Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE extension for Transport mode
Daniel Migault <mglt.ietf@gmail.com> Sat, 13 September 2014 18:20 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE9921A006D for <ipsec@ietfa.amsl.com>; Sat, 13 Sep 2014 11:20:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZXThUoSDJ0dr for <ipsec@ietfa.amsl.com>; Sat, 13 Sep 2014 11:20:14 -0700 (PDT)
Received: from mail-we0-x230.google.com (mail-we0-x230.google.com [IPv6:2a00:1450:400c:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3858E1A0060 for <ipsec@ietf.org>; Sat, 13 Sep 2014 11:20:14 -0700 (PDT)
Received: by mail-we0-f176.google.com with SMTP id q58so2200317wes.21 for <ipsec@ietf.org>; Sat, 13 Sep 2014 11:20:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=dCDdW8E4IZBW7qVFChppJMC7f0PoEVjxO+EeyfLG0Uw=; b=UlUBLIbC2OkTwhM/kuoqQi9+YhONyKHAaTS/eecq9woIA/Eh5WaOJRb3x3VXow0PRE 8AXIW3O5RENKaa/ZCX+Fe7ZJfddzsLi+Fjgpa7AENRU+Bzc97ofHRmzd3vOx7xmJUYRm LsyUq0SK7QgJVwcVMrRmBMzZp4WOxOm6iOQ0EthanuVhVzjlyouKXGIOPH3vVlhceJWZ qdqjFXbc5VDYXNeSzZPpx3dVo7Op2e2fIIWb/zqpS9TjWhenfbwZ5aPkshbSX8dNT8nW 8w0nIx+ZuyAF/cSTibwDJ17DvwIKGkywESUx0zBTYd/rPdqucptBvgGdHn7/x8FcGqH8 5wvA==
MIME-Version: 1.0
X-Received: by 10.194.9.228 with SMTP id d4mr20382770wjb.99.1410632412879; Sat, 13 Sep 2014 11:20:12 -0700 (PDT)
Received: by 10.194.137.67 with HTTP; Sat, 13 Sep 2014 11:20:12 -0700 (PDT)
In-Reply-To: <alpine.LFD.2.10.1409121350180.31178@bofh.nohats.ca>
References: <54131C57.2060605@gmail.com> <alpine.LFD.2.10.1409121350180.31178@bofh.nohats.ca>
Date: Sat, 13 Sep 2014 20:20:12 +0200
Message-ID: <CADZyTkm0BpZGviYHoYOK8o3JgRBzmAgnm5W8jEoQCZ+mS+T=5w@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: multipart/alternative; boundary="047d7b4508a8e0de9f0502f67327"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/XYTWf8WN39_7hEU2tQ77IF_ch6k
Cc: ipsec <ipsec@ietf.org>
Subject: Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE extension for Transport mode
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Sep 2014 18:20:18 -0000
Hi Paul, Thank you for raising the questions, that gives me he opportunity to clarify what have been discussed/agreed in Toronto. As an author I am supporting the adoption of the document as a WG document. In the Toronto meeting, we agreed that MOBIKE versionning must be removed in the next version of the draft. We also agreed that Security Consideration should discuss more in detail the exposure of the IP addresses. All these will be part of the next version. The next version of the draft will define how MOBIKE and the USE_TRANSPORT_MODE Notify Payload work together. As a result, they will be no MOBIKE versions, the spec will be much simpler, and we will still be fully interoperable / compatible with existing code of MOBIKE -- i.e. code that has not been updated. >From RFC5996 section 1.3.1, the default IPsec mode is the Tunnel mode. When a USE_TRANSPORT_MODE Notify Payload is received. "It requests that the Child SA use transport mode rather than tunnel mode for the SA created. If the request is accepted, the response MUST also include a notification of type USE_TRANSPORT_MODE. If the responder declines the request, the Child SA will be established in tunnel mode. " As a result, currently, when one receives USE_TRANSPORT_MODE and MOBIKE_SUPPORTED, it has to chose between supporting MOBIKE or the transport mode. The next version of the draft, will make possible to respond USE_TRANSPORT_MODE and MOBIKE_SUPPORTED. In all other cases, nothing is changed. Motivations for this are UDP (mostly DNS) but also GRE tunnels. In our opinion, for the DNS use case, saving bytes matters especially when only the responses is returned over a degraded link like WLAN. BR, Daniel On Fri, Sep 12, 2014 at 8:02 PM, Paul Wouters <paul@nohats.ca> wrote: > On Fri, 12 Sep 2014, Yaron Sheffer wrote: > > This is a call for adopting draft-mglt-ipsecme-mobikev2 as a WG document. >> Please respond to this mail with a Yes or No and a short >> rationale, at latest by Friday Sep. 19. >> > > This document confuses me. > > It seems section 4 to 7 are about much more than just transport mode. It > seems to (re?)introduce versioning, non-transport notify payloads, etc. > > MOBIKE is about keeping your assigend address with you, making your > inner IP consistent regardless of the outer IP. That makes no sense > with transport mode, which is tied to your ephemeral outer address. > > Transport mode IPsec is terrible idea in todays NATed world. It should > die, not see more use. The NAT issues are not at all mentioned in this > draft. What if two clients connect to the same MOBIKE VPN server with > the same internal IP of 10.1.2.3? > > The use case is "saving a few bytes", which to me seems very weak. > > It would only work with UDP, not TCP. For UDP, doesn't recvfrom() and > recvmsg() family deal with changing IPs? IKE and DNS servers already > use this to listen on ANY and reply to the address of the received > packet. > > This is a lot of specification and code and possible interop problems > for a use case of "saving a few bytes on some UDP packets". > > It is possible further discussion might convince me otherwise, although > not likely. I'm happy to discuss this item further as a working group > if adoption now means we can still decide it is not a good idea later. > If adoption to the WG now means we must end up with some kind of spec, > than I would rather not see adoption now. > > Paul > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > -- Daniel Migault Orange Labs -- Security +33 6 70 72 69 58
- [IPsec] Call for adoption: MOBIKEv2: MOBIKE exten… Yaron Sheffer
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Paul Wouters
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Daniel Migault
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Paul Wouters
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Daniel Palomares
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Joe Touch
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Valery Smyslov
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Frederic Detienne (fdetienn)
- Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE e… Manish Kumar (manishkr)