Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
Eric Rescorla <ekr@rtfm.com> Thu, 27 April 2017 12:52 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E93FE1294D4 for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 05:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7sB6SAym_E-H for <ipsec@ietfa.amsl.com>; Thu, 27 Apr 2017 05:52:34 -0700 (PDT)
Received: from mail-yb0-x232.google.com (mail-yb0-x232.google.com [IPv6:2607:f8b0:4002:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 424681294FF for <ipsec@ietf.org>; Thu, 27 Apr 2017 05:52:21 -0700 (PDT)
Received: by mail-yb0-x232.google.com with SMTP id p143so7623033yba.2 for <ipsec@ietf.org>; Thu, 27 Apr 2017 05:52:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WgN4gh8UVGwVL9o99UVI04Kz+UkJWyl1mMeqf02ud2c=; b=Lc5ywob38uzyTKlWmSWzKNIXYxwzCnZoTys6lY+KI0MsDMtoNH8qazUju+HxWhL2W2 CztAfHmqrisgWWmJfaQYCv6CcvEYj15usy7KZbPsolTQvwCOo36x3bHAi9JFGshd7S9M 7Yc1TjuZwBV4S5CiJdM2S7Hb+pyhuZB7l6Udbx6ZTI3qcAaRINhInIg3H/vVPPakxGrD qNGFHL0ix0txZS9oGxQyTXMZnuRH69mR7QkK/N48PjFW5Kw05RxtdkCPQ9oOEWc/Lmj3 n8aHGn+cO7UrPO1YT28hr7S+xa8k1f01PVZ7BEJ6NUjKsUwimmiG3hvdfd0gOdHhzGlt ItJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WgN4gh8UVGwVL9o99UVI04Kz+UkJWyl1mMeqf02ud2c=; b=hZ+484U2RShTDm75j0dkofDd8m6/bW4G5mhgDSgK6fouUdYKCqyqvsGUPm7Ek1l9c5 G+lzKA0LubLvwvcIXsx6EHqJNFIYYwICgvwKaKYUFt7pGBmNKRcMHJFnb3ouHDnJMCb8 orHT/+KnD3H7D5v/12zeJ6G+sdtCAIRGL+1Nd/dF+Q4RVPx9wdQPThJFbLxgFBUJiWY3 OyFblq9DIASLUccAL/j0TI9ozZVGlJu7SE3qdSMnabkK9PiAl920C4DraY4Bq639YF47 PGYO0CbBF8QhuoyQBI5kplFedP2l68Rf+nlsMaNweR1/s1QDQzmyrFecDMvSxbyDHwxV zVeQ==
X-Gm-Message-State: AN3rC/767FuZsMKS52+wqJUiZF8sHP1RTdznCSzE5YYCfirMwzsh6mFz E0kO830m0SxowWXfR3FsK6Y2+AKbvg==
X-Received: by 10.37.174.24 with SMTP id a24mr4247154ybj.50.1493297540197; Thu, 27 Apr 2017 05:52:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.113.7 with HTTP; Thu, 27 Apr 2017 05:51:39 -0700 (PDT)
In-Reply-To: <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 27 Apr 2017 05:51:39 -0700
Message-ID: <CABcZeBMj9UpzD+CpvOMKOkUsYNSL-UQCwuYt__5XCXtH=zyesA@mail.gmail.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>
Cc: Tommy Pauly <tpauly@apple.com>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, The IESG <iesg@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary="f403045da3586daa1f054e256d59"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/TifV65-1LFF57RYD80jx9NTLY5U>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 12:52:36 -0000
On Thu, Apr 27, 2017 at 1:32 AM, Mirja Kühlewind <ietf@kuehlewind.net> wrote: > > I do see the problem you have and I understand why you selected the > solution you have but that does contradict quite a bit the idea of the port > registry and I don't think it's a safe and future prove solution. Even if > people use this approach, I'm concern to publish it in an Standards Track > RFC, but I guess that's a discussion the IESG would need to have. Mirja, I agree that this kind of port squatting is regrettable, but I also don't think it really helps to not publish RFCs that document widely used protocols because we are sad they port-squatted. I proposed a way to deal with this in an earlier e-mail. Would that be satisfactory to you. To retransmit, we add the following "Note: While port 4500 is the reserved port for this protocol, some existing implementations also use port 443. The Stream Prefix provides some mitigation against cross-protocol attacks in this case, however, the use of port 443 is NOT RECOMMENDED" We could do something similar for port 80. Would that work? -Ekr > > > Mirja > > > >> We can soften the references in the appendix to the fact that other ports >> may, in fact, be used. As for the configuration, it should state 4500 as >> the default, but allow peers to configure something else out-of-band if >> they want to modify behavior (which is standard even in UDP