Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
Valery Smyslov <svan@elvis.ru> Mon, 08 August 2022 12:12 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F4B9C13CCCE; Mon, 8 Aug 2022 05:12:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mtk7gEnFnWvJ; Mon, 8 Aug 2022 05:12:49 -0700 (PDT)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6062FC13CCD5; Mon, 8 Aug 2022 05:12:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=rh8WSTE9EGkZtOHGaPFVoWxbofyeUkLiA5aPK9J+1TQ=; b=PkMgssx8uuj0N8m5OiOITiudaW 87lWQCbRs3tx8XLnL8jpvqDXnkhgoUv/PK7pQq/YbE4viEvPVWAh/ZQ7zGRIxFuif9Xb3V5ivn0Yl zNYS+c+xlnGZpexQYdiv93bkAbfN7chnkKXtlfiHE0IF9l5veLQhbrd1eeViiV3z3GaA=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1oL1cg-0001s7-J2; Mon, 08 Aug 2022 15:12:42 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1oL1cg-0002aS-D9; Mon, 08 Aug 2022 15:12:42 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Mon, 8 Aug 2022 15:12:42 +0300
Received: from svannotebook (10.100.100.6) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Mon, 8 Aug 2022 15:12:41 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Martin Duke' <martin.h.duke@gmail.com>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-rfc8229bis@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
References: <165973261426.54808.11128651982166539913@ietfa.amsl.com>
In-Reply-To: <165973261426.54808.11128651982166539913@ietfa.amsl.com>
Date: Mon, 08 Aug 2022 15:12:41 +0300
Message-ID: <051401d8ab20$28b98660$7a2c9320$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHF0YRJw8EkDTxqScqkLhJqLvUzTq3KVrug
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/08/08 11:53:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/08/08 06:45:00 #20075998
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/K7Qr6t2XPP9ysrulWBrDP1TrdEc>
Subject: Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2022 12:12:54 -0000
Hi Martin, thank you for your comments. Please see inline. > Martin Duke has entered the following ballot position for > draft-ietf-ipsecme-rfc8229bis-07: No Objection > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling- > ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-rfc8229bis/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks to Joe Touch for the TSVART review. There are no showstoppers in this > document, but some non-normative text makes inaccurate statements about > TCP and > RFC6040, and there are some odd decisions with respect to TLS that are worth > asking about: > > (Sec 9.1) > "TCP-in-TCP can also lead to "TCP meltdown", where stacked instances > of TCP can result in significant impacts to performance > [TCP-MELTDOWN]. For the case in this document, such meltdown can > occur when the window size of the outer TCP connection is smaller > than the window sizes of the inner TCP connections. The resulting > interactions can lead to packets backing up in the outer TCP > connection's send buffers. In order to limit this effect, the outer > TCP connection should have limits on its send buffer size and on the > rate at which it reduces its window size." > > Which "window" are you referring to? Receive window, congestion window, > or the > send buffer? My reading of [TCP-MELTDOWN] is that the tunnel ingress > should set > its send buffer size to the BDP of the tunnel, which is easier said than done. > It appears you are using "window" and "send buffer" interchangeably here in a > way that is confusing. This text was suggested by Joe Touch (https://mailarchive.ietf.org/arch/msg/ipsec/eD85hixrzfqwg4UhwRZ8WL5PkDA/) If you think it is unclear, can you please suggest how it can be improved? > (9.5) > Implementations SHOULD follow the ECN compatibility mode for tunnel > ingress as described in [RFC6040]. In compatibility mode, the outer > tunnel TCP connection marks its packet headers as not ECN-capable. > If upon egress, the arriving outer header is marked with CE, the > implementation will drop the inner packet, since there is not a > distinct inner packet header onto which to translate the ECN > markings. > > This is not an accurate summary of compatibility mode. In compatibility mode, > the outer packet is marked Not-ECT, which means it will not be marked CE. In > normal mode, the outer packet is marked as the inner, and this might result in > an outer CE marking. Can you please, clarify why the description is inaccurate? According to RFC 6040 in compatibility mode outer packet are marked as not ECN-capable (Not-ECT). On the other hand, since using compatibility mode is SHOULD here and currently it is assumed that IPsec tunnels are used with normal mode (RFC 4301, RFC 6040), then some additional guidelines are given what to do if peer still uses normal mode. Am I missing something? > It's a shame that there is no attempt to figure out a mapping between inner > and > outer that would make normal mode work, as this reviewer is optimistic that > ECN > marks will become increasingly important. But regardless, this section should > be clear and make correct statements. I'm not sure this is generally possible given that one outer TCP tunnel can include many inner TCP tunnels, so you have to decide which of them to inform. The things get worse if AggFrag mechanism is in use (draft-ietf-ipsecme-iptfs-13, in IESG evaluation). > (Appendix A) Why not provide an in-band way to determine TLS support? > There > could be another port number, or different magic bytes to indicate that TLS > handshake messages follow. Actually, with this draft in-band switching to TLS is really a downgrade, rather than an upgrade (surprise?). The reason is that actual protection of the traffic is provided by IPsec and both TCP and TLS are only used as transport mechanisms that allow IPsec to work in environments where it cannot be used otherwise. And TLS is worse, since it requires more resources and has bigger overhead. So, once you get through using plain TCP there is no sense to switch to TLS. Regards, Valery.
- [IPsec] Martin Duke's No Objection on draft-ietf-… Martin Duke via Datatracker
- Re: [IPsec] Martin Duke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Martin Duke's No Objection on draft-i… Martin Duke
- Re: [IPsec] Martin Duke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Martin Duke's No Objection on draft-i… Martin Duke
- Re: [IPsec] Martin Duke's No Objection on draft-i… Martin Duke
- Re: [IPsec] Martin Duke's No Objection on draft-i… Valery Smyslov