Re: [IPsec] TCP and MOBIKE
Tero Kivinen <kivinen@iki.fi> Wed, 14 November 2018 07:56 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C4D61293FB for <ipsec@ietfa.amsl.com>; Tue, 13 Nov 2018 23:56:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.42
X-Spam-Level:
X-Spam-Status: No, score=-3.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3D0PJjzfn9Q8 for <ipsec@ietfa.amsl.com>; Tue, 13 Nov 2018 23:56:24 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 842F7130DD9 for <ipsec@ietf.org>; Tue, 13 Nov 2018 23:56:23 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id wAE7u2ah009225 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 14 Nov 2018 09:56:02 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id wAE7u1DH001410; Wed, 14 Nov 2018 09:56:01 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23531.54545.136222.41944@fireball.acr.fi>
Date: Wed, 14 Nov 2018 09:56:01 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: 'David Schinazi' <dschinazi.ietf@gmail.com>, ipsec@ietf.org
In-Reply-To: <032c01d47724$f906d6d0$eb148470$@gmail.com>
References: <031f01d47720$e9fb8220$bdf28660$@gmail.com> <CAPDSy+6V3dVkrcX=Lgd-G47RaLug8fhR=SZcD-cBdAmXJeCXvA@mail.gmail.com> <032c01d47724$f906d6d0$eb148470$@gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 25 min
X-Total-Time: 38 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/SFgkrUHmJXX5haGCLCwS-iun0Mc>
Subject: Re: [IPsec] TCP and MOBIKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2018 07:56:27 -0000
Valery Smyslov writes: > Hmm, maybe. Or maybe not. Or maybe just ignore it in case of TCP? I would say that is better approach. I.e., ignore NO_NATS_ALLOWED and NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP o receiver when connection comes in with TCP. There is nothing we want to do even if detected NAT on the tcp path, we are not going to switc to switch to another port, we are not going to allow dynamic updates (as they would not work with TCP anyways), there is no point of sending keepalives on TCP etc. So on tcp just ignore those payloads. > I think that in general the co-existence of MOBIKE and TCP must be > elaborated in more detail in the draft. I agree. There are also several cases where we some of the mobike processing does not really make sense. Things like return routability checks, changing nat mappings, etc. The initial UPDATE_SA_ADDRESSES should be enough to just say that use this connection for return traffic. I do not think there is anything else for the responder to do for it. > > request. Probably we could clarify in TCP guidelines draft that the content > of NO_NATS_ALLOWED MUST be recalculated in this case? Or is it obvious? Modifying the packet after it has been sent over any transport once, is impossible, and will break things. I.e., if client send packet using UDP and it did reach the destination correctly, but return packet got lost, and then client decided to move to TCP, and resend the packet. If the packet is modified, then responder will see it as an attack, as it is using message-id that where it has already processed and responded to, but the content of the frame is not same. As the content is not same, it will not retransmit its reply, so both ends just stop and finally the connection times out. >From the RFC7296 section 2.1: A retransmission from the initiator MUST be bitwise identical to the original request. That is, everything starting from the IKE header (the IKE SA initiator's SPI onwards) must be bitwise identical; items before it (such as the IP and UDP headers) do not have to be identical. That is the reason why mobike for example does the processing so that if it needs to change address during UPDATE_SA_ADDRESSES it will not modify packet it is sending out, it will simply run the process to end, and then redo it again from the start. It needs to do if it ever used more than one address, regardless which of them succeeded. I.e., if it send UPDATE_SA_ADDRESSES using source IP1 and does not get reply, moves to IP2, does not get reply, moves back IP1, and now do get reply, it still needs to do UPDATE_SA_ADDRESSES again because it did not know which of his frames got to the other end. It could have been that first packet ever reaching responder was sent from IP2, but the reply got lost, and then when initiator resent the packet from IP1, the responder just repeated the reply generated earlier packet from IP2... -- kivinen@iki.fi
- [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE David Schinazi
- Re: [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE Tero Kivinen
- Re: [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE Tero Kivinen
- Re: [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE Tero Kivinen