implementations >> of IKE). >> >> >>> Further, as also mentioned in the tsv-art review (Thanks Wes!), this >>> draft does not sufficiently handle the case of TCP in TCP encapsulation. >>> Here a copy of the tsv-art review: >>> >>> Reviewer: Wesley Eddy >>> Review result: On the Right Track >>> >>> This document is clear and well-written. It can easily be implemented >>> based on the description. >>> >>> There are a few additional issues that should be considered with >>> advice to implementers in Section 12 on performance considerations: >>> 1) Invisibility of packet loss - Inner protocols that require packet >>> losses as a signal of congestion (e.g. TCP) will have a challenge due >>> to not being able to see any packet losses since the outer TCP will >>> repair them (unless sending into a full outer TCP socket buffer shows >>> up back to the inner TCP as a packet loss?). >>> >> >> Yes, this is definitely true. We try to capture that with the line: "This >> will make loss- >> recovery of the inner TCP traffic less reactive and more prone to >> spurious retransmission timeouts." >> >> However, this can certainly be expanded upon. >> >> 2) Nesting of ECN - Inner TCP connections will not be able to use >>> effectively ECN on the portion of the path covered by the outer TCP >>> connection. >>> >> >> Generally, IPsec tunnels will apply RFC 6040 for translating ECN markings >> between inner/outer packets. Since TCP encapsulation places the inner IP >> packets in a stream, there isn't a direct mapping. >> >> An implementation could try to roughly map, but it may be best to suggest >> that the ECN markings for inner and outer packets be left separate. What is >> your opinion? >> >> 3) Impact of congestion response on aggregate - The general "TCP in >>> TCP" problem is mentioned, and is mostly appropriate for a single >>> flow. If an aggregate of flows is sharing the same outer TCP >>> connection, there may be additional concerns about how the congestion >>> response behavior impacts an aggregate of flows, since it may cause a >>> shared delay spike even to low-rate flows rather than distributing >>> losses proportional to per-flow throughput. >>> >> >> Indeed. We can add further comments to that effect. >> >> 4) Additional potential for bufferbloat - Since TCP does not bound >>> latency, some applications in the IPsec-protected aggregate could >>> drive latency of the shared connection up and impact the aggregate of >>> flows that may include real-time applications. The socket buffer for >>> the outer TCP connection might need to be limited in size to ensure >>> some bounds? >>> >> >> We can add a comment to suggest that the buffering should be limited on >> the outer connection if possible. >> >> >>> Not addressing these could lead to poor experiences in deployment, if >>> implementations make wrong assumptions or fail to consider them. >>> >> >> I do think all of these concerns go back to the overall recommendation of >> "use direct ESP or UDP Encapsulation whenever possible". Anything to help >> back up that point is great! >> >> Thanks, >> Tommy >> >>> >>> In the security considerations section, there are several RFCs on >>> mechanisms to increase robustness to RST attacks and SYN floods that >>> could be mentioned if it's worthwhile. >>> >>> >>> >>> >>> _______________________________________________ >>> IPsec mailing list >>> IPsec@ietf.org >>> https://www.ietf.org/mailman/listinfo/ipsec >>> >> >> > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] Mirja Kühlewind's Discuss on draft-ietf-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Kathleen Moriarty
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Eric Rescorla
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- [IPsec] Should draft-ietf-ipsecme-tcp-encaps-10 u… Paul Wouters
- Re: [IPsec] Should draft-ietf-ipsecme-tcp-encaps-… Tommy Pauly