's perfectly OK to have a > > mix of labelled and non-labelled IPsec SAs created by one IKE SA. > > I'd argue the reverse. It would likely be better not to allow such an awful > configuration :) So, am I right that you want all IPsec SAs created from a single IKE SA to either have labels or not? If so, then it looks like an IKE SA property, and thus an ability to use labels should really be negotiated when IKE SA is created (well, I don't care whether it is SECLABELS_SUPPORTED or SECLABELS_REQUIRED notification :-)). And since peers know that seclabels are supported, we won't have any problems with legacy implementations (for example, the responder cannot ignore label in notification in option 3). Regards, Valery. > > Paul
- [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Tero Kivinen
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Russ Housley
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Tero Kivinen
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters