Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt

Paul Wouters <paul@nohats.ca> Wed, 27 March 2024 12:27 UTC

Date: Wed, 27 Mar 2024 08:27:36 -0400
From: Paul Wouters <paul@nohats.ca>
To: "Panwei (William)" <william.panwei=40huawei.com@dmarc.ietf.org>
cc: Michael Richardson <mcr+ietf@sandelman.ca>, "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <57bd1510e66b45c7af60513fbba3051c@huawei.com>
Message-ID: <343238de-93c9-ed85-2c9d-2d783e3a38ca@nohats.ca>
References: <170922023791.21652.13338059706655424526@ietfa.amsl.com> <CAFU7BAQuNkHDRidjQqGbXySKJ1FCRKuAksDa0BHsvfGeG45k6g@mail.gmail.com> <4b44a218c77a49edbaecd3b524dbaac7@huawei.com> <476994.1711501928@dyas> <3f7b0380650a40e6b9cec4afb7f6d034@huawei.com> <497306.1711523247@dyas> <57bd1510e66b45c7af60513fbba3051c@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/MzwYpqpjXHwUL_aaphsYf2dHUPw>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt

On Wed, 27 Mar 2024, Panwei (William) wrote:

> Thanks for your clarification. I'm much clearer about the problems now.
>
>    > > When you find out that the IKEv2 negotiation succeeds but ESP
>    > > traffic can't get through, what more information will you get
>    > > from sending the ESPping and not receiving a response?
>    >
>    > That there is a problem with proto=50... So:
>    > a) do UDP encap (maybe by manual config, if you are clueful)
>    > b) call network support and file a problem report.
>
> I mean, when you find out that the IKEv2 negotiation succeeds but ESP traffic can't get through, you can already guess there may be a problem with ESP packets.

Waiting for failure and timeouts afterwards, e.g. once the IPsec SA is up,
is costly, and now you have to try to set up udp-encap or try ipv4. The
idea is to send an ESP-ping beforehand to your server that is known to
support this, and test for a reply. If you don't get it, initiate IKEv2
using IPv4 (basically also guaranteeing NAT and UDP-encap), not native IPv6.

> If you want to use ESPping to determine that the problem is really because on-path firewalls or routers discard the ESP packets, you need to make sure the IPsec peer also supports the ESPping.

It would be part of the client configuration I guess to try this.

> If you want to do the traceroute to determine how far ESP actually gets, you need to make sure every node supports the ESPping.

I think people meant to extend traceroute to use an ESP packet instead
of an ICMP or UDP packet. The machines in the middle do not need any
special support because any packet that hits TTL=0 should solicit
an ICMP response.

Paul
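Added example in Python (not from the draft, the thread, or any IPsec implementation) putting the two points above into code: an ESP-ping pre-flight that falls back to IKEv2 over IPv4 when no ESP echo reply comes back from the server, and an ESP traceroute whose probes only need routers to answer expiring TTLs with ICMP Time Exceeded. The SPI values for echo request/reply are placeholders (an assumption), the 8-byte SPI/sequence header layout is from RFC 4303, and network I/O is an injected function backed by a constructed in-memory path (2001:db8:: documentation addresses) standing in for raw sockets.

```python
import struct
SPI_ECHO_REQUEST, SPI_ECHO_REPLY = 7, 8  # assumed placeholder SPIs; check the draft
ESP_HDR = struct.Struct("!II")           # RFC 4303 header: 32-bit SPI, 32-bit sequence

def build_echo(spi, seq, payload=b""):   # plain ESP header + unencrypted echo payload
    return ESP_HDR.pack(spi, seq) + payload

def parse_echo(pkt):
    if len(pkt) < ESP_HDR.size:
        raise ValueError("short ESP packet")
    spi, seq = ESP_HDR.unpack_from(pkt)
    return spi, seq, pkt[ESP_HDR.size:]

def is_matching_reply(request, reply):
    # Accept only a packet with the reply SPI that echoes our sequence and payload.
    _, rseq, rpayload = parse_echo(request)
    spi, seq, payload = parse_echo(reply)
    return spi == SPI_ECHO_REPLY and seq == rseq and payload == rpayload

def choose_transport(send_probe, seq=1):
    # Pre-flight from the thread: ESP-ping the server first; with no matching reply,
    # run IKEv2 over IPv4 (forcing NAT-T/UDP encap) instead of native IPv6 ESP.
    req = build_echo(SPI_ECHO_REQUEST, seq)
    kind, data = send_probe(req, ttl=64)
    if kind == "esp" and is_matching_reply(req, data):
        return "ipv6-native-esp"
    return "ipv4-udp-encap"

def esp_traceroute(send_probe, max_hops=30, max_silent=3):
    # traceroute with an ESP echo probe: a router answers an expiring TTL with ICMP
    # Time Exceeded, so nothing in the middle needs ESP-ping support.
    hops, silent = [], 0
    for ttl in range(1, max_hops + 1):
        kind, data = send_probe(build_echo(SPI_ECHO_REQUEST, ttl), ttl=ttl)
        if kind == "ttl-exceeded":
            hops.append((ttl, data))
            silent = 0
        elif kind == "esp":
            return {"hops": hops, "reached": True}
        elif (silent := silent + 1) >= max_silent:  # give up after a run of silence
            break
    return {"hops": hops, "reached": False}

def simulate_path(routers, drops_esp_at=None):
    # Constructed stand-in for raw-socket I/O: `routers` are the hops before the
    # server; `drops_esp_at` is the 1-based hop that silently filters protocol 50.
    def send_probe(pkt, ttl):
        if drops_esp_at is not None and ttl > drops_esp_at:
            return None, None
        if ttl <= len(routers):
            return "ttl-exceeded", routers[ttl - 1]
        _, seq, payload = parse_echo(pkt)
        return "esp", build_echo(SPI_ECHO_REPLY, seq, payload)
    return send_probe
```

Against a real network, `send_probe` would send the bytes as IP protocol 50 with the given hop limit and classify the ICMP or ESP packet that comes back; the decision logic stays the same.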