Re: [IPsec] Labeled IPsec options
"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Fri, 13 December 2019 01:09 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Y9FWgBmbiuOlwtXE6c1GFEXJ0v0>
In line as [Hu Jun]

-----Original Message-----
From: Paul Wouters <paul@nohats.ca>
Sent: Thursday, December 12, 2019 1:25 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
Cc: ipsec@ietf.org WG <ipsec@ietf.org>; Sahana Prasad <sahana@redhat.com>
Subject: Re: [IPsec] Labeled IPsec options

On Wed, 11 Dec 2019, Hu, Jun (Nokia - US/Mountain View) wrote:

> Subject: Re: [IPsec] Labeled IPsec options
>
> +1 for option4, +0.5 for option3
> One factor to consider is the granularity of label, for me it is per
> CHILD_SA; option1 is per TS (e.g TS with label and TS without label
> could be mixed in the same payload), option2 is per TS payload (e.g.
> you could have TSi with label, TSr without label)

If you select multiple TS's these all become part of one Child SA. So I think the granularity of the label does not change between the solutions?

[Hu Jun] if we agree that label is per CHILD_SA, then with option 1 or 2, there is possibility for invalid TS combination, following are some examples of invalid TS:
- with option-1: There are two TS in TSi, first TS contains label-1, 2nd TS contains label-2
- with option-2: TSi contains label-1, while TSr contains a different label-2
With option-3/4 there is no such concern

> Option3 is a bit "abusing" the semantic of notification payload, since a "label notification" is not communicating a status, error or capability.

A bit yes :)

Paul
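The invalid combinations listed in the reply above, written as the consistency check a receiver would have to run if labels travel inside traffic selectors (options 1 and 2). This is an added example, not code from the thread or from any IKEv2 implementation; the `TrafficSelector` model, the label values and the function names are hypothetical and do not represent a wire format.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set


@dataclass(frozen=True)
class TrafficSelector:
    # Simplified model (assumption): an address range plus the optional
    # security label that a label-in-TS encoding would attach to it.
    addr_range: str
    label: Optional[bytes] = None


def distinct_labels(selectors: Sequence[TrafficSelector]) -> Set[bytes]:
    """Labels present in one TS payload, ignoring unlabeled selectors."""
    return {ts.label for ts in selectors if ts.label is not None}


def check_child_sa_labels(tsi: Sequence[TrafficSelector],
                          tsr: Sequence[TrafficSelector]) -> List[str]:
    """Return the reasons a TSi/TSr pair violates 'one label per CHILD_SA'.

    An empty list means the pair names at most one label. Mixing labeled
    and unlabeled selectors is not judged here, because the message only
    lists conflicting labels as invalid.
    """
    problems: List[str] = []
    li, lr = distinct_labels(tsi), distinct_labels(tsr)
    if len(li) > 1:
        problems.append("TSi carries more than one label")
    if len(lr) > 1:
        problems.append("TSr carries more than one label")
    if len(li) == 1 and len(lr) == 1 and li != lr:
        problems.append("TSi and TSr carry different labels")
    return problems


# Constructed sample proposals (addresses and labels are made up).
L1, L2 = b"label-1", b"label-2"
OPTION1_BAD = ([TrafficSelector("192.0.2.0/24", L1),
                TrafficSelector("198.51.100.0/24", L2)],
               [TrafficSelector("203.0.113.0/24", L1)])
OPTION2_BAD = ([TrafficSelector("192.0.2.0/24", L1)],
               [TrafficSelector("203.0.113.0/24", L2)])
CONSISTENT = ([TrafficSelector("192.0.2.0/24", L1),
               TrafficSelector("198.51.100.0/24", L1)],
              [TrafficSelector("203.0.113.0/24", L1)])

if __name__ == "__main__":
    for name, (tsi, tsr) in [("option-1 example", OPTION1_BAD),
                             ("option-2 example", OPTION2_BAD),
                             ("consistent", CONSISTENT)]:
        print(name, "->", check_child_sa_labels(tsi, tsr) or "ok")
```

With the label carried once per exchange, outside the selectors, neither conflicting case can be expressed, so this check is unnecessary.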