IETF Logo Mail Archive

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

Tommy Pauly <tpauly@apple.com> Thu, 27 April 2017 15:00 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE585129AD3 for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 08:00:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ju44rFYppOYd for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 08:00:02 -0700 (PDT)
Received: from mail-in2.apple.com (mail-out2.apple.com [17.151.62.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 248AD129584 for <ipsec@ietf.org>; Thu, 27 Apr 2017 07:59:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1493305148; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Bu+V6axMUeJtAWTbjwaic1xmVtH+bNwRRF2ZhSF0tyc=; b=OrIe3oAi7NN44FXJYinN/XAozNwsjRT9jdnWD2EWBiGBUYvkncMmnjbdwrQfm6hj Po/KtzDjqZ1+syusuJRaw4CPLE3qnZu9eDdHrAuG0XR5EKGbWXHkSX+i0gjOn2+e xDeln+78Z0p5fgbfUPAMRQ6wkeBwNii+8x3Kp7YM6cs2yglEpmV4lOOej1LRgEEM lwD+4N5Jak9fxSPDIYMbI8BrwZCdvvdXMd12XMBmxw7uAMvEYO8Pu10jWO8BNknI HbDt8ga1j04znJohq54fH7/DT5ed3nopoddlwod2jHxfMDifAFlz3WuCS10Ytylq /W174iDuo4MymsfzAuzTtQ==;
Received: from relay5.apple.com (relay5.apple.com [17.128.113.88]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in2.apple.com (Apple Secure Mail Relay) with SMTP id 17.9D.29279.C3702095; Thu, 27 Apr 2017 07:59:08 -0700 (PDT)
X-AuditID: 11973e11-0e8b49a00000725f-d4-5902073c3380
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by relay5.apple.com (Apple SCV relay) with SMTP id BB.1E.02326.C3702095; Thu, 27 Apr 2017 07:59:08 -0700 (PDT)
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"
Received: from [17.153.74.134] (unknown [17.153.74.134]) by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0OP200B9IPMKTR40@nwk-mmpp-sz11.apple.com>; Thu, 27 Apr 2017 07:59:08 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <4f5900d2-a795-8bb4-a89d-dad51e4a6f09@kuehlewind.net>
Date: Thu, 27 Apr 2017 07:59:07 -0700
Cc: Eric Rescorla <ekr@rtfm.com>, ipsecme-chairs@ietf.org, Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-tcp-encaps@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <8B5EDA56-CE70-4AD7-AC52-643F288482F0@apple.com>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net> <CABcZeBMj9UpzD+CpvOMKOkUsYNSL-UQCwuYt__5XCXtH=zyesA@mail.gmail.com> <22fac532-f30b-03e3-0757-aed213e5a346@kuehlewind.net> <4f5900d2-a795-8bb4-a89d-dad51e4a6f09@kuehlewind.net>
To: Mirja Kühlewind <ietf@kuehlewind.net>
X-Mailer: Apple Mail (2.3424)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrHLMWRmVeSWpSXmKPExsUi2FAYoWvDzhRpcPWoocX7P2cYLVa8Psdu MePPRGaLF9c/Mlvs3/KCzWLmnA8sFkfPP2dzYPdYsuQnk8fhrwtZPFo+LmT1mPy4jTmAJYrL JiU1J7MstUjfLoErY2X/U/aCn/4VT+4sYG5gPG3dxcjJISFgIrGgcRtbFyMXh5DAaiaJl+ue s8AkHrx8zwKROMQosePIQiaQBK+AoMSPyfeAEhwczALqElOm5ELUTGSS+DLlFzNIXFhAQmLz nkSQuLDABEaJ19dmsYP0sgmoSBz/toEZxOYUcJKY9HAB2DIWAVWJYxcmgtnMAusYJT795ISw tSWevLvACjKTV8BGYtavAIhd75kknuw6DXaPiICVRPP2R1BHy0pMWLeZGaRIQuA+m0Tj0w+M ExiFZyG5exbC3bOQrFjAyLyKUSg3MTNHNzPPSC+xoCAnVS85P3cTIyhCptsJ7mA8vsrqEKMA B6MSD2/EJ8ZIIdbEsuLK3EOM0hwsSuK8yjv+RwgJpCeWpGanphakFsUXleakFh9iZOLglGpg FHORmT6nb8qBfxLO/PvTbk4wbQvcmWjd68+423D24zuHdAO1px7dfeJ1nUjU2iy5r26d4fv+ PD11+2GiVExCX1aYzdQu6ypmrr2ZE3tTw98p+5dfmt7aWNN2IOv81tOG2z3Cvvm7F/tHVpau 0VY9nC7tbKKl7MywSa5X7EKMqP7LK/3bpb8qsRRnJBpqMRcVJwIAQTE5vHECAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrAIsWRmVeSWpSXmKPExsUi2FA8W9eGnSnS4FyfjsX7P2cYLVa8Psdu MePPRGaLF9c/Mlvs3/KCzWLmnA8sFkfPP2dzYPdYsuQnk8fhrwtZPFo+LmT1mPy4jTmAJYrL JiU1J7MstUjfLoErY2X/U/aCn/4VT+4sYG5gPG3dxcjJISFgIvHg5XuWLkYuDiGBQ4wSO44s ZAJJ8AoISvyYfA8owcHBLKAuMWVKLkTNRCaJL1N+MYPEhQUkJDbvSQSJCwtMYJR4fW0WO0gv m4CKxPFvG5hBbE4BJ4lJDxewgNgsAqoSxy5MBLOZBdYxSnz6yQlha0s8eXeBFWQmr4CNxKxf ARC73jNJPNl1GuweEQEriebtj1ggjpaVmLBuM/MERoFZSE6dhXDqLCRTFzAyr2IUKErNSaw0 1UssKMhJ1UvOz93ECA7owogdjP+XWR1iFOBgVOLhZfjAGCnEmlhWXJkLDAsOZiUR3swrQCHe lMTKqtSi/Pii0pzU4kOMVUC/TGSWEk3OB0ZbXkm8oYmJgYmxsZmxsbmJOVWElcR5V7YBbRZI TyxJzU5NLUgtglnOxMEp1cCYL2pUfLvs/vX3vx9M//Vu3tmbv2Qm/FJw31n1O9yISeXR4o0L Gh67Vn1T107J7WWSEf5wyf3hW7WLT3I27j+95/FHAfs39iedDm79sPHQvPppT5f++rAqTHty /e/+Y7OOKT8UZkpL11G6X8qTOolr2tesBOPcrA26K7YnuRuv3luvpWRkf8wmSYmlOCPRUIu5 qDgRANHWRhnDAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Lsk5eu5SAZ2yF_tKDFFZGBqGKkU>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 15:00:09 -0000

> On Apr 27, 2017, at 6:46 AM, Mirja Kühlewind <ietf@kuehlewind.net> wrote:
> 
> One more side comment on the magic number: actually the magic number makes it easy for network operator to identify IKE/IPSec traffic on any port and block all packets that below to a flow that started with this pattern in the first payload packet. So if you really think you need a magic number, you should probably always encrypt it.

The working group determined that the point of the protocol is not to evade any possibility for middleboxes to block the traffic, but instead to allow connectivity through middle boxes that are essentially 'accidentally' blocking IKE/ESP. If an operator wants to block this traffic explicitly, that is fine. However, it is very common that networks on public access points will block everything by default based on what they consider to be 'web' traffic; they do not inspect more deeply.

Thanks,
Tommy

> 
> 
> 
> On 27.04.2017 15:42, Mirja Kühlewind wrote:
>> Hi Ekr, hi all,
>> 
>> (not sure anymore which email best to reply to but I'm using this one now to
>> partly also reply to others).
