Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
Tero Kivinen <kivinen@iki.fi> Thu, 15 October 2020 20:06 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67C593A133F for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:06:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.313
X-Spam-Level:
X-Spam-Status: No, score=-2.313 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.213, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OkY-ISTRcsTx for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:06:54 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD1063A1125 for <ipsec@ietf.org>; Thu, 15 Oct 2020 13:06:53 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id B1ACA20305; Thu, 15 Oct 2020 23:06:50 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1602792410; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UDuBzqsw8Jv9UwJdxqTtAu26YgaLDrLdcc8XwJvFIkc=; b=PFAp51BxjhQyly4Eoy5TaR/3Zk/aU2z0HvdtCUaKQOFxdVYlEIkTVN2VV0QSzL9VmXiTQd Uq/bRPHX/hUy1EJqXWk81zDBEve39VAYZUA43MYPAb47mZBOKyxtlCXBaisPyTShOmJMH4 0CAqYggvyYhoeQAarKaN0wcPq6wY3OY=
Received: by fireball.acr.fi (Postfix, from userid 15204) id B4ABE25C0E1C; Thu, 15 Oct 2020 23:06:47 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24456.43991.701332.956314@fireball.acr.fi>
Date: Thu, 15 Oct 2020 23:06:47 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Christian Hopps <chopps@chopps.org>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, Lou Berger <lberger@labn.net>, ipsec@ietf.org
In-Reply-To: <DFDCAC27-5099-4D5A-AEDA-C81A8C167002@chopps.org>
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <24453.58544.114398.668064@fireball.acr.fi> <0b080379-48c0-b4ac-c213-f8cdfefc514a@labn.net> <24454.5506.450515.501200@fireball.acr.fi> <001701d6a1f7$76981240$63c836c0$@gmail.com> <24454.51962.50262.36523@fireball.acr.fi> <DFDCAC27-5099-4D5A-AEDA-C81A8C167002@chopps.org>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 37 min
X-Total-Time: 63 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1602792410; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UDuBzqsw8Jv9UwJdxqTtAu26YgaLDrLdcc8XwJvFIkc=; b=DVdYVqDIQjiyyhPCasYC6zS3HUmtCtU2E+YyjHYpn8+YIm6BwGY/Bpqdn35P95sHXKiM9L 8cuLCYOf7lAO5M9Iag3FjQwCpKg3agL/M3RdhG+XJAj4OFC38uTqnsSEcdWSKI9ZIPVy3s p+cKN6/Xyr8TWqRbYF/S3ASUv/xXtC8=
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1602792410; a=rsa-sha256; cv=none; b=KZd64p1wNmMReI20O0GYz3m/LIMk7/jizbLBJ3xTdedUmOf5Q8mYfFA4R4/Or8NDGlZJEU 1jCSMyyuwXU66XPZDznn/hwN6kxBK601rhCv2rN/86AEQfGoPvhDb2yyqttZn0may5NLoq llGwonCeWJhhBBiga/aPJf3gvaAThgM=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/WniLNo8WPviOQgHD1_qZuekA-_c>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 20:06:57 -0000
Christian Hopps writes: > I really don't understand the extreme back pressure against using > ESP the way it was designed. The next-header field is supposed to > identify the payload, it does so for every other payload ESP > carries. Any other solution to somehow infer the payload type some > other way *has* to be seen as a hack. Why do we need a hack? Because the next-header field identifies the protocol DEFINED ELSEWHERE that ESP moves around. If we want to make modifications to the TCP protocol, and want to allocate new Protocol Number for it, we do not that in IPsecME WG even when that new version of TCP could be transmitted over IPsec also. When ESPv3 (RFC4303) added new features like support for combined mode algorithms we did not allocate new protocol number for that. We decided that we use IKE to identify whether Child SA negotiates anything that requires ESPv3, and if so then ESPv3 packet format is used, otherwise ESPv2 (RFC2406) is used. So the basic idea is that IPsec and ESP is transporting protocols defined elsewhere. That does not mean that content of the ESP protocol can't change, we "own" the ESP format, so we can change it in any ways we seem needed, and we can negotiate things using IKE to specify the format specific Child SA is using. Now if you are trying to define completely new protocol for generic IP use, and because it can also be used in the IPsec, you want to standarize that in the IPsecME WG, I do not think that belongs to the IPsecME charter. If this protocol is really going to be general use encapsulation protocol then it needs to be specified somewhere else (most likely in different Area than security). If this is not general use, but just optimization where we can put multiple IP packets inside one ESP packet to provide traffic flow security, then we can negotiate that in IKE, and we do not need extra protocol number for it, and we can do it here. I am still unclear which one of those protocols you are trying to define? > The fact that using a payload identifier the way ESP intended also > allows us to do things like handle receipt of said payload without > extra configuration, or use the payload outside of ESP are just > benefits from good design, they aren't indicative of doing something > incorrectly, the opposite in fact. They also shouldn't even be > needed to justify using ESP the way it was designed to be used. So then this belongs to different area, as it does not have any real connection to IPsec, it just one of the protocols we can encapsulate in ESP. Also now when I actually checked you draft, I noticed that it has some congestion control things in it too, and that is something that do require very careful checking by other areas. > This is all very strange to me, this want to not use the next-header > field to, you know, identify the next header. As I said that is fine by me if it is protocol defined outside the IPsecME. I just do not think it belongs to the IPsecME to define new internet protocol encapsulating multiple IP packets in, and fragmenting them, and doing congestion control on them. Our main charter says: Its purpose is to maintain the IPsec standard and to facilitate discussion of clarifications, improvements, and extensions to IPsec, mostly to ESP and IKEv2. meaning we work for ESP and IKEv2, not for making new generic IP protocols. Also the TFC section of charter says: The demand for Traffic Flow Confidentiality has been increasing in the user community, but the current method defined in RFC4303 (adding null padding to each ESP payload) is very inefficient in its use of network resources. The working group will develop an alternative TFC solution that uses network resources more efficiently. Which I did understood that we still work by modifying the ESP protocol and that we do not define new generic protocols for encapsulating IP packets and transport that inside ESP (which would not need any changes to the ESP or IKE, as we already have a way of negotiating the traffic selectors for any IP protocol we want to tranport inside ESP). Of course there would be some security implications for such protocol as you would need to specify exit tunnel checks for those packets coming out from the new protocol, which is why I think it is better done by modifying ESP. -- kivinen@iki.fi
- [IPsec] I-D Action: draft-ietf-ipsecme-iptfs-02.t… internet-drafts
- [IPsec] Update and WGLC request [Re: I-D Action: … Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Michael Richardson
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Paul Wouters
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger