IETF Logo Mail Archive

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

Tero Kivinen <kivinen@iki.fi> Thu, 15 October 2020 20:06 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67C593A133F for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:06:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.313
X-Spam-Level:
X-Spam-Status: No, score=-2.313 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.213, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OkY-ISTRcsTx for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:06:54 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD1063A1125 for <ipsec@ietf.org>; Thu, 15 Oct 2020 13:06:53 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id B1ACA20305; Thu, 15 Oct 2020 23:06:50 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1602792410; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UDuBzqsw8Jv9UwJdxqTtAu26YgaLDrLdcc8XwJvFIkc=; b=PFAp51BxjhQyly4Eoy5TaR/3Zk/aU2z0HvdtCUaKQOFxdVYlEIkTVN2VV0QSzL9VmXiTQd Uq/bRPHX/hUy1EJqXWk81zDBEve39VAYZUA43MYPAb47mZBOKyxtlCXBaisPyTShOmJMH4 0CAqYggvyYhoeQAarKaN0wcPq6wY3OY=
Received: by fireball.acr.fi (Postfix, from userid 15204) id B4ABE25C0E1C; Thu, 15 Oct 2020 23:06:47 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24456.43991.701332.956314@fireball.acr.fi>
Date: Thu, 15 Oct 2020 23:06:47 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Christian Hopps <chopps@chopps.org>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, Lou Berger <lberger@labn.net>, ipsec@ietf.org
In-Reply-To: <DFDCAC27-5099-4D5A-AEDA-C81A8C167002@chopps.org>
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <24453.58544.114398.668064@fireball.acr.fi> <0b080379-48c0-b4ac-c213-f8cdfefc514a@labn.net> <24454.5506.450515.501200@fireball.acr.fi> <001701d6a1f7$76981240$63c836c0$@gmail.com> <24454.51962.50262.36523@fireball.acr.fi> <DFDCAC27-5099-4D5A-AEDA-C81A8C167002@chopps.org>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 37 min
X-Total-Time: 63 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1602792410; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UDuBzqsw8Jv9UwJdxqTtAu26YgaLDrLdcc8XwJvFIkc=; b=DVdYVqDIQjiyyhPCasYC6zS3HUmtCtU2E+YyjHYpn8+YIm6BwGY/Bpqdn35P95sHXKiM9L 8cuLCYOf7lAO5M9Iag3FjQwCpKg3agL/M3RdhG+XJAj4OFC38uTqnsSEcdWSKI9ZIPVy3s p+cKN6/Xyr8TWqRbYF/S3ASUv/xXtC8=
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1602792410; a=rsa-sha256; cv=none; b=KZd64p1wNmMReI20O0GYz3m/LIMk7/jizbLBJ3xTdedUmOf5Q8mYfFA4R4/Or8NDGlZJEU 1jCSMyyuwXU66XPZDznn/hwN6kxBK601rhCv2rN/86AEQfGoPvhDb2yyqttZn0may5NLoq llGwonCeWJhhBBiga/aPJf3gvaAThgM=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/WniLNo8WPviOQgHD1_qZuekA-_c>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 20:06:57 -0000

Christian Hopps writes:
> I really don't understand the extreme back pressure against using
> ESP the way it was designed. The next-header field is supposed to
> identify the payload, it does so for every other payload ESP
> carries. Any other solution to somehow infer the payload type some
> other way *has* to be seen as a hack. Why do we need a hack?

Because the next-header field identifies the protocol DEFINED
ELSEWHERE that ESP moves around.

If we want to make modifications to the TCP protocol, and want to
allocate new Protocol Number for it, we do not that in IPsecME WG even
when that new version of TCP could be transmitted over IPsec also.

When ESPv3 (RFC4303) added new features like support for combined mode
algorithms we did not allocate new protocol number for that. We
decided that we use IKE to identify whether Child SA negotiates
anything that requires ESPv3, and if so then ESPv3 packet format is
used, otherwise ESPv2 (RFC2406) is used.

So the basic idea is that IPsec and ESP is transporting protocols
defined elsewhere. That does not mean that content of the ESP protocol
can't change, we "own" the ESP format, so we can change it in any ways
we seem needed, and we can negotiate things using IKE to specify the
format specific Child SA is using. 

Now if you are trying to define completely new protocol for generic IP
use, and because it can also be used in the IPsec, you want to
standarize that in the IPsecME WG, I do not think that belongs to the
IPsecME charter. If this protocol is really going to be general use
encapsulation protocol then it needs to be specified somewhere else
(most likely in different Area than security).

If this is not general use, but just optimization where we can put
multiple IP packets inside one ESP packet to provide traffic flow
security, then we can negotiate that in IKE, and we do not need extra
protocol number for it, and we can do it here.

I am still unclear which one of those protocols you are trying to
define? 

> The fact that using a payload identifier the way ESP intended also
> allows us to do things like handle receipt of said payload without
> extra configuration, or use the payload outside of ESP are just
> benefits from good design, they aren't indicative of doing something
> incorrectly, the opposite in fact. They also shouldn't even be
> needed to justify using ESP the way it was designed to be used.

So then this belongs to different area, as it does not have any real
connection to IPsec, it just one of the protocols we can encapsulate
in ESP.

Also now when I actually checked you draft, I noticed that it has some
congestion control things in it too, and that is something that do
require very careful checking by other areas. 

> This is all very strange to me, this want to not use the next-header
> field to, you know, identify the next header.

As I said that is fine by me if it is protocol defined outside the
IPsecME. I just do not think it belongs to the IPsecME to define new
internet protocol encapsulating multiple IP packets in, and
fragmenting them, and doing congestion control on them.

Our main charter says:

	Its purpose is to maintain the IPsec standard and to
	facilitate discussion of clarifications, improvements, and
	extensions to IPsec, mostly to ESP and IKEv2.

meaning we work for ESP and IKEv2, not for making new generic IP
protocols. Also the TFC section of charter says:

	The demand for Traffic Flow Confidentiality has been
	increasing in the user community, but the current method
	defined in RFC4303 (adding null padding to each ESP payload)
	is very inefficient in its use of network resources. The
	working group will develop an alternative TFC solution that
	uses network resources more efficiently.

Which I did understood that we still work by modifying the ESP
protocol and that we do not define new generic protocols for
encapsulating IP packets and transport that inside ESP (which would
not need any changes to the ESP or IKE, as we already have a way of
negotiating the traffic selectors for any IP protocol we want to
tranport inside ESP).

Of course there would be some security implications for such protocol
as you would need to specify exit tunnel checks for those packets
coming out from the new protocol, which is why I think it is better
done by modifying ESP.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email