IETF Logo Mail Archive

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

Eric Rescorla <ekr@rtfm.com> Thu, 27 April 2017 12:52 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E93FE1294D4 for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 05:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7sB6SAym_E-H for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 05:52:34 -0700 (PDT)
Received: from mail-yb0-x232.google.com (mail-yb0-x232.google.com [IPv6:2607:f8b0:4002:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 424681294FF for <ipsec@ietf.org>; Thu, 27 Apr 2017 05:52:21 -0700 (PDT)
Received: by mail-yb0-x232.google.com with SMTP id p143so7623033yba.2 for <ipsec@ietf.org>; Thu, 27 Apr 2017 05:52:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WgN4gh8UVGwVL9o99UVI04Kz+UkJWyl1mMeqf02ud2c=; b=Lc5ywob38uzyTKlWmSWzKNIXYxwzCnZoTys6lY+KI0MsDMtoNH8qazUju+HxWhL2W2 CztAfHmqrisgWWmJfaQYCv6CcvEYj15usy7KZbPsolTQvwCOo36x3bHAi9JFGshd7S9M 7Yc1TjuZwBV4S5CiJdM2S7Hb+pyhuZB7l6Udbx6ZTI3qcAaRINhInIg3H/vVPPakxGrD qNGFHL0ix0txZS9oGxQyTXMZnuRH69mR7QkK/N48PjFW5Kw05RxtdkCPQ9oOEWc/Lmj3 n8aHGn+cO7UrPO1YT28hr7S+xa8k1f01PVZ7BEJ6NUjKsUwimmiG3hvdfd0gOdHhzGlt ItJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WgN4gh8UVGwVL9o99UVI04Kz+UkJWyl1mMeqf02ud2c=; b=hZ+484U2RShTDm75j0dkofDd8m6/bW4G5mhgDSgK6fouUdYKCqyqvsGUPm7Ek1l9c5 G+lzKA0LubLvwvcIXsx6EHqJNFIYYwICgvwKaKYUFt7pGBmNKRcMHJFnb3ouHDnJMCb8 orHT/+KnD3H7D5v/12zeJ6G+sdtCAIRGL+1Nd/dF+Q4RVPx9wdQPThJFbLxgFBUJiWY3 OyFblq9DIASLUccAL/j0TI9ozZVGlJu7SE3qdSMnabkK9PiAl920C4DraY4Bq639YF47 PGYO0CbBF8QhuoyQBI5kplFedP2l68Rf+nlsMaNweR1/s1QDQzmyrFecDMvSxbyDHwxV zVeQ==
X-Gm-Message-State: AN3rC/767FuZsMKS52+wqJUiZF8sHP1RTdznCSzE5YYCfirMwzsh6mFz E0kO830m0SxowWXfR3FsK6Y2+AKbvg==
X-Received: by 10.37.174.24 with SMTP id a24mr4247154ybj.50.1493297540197; Thu, 27 Apr 2017 05:52:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.113.7 with HTTP; Thu, 27 Apr 2017 05:51:39 -0700 (PDT)
In-Reply-To: <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 27 Apr 2017 05:51:39 -0700
Message-ID: <CABcZeBMj9UpzD+CpvOMKOkUsYNSL-UQCwuYt__5XCXtH=zyesA@mail.gmail.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>
Cc: Tommy Pauly <tpauly@apple.com>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, The IESG <iesg@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary="f403045da3586daa1f054e256d59"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/TifV65-1LFF57RYD80jx9NTLY5U>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 12:52:36 -0000

On Thu, Apr 27, 2017 at 1:32 AM, Mirja Kühlewind <ietf@kuehlewind.net>
wrote:
>
> I do see the problem you have and I understand why you selected the
> solution you have but that does contradict quite a bit the idea of the port
> registry and I don't think it's a safe and future prove solution. Even if
> people use this approach, I'm concern to publish it in an Standards Track
> RFC, but I guess that's a discussion the IESG would need to have.


