Re: [IPsec] Comments to draft-ietf-ipsecme-ike-tcp-00.txt
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 04 November 2012 20:08 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00D6321F87E1 for <ipsec@ietfa.amsl.com>; Sun, 4 Nov 2012 12:08:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.954
X-Spam-Level:
X-Spam-Status: No, score=-1.954 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BcCJrP0IAq7O for <ipsec@ietfa.amsl.com>; Sun, 4 Nov 2012 12:08:27 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [67.23.6.41]) by ietfa.amsl.com (Postfix) with ESMTP id 8497621F87E6 for <ipsec@ietf.org>; Sun, 4 Nov 2012 12:08:23 -0800 (PST)
Received: from sandelman.ca (107-1-119-250-ip-static.hfc.comcastbusiness.net [107.1.119.250]) by relay.sandelman.ca (Postfix) with ESMTPS id D7C3081A9 for <ipsec@ietf.org>; Sun, 4 Nov 2012 15:00:21 -0500 (EST)
Received: from sandelman.ca (quigon.sandelman.ca [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 44867CA0CE for <ipsec@ietf.org>; Sun, 4 Nov 2012 12:40:45 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: ipsec@ietf.org
In-reply-to: <20629.51761.388715.484632@fireball.kivinen.iki.fi>
References: <20629.51761.388715.484632@fireball.kivinen.iki.fi>
Comments: In-reply-to Tero Kivinen <kivinen@iki.fi> message dated "Sun, 04 Nov 2012 03:51:45 +0200."
X-Mailer: MH-E 8.3; nmh 1.3; XEmacs 21.4 (patch 22)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Sun, 04 Nov 2012 12:40:45 -0500
Message-ID: <25304.1352050845@sandelman.ca>
Sender: mcr@sandelman.ca
Subject: Re: [IPsec] Comments to draft-ietf-ipsecme-ike-tcp-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2012 20:08:28 -0000
Tero Kivinen <kivinen@iki.fi> wrote: TK> ---------------------------------------------------------------------- TK> Specifically, the messages of the IKE_AUTH exchange can become TK> quite large, as they may contain a chain of certificates, an TK> "Auth" payload (that may contain a public key signature), CRLs, TK> and some configuration information that is carried in the CFG TK> payload. TK> ---------------------------------------------------------------------- TK> In addition to the IKE_AUTH there is another big class of UPD TK> packets which can be large, and which might get fragmented, i.e TK> udp encapsulated nat traversal IPsec UDP packets. If the I don't think you are suggesting any specific technical change to support this. I think that you are saying that we need to be more clear that we aren't proposing anything here. And that if TCP gets used for the AUTH payload, that might be a clue to the IPsec layer that it should do: TK> For tunnel mode IPsec traffic, the gateway can fragment inner TK> packets before wrapping them to ESP, so the outer ESP packets TK> visible to nat box are not fragmented. which the gateway machine might not otherwise do. But, this can't be done for IPv6. (There isn't really any significant downside to doing this. If anything, this moves the memory expense of fragment reassembly from gateways to end nodes.) TK> which means we cannot modify the NAT_DETECTION_*_IP payloads TK> when switching from UPD to TCP. This might cause NAT to be TK> detected even when there is none there (i.e. the UDP source port TK> is 500, but TCP source port is most likely going to be random). The document does not tell us if we have to originate from port-500. I don't think that we can. TK> Also I think this document should tell the justifications why TK> the TCP session is not kept alive all the time, but only created TK> for sending one packet and then immediately teared down. I TK> assume the idea there is that open TCP session actually requires TK> quite a lot of resources from the SGW, i.e. maintaining the send TK> and receive windows requires tens of kilobytes of memory. Of TK> course the downside of such short TCP sessions is that sending TK> one exchange over TCP now requires 2 round trips of delay, and TK> most likely around 10 packets, compared to the 1 round trip and TK> 2 packets. Yes. I think that the congestion window argument is probably not relevant. I don't think the congestion window will open much even if the first round trip goes through. -- Michael Richardson -on the road-
- [IPsec] Comments to draft-ietf-ipsecme-ike-tcp-00… Tero Kivinen
- Re: [IPsec] Comments to draft-ietf-ipsecme-ike-tc… Michael Richardson
- Re: [IPsec] Comments to draft-ietf-ipsecme-ike-tc… Tero Kivinen
- Re: [IPsec] Comments to draft-ietf-ipsecme-ike-tc… Michael Richardson