Re: [IPsec] Comments on draft-mglt-ipsecme-diet-esp-07
Daniel Migault <mglt.ietf@gmail.com> Fri, 13 May 2022 15:24 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 744E3C1594A7 for <ipsec@ietfa.amsl.com>; Fri, 13 May 2022 08:24:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL_A=0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1sqlwIDBu2b for <ipsec@ietfa.amsl.com>; Fri, 13 May 2022 08:23:58 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33826C157B4B for <ipsec@ietf.org>; Fri, 13 May 2022 08:23:58 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id l19so10672598ljb.7 for <ipsec@ietf.org>; Fri, 13 May 2022 08:23:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iHISui/4i9WVDZC45IJF10N6TpHSGVl7AocjHcRLQPA=; b=cP+W7CK3Du0KJGHClqCk4CHStiXU9IeNK6L5+xsmrRggQY7nNDAmlt1Mjs6RmPFuQx D3W1QJP9C+S9HGnHr+inggGKNqvQYyIrjAr+CcIdvfvbJ4BMleR+pVZAIH/u0vFdVn0/ g81HOrXlUXj3n3prprNQkDsYVTQPsLEfNJpd4g7Lo4522Ha19soY8kQA+/z4klwAEvSp gjCYR5JsD8LeZR1FxHUCQ1Gv6+H+Or8UFix8Whh+hKzINcv3+RVuPclJWb3YwnKKSbEE 63HX3R45bbkFrfeEIiNzKwG5/AYC9ZLIIJSQF1aPa6KHDvHPheqJlSzzrkwTunYu2Tf2 1K0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iHISui/4i9WVDZC45IJF10N6TpHSGVl7AocjHcRLQPA=; b=L5XrqOTnvMB5UCkc3pFlGD4Shav9me/wbNbNCUCLvG11wvZrBU55SoQrNOqQqsxG7s SUNzprD5tHvc0dhHdyhdyvXYJgAjmV9LoKa0P7KKxehDve7vAw0s/IrzoCUsLl01lNCQ V68a4xnUvjCtsP8o3Y9lpzw8XPh0JBjessbBSZuysWDlvUIhzdTSvvKPOW9H4dlffXEs njG4t+lW9uu1zq7L6Zq/b+xC5pY+bNRSpE5QmrCd0q2ofUl6l/wVl6nbiVJLDDwibzW/ hF+kLrJbGfmJe69vKAKz1ULNCT+8boH70WoZ3R4/ryWpxUNpFzcNIti30j49byYn3yUY e34w==
X-Gm-Message-State: AOAM532oRSwdwe6QivYbXu6QeKnTSrsHJTNtj5Wzfo8H+fJXgUF5mpxN ICADtBtGCW61TVChixX97GmNaJPEwAiFRqJ9/40t7AHt
X-Google-Smtp-Source: ABdhPJyA9Gr0HdqcRroLVEUiGtpggqEjw9M+5KPKC2qF1gY2ykYsvWsxUzHXGUEFSDS3NeBRVVZviCapiLChlo+nJ2w=
X-Received: by 2002:a2e:b894:0:b0:250:5ced:75bd with SMTP id r20-20020a2eb894000000b002505ced75bdmr3505278ljp.53.1652455435509; Fri, 13 May 2022 08:23:55 -0700 (PDT)
MIME-Version: 1.0
References: <b510dbad-fa37-7591-ebf6-e3af2a31c140@htt-consult.com> <CADZyTkkMTALCRzBquTZZQOoAgeFbvyqML3pCnTSommxr5U0sRg@mail.gmail.com> <e115463f-0aee-a29a-78e9-e658eb34ae61@htt-consult.com>
In-Reply-To: <e115463f-0aee-a29a-78e9-e658eb34ae61@htt-consult.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Fri, 13 May 2022 11:23:44 -0400
Message-ID: <CADZyTk=2YH-kyybgnMePviftjRnX_kUWPH6+tiu3czzdA_nN_Q@mail.gmail.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003da4d005dee643f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/M4gNvBs89SXinsCOz9WzL9s67jA>
Subject: Re: [IPsec] Comments on draft-mglt-ipsecme-diet-esp-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2022 15:24:02 -0000
I applied your comments on my local copy. Please see some additional comments inline. Yours, Daniel On Thu, May 12, 2022 at 12:30 PM Robert Moskowitz <rgm-sec@htt-consult.com> wrote: > > > On 5/12/22 11:58, Daniel Migault wrote: > > Hi Bob, > > I apologize for the delayed response. I am happy to go back to this > document. > > > Good and thank you. > > I also see a tunnel application, but that will be for later. > > First UDP Transport and UDP BEET mode. > > I checked previous versions and did not find a UDP Transport mode example. The current version is limited to UDP in tunnel mode. I do not expect much changes, but that is something we can add. I also believe that BEET mode - though no a standard might be good but that one I am pretty sure I never drafted it. > > Yours, > Daniel > > On Fri, May 6, 2022 at 5:02 PM Robert Moskowitz <rgm-sec@htt-consult.com> > wrote: > >> First read-through. >> >> Is there an implementation of this draft? >> >> yes we do have an implementation on contiki, as well as in python. > > The implementation is available here: > https://bitbucket.org/sylvain_www/diet-esp-contiki > > You can also find a description of the implementation as well as some > experimental measurements we performed there: > > https://www.researchgate.net/publication/316348221_Diet-ESP_IP_layer_security_for_IoT > > Obviously it being last published in '19 some drafts are now RFCs and >> thus need updating. >> >> Sure ;-) > >> Page 5 at top: >> >> Non ESP fields may be compressed by ESP under >> certain circumstances, but EHC is not intended to provide a generic >> way outside of ESP to compress these protocols. >> >> How does EHC work with SCHC CoAP compression, rfc 8824? I would think >> this is a must work with... >> >> I agree that is something we should consider and probably clarify. > Diet-ESP is not intended to provide some compression beyond what is being > used