IETF Logo Mail Archive

Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)

Martin Duke <martin.h.duke@gmail.com> Wed, 10 August 2022 03:52 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2BDDC14CF12; Tue, 9 Aug 2022 20:52:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bCtMvQI2Zz9c; Tue, 9 Aug 2022 20:52:09 -0700 (PDT)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB5C7C14CF0F; Tue, 9 Aug 2022 20:52:09 -0700 (PDT)
Received: by mail-qk1-x729.google.com with SMTP id c16so863612qkk.10; Tue, 09 Aug 2022 20:52:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=lFY14GuG//zuHLYb5M7qqCwLglxUwuQa1XQNeko2if4=; b=HStv0RoMx3MopYkbs6j5avEX35grT9WWlD3OOCoI1HUZR5L4/FhG8TdhHB2OopiTap vuOeSjpJBCdAI1t0YpJSDKxCgrVQx7NTv4qFkXw3kzEoBJghXsn9pIVSyCn0+VNCwhl2 HBfSJLPEvawTyVdmTqaBOv5dLbWN8oEG7+fKAJR8LtnEIkdihOPFOlK2hZQ7m8KXOKRQ ZypHjJ+plOZI+AND4Yft4VenUPncz9nPmDYwxOSe2zBD+O/dcsKQrfwqj+5K+xgAcT1w Nq3oTCM1EMVx/LovcCctVUDZg1wa7C3C3P733WQZwusdC/eM2j80Mnm61eIph4TPTBRG tzVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=lFY14GuG//zuHLYb5M7qqCwLglxUwuQa1XQNeko2if4=; b=0FEkNzVIrSPJdEI0OUTpQSy9ZfrupeY66G0GKztPBxd0kBSbvkN7FlwVnECBobolzi qTnBnIgDLhp/769n6WJ4FIZVG/0fvhDoa8VjtIaoRaq8aDpapzr9RKZRR0+Qw1sskXO9 7Lfur/bouZPmlL07cqgh6IdKt1CJL7Q2zrEqDjjqyJInC3iWeJfH8ER2rutnmBap/ndT QoksYceG4Bp5nxzseTnb0QVPIO9gxpjpoqu5plDqMIJMnXMpo6RjIcT0AOQ6Ezh6Iz/0 mn9ZsWSv0/S1RmfpG/XbG+OU0dPoX5Jz/iwZFbRkaCRtDgUVX7zFdLHSvMk9cJxB4K0X 67AQ==
X-Gm-Message-State: ACgBeo21bNeHCMbKF7v3KNzSSGWU/5g7dXmsSwbxJZUtpDITWJ+OpwSY BeOAblFpRBTXvFmeaXPOZ4kiSQ1reSlCObnG+GrNTwj3VsM=
X-Google-Smtp-Source: AA6agR7nAT5RUaPMgrbLSkq8Eo2rCp1YuS6c25aST5xBgG3uhJjmQtCLLyfh1wIg+perh5bmNx+VHbGXimKiXjLN85I=
X-Received: by 2002:a05:620a:2297:b0:6b9:c0b:5859 with SMTP id o23-20020a05620a229700b006b90c0b5859mr19367369qkh.431.1660103528753; Tue, 09 Aug 2022 20:52:08 -0700 (PDT)
MIME-Version: 1.0
References: <165973261426.54808.11128651982166539913@ietfa.amsl.com> <051401d8ab20$28b98660$7a2c9320$@elvis.ru>
In-Reply-To: <051401d8ab20$28b98660$7a2c9320$@elvis.ru>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 09 Aug 2022 20:51:56 -0700
Message-ID: <CAM4esxR182_=Y+F6MC8Kk9czUvjepAQQAAFTjNZ1nsG955Yw+Q@mail.gmail.com>
To: Valery Smyslov <svan@elvis.ru>
Cc: The IESG <iesg@ietf.org>, draft-ietf-ipsecme-rfc8229bis@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
Content-Type: multipart/alternative; boundary="0000000000001f2faa05e5daf96f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/T_EsJTusVC4CA0Xbus6cLGuvetM>
Subject: Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2022 03:52:13 -0000

On Mon, Aug 8, 2022 at 5:12 AM Valery Smyslov <svan@elvis.ru> wrote:

> >
> > (Sec 9.1)
> > "TCP-in-TCP can also lead to "TCP meltdown", where stacked instances
> >    of TCP can result in significant impacts to performance
> >    [TCP-MELTDOWN].  For the case in this document, such meltdown can
> >    occur when the window size of the outer TCP connection is smaller
> >    than the window sizes of the inner TCP connections.  The resulting
> >    interactions can lead to packets backing up in the outer TCP
> >    connection's send buffers.  In order to limit this effect, the outer
> >    TCP connection should have limits on its send buffer size and on the
> >    rate at which it reduces its window size."
> >
> > Which "window" are you referring to? Receive window, congestion window,
> > or the
> > send buffer? My reading of [TCP-MELTDOWN] is that the tunnel ingress
> > should set
> > its send buffer size to the BDP of the tunnel, which is easier said than
> done.
> > It appears you are using "window" and "send buffer" interchangeably here
> in a
> > way that is confusing.
>
> This text was suggested by Joe Touch (
> https://mailarchive.ietf.org/arch/msg/ipsec/eD85hixrzfqwg4UhwRZ8WL5PkDA/)
> If you think it is unclear, can you please suggest how it can be improved?
>

OK, I'll start a separate thread with Joe and you.


>
> > (9.5)
> > Implementations SHOULD follow the ECN compatibility mode for tunnel
> >    ingress as described in [RFC6040].  In compatibility mode, the outer
> >    tunnel TCP connection marks its packet headers as not ECN-capable.
> >    If upon egress, the arriving outer header is marked with CE, the
> >    implementation will drop the inner packet, since there is not a
> >    distinct inner packet header onto which to translate the ECN
> >    markings.
> >
> > This is not an accurate summary of compatibility mode. In compatibility
> mode,
> > the outer packet is marked Not-ECT, which means it will not be marked
> CE. In
> > normal mode, the outer packet is marked as the inner, and this might
> result in
> > an outer CE marking.
>
> Can you please, clarify why the description is inaccurate?
>
> According to RFC 6040 in compatibility mode outer packet are marked as not
> ECN-capable
> (Not-ECT). On the other hand, since using compatibility mode is SHOULD here
> and currently it is assumed that IPsec tunnels are used with normal mode
> (RFC 4301, RFC 6040), then some
> additional guidelines are given what to do if peer still uses normal mode.
>
> Am I missing something?
>

I think my confusion here was that I read the second sentence ("If upon
egress...") as also describing RFC6040,
which I see now it does not. My apologies; perhaps splitting it into two
paragraphs would help. However, the need
for this text is related to difficulty mapping outer to inner; see also
below.


> > It's a shame that there is no attempt to figure out a mapping between
> inner
> > and
> > outer that would make normal mode work, as this reviewer is optimistic
> that
> > ECN
> > marks will become increasingly important. But regardless, this section
> should
> > be clear and make correct statements.
>
> I'm not sure this is generally possible given that one outer TCP tunnel
> can include many inner TCP tunnels, so you have to decide which
> of them to inform. The things get worse if AggFrag mechanism
> is in use (draft-ietf-ipsecme-iptfs-13, in IESG evaluation).
>

This isn't a DISCUSS, so you can choose to ignore this advice or not.
However, my concern is that IPSec is going to miss
out on the low-latency services operators are now enabling through ECN.

If it were me I would design it this way:

1) Encapsulators SHOULD NOT mix ECT(0), Not-ECT, and ECT(1) inner packets
in the same outer packet.
2) If they do, the outer packet MUST be marked Not-ECT.
3) If all packets are marked CE, mark the outer packet CE.
4) If CE packets are mixed with "something else", mark it "something else".
5) Decapsulators follow Figure 4 in RFC6040, except they SHOULD NOT log an
event or raise an alarm when
the outer packet is ECT(1) and one of the inner packets is CE.

Per 3168, if an inner packet is fragmented, any CE applied to a fragment is
applied to the reassembled packet.


>
> > (Appendix A) Why not provide an in-band way to determine TLS support?
> > There
> > could be another port number, or different magic bytes to indicate that
> TLS
> > handshake messages follow.
>
> Actually, with this draft in-band switching to TLS is really a downgrade,
> rather than an upgrade (surprise?).
> The reason is that actual protection of the traffic is provided by IPsec
> and both TCP and TLS
> are only used as transport mechanisms that allow IPsec to work in
> environments where it cannot
> be used otherwise. And TLS is worse, since it requires more resources and
> has bigger overhead.
> So, once you get through using plain TCP there is no sense to switch to
> TLS.
>

Thanks for the info. It might be good to explicitly state this in Appendix
A, but feel free to ignore that suggestion.


>
> Regards,
> Valery.
>
>
>

v2.23.0 | Report a Bug | By Email