>> 
>> See below.
>> 
>> On 27.04.2017 14:51, Eric Rescorla wrote:
>>> 
>>> 
>>> On Thu, Apr 27, 2017 at 1:32 AM, Mirja Kühlewind <ietf@kuehlewind.net
>>> <mailto:ietf@kuehlewind.net>> wrote:
>>> 
>>>    I do see the problem you have and I understand why you selected the
>>>    solution you have but that does contradict quite a bit the idea of the
>>>    port registry and I don't think it's a safe and future prove solution.
>>>    Even if people use this approach, I'm concern to publish it in an
>>>    Standards Track RFC, but I guess that's a discussion the IESG would need
>>>    to have.
>>> 
>>> 
>>> Mirja,
>>> 
>>> I agree that this kind of port squatting is regrettable, but I also don't
>>> think it really
>>> helps to not publish RFCs that document widely used protocols because we
>>> are sad they port-squatted.
>>> 
>>> I proposed a way to deal with this in an earlier e-mail. Would that be
>>> satisfactory
>>> to you. To retransmit, we add the following
>>> 
>>> "Note: While port 4500 is the reserved port for this protocol, some existing
>>> implementations
>>> also use port 443. The Stream Prefix provides some mitigation against
>>> cross-protocol
>>> attacks in this case, however, the use of port 443 is NOT RECOMMENDED"
>>> 
>>> We could do something similar for port 80.
>>> 
>>> Would that work?
>> 
>> This already is good but I think it's not enough. As Tero noted the working
>> group thought that they rather specify a generic scheme which I find
>> problematic. Currently the drafts says:
>> 
>> "This document leaves the selection of TCP ports up to
>>    implementations.  It is suggested to use TCP port 4500, which is
>>    allocated for IPsec NAT Traversal."
>> 
>> Which sounds to me like an invitation to squat on any open port regardless
>> what the port is supposed to be used for (hoping that the magic number would
>> avoid any collision). I don't think that a good thing to right in an RFC.
>> 
>> Now given the text you propose above, I actually assume that the text I just
>> cited will be removed but the whole document is written with this assumption
>> and therefore there are a couple more places where wording probably needs to
>> change.
>> 
>> I do understand well the problem and that 443 is used in practice. However,
>> to match reality I would rather like to see a document that specifies the
>> approach of encapsulating in TLS/TCP on port 443 that is used today and pure
>> TCP encapsulation for use with port 4500 only. Again i think that's where
>> your proposed text is heading to but I think it needs more changes; in this
>> case it would also make sense to add the TLS part back in the main document
>> for 443 only.
>> 
>> Further, I have one more question: The document is written in a way that
>> allows the implementation of multiple services on the used port. Is that
>> actually done in reality? If we could restrict the use of this encapsulation
>> with servers that only are IKE servers (at least for the used port), you
>> would actually not need the magic number anymore. I guess you can still have
>> the magic number if you really want it because that makes it easier to
>> distinguish valid IKE/IPSec traffic from other random traffic that might be
>> send to this port but the other service running on this port (on other
>> servers) does not need to know about the magic number because it is supposed
>> to never see any IKe/IPSec TCP-encapsulated traffic.
>> 
>> Does that make sense?
>> 
>> Mirja
>> 
>> 
>> 
>>> 
>>> -Ekr
>>> 
>>> 
>>> 
>>> 
>>>    Mirja
>>> 
>>> 
>>> 
>>>        We can soften the references in the appendix to the fact that other
>>>        ports may, in fact, be used. As for the configuration, it should
>>>        state 4500 as the default, but allow peers to configure something
>>>        else out-of-band if they want to modify behavior (which is standard
>>>        even in UDP implementations of IKE).
>>> 
>>> 
>>>            Further, as also mentioned in the tsv-art review (Thanks Wes!), this
>>>            draft does not sufficiently handle the case of TCP in TCP
>>>            encapsulation.
>>>            Here a copy of the tsv-art review:
>>> 
>>>            Reviewer: Wesley Eddy
>>>            Review result: On the Right Track
>>> 
>>>            This document is clear and well-written.  It can easily be
>>>            implemented
>>>            based on the description.
>>> 
>>>            There are a few additional issues that should be considered with
>>>            advice to implementers in Section 12 on performance considerations:
>>>            1) Invisibility of packet loss - Inner protocols that require packet
>>>            losses as a signal of congestion (e.g. TCP) will have a challenge due
>>>            to not being able to see any packet losses since the outer TCP will
>>>            repair them (unless sending into a full outer TCP socket buffer shows
>>>            up back to the inner TCP as a packet loss?).
>>> 
>>> 
>>>        Yes, this is definitely true. We try to capture that with the line:
>>>        "This will make loss-
>>>           recovery of the inner TCP traffic less reactive and more prone to
>>>           spurious retransmission timeouts."
>>> 
>>>        However, this can certainly be expanded upon.
>>> 
>>>            2) Nesting of ECN -  Inner TCP connections will not be able to use
>>>            effectively ECN on the portion of the path covered by the outer TCP
>>>            connection.
>>> 
>>> 
>>>        Generally, IPsec tunnels will apply RFC 6040 for translating ECN
>>>        markings between inner/outer packets. Since TCP encapsulation places
>>>        the inner IP packets in a stream, there isn't a direct mapping.
>>> 
>>>        An implementation could try to roughly map, but it may be best to
>>>        suggest that the ECN markings for inner and outer packets be left
>>>        separate. What is your opinion?
>>> 
>>>            3) Impact of congestion response on aggregate - The general "TCP in
>>>            TCP" problem is mentioned, and is mostly appropriate for a single
>>>            flow.  If an aggregate of flows is sharing the same outer TCP
>>>            connection, there may be additional concerns about how the congestion
>>>            response behavior impacts an aggregate of flows, since it may cause a
>>>            shared delay spike even to low-rate flows rather than distributing
>>>            losses proportional to per-flow throughput.
>>> 
>>> 
>>>        Indeed. We can add further comments to that effect.
>>> 
>>>            4) Additional potential for bufferbloat - Since TCP does not bound
>>>            latency, some applications in the IPsec-protected aggregate could
>>>            drive latency of the shared connection up and impact the aggregate of
>>>            flows that may include real-time applications.  The socket buffer for
>>>            the outer TCP connection might need to be limited in size to ensure
>>>            some bounds?
>>> 
>>> 
>>>        We can add a comment to suggest that the buffering should be limited
>>>        on the outer connection if possible.
>>> 
>>> 
>>>            Not addressing these could lead to poor experiences in deployment, if
>>>            implementations make wrong assumptions or fail to consider them.
>>> 
>>> 
>>>        I do think all of these concerns go back to the overall
>>>        recommendation of "use direct ESP or UDP Encapsulation whenever
>>>        possible". Anything to help back up that point is great!
>>> 
>>>        Thanks,
>>>        Tommy
>>> 
>>> 
>>>            In the security considerations section, there are several RFCs on
>>>            mechanisms to increase robustness to RST attacks and SYN floods that
>>>            could be mentioned if it's worthwhile.
>>> 
>>> 
>>> 
>>> 
>>>            _______________________________________________
>>>            IPsec mailing list
>>>            IPsec@ietf.org <mailto:IPsec@ietf.org>
>>>            https://www.ietf.org/mailman/listinfo/ipsec
>>>            <https://www.ietf.org/mailman/listinfo/ipsec>
>>> 
>>> 
>>> 
>>>    _______________________________________________
>>>    IPsec mailing list
>>>    IPsec@ietf.org <mailto:IPsec@ietf.org>
>>>    https://www.ietf.org/mailman/listinfo/ipsec
>>>    <https://www.ietf.org/mailman/listinfo/ipsec>
>>> 
>>> 
>> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email