Re: [IPsec] Labeled IPsec options
"Valery Smyslov" <smyslov.ietf@gmail.com> Fri, 13 December 2019 14:25 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50AE7120131 for <ipsec@ietfa.amsl.com>; Fri, 13 Dec 2019 06:25:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dfnK8NUcyLni for <ipsec@ietfa.amsl.com>; Fri, 13 Dec 2019 06:25:18 -0800 (PST)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EA5812011D for <ipsec@ietf.org>; Fri, 13 Dec 2019 06:25:18 -0800 (PST)
Received: by mail-lj1-x231.google.com with SMTP id 21so2880117ljr.0 for <ipsec@ietf.org>; Fri, 13 Dec 2019 06:25:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=Iddu3kimKnVt0P6uwRRgvE4IRmfM2+WUUBPfSfMxzeA=; b=B/J0SWWxNtsCcWGyszTGK7ZrZKwmZdk7W91HW3UtTGJK1uWmKgBKkltkM6D5X9DFHz 62A0NJJ3tlFLVWSFbWHLxsAcaa9LsLECGPA79T02hRGzw1+dMhvnpI4Qk/tc1l623tKs Rhi87YBCzVvUwGiJc6kVBAuYFL1g9O2laN1UifDnCj9+ZnhHQN6BLRU7FwVEUdtP76Wg WAihF3STVIDriWPOzk08xIHTuy3MLDkGj15iTa73ZLly54eAyb5S/jk0YJ/HIYi7aCSq MnAmW7bC945FC6K28LY9WFgECjr3FrK1OxGsdhkCvj6n3k2GCx1h0YlllCRLWhJdBJ36 IYfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=Iddu3kimKnVt0P6uwRRgvE4IRmfM2+WUUBPfSfMxzeA=; b=V6h8oWRUCtoRceCISav5OWPFmhJCc4GwyNtsQMJgmrI1vWncSqVpDVECOXgHRW8TxS PXnGVDq3WffGLstU38/nghZyXcN50dklBoF5AUKRKmLVPp2mg/53BLGZML/5D9yxVX+p 4TCG264EtWHxF9PWtPS65n0Q03AHjJ8mPBqTsfFu0EYq7T1q0prfRGoiq7BzB23D4xjy 7nXLB/OX08qlREf4EeuGQUhPYyzZC9Quw546BOGRtpAJBNOXE2f6iqN2vL9oBRnH/e84 I4Bz9fpXUufZ/uhhiHmrd4vwJ2Pj+T5qkysb0r/DNaGbcE/ViFSZ4OAXml/FAKTnqfOH JEOg==
X-Gm-Message-State: APjAAAXiBkicSyUdsG02o8I0WFa5Ru3EBJsy5FQygfho7KpXA9JjNVe8 oqao3mUYjHNDGSEDV3U43ucCMtSQ
X-Google-Smtp-Source: APXvYqzz5QtGDt8Zsr+Jz+1/Apa7K9UiV0crsvjZwVZHxvvRlKkDQcwJb9CZQCXE20N+i2qd2ogTng==
X-Received: by 2002:a2e:b045:: with SMTP id d5mr9874146ljl.184.1576247116170; Fri, 13 Dec 2019 06:25:16 -0800 (PST)
Received: from svannotebook ([185.48.36.95]) by smtp.gmail.com with ESMTPSA id g14sm4928711ljj.37.2019.12.13.06.25.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 13 Dec 2019 06:25:15 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>
Cc: ipsec@ietf.org, 'Sahana Prasad' <sahana@redhat.com>
References: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca> <01f501d5b0b2$facb4370$f061ca50$@gmail.com> <alpine.LRH.2.21.1912121606130.22484@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1912121606130.22484@bofh.nohats.ca>
Date: Fri, 13 Dec 2019 17:25:14 +0300
Message-ID: <046001d5b1c1$232c7be0$698573a0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLx+ZsZ28gCWkLjxf5xPWFraxjS5AGiqmCDAKLVkHulbV650A==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Ugcs9dgsvU_2D77L-ExmxB4lCCI>
Subject: Re: [IPsec] Labeled IPsec options
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Dec 2019 14:25:20 -0000
Hi Paul, > > I don't think option 4 is a good idea. If old responder encounters an > > unknown payload with Critical bit set in IKE_AUTH, it will return back > > UNSUPPORTED_CRITICAL_PAYLOAD and IKE SA won't be set up. > > See section 2.21.2 of RFC7296. This would require initiator to retry > > from IKE_SA_INIT, doubling the work. Or it can create childless IKE SA > > and then try CREATE_CHILD_SA - not an optimal solution too. > > I don't think that matters. Security labels are never optional but always > mandatory. And it seems very unlikely to have a mix of child sa's with and > without label. So they will all have a label, and then failing the IKE SA is fine, Do you want to say, that it's impossible to have two SGWs with multiple networks behind them so, that traffic from some networks will have security labels and traffic from the others won't have? If such a configuration is possible, then it's perfectly OK to have a mix of labelled and non-labelled IPsec SAs created by one IKE SA. Regards, Valery. > since no single child sa will be able to be setup anyway. It's better than the > responder setting up an SA that needs to be torn down by the initiator sending > a delete. > > > Option 1 looks like the clearest from pure theoretical point of view, > > however I agree that it could lead to TS types explosion in future. > > > > Option 3 looks like a compromise from practical point of view. > > You can solve the problem of imperfect error handling by adding a new > > SECLABES_SUPPORTED notification, that must be exchanged in > > IKE_SA_INIT. If both peers support seclabels, then > > But you really mean SECLABEL_REQUIRED? The "supported" > keyword here is misleading. The problem of doing this in IKE_SA_INIT is that it > could result in a spoofed answers omiting the payload? > > > the responder must not ignore seclabel notifications in IKE_AUTH and > > CREATE_CHILD_SA. The drawback is that we need one more notification > > and it must be exchanged in IKE_SA_INIT, increasing its message size. > > Not a big deal. > > So I'm not sure I trust this design. > > Paul
- [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Tero Kivinen
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Russ Housley
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Tero Kivinen
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters