Re: [IPsec] Some thoughts regarging draft-hopps-ipsecme-iptfs-01
Steffen Klassert <steffen.klassert@secunet.com> Mon, 02 December 2019 08:49 UTC
Date: Mon, 02 Dec 2019 09:49:30 +0100
From: Steffen Klassert <steffen.klassert@secunet.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
CC: 'IPsecME WG' <ipsec@ietf.org>
Message-ID: <20191202084930.GN13225@gauss3.secunet.de>
References: <039e01d5a5f2$ac51d350$04f579f0$@gmail.com> <20191202080154.GM13225@gauss3.secunet.de> <050701d5a8ea$72651b20$572f5160$@gmail.com>
In-Reply-To: <050701d5a8ea$72651b20$572f5160$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/N2wPbjQh9_T3t2o4yX6ilwQ3nAg>
Hi Valery,

On Mon, Dec 02, 2019 at 11:28:16AM +0300, Valery Smyslov wrote:
> Hi Steffen,
> 
> > > It seems to me that it can be done pretty easy by linking the reassembly logic
> > > with replay protection window.
> > 
> > While it looks like doing the reassembling based on ESP sequence numbers
> > might be an easy approach, it could be also dangerous.
> > 
> > Consider a system that encapsulates two flows on different cpus
> > with the same SA. This system can TX packets in the following
> > order:
> > 
> > TX cpu0 inner flow0 SA0:
> > 
> > Offset: 0                         Offset: 100
> > [        ESP1 (1500)        ]     [        ESP3 (1500)        ]
> > [--800--][--800-                 -][-----1400---]
> > 
> > --------------------------------------------------------------------------------------
> > TX cpu1 inner flow1 SA0:
> > 
> > Offset: 0                         Offset: 100
> > [        ESP2 (1500)        ]     [        ESP4 (1500)        ]
> > [--800--][--800-                 -][----1400----]
> > 
> > 
> > On the receive side, it is not that clear how to reassemble the fragments
> > from ESP3 and ESP4 into the fragments from ESP1 and ESP2. Maybe some
> > packet ID in the IP-TFS header could help to identify related fragments.
> 
> I'm probably missing something here, but I think that sending side assigns
> every outgoing IP packet to some SA. Then the packet is added to the ESP message
> (that may already contain previous packets). If the packet cannot fit into the
> left space, it is split and the rest of the packet is sent in the next
> ESP message of the same SA.

All packets are sent over the same SA, but on different cpus. This
means that the 'rest' might not be in the next ESP message. The
other cpu could have TXed some ESP packets before, it is a race.

In this example, flow0 is encapsulated on cpu0, flow1 is encapsulated
on cpu1, both on the same SA. ESP1 contains flow0, but ESP2 contains
flow1. The 'rest' from flow0 is encapsulated in ESP3, the 'rest' from
flow1 is encapsulated in ESP4. So I think it is not clear how to do
a correct reassembling here.

Steffen
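The race described in this message, reproduced as a small simulation. This is an added example written for this archive page; it is not code from the mail, from the IP-TFS draft or from any implementation. It packs the 800/800/1400-byte inner packets of two flows into 1500-byte ESP payloads on two "CPUs" (which yields exactly the ESP1..ESP4 layout in the diagram, with 100 bytes of continuation at the start of ESP3 and ESP4), then assigns sequence numbers on the shared SA in the interleaved order the race produces. Two receivers are compared: one that trusts ESP sequence order alone, and one keyed on a per-SA inner-packet identifier. That identifier (`pkt_id`, here drawn from disjoint per-CPU ranges) is an assumption standing in for the "packet ID in the IP-TFS header" the mail only floats as a possibility; the packet sizes and the interleaving are constructed inputs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP_PAYLOAD = 1500   # constructed: inner bytes carried per ESP packet, as in the diagram


@dataclass(frozen=True)
class Fragment:
    """One piece of an inner IP packet as carried inside an ESP payload."""
    pkt_id: int   # assumed per-SA inner packet id (the mail's hypothetical "packet ID")
    offset: int   # byte offset of this piece within the inner packet
    length: int   # bytes carried in this piece
    total: int    # full inner packet length


@dataclass
class EspPacket:
    seq: int                  # ESP sequence number on the shared SA
    frags: List[Fragment]


def encapsulate(pkt_lengths: List[int], first_id: int) -> List[List[Fragment]]:
    """Pack one CPU's inner packets into ESP payloads, splitting an inner packet
    across two payloads when it does not fit (IP-TFS style aggregation)."""
    payloads: List[List[Fragment]] = [[]]
    room = ESP_PAYLOAD
    for n, total in enumerate(pkt_lengths):
        offset = 0
        while offset < total:
            if room == 0:
                payloads.append([])
                room = ESP_PAYLOAD
            take = min(room, total - offset)
            payloads[-1].append(Fragment(first_id + n, offset, take, total))
            offset += take
            room -= take
    return payloads


def transmit_interleaved(per_cpu: List[List[List[Fragment]]]) -> List[EspPacket]:
    """Assign SA sequence numbers in the order the race produces: cpu0, cpu1, cpu0, ..."""
    queues = [list(p) for p in per_cpu]
    out: List[EspPacket] = []
    seq = 1
    while any(queues):
        for q in queues:
            if q:
                out.append(EspPacket(seq, q.pop(0)))
                seq += 1
    return out


def reassemble_by_seq(packets: List[EspPacket]) -> Tuple[int, int, int]:
    """Receiver that relies on ESP sequence order only: a trailing partial fragment
    of ESP(n) is joined to the leading fragment of ESP(n+1) when the offsets line
    up. Returns (intact, corrupt, lost) inner packet counts."""
    intact = corrupt = lost = 0
    pending: Optional[List[Fragment]] = None
    for pkt in sorted(packets, key=lambda p: p.seq):
        for i, frag in enumerate(pkt.frags):
            if i == 0 and pending is not None:
                if frag.offset == sum(f.length for f in pending):
                    pending.append(frag)            # offsets line up, looks like the tail...
                    if frag.offset + frag.length == frag.total:
                        # ...but the pieces may come from different inner packets
                        if len({f.pkt_id for f in pending}) == 1:
                            intact += 1
                        else:
                            corrupt += 1            # silently glued two flows together
                        pending = None
                    continue
                lost += 1                           # tail never showed up in ESP(n+1)
                pending = None
            if frag.offset != 0 and pending is None:
                lost += 1                           # continuation with nothing to attach to
            elif frag.offset + frag.length < frag.total:
                pending = [frag]
            else:
                intact += 1
    return intact, corrupt, lost


def reassemble_by_id(packets: List[EspPacket]) -> Tuple[int, int, int]:
    """Receiver keyed on the assumed per-SA packet id: pieces are collected per
    inner packet no matter which ESP packet, or which CPU, carried them."""
    parts: Dict[int, List[Fragment]] = {}
    intact = 0
    for pkt in packets:                             # arrival order is irrelevant here
        for frag in pkt.frags:
            got = parts.setdefault(frag.pkt_id, [])
            got.append(frag)
            if sum(f.length for f in got) == frag.total:
                intact += 1
                del parts[frag.pkt_id]
    return intact, 0, len(parts)                    # leftovers are incomplete packets


def race_scenario() -> List[EspPacket]:
    """The case from the mail: two CPUs, two flows, one SA, 800/800/1400-byte inner packets."""
    cpu0 = encapsulate([800, 800, 1400], first_id=0)     # flow0 on cpu0
    cpu1 = encapsulate([800, 800, 1400], first_id=100)   # flow1 on cpu1
    return transmit_interleaved([cpu0, cpu1])


if __name__ == "__main__":
    pkts = race_scenario()
    for p in pkts:
        print("ESP%d" % p.seq, [(f.pkt_id, f.offset, f.length) for f in p.frags])
    print("by seq:", reassemble_by_seq(pkts))   # (4, 1, 2)
    print("by id :", reassemble_by_id(pkts))    # (6, 0, 0)
```

Running it shows the two failure modes of sequence-only reassembly in this scenario: the 100-byte tail carried in ESP3 has offsets that line up with the partial packet left over from ESP2, so flow1's second packet is completed with flow0's bytes (one corrupt packet), while the leftover from ESP1 and the tail in ESP4 are orphaned (two lost packets). With a single CPU the same receiver reassembles everything, which is why the problem only appears once several CPUs share an SA. The id-keyed receiver is indifferent to ESP ordering entirely; whatever identifier is used in practice would need to be unique per SA across all senders on that SA.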