IETF Logo Mail Archive

Re: [IPsec] TCP and MOBIKE

Tero Kivinen <kivinen@iki.fi> Wed, 14 November 2018 07:56 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C4D61293FB for <ipsec@ietfa.amsl.com>; Tue, 13 Nov 2018 23:56:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.42
X-Spam-Level:
X-Spam-Status: No, score=-3.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3D0PJjzfn9Q8 for <ipsec@ietfa.amsl.com>; Tue, 13 Nov 2018 23:56:24 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 842F7130DD9 for <ipsec@ietf.org>; Tue, 13 Nov 2018 23:56:23 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id wAE7u2ah009225 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 14 Nov 2018 09:56:02 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id wAE7u1DH001410; Wed, 14 Nov 2018 09:56:01 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23531.54545.136222.41944@fireball.acr.fi>
Date: Wed, 14 Nov 2018 09:56:01 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: 'David Schinazi' <dschinazi.ietf@gmail.com>, ipsec@ietf.org
In-Reply-To: <032c01d47724$f906d6d0$eb148470$@gmail.com>
References: <031f01d47720$e9fb8220$bdf28660$@gmail.com> <CAPDSy+6V3dVkrcX=Lgd-G47RaLug8fhR=SZcD-cBdAmXJeCXvA@mail.gmail.com> <032c01d47724$f906d6d0$eb148470$@gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 25 min
X-Total-Time: 38 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/SFgkrUHmJXX5haGCLCwS-iun0Mc>
Subject: Re: [IPsec] TCP and MOBIKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2018 07:56:27 -0000

Valery Smyslov writes:
> Hmm, maybe. Or maybe not. Or maybe just ignore it in case of TCP?

I would say that is better approach. I.e., ignore NO_NATS_ALLOWED and
NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP o receiver
when connection comes in with TCP.

There is nothing we want to do even if detected NAT on the tcp path,
we are not going to switc to switch to another port, we are not going
to allow dynamic updates (as they would not work with TCP anyways),
there is no point of sending keepalives on TCP etc.

So on tcp just ignore those payloads. 

> I think that in general the co-existence of MOBIKE and TCP must be
> elaborated in more detail in the draft.

I agree. There are also several cases where we some of the mobike
processing does not really make sense. Things like return routability
checks, changing nat mappings, etc. The initial UPDATE_SA_ADDRESSES
should be enough to just say that use this connection for return
traffic. I do not think there is anything else for the responder to do
for it. 
> 
>     request. Probably we could clarify in TCP guidelines draft that the content
>     of NO_NATS_ALLOWED MUST be recalculated in this case? Or is it obvious?

Modifying the packet after it has been sent over any transport once,
is impossible, and will break things.

I.e., if client send packet using UDP and it did reach the destination
correctly, but return packet got lost, and then client decided to move
to TCP, and resend the packet.

If the packet is modified, then responder will see it as an attack, as
it is using message-id that where it has already processed and
responded to, but the content of the frame is not same. As the content
is not same, it will not retransmit its reply, so both ends just stop
and finally the connection times out.

>From the RFC7296 section 2.1:

   A retransmission from the initiator MUST be bitwise identical to
   the original request. That is, everything starting from the IKE
   header (the IKE SA initiator's SPI onwards) must be bitwise
   identical; items before it (such as the IP and UDP headers) do not
   have to be identical.

That is the reason why mobike for example does the processing so that
if it needs to change address during UPDATE_SA_ADDRESSES it will not
modify packet it is sending out, it will simply run the process to
end, and then redo it again from the start. It needs to do if it ever
used more than one address, regardless which of them succeeded. I.e.,
if it send UPDATE_SA_ADDRESSES using source IP1 and does not get
reply, moves to IP2, does not get reply, moves back IP1, and now do
get reply, it still needs to do UPDATE_SA_ADDRESSES again because it
did not know which of his frames got to the other end. It could have
been that first packet ever reaching responder was sent from IP2, but
the reply got lost, and then when initiator resent the packet from
IP1, the responder just repeated the reply generated earlier packet
from IP2... 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email