IETF Logo Mail Archive

Re: [IPsec] Some thoughts regarging draft-hopps-ipsecme-iptfs-01

Paul Wouters <paul@nohats.ca> Sun, 01 December 2019 07:52 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DD17120048 for <ipsec@ietfa.amsl.com>; Sat, 30 Nov 2019 23:52:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZmsVLd6sYDu0 for <ipsec@ietfa.amsl.com>; Sat, 30 Nov 2019 23:52:53 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99150120044 for <ipsec@ietf.org>; Sat, 30 Nov 2019 23:52:53 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 47QgTH6kTxzFPM; Sun, 1 Dec 2019 08:52:51 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1575186771; bh=KCFKodR5vwIFQgy9b4OgUeWqM2XZzM+b+7PHdvWlsIY=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=b9ZM3NeaQmIBnk0hcTiGDLiKiDy9vioW4Npqp4SGOvJARRBYyx7kT62ftWo6Y/wvH LFWfIJBUO65qRKclxPfQlJFR+/eD5leSaPbxNQRyaZ+rAQ0XvfkLiaLIupUwe3wqI2 PUv9smd1D2s38x4cc2VydY2X4tqsrqY3Hc7NrbM4=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id aP3r8y0VMqZt; Sun, 1 Dec 2019 08:52:50 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sun, 1 Dec 2019 08:52:50 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id AE0AB600119F; Sun, 1 Dec 2019 02:52:49 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id AA3D866AA9; Sun, 1 Dec 2019 02:52:49 -0500 (EST)
Date: Sun, 01 Dec 2019 02:52:49 -0500
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: IPsecME WG <ipsec@ietf.org>
In-Reply-To: <039e01d5a5f2$ac51d350$04f579f0$@gmail.com>
Message-ID: <alpine.LRH.2.21.1912010246330.2378@bofh.nohats.ca>
References: <039e01d5a5f2$ac51d350$04f579f0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LMsIpsELWG-mGthufU_N6PWJmGc>
Subject: Re: [IPsec] Some thoughts regarging draft-hopps-ipsecme-iptfs-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Dec 2019 07:52:55 -0000

On Thu, 28 Nov 2019, Valery Smyslov wrote:

> after reading through draft-hopps-ipsecme-iptfs-01 I have some thoughts.
>
> 1. I think it's a wrong decision to support tunnel mode ESP only. IP-TFS for transport mode ESP
>    is equally important because one of the widely used scenario is to combine general purpose
>    tunneling (like GRE) with transport mode ESP. In this case traffic flowing over such SA
>    will in fact be tunnel traffic from several hosts, but the SA is created in transport mode.
>    For this reason I think that IP-TFS must support transport mode SA either.

I sadly agree. I was quite shocked to recently learn that Cisco prefers
GRE over Transport Mode for _all_ of their subnet to subnet configurations and
they consider their policy based VPN configs using cryptomap "obsolete".

> 3. I think that using new Transform Type for IP-TFS negotiation is a bad idea.

I also prefer to see a USE_IPTFS notify similar to USE_TRANSPORT and USE_COMPRESS.

> 7. I don't think that late-enabling of IP-TFS described in section 2.4
>    is really needed. It adds unnecessary complexity and somewhat contradicts
>    to what is stated in section 2.3.

I agree. It would also have to specify a PF_KEY/NETLINK type message
because the userland IKE daemon must know this has happened, to be
able to reject/accept or at least log this event. If the only goal is
debugging, then we should just not allow this. The same could be
achieved by rekeying the child sa with the USE_IPTFS notify (which
would be another reason not to use a transform, because those must
not change during rekey)

Paul

v2.29.0 | Report a Bug | By Email | System Status