Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE extension for Transport mode
Paul Wouters <paul@nohats.ca> Fri, 12 September 2014 18:03 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33DCE1A86E5 for <ipsec@ietfa.amsl.com>; Fri, 12 Sep 2014 11:03:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.652
X-Spam-Level:
X-Spam-Status: No, score=-3.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.652] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EM1niT2HcmMs for <ipsec@ietfa.amsl.com>; Fri, 12 Sep 2014 11:03:01 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B30DA1A82E2 for <ipsec@ietf.org>; Fri, 12 Sep 2014 11:02:41 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 6640A80111; Fri, 12 Sep 2014 14:02:40 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1410544960; bh=TPCWD9dIAN/keuqLQz0zWtXdAT82MeQqFqrAjflYAVQ=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=MepO6qszQiBUI5VNG2/XATlkwfjxg59UD86qjMTsxr38T+DBnQGcg5ECZ5XiPGQyh EaCmf2ibEs/hCWPh03GMru6ASITmRBFck/ip+EVwJvWyIAT8kQNZEJerByblOYs05b X3o8+iyWRnbq0RSWYzUCuQH3HgOFEZtv/3v+BVBU=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s8CI2dl0031993; Fri, 12 Sep 2014 14:02:39 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Fri, 12 Sep 2014 14:02:39 -0400
From: Paul Wouters <paul@nohats.ca>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
In-Reply-To: <54131C57.2060605@gmail.com>
Message-ID: <alpine.LFD.2.10.1409121350180.31178@bofh.nohats.ca>
References: <54131C57.2060605@gmail.com>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/Q_mGwDJJ42ROBvp4bOM2LyZJ11Q
Cc: ipsec <ipsec@ietf.org>
Subject: Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE extension for Transport mode
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Sep 2014 18:03:07 -0000
On Fri, 12 Sep 2014, Yaron Sheffer wrote: > This is a call for adopting draft-mglt-ipsecme-mobikev2 as a WG document. Please respond to this mail with a Yes or No and a short > rationale, at latest by Friday Sep. 19. This document confuses me. It seems section 4 to 7 are about much more than just transport mode. It seems to (re?)introduce versioning, non-transport notify payloads, etc. MOBIKE is about keeping your assigend address with you, making your inner IP consistent regardless of the outer IP. That makes no sense with transport mode, which is tied to your ephemeral outer address. Transport mode IPsec is terrible idea in todays NATed world. It should die, not see more use. The NAT issues are not at all mentioned in this draft. What if two clients connect to the same MOBIKE VPN server with the same internal IP of 10.1.2.3? The use case is "saving a few bytes", which to me seems very weak. It would only work with UDP, not TCP. For UDP, doesn't recvfrom() and recvmsg() family deal with changing IPs? IKE and DNS servers already use this to listen on ANY and reply to the address of the received packet. This is a lot of specification and code and possible interop problems for a use case of "saving a few bytes on some UDP packets". It is possible further discussion might convince me otherwise, although not likely. I'm happy to discuss this item further as a working group if adoption now means we can still decide it is not a good idea later. If adoption to the WG now means we must end up with some kind of spec, than I would rather not see adoption now. Paul
- [IPsec] Call for adoption: MOBIKEv2: MOBIKE exten… Yaron Sheffer
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Paul Wouters
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Daniel Migault
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Paul Wouters
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Daniel Palomares
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Joe Touch
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Valery Smyslov
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Frederic Detienne (fdetienn)
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Manish Kumar (manishkr)