Mirja,

I agree that this kind of port squatting is regrettable, but I also don't
think it really
helps to not publish RFCs that document widely used protocols because we
are sad they port-squatted.

I proposed a way to deal with this in an earlier e-mail. Would that be
satisfactory
to you. To retransmit, we add the following

"Note: While port 4500 is the reserved port for this protocol, some
existing implementations
also use port 443. The Stream Prefix provides some mitigation against
cross-protocol
attacks in this case, however, the use of port 443 is NOT RECOMMENDED"

We could do something similar for port 80.

Would that work?

-Ekr


>
>
> Mirja
>
>
>
>> We can soften the references in the appendix to the fact that other ports
>> may, in fact, be used. As for the configuration, it should state 4500 as
>> the default, but allow peers to configure something else out-of-band if
>> they want to modify behavior (which is standard even in UDP implementations
>> of IKE).
>>
>>
>>> Further, as also mentioned in the tsv-art review (Thanks Wes!), this
>>> draft does not sufficiently handle the case of TCP in TCP encapsulation.
>>> Here a copy of the tsv-art review:
>>>
>>> Reviewer: Wesley Eddy
>>> Review result: On the Right Track
>>>
>>> This document is clear and well-written.  It can easily be implemented
>>> based on the description.
>>>
>>> There are a few additional issues that should be considered with
>>> advice to implementers in Section 12 on performance considerations:
>>> 1) Invisibility of packet loss - Inner protocols that require packet
>>> losses as a signal of congestion (e.g. TCP) will have a challenge due
>>> to not being able to see any packet losses since the outer TCP will
>>> repair them (unless sending into a full outer TCP socket buffer shows
>>> up back to the inner TCP as a packet loss?).
>>>
>>
>> Yes, this is definitely true. We try to capture that with the line: "This
>> will make loss-
>>    recovery of the inner TCP traffic less reactive and more prone to
>>    spurious retransmission timeouts."
>>
>> However, this can certainly be expanded upon.
>>
>> 2) Nesting of ECN -  Inner TCP connections will not be able to use
>>> effectively ECN on the portion of the path covered by the outer TCP
>>> connection.
>>>
>>
>> Generally, IPsec tunnels will apply RFC 6040 for translating ECN markings
>> between inner/outer packets. Since TCP encapsulation places the inner IP
>> packets in a stream, there isn't a direct mapping.
>>
>> An implementation could try to roughly map, but it may be best to suggest
>> that the ECN markings for inner and outer packets be left separate. What is
>> your opinion?
>>
>> 3) Impact of congestion response on aggregate - The general "TCP in
>>> TCP" problem is mentioned, and is mostly appropriate for a single
>>> flow.  If an aggregate of flows is sharing the same outer TCP
>>> connection, there may be additional concerns about how the congestion
>>> response behavior impacts an aggregate of flows, since it may cause a
>>> shared delay spike even to low-rate flows rather than distributing
>>> losses proportional to per-flow throughput.
>>>
>>
>> Indeed. We can add further comments to that effect.
>>
>> 4) Additional potential for bufferbloat - Since TCP does not bound
>>> latency, some applications in the IPsec-protected aggregate could
>>> drive latency of the shared connection up and impact the aggregate of
>>> flows that may include real-time applications.  The socket buffer for
>>> the outer TCP connection might need to be limited in size to ensure
>>> some bounds?
>>>
>>
>> We can add a comment to suggest that the buffering should be limited on
>> the outer connection if possible.
>>
>>
>>> Not addressing these could lead to poor experiences in deployment, if
>>> implementations make wrong assumptions or fail to consider them.
>>>
>>
>> I do think all of these concerns go back to the overall recommendation of
>> "use direct ESP or UDP Encapsulation whenever possible". Anything to help
>> back up that point is great!
>>
>> Thanks,
>> Tommy
>>
>>>
>>> In the security considerations section, there are several RFCs on
>>> mechanisms to increase robustness to RST attacks and SYN floods that
>>> could be mentioned if it's worthwhile.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>>>
>>
>>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email