IETF Logo Mail Archive

Re: [IPsec] [Last-Call] [secdir] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

"touch@strayalpha.com" <touch@strayalpha.com> Thu, 02 June 2022 15:21 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 361A9C157B35; Thu, 2 Jun 2022 08:21:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.324
X-Spam-Level:
X-Spam-Status: No, score=-1.324 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WfT_7VSxvFm9; Thu, 2 Jun 2022 08:21:54 -0700 (PDT)
Received: from server217-1.web-hosting.com (server217-1.web-hosting.com [198.54.114.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85CDDC15AAF8; Thu, 2 Jun 2022 08:21:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=rkg85M5Dm6MhF2fNFD6/ukZgO3dJc/rc/yvmMXLfgoc=; b=aDpjJ+N+tuX5PfFPXdcgkQZUmP dWy5qHoOM9W8a3WU6ZLZGW2rbnQjJ8Bgh3byoKKjpzkj3wNBKYiFpo7ukxak4WGaRxmk4hU/T36HF rxsaqKt1rtcjNyn0d2OWC8UYKi3F6mcJCxPPX+BihBHcqUoeuob/T97c4pWFfIuDgn+kdLW0vUyAN nrOiZZnRcJaYWorLjHp6K1H2EKy+ZA0WykIlq6lMS4sME2LTX//VhuoiagqS0/jp1dJEZfuthLqdp 5Tuw0TwfFBZcr1C9/a2fufwZG23EXf/oJZ1amRpstfs86EkpR1r4yabYYePGojSjnntflpxlP46AN D7pNb7Jw==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:59555 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <touch@strayalpha.com>) id 1nwmdw-000AY6-QW; Thu, 02 Jun 2022 11:21:53 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_5D2BBC9F-225B-4748-A963-A48C96039D97"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <005301d87691$ecb1f250$c615d6f0$@elvis.ru>
Date: Thu, 02 Jun 2022 08:21:47 -0700
Cc: draft-ietf-ipsecme-rfc8229bis.all@ietf.org, secdir@ietf.org, ipsec@ietf.org, last-call@ietf.org
Message-Id: <0D1CCD9E-8696-46CA-9BD9-D62AFC42E116@strayalpha.com>
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com> <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru> <25237.6715.619617.181961@fireball.acr.fi> <08f501d874df$90e95750$b2bc05f0$@elvis.ru> <25238.13419.293263.562580@fireball.acr.fi> <0a1601d8750e$051083f0$0f318bd0$@elvis.ru> <25239.24036.317688.539399@fireball.acr.fi> <0b4301d875b9$ae525320$0af6f960$@elvis.ru> <C215CCAA-62D6-4C8D-88A1-248D17AB7E54@strayalpha.com> <0ba801d875d8$2c7a7c00$856f7400$@elvis.ru> <0c4501d87656$30543680$90fca380$@elvis.ru> <FBE7881A-92AB-47F3-9465-5DC97B0E2BBC@strayalpha.com> <005301d87691$ecb1f250$c615d6f0$@elvis.ru>
To: Valery Smyslov <svan@elvis.ru>
X-Mailer: Apple Mail (2.3696.100.31)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/NPJvyld_MaIeW3QA6Gp_z8kuFXA>
Subject: Re: [IPsec] [Last-Call] [secdir] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2022 15:21:58 -0000

See below...
—
Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

> On Jun 2, 2022, at 8:03 AM, Valery Smyslov <svan@elvis.ru> wrote:
> 
> HI Joe,
>  
> On Jun 2, 2022, at 12:55 AM, Valery Smyslov <svan@elvis.ru <mailto:svan@elvis.ru>> wrote:
>>  
>> HI Joe,
>>  
>> one more question:
>>  
>>           You can also note that there are ways to mitigate the cost of resync when
>>           this implementation is tightly coupled with TCP, e.g., by ensuring every Nth
>>           IPsec packet starts at the beginning of a new TCP packet.
>>  
>>          How would this help? Can you please elaborate?
>  
> If every 4th IPsec packet is always aligned to the TCP segment data start, then resync checks could be simple and rapid - check only the first bytes for a known pattern.
>  
> That makes resync happen with lower overhead, i.e., rather than searching the whole payload.
>  
>           Interesting idea, but how the receiving node would know that sending node employs this method?

They don’t need to. Basically the receiver should “check a few places until it wants to give up”. There’s no rule that resync must be exhaustive, but if it succeeds, it averts the need for a new connection.

>           And, in my understanding some middleboxes can re-arrange TCP segments, merging and splitting them,

They DO this, as do some offloading devices, sometimes in ways that break TCP. But that doesn’t matter here - again, at the receiver, it either works or it doesn’t.

>           so the beginning of IPsec packet may still appear in the middle of TCP segment (the same can happen
>           with retransmissions, but I guess you assume that sending TCP/IP stack would take care in this case, but it adds complexity).

Retransmissions don’t need to realign; the sender can just do this on first transmission. It’s just an optimization that helps the receiver potentially resync faster or not need to give up on resync as quickly.

>  
>          So, I think that the idea is interesting, but the additional complexity and unreliability makes it not so attractive.

It doesn’t need to be reliable to be useful, as per above.

>  
>           Regards,
>           Valery.
>  
> Joe
> -- 
> last-call mailing list
> last-call@ietf.org <mailto:last-call@ietf.org>
> https://www.ietf.org/mailman/listinfo/last-call <https://www.ietf.org/mailman/listinfo/last-call>

v2.23.0 | Report a Bug | By Email