IETF Logo Mail Archive

Re: [IPsec] Comments to draft-ietf-ipsecme-ike-tcp-00.txt

Tero Kivinen <kivinen@iki.fi> Sun, 04 November 2012 20:25 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 134E121F885B for <ipsec@ietfa.amsl.com>; Sun, 4 Nov 2012 12:25:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AA5EAY9BjEbi for <ipsec@ietfa.amsl.com>; Sun, 4 Nov 2012 12:25:03 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 264D621F8805 for <ipsec@ietf.org>; Sun, 4 Nov 2012 12:25:02 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id qA4KP00c013293 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 4 Nov 2012 22:25:00 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id qA4KP0eb028681; Sun, 4 Nov 2012 22:25:00 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20630.53020.522052.651631@fireball.kivinen.iki.fi>
Date: Sun, 04 Nov 2012 22:25:00 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Michael Richardson <mcr+ietf@sandelman.ca>
In-Reply-To: <25304.1352050845@sandelman.ca>
References: <20629.51761.388715.484632@fireball.kivinen.iki.fi> <25304.1352050845@sandelman.ca>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 6 min
X-Total-Time: 6 min
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Comments to draft-ietf-ipsecme-ike-tcp-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2012 20:25:04 -0000

Michael Richardson writes:
> Tero Kivinen <kivinen@iki.fi> wrote:
>     TK> In addition to the IKE_AUTH there is another big class of UPD
>     TK> packets which can be large, and which might get fragmented, i.e
>     TK> udp encapsulated nat traversal IPsec UDP packets. If the
> 
> I don't think you are suggesting any specific technical change to
> support this.  I think that you are saying that we need to be more clear
> that we aren't proposing anything here.  And that if TCP gets used for
> the AUTH payload, that might be a clue to the IPsec layer that it should
> do:

No, I was just pointing out that IKE_AUTH is not the only packet which
can be big packets, and UDP encapsulated packets might also have
problems bypassing the NATs dropping all fragments. 

>     TK> For tunnel mode IPsec traffic, the gateway can fragment inner
>     TK> packets before wrapping them to ESP, so the outer ESP packets
>     TK> visible to nat box are not fragmented.
> 
> which the gateway machine might not otherwise do. But, this can't be
> done for IPv6.
> (There isn't really any significant downside to doing this.  If
> anything, this moves the memory expense of fragment reassembly from
> gateways to end nodes.)

On the other hand I am not sure NAT boxes do drop IPv6 fragments...
IPv6 and NAT are not used that often together.

>     TK> which means we cannot modify the NAT_DETECTION_*_IP payloads
>     TK> when switching from UPD to TCP. This might cause NAT to be
>     TK> detected even when there is none there (i.e. the UDP source port
>     TK> is 500, but TCP source port is most likely going to be random).
> 
> The document does not tell us if we have to originate from port-500.
> I don't think that we can.

I think it says for TCP we use random port, but for UDP the IKEv2
RFC5996 says you use port 500 (but must allow source port to be other
than 500). With TCP there is problems if we try to use source and dest
port of 500 for all requests, as there might still be old connections
waiting for cleanup in the system when we start next one.

>     TK> Also I think this document should tell the justifications why
>     TK> the TCP session is not kept alive all the time, but only created
>     TK> for sending one packet and then immediately teared down. I
>     TK> assume the idea there is that open TCP session actually requires
>     TK> quite a lot of resources from the SGW, i.e. maintaining the send
>     TK> and receive windows requires tens of kilobytes of memory. Of
>     TK> course the downside of such short TCP sessions is that sending
>     TK> one exchange over TCP now requires 2 round trips of delay, and
>     TK> most likely around 10 packets, compared to the 1 round trip and
>     TK> 2 packets.  
> 
> Yes.  I think that the congestion window argument is probably not
> relevant. I don't think the congestion window will open much even if the
> first round trip goes through.   

In most systems just opening the TCP session will reserve 32 kB
buffers for sending and receiving immediately when you open tcp
connection. Earlier that was one of the parameters you needed to tune
down for web servers if you wanted to support lots of clients.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email