Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps
"Valery Smyslov" <svanru@gmail.com> Sun, 19 March 2017 09:24 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDE6A12441E; Sun, 19 Mar 2017 02:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.26
X-Spam-Level:
X-Spam-Status: No, score=-2.26 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KCED77BLmseL; Sun, 19 Mar 2017 02:24:29 -0700 (PDT)
Received: from mail-lf0-x232.google.com (mail-lf0-x232.google.com [IPv6:2a00:1450:4010:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B6E8124217; Sun, 19 Mar 2017 02:24:29 -0700 (PDT)
Received: by mail-lf0-x232.google.com with SMTP id z15so46074660lfd.1; Sun, 19 Mar 2017 02:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:from:to:references:in-reply-to:subject:date:mime-version :content-transfer-encoding:importance; bh=pKgeN57TIt3nCX2FQuoT7cwPSLQrXrXdgeVMRju8dOU=; b=XR2nLFw9aYglkKNOsMIDJLI4Ex6AojOSN+eoAHuD5rP1Jsi6d3PDE7j/aDBbsq+50z xHT3l/fivKoLOxQ66fxUsJIFsMR0j3lfr0U3mYcTK93/R1sv6HL6fiwLdtSmqj0QKpx2 +yZpaDNn8pRet44tElXjKOzp4N3ziL8sbALVROdQz1YuLNzFPMkZE+D87T0ZdF991ayV aeEia4CcXeHprQ/OngsbV/VB17rhaH72398zNQnXpADM8i4C7cHF+t9cB1MU6V9QT+jq lTQ14GHW72kmEZLYTiVU+2qtNcVhyLTNu/dm+A4RzKtTZYPgo0nqLzwvOzOW+w5QEN+W Igcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:from:to:references:in-reply-to :subject:date:mime-version:content-transfer-encoding:importance; bh=pKgeN57TIt3nCX2FQuoT7cwPSLQrXrXdgeVMRju8dOU=; b=klwySa0OO83Z1rfqCm7xqY5lCXD0a/T0myejTZq9j8kkHFaqbVY5gQpVeOS9BZHL+z c1SCFuNWkMgbger8N9sgmk/1OHV3IWLJNlWxTDvfuE0HoeJP9h5SnZq17tW3K1Vf6Els sLMtiAudP/Su/S7NrfAZEJXn9TPPB+jLMxNAUO9fVE/LrTzkdckoTXvrscm26GG23n+l Tw+gok5CupSxc2FZCRFgGR6gJ94wZ4kTpVcb81zdu9YqmPZjjEGNPDrqUhg30RktSQzX SVUCSTZdP2GRokAYHTlnTj6XMx8Yp2ffFY2mat5TqqlmI9A7QcuhFjvawvfXmCJ54iJb Z+fA==
X-Gm-Message-State: AFeK/H1NpC4oYT6OTqqdUF96a01qN43ea7hh6D0ByPhBqazQ6nNtkHyLDIutW3QmnTQHSA==
X-Received: by 10.25.219.213 with SMTP id t82mr6140029lfi.75.1489915467214; Sun, 19 Mar 2017 02:24:27 -0700 (PDT)
Received: from chichi (ppp83-237-175-1.pppoe.mtu-net.ru. [83.237.175.1]) by smtp.gmail.com with ESMTPSA id h7sm679783lji.10.2017.03.19.02.24.25 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 19 Mar 2017 02:24:26 -0700 (PDT)
Message-ID: <621CA73A71744D9AAA226100AE915285@chichi>
From: Valery Smyslov <svanru@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>, draft-ietf-ipsecme-tcp-encaps@ietf.org, ipsec@ietf.org
References: <CABcZeBPMR9m8zPdhG4Bc3DHWj9UmVq22Z7G4ApYjBGJeC7MU=A@mail.gmail.com>
In-Reply-To: <CABcZeBPMR9m8zPdhG4Bc3DHWj9UmVq22Z7G4ApYjBGJeC7MU=A@mail.gmail.com>
Date: Sun, 19 Mar 2017 12:24:25 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/X-a8sulSeMne77ywepXTa4TIvOA>
Subject: Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Mar 2017 09:24:31 -0000
Hi Eric, > I just finished reading this document. Some comments below. > > - You have a uniform 16 bit length field followed by a 4 byte all-zeros > sentinel value to indicate that a packet is IKE rather than ESP. > Given that in S 3 graf 2 you have a SHOULD-level requirement > to use typical UDP payload lengths, why not instead explicitly > limit lengths to 15 bits and use the top bit to indicate IKE versus > ESP. This would be slightly more efficient and seems simpler. > I suppose that the counterargument is that IKE over UDP behaves > differently, but in terms of implementation, that doesn't seem like > much of an argument. That won't work. An application protocol running over UDP is free to send messages up to 64Kbytes. While in tunnel mode we can first fragment these messages and then apply ESP (so that each ESP packet is rather small) , in transport mode it's impossible, and the ESP datagram can reach 64Kbytes in size. I agree that in wild there are few protocols that send such long UDP messages, but it is not prohibited. > - It seems like IKE associations can span TCP connections (S 6) > so why not instead of doing UDP first then TCP, do happy eyeballs. I don't think it's a good idea. The TCP encapsulation has a lot of drawbacks in terms of performance (see Section 12), so it is considered as a last resort if UDP doesn't work. In general UDP (or no encapsulation) is a preferred transport. If we start trying TCP and UDP in parallel, then in some cases TCP will win even if UDP works, resulting in non-efficient connection, even when UDP could be used. > -Ekr Regards, Valery Smyslov. _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Valery Smyslov
- [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Yoav Nir
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Yoav Nir
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Valery Smyslov
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Yoav Nir
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Tommy Pauly
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Tommy Pauly
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Paul Wouters