Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 November 2018 16:32 UTC

From: Paul Wouters <paul@nohats.ca>
In-Reply-To: <25704.1542816043@localhost>
Date: Wed, 21 Nov 2018 23:32:19 +0700
Cc: Warren Kumari <warren@kumari.net>, ipsec@ietf.org, The IESG <iesg@ietf.org>
Message-Id: <3A9700FB-EF0B-415B-9338-72070DE8A335@nohats.ca>
References: <154275299932.29937.5149382512933072864.idtracker@ietfa.amsl.com> <25704.1542816043@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RsQSUVz9tZ11G-az0Rp-4IFz2vs>
Subject: Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

On Nov 21, 2018, at 23:00, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> Sadly, very few regular users use IPsec/IKEv2 for this kind of access.

This is very incorrect.

Almost all VPN providers for Apple (OSX and iOS) use IKEv2 with CP. Based on numbers of concurrent users I have seen from some vendors using libreswan, we are talking on the order of hundreds of thousands of users.

And more and more Windows L2TP/IPsec and XAUTH deployments are moving to IKEv2.

One of the main reasons: MOBIKE, with phones using wifi and 4G/5G and switching networks.

For Android, the situation is bad. Due to the OS not properly supporting IKEv2, most VPN services bundle OpenVPN apps for Android and very few bundle strongSwan with its userland ESP that can do IKEv2.


> In almost all cases the VPN provider is in control of the software that is
> installed on the client system, so they can hijack paypal already.

This is also incorrect. All OSX and iOS provisioning happens via .mobileconfig profiles or apps using Apple APIs that are equivalent. None of their apps can do weird things like hijacking the paypal.com domain other than modifying the DNS stream after IPsec decryption. Any root CA installed as part of the VPN provisioning is limited to that VPN profile only and does not affect HTTPS.


> Few support IPv6 or DNSSEC for the VPN either.

That is correct, but with SNAFUs like NAT64 breaking IPsec, the telcos have helped greatly in getting that situation addressed for IPv6.

> 
> I think the document does a good job of making it clear that there
> are issues the client implementer needs to worry about.
> ****

I have improved the text but I am waiting for my co-author to proofread and agree to my changes. It hopefully addresses Warren's concerns as best we can.

> But, this seems terribly unlikely since just getting two VPNs installed
> (and compatible) and running at the same time is such deep VPN-fu, that it's
> like only half the IPsec WG members that could ever make this work anyway.

It is currently uncommon indeed but I think and hope we will see more of this, especially when we all want a continuous VPN link up to our home network.

Paul
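As an added example (not code from the draft, from libreswan, or from anyone in this thread), here is the client-side check that is the crux of the paypal.com concern discussed above: the IKEv2 client parses the INTERNAL_DNS_DOMAIN attributes in the server's CFG_REPLY and sends only those domains that fall under an administrator-configured allowlist to the VPN-provided resolver; anything else, including a bare TLD, is rejected rather than blindly trusted. The attribute numbers are those the published RFC 8598 assigns (INTERNAL_DNS_DOMAIN = 25; INTERNAL_IP4_DNS = 3 is from RFC 7296). The allowlist, the constructed sample payload, the UTF-8 decoding of the domain value, and the policy of dropping the VPN resolver entirely when every offered domain is rejected are assumptions made for this example, not something the draft mandates.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# IKEv2 Configuration Attribute types: RFC 7296 Section 3.15.1 (INTERNAL_IP4_DNS)
# and the value RFC 8598 registered for INTERNAL_DNS_DOMAIN.
INTERNAL_IP4_DNS = 3
INTERNAL_DNS_DOMAIN = 25


@dataclass
class SplitDnsConfig:
    servers: list = field(default_factory=list)   # resolvers to use for `domains`
    domains: list = field(default_factory=list)   # domains routed to the VPN resolver
    rejected: list = field(default_factory=list)  # offered domains refused by local policy


def parse_cfg_attributes(data: bytes):
    """Split the attribute list of a CFG payload body into (type, value) pairs.

    Each attribute is: 1 reserved bit + 15-bit type, 16-bit length, value.
    """
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated configuration attribute header")
        rt, length = struct.unpack_from("!HH", data, off)
        atype = rt & 0x7FFF          # mask off the reserved high bit
        off += 4
        if off + length > len(data):
            raise ValueError("configuration attribute length exceeds payload")
        attrs.append((atype, data[off:off + length]))
        off += length
    return attrs


def encode_cfg_attributes(attrs) -> bytes:
    """Inverse of parse_cfg_attributes; used here only to build the sample payload."""
    return b"".join(struct.pack("!HH", atype, len(value)) + value for atype, value in attrs)


def domain_allowed(domain: str, allowlist) -> bool:
    """Accept a domain only if it equals, or is a subdomain of, an allowlisted name.

    A root or single-label name (a TLD such as "com") is never accepted: handing a
    whole TLD to the VPN resolver would let the server answer for every site under it.
    """
    d = domain.lower().rstrip(".")
    if not d or "." not in d:
        return False
    for allowed in allowlist:
        a = allowed.lower().rstrip(".")
        if a and (d == a or d.endswith("." + a)):
            return True
    return False


def build_split_dns(cfg_reply: bytes, allowlist) -> SplitDnsConfig:
    """Derive the split-DNS configuration a client should actually apply."""
    cfg = SplitDnsConfig()
    offered = []
    for atype, value in parse_cfg_attributes(cfg_reply):
        if atype == INTERNAL_IP4_DNS and len(value) == 4:
            cfg.servers.append(str(ipaddress.IPv4Address(value)))
        elif atype == INTERNAL_DNS_DOMAIN:
            try:
                offered.append(value.decode("utf-8"))   # assumption: domain sent as a UTF-8 string
            except UnicodeDecodeError:
                cfg.rejected.append(value.hex())
    for dom in offered:
        (cfg.domains if domain_allowed(dom, allowlist) else cfg.rejected).append(dom)
    # Local policy (assumption): if the server offered domains but none survived the
    # allowlist, do not use its resolvers for anything rather than silently going full-tunnel DNS.
    if offered and not cfg.domains:
        cfg.servers = []
    return cfg


# Constructed sample CFG_REPLY: one internal resolver, one legitimate internal domain,
# and two names a client must not accept from a VPN server.
SAMPLE_CFG_REPLY = encode_cfg_attributes([
    (INTERNAL_IP4_DNS, bytes([10, 0, 0, 53])),
    (INTERNAL_DNS_DOMAIN, b"corp.example.com"),
    (INTERNAL_DNS_DOMAIN, b"paypal.com"),   # public domain the server has no business claiming
    (INTERNAL_DNS_DOMAIN, b"com"),          # bare TLD
])
ADMIN_ALLOWLIST = ["example.com"]           # assumption: provisioned by the administrator, not the server

if __name__ == "__main__":
    print(build_split_dns(SAMPLE_CFG_REPLY, ADMIN_ALLOWLIST))
```

The important property is that the allowlist comes from whoever provisioned the client (for example, the administrator's profile), never from the CFG_REPLY itself; a server that controls both the list and the attributes is back to being able to claim any domain it likes.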