Re: [IPsec] IPsec Digest, Vol 123, Issue 21

Les Leposo <leposo@gmail.com> Tue, 19 August 2014 17:42 UTC

From: Les Leposo <leposo@gmail.com>
In-Reply-To: <alpine.LFD.2.10.1408191042460.19423@bofh.nohats.ca>
Date: Tue, 19 Aug 2014 20:42:09 +0300
Message-Id: <B368071B-C01A-476F-803D-8BC22C4D5C6E@gmail.com>
References: <mailman.4236.1406823571.13632.ipsec@ietf.org> <A0463391-0BB4-408F-874B-A6B91ED6D102@gmail.com> <21490.4420.127387.489490@fireball.kivinen.iki.fi> <alpine.LFD.2.10.1408181229340.25715@bofh.nohats.ca> <50B02F3B-2DA2-42D1-865E-9635A4D928BA@gmail.com> <alpine.LFD.2.10.1408181351270.27621@bofh.nohats.ca> <EA6BA2C5-112E-431A-B128-B9E856641DB8@gmail.com> <alpine.LFD.2.10.1408191042460.19423@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/X5lEkvCFh8b1-TGGFzmCBunYrjE
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Subject: Re: [IPsec] IPsec Digest, Vol 123, Issue 21
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 17:42:18 -0000

On Aug 19, 2014, at 5:43 PM, Paul Wouters <paul@nohats.ca> wrote:

> On Tue, 19 Aug 2014, Les Leposo wrote:
> 
>>> the entire ipsec system is brought down/up, eg racoon is completely
>>> killed and restarted all the time.
>> Sounds like a totally reproducible crash/signal.
>> 
>> I'm sure if you file a radar with the procedure of how to reproduce (including connection duration & user activity), maybe even a test account on your server, a developer on that end can gdb their way to the fix.
>> 
>> You would also have to indicate how long this problem has been happening, e.g. years/months, iOS versions (to identify regressions).
> 
> Years ago I tried to file bug reports for IPsec to Apple. No feedback
> ever, and lots of "developer" spam email.
> 
> If Apple cares, they can contact me to convince me the process changed.
> But from what I'm hearing, if you're not doing millions in revenue, you
> don't really get their attention whatsoever.
> 
That's an interesting take.

Imho, generally, part of the issue with ikev2 (circa 2011-2012) was that no one really knew where ike/ipsec was going in enterprise (aside from the 3GPP area, which was considered niche and not worthy of the attention it deserved).

Back then, SSL VPN was the shiny toy that dev managers & customers wanted, especially because it was easy to develop, a new opportunity for revenue stream, and the enterprise server vendors had made it so easy to deploy (e.g. you install the app and go to a webpage to log in and download your configs); completely overlooking significant weaknesses (and those of its library implementations).

> Paul