Re: [IPsec] IPTFS and transport mode.
Christian Hopps <chopps@chopps.org> Sun, 03 May 2020 21:39 UTC
Return-Path: <chopps@chopps.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 304573A0A7D for <ipsec@ietfa.amsl.com>; Sun, 3 May 2020 14:39:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M3snrwQIOTdB for <ipsec@ietfa.amsl.com>; Sun, 3 May 2020 14:39:23 -0700 (PDT)
Received: from smtp.chopps.org (smtp.chopps.org [54.88.81.56]) by ietfa.amsl.com (Postfix) with ESMTP id 10D1E3A0A73 for <ipsec@ietf.org>; Sun, 3 May 2020 14:39:22 -0700 (PDT)
Received: from stubbs.int.chopps.org (047-050-069-038.biz.spectrum.com [47.50.69.38]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by smtp.chopps.org (Postfix) with ESMTPSA id 62533610CF; Sun, 3 May 2020 21:39:22 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Christian Hopps <chopps@chopps.org>
In-Reply-To: <7081.1588525696@localhost>
Date: Sun, 03 May 2020 17:39:21 -0400
Cc: Christian Hopps <chopps@chopps.org>, ipsec@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <91FC4B2D-4190-45A5-B681-705365658999@chopps.org>
References: <sa6sggh8a9d.fsf@chopps.org> <7081.1588525696@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/USdJ5rpi00NlK64TmUjZpxZ5xDI>
Subject: Re: [IPsec] IPTFS and transport mode.
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2020 21:39:25 -0000
> On May 3, 2020, at 1:08 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > > Christian Hopps <chopps@chopps.org> wrote: >> non-TFS tunnel mode as the IP header was leaking user information so it >> hadn't been a consideration for us; however, it was later pointed out >> (by Paul W. I believe), that transport mode is (unfortunately?) >> commonly used with GRE tunnels in lieu of IPsec tunnel mode so we >> probably still needed to handle this case. > > If there will be changes to the GRE/IPsec mode, then maybe BEET mode could be > considered rather than transport mode. BEET mode looks like transport mode > on the wire, but is treated virtually like tunnel mode. This is essentially > what you describe: > >> For the common case of GRE/tunnel (which is the main justification for >> use of transport mode IMO), the GRE header information should be >> stable, and relatively easy to cache/consolidate for >> regeneration/aggregation. Handling only this case is relatively easy, >> We should be able to use the last received header information to >> generate new headers for empty packets, likewise aggregating headers >> should also work as each IP header should be the same. > > You have described essentially BEET mode :-) > It is described in RFC7402. > >> We believe that there's enough complexity in the handling and >> specification of TFS for transport mode that we should address this >> mode in a separate draft. This will allow us to get the less complex >> TFS tunnel mode specified while we continue to work on the various >> aspects of how best to handle TFS transport mode. > > I am not convinced that you really want to handle the generic transport mode > case. I think that you want to handle the GRE case specifically. > I'm unclear if your above description is a hack to make GRE/tunnel fit into > your current situation, or if you are describing a new situation that would > handle in a new draft. The primary thing I'm suggesting here is that we define TFS transport mode in a separate draft. Whether we support generic transport or only a subset of transport configurations (e.g., tunnels) or both, the reasons we make whatever choices we make, and the mechanisms for how to implement TFS with whatever is chosen, is what this new draft would cover. I see this building on top of the TFS tunnel mode draft. The rest of what I put above was really just ideas for what would go in that new draft. My thinking that if we wanted to support a subset of transport mode configurations (e.g., for use with GRE, SRv6, IP-IP, etc) we could specify that by defining a set of restrictions on the user IP headers. I'm not sure if that's what you mean is a hack or not, but I figured if we define it by the restrictions rather than specifically only for GRE it's more broadly useful for little extra cost. In any case the discussion of this and definition is what I think would go well in the context of it's own draft. Thanks, Chris. > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] IPTFS and transport mode. Christian Hopps
- Re: [IPsec] IPTFS and transport mode. Michael Richardson
- Re: [IPsec] IPTFS and transport mode. Christian Hopps
- Re: [IPsec] IPTFS and transport mode. Paul Wouters
- Re: [IPsec] IPTFS and transport mode. Michael Richardson
- Re: [IPsec] IPTFS and transport mode. Valery Smyslov