[IPsec] Comments on draft-mglt-ipsecme-diet-esp-07
Robert Moskowitz <rgm-sec@htt-consult.com> Fri, 06 May 2022 21:02 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7EE5C157B48 for <ipsec@ietfa.amsl.com>; Fri, 6 May 2022 14:02:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Sw8zKzrUGYq for <ipsec@ietfa.amsl.com>; Fri, 6 May 2022 14:02:37 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2010BC14F749 for <ipsec@ietf.org>; Fri, 6 May 2022 14:02:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 7647D62653 for <ipsec@ietf.org>; Fri, 6 May 2022 17:01:48 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id dAWcCHggR+UQ for <ipsec@ietf.org>; Fri, 6 May 2022 17:01:45 -0400 (EDT)
Received: from [192.168.160.11] (unknown [192.168.160.11]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id E73A862620 for <ipsec@ietf.org>; Fri, 6 May 2022 17:01:42 -0400 (EDT)
Message-ID: <b510dbad-fa37-7591-ebf6-e3af2a31c140@htt-consult.com>
Date: Fri, 06 May 2022 17:02:25 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0
To: ipsec@ietf.org
Content-Language: en-US
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/OZt6G8UUjuARqW9VOSvis5vlK-E>
Subject: [IPsec] Comments on draft-mglt-ipsecme-diet-esp-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 May 2022 21:02:37 -0000
First read-through. Is there an implementation of this draft? Obviously it being last published in '19 some drafts are now RFCs and thus need updating. Page 5 at top: Non ESP fields may be compressed by ESP under certain circumstances, but EHC is not intended to provide a generic way outside of ESP to compress these protocols. How does EHC work with SCHC CoAP compression, rfc 8824? I would think this is a must work with... As depicted in Figure 1, the EHC Strategy - Diet-ESP in our case - and the EHC Context are agreed upon between the two peers, e.g. during key exchange. The EHC Rules are to be implemented on the peers and do not require further agreement. Can the EHC Strategy, Context, and Rules be static between two hosts? This is of interest to me with Network Remote ID where these will always be the same (I think so far) between the UA and Service Provider. In fact if aligned with SCHC, static is the norm which can be overridden during a key exchange. This approach would allow the key exchange to be unmodified to support diet-esp. With EHC, the agreement of the level or occurrence of compression is left the negotiation protocol (e.g. IKEv2), contradicting the signalization of the level of compression for a certain packet send over the wire. This is a sentence fragment and I don't get what is being said here. Taking out the comma delimited: With EHC, contradicting the signalization of the level of compression for a certain packet send over the wire. ? This leads to multiple SAs, and thus, multiple SPIs for different levels of compression agreed with the EHC Context. This can lead to multiple... I think If the sender detects the de-compression can not be guaranteed with a given EHC Context and EHC Strategy, it MUST NOT apply compression. If the sender detects that the de- ? Made it through sec 6, stopping for now a 6.1 where I will continue Monday? I see that with ESP Next Header compression and ony UDP in the SA, that SCHC for UDP is not needed so don't need an IP Protocol number for SCHC here. But what about SCHC for CoAP over UDP? Anyway, stopping for now. More, I suspect, later. Oh, and NIST is having their 4th LWC workshop M-W, so I am busy with that too! Bob
- [IPsec] Comments on draft-mglt-ipsecme-diet-esp-07 Robert Moskowitz
- [IPsec] For authors of draft-mglt-ipsecme-diet-esp Robert Moskowitz
- [IPsec] More comments on draft-mglt-ipsecme-diet-… Robert Moskowitz
- Re: [IPsec] Comments on draft-mglt-ipsecme-diet-e… Daniel Migault
- Re: [IPsec] Comments on draft-mglt-ipsecme-diet-e… Robert Moskowitz
- Re: [IPsec] Comments on draft-mglt-ipsecme-diet-e… Daniel Migault
- Re: [IPsec] More comments on draft-mglt-ipsecme-d… Daniel Migault