Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
"Panwei (William)" <william.panwei@huawei.com> Wed, 27 March 2024 11:24 UTC
Return-Path: <william.panwei@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AD69C14F694 for <ipsec@ietfa.amsl.com>; Wed, 27 Mar 2024 04:24:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PtQNFy0MY475 for <ipsec@ietfa.amsl.com>; Wed, 27 Mar 2024 04:24:29 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DECE4C14F614 for <ipsec@ietf.org>; Wed, 27 Mar 2024 04:24:28 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.31]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4V4PMy05V0z6K91S; Wed, 27 Mar 2024 19:19:58 +0800 (CST)
Received: from lhrpeml100005.china.huawei.com (unknown [7.191.160.25]) by mail.maildlp.com (Postfix) with ESMTPS id 0E07C140594; Wed, 27 Mar 2024 19:24:25 +0800 (CST)
Received: from kwepemi100009.china.huawei.com (7.221.188.242) by lhrpeml100005.china.huawei.com (7.191.160.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 27 Mar 2024 11:24:24 +0000
Received: from kwepemi500010.china.huawei.com (7.221.188.191) by kwepemi100009.china.huawei.com (7.221.188.242) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 27 Mar 2024 19:24:22 +0800
Received: from kwepemi500010.china.huawei.com ([7.221.188.191]) by kwepemi500010.china.huawei.com ([7.221.188.191]) with mapi id 15.01.2507.035; Wed, 27 Mar 2024 19:24:22 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: Lorenzo Colitti <lorenzo@google.com>
CC: Jen Linkova <furry13@gmail.com>, "ipsec@ietf.org WG" <ipsec@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
Thread-Index: AQHaayQFUr6vZiHeJEm4rFfwTHJng7FJ2NuAgADDKgCAAPqJcA==
Date: Wed, 27 Mar 2024 11:24:22 +0000
Message-ID: <09b9dc48f12d4636b106df9544706e1d@huawei.com>
References: <170922023791.21652.13338059706655424526@ietfa.amsl.com> <CAFU7BAQuNkHDRidjQqGbXySKJ1FCRKuAksDa0BHsvfGeG45k6g@mail.gmail.com> <4b44a218c77a49edbaecd3b524dbaac7@huawei.com> <CAKD1Yr3CbS7KHn-MYm0Wos2mq3BUPFteas3SZQyRqXSxa5cqcw@mail.gmail.com>
In-Reply-To: <CAKD1Yr3CbS7KHn-MYm0Wos2mq3BUPFteas3SZQyRqXSxa5cqcw@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.164.106.141]
Content-Type: multipart/alternative; boundary="_000_09b9dc48f12d4636b106df9544706e1dhuaweicom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/N2qj83BuZ9zjRZik9yFSXlMwJKs>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 11:24:33 -0000
Thanks for your and Michael’s clarifications. I’m much clearer now and I’m convinced this is an useful draft. I think it would be useful to add one or two sentences in the introduction. An example is given below. However, because ESP packets do not share fate with IKE packets, it is possible for the network to allow IKE packets but not ESP packets. For example, the on-path firewall may allow UDP packets but discard ESP packets, and IKE negotiation isn’t able to detect this. When NAT function is not used as well, which is common in IPv6 networks, the IPsec session will by default use unencapsulated IPv6 ESP. This leads to the IPsec session not being able to exchange any packets even though IKE negotiation succeeded. Regards & Thanks! Wei PAN (潘伟) From: Lorenzo Colitti <lorenzo@google.com> Sent: Wednesday, March 27, 2024 12:07 PM To: Panwei (William) <william.panwei@huawei.com> Cc: Jen Linkova <furry13@gmail.com>; ipsec@ietf.org WG <ipsec@ietf.org>; Michael Richardson <mcr+ietf@sandelman.ca> Subject: Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt Yes, the idea is to make it possible to leverage native ESP. Pretty much all IPv6 networks (at least commercial networks) don't do NAT. But some of them drop ESP packets. On these networks, NAT detection will say there is no NAT, and the ESP session will be established, but no traffic will flow. On Tue, Mar 26, 2024 at 6:24 PM Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>> wrote: Hi, I've read the draft and I think I can understand the solution part. But please allow me to ask a stupid question about the motivation or use case, because I'm a little confused about that. I feel that the problem of IPv6 ESP traverse failure, as described in the draft and presentation slides, is because of NAT. IKEv2 already supports the detection of NAT. After the detection of NAT, the peers can use IP + UDP (4500) + ESP to traverse the NAT. Are there some use cases that this existing solution doesn't work and this draft tries to solve? Or, are there some use cases that IKEv2 fails in detecting the existence of NAT? I can understand the advantages of native ESP described in the draft: 1) no keepalives or fewer keepalives, 2) no overhead of UDP header. Does this draft target the use cases where IP + UDP + ESP and IP + ESP can both work in the existence of NAT, and try to benefit from the native ESP? Regards & Thanks! Wei PAN (潘伟) > -----Original Message----- > From: IPsec <ipsec-bounces@ietf.org<mailto:ipsec-bounces@ietf.org>> On Behalf Of Jen Linkova > Sent: Thursday, February 29, 2024 11:28 PM > To: ipsec@ietf.org<mailto:ipsec@ietf.org> > Cc: Lorenzo Colitti <lorenzo@google.com<mailto:lorenzo@google.com>>; Michael Richardson > <mcr+ietf@sandelman.ca<mailto:mcr%2Bietf@sandelman.ca>> > Subject: [IPsec] Fwd: New Version Notification for > draft-colitti-ipsecme-esp-ping-01.txt > > -01 version shall address comments received since -00. > The main change is that payload format is defined similarly to ICMPv6 > echo, and the draft now updates RFC4303, so ESP packets with SPI == 7 > or 8 and next header==59 are not considered to be dummy packets. > > Comments are appreciated! > > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> > Date: Fri, Mar 1, 2024 at 2:24 AM > Subject: New Version Notification for > draft-colitti-ipsecme-esp-ping-01.txt > To: Jen Linkova <furry13@gmail.com<mailto:furry13@gmail.com>>, Lorenzo Colitti > <lorenzo@google.com<mailto:lorenzo@google.com>>, Michael Richardson > <mcr+ietf@sandelman.ca<mailto:mcr%2Bietf@sandelman.ca>> > > > A new version of Internet-Draft draft-colitti-ipsecme-esp-ping-01.txt > has been successfully submitted by Jen Linkova and posted to the IETF > repository. > > Name: draft-colitti-ipsecme-esp-ping > Revision: 01 > Title: ESP Echo Protocol > Date: 2024-02-29 > Group: Individual Submission > Pages: 7 > URL: > https://www.ietf.org/archive/id/draft-colitti-ipsecme-esp-ping-01.txt > Status: > https://datatracker.ietf.org/doc/draft-colitti-ipsecme-esp-ping/ > HTML: > https://www.ietf.org/archive/id/draft-colitti-ipsecme-esp-ping-01.html > HTMLized: > https://datatracker.ietf.org/doc/html/draft-colitti-ipsecme-esp-ping > Diff: > https://author-tools.ietf.org/iddiff?url2=draft-colitti-ipsecme-esp-ping- > 01 > > Abstract: > > This document defines an ESP echo function which can be used to > detect whether a given network path supports IPv6 ESP packets. > > > > The IETF Secretariat > > > > > -- > Cheers, Jen Linkova > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org<mailto:IPsec@ietf.org> > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Fwd: New Version Notification for draft-c… Jen Linkova
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Paul Wouters
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Lorenzo Colitti
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Kan-Ru Chen