for TS. I do not see CoAP as part of these TS, and as such, I would > expect the compression associated to CoAP to be handled "after Diet-ESP". > Not having read how SCHC compresses CoAP, I Assume that SCHC CoAP > compresses also the UDP/IP part which ends in the compressed CoAP packet > not being an IP packet. On the sender side, when IPsec is applied to such > packet, there is a need that this compressed CoAP packet matches the SPD TS > - unless these are set to ANY. So my first question would be how SCHC > CoAP works with IPsec ? > > > Most of the SCHC CoAP rfc deals with the CoAP headers, and any UDP > consideration is out-of-scope. Even with UDP/DTLS, 8824 is silent. I > think. > > So this draft can easily ignore CoAP. It took me a bit of reading to get > to this point.. > > > Assuming the compressed packet is protected by IPsec, only the ESP fields > will be subject to compression. On the other hand, if IPsec requires some > fields, there is probably a need to request Diet-ESP to compress what > SCHC(CoAP) has not compressed to make IPsec work. > > > As far as diet-esp is concerned any 8824 CoAP compression is just data > payload. The SCHC RuleID is the first field either in the UDP data or the > DTLS data. > > > > > >> As depicted in Figure 1, the EHC Strategy - Diet-ESP in our case - >> and the EHC Context are agreed upon between the two peers, e.g. >> during key exchange. The EHC Rules are to be implemented on the >> peers and do not require further agreement. >> >> Can the EHC Strategy, Context, and Rules be static between two hosts? >> This is of interest to me with Network Remote ID where these will always >> be the same (I think so far) between the UA and Service Provider. >> >> In fact if aligned with SCHC, static is the norm which can be overridden >> during a key exchange. This approach would allow the key exchange to be >> unmodified to support diet-esp. >> >> Rules are static and require only to agree on a very small number of > parameters via IKEv2. What I do not think we considered is the exchange of > additional SCHC rules. > > > I just asked this again in my latest missive. I think you need the IKE > payloads. > yes, I am wondering if adding some SCHC IDs would be sufficient or if something more would be needed. > > And I will somewhere have to do the matching HIP payloads. ;) > > > >> With EHC, the agreement of the level or occurrence of compression is >> left the negotiation protocol (e.g. IKEv2), contradicting the >> signalization of the level of compression for a certain packet send >> over the wire. >> >> This is a sentence fragment and I don't get what is being said here. >> Taking out the comma delimited: >> >> With EHC, contradicting the >> signalization of the level of compression for a certain packet send >> over the wire. >> >> ? >> >> Good I will need to review the doc. > >> This >> leads to multiple SAs, and thus, multiple SPIs for different levels >> of compression agreed with the EHC Context. >> >> This can lead to multiple... >> >> Sure, Thanks. > >> I think >> >> If the sender detects the de-compression can not be guaranteed with a >> given EHC Context and EHC Strategy, it MUST NOT apply compression. >> >> If the sender detects that the de- >> >> ? >> >> Made it through sec 6, stopping for now a 6.1 where I will continue >> Monday? >> >> I see that with ESP Next Header compression and ony UDP in the SA, that >> SCHC for UDP is not needed so don't need an IP Protocol number for SCHC >> here. But what about SCHC for CoAP over UDP? >> >> I think there is a need to define which layers will compress the inner > UDP, and this is likely to depend on the TS values. > > > After more reading, I think for Transport/BEET, it will always be > diet-esp. For Tunnel, it may well be 8724. The diet-esp rules will > establish this. Also the RuleID for the 8724 tunnel could be implicit in > the packet, only being in the SA. Compared to 9011. > > > Next I will write up the UDP example. Unless you have one and just did > not include it in the appendix? > > Bob > > -- Daniel Migault Ericsson
- [IPsec] Comments on draft-mglt-ipsecme-diet-esp-07 Robert Moskowitz
- [IPsec] For authors of draft-mglt-ipsecme-diet-esp Robert Moskowitz
- [IPsec] More comments on draft-mglt-ipsecme-diet-… Robert Moskowitz
- Re: [IPsec] Comments on draft-mglt-ipsecme-diet-e… Daniel Migault
- Re: [IPsec] Comments on draft-mglt-ipsecme-diet-e… Robert Moskowitz
- Re: [IPsec] Comments on draft-mglt-ipsecme-diet-e… Daniel Migault
- Re: [IPsec] More comments on draft-mglt-ipsecme-d… Daniel Migault