Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
"Panwei (William)" <william.panwei@huawei.com> Tue, 02 April 2024 03:48 UTC
Return-Path: <william.panwei@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6768C14CF0D for <ipsec@ietfa.amsl.com>; Mon, 1 Apr 2024 20:48:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TsKveFrA2TP1 for <ipsec@ietfa.amsl.com>; Mon, 1 Apr 2024 20:48:44 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E11B5C14F698 for <ipsec@ietf.org>; Mon, 1 Apr 2024 20:48:26 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.31]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4V7v2l72nrz6K5wq; Tue, 2 Apr 2024 11:47:11 +0800 (CST)
Received: from lhrpeml100001.china.huawei.com (unknown [7.191.160.183]) by mail.maildlp.com (Postfix) with ESMTPS id F3C53140A36; Tue, 2 Apr 2024 11:48:23 +0800 (CST)
Received: from kwepemi500009.china.huawei.com (7.221.188.199) by lhrpeml100001.china.huawei.com (7.191.160.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Tue, 2 Apr 2024 04:48:23 +0100
Received: from kwepemi500010.china.huawei.com (7.221.188.191) by kwepemi500009.china.huawei.com (7.221.188.199) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Tue, 2 Apr 2024 11:48:21 +0800
Received: from kwepemi500010.china.huawei.com ([7.221.188.191]) by kwepemi500010.china.huawei.com ([7.221.188.191]) with mapi id 15.01.2507.035; Tue, 2 Apr 2024 11:48:21 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
Thread-Index: AQHaayQFUr6vZiHeJEm4rFfwTHJng7FJ2NuAgACSVACAAJLA0P//0IaAgADN7XD//4uGAIAAxToAgAdSLjCAAChxAIABDZ4w
Date: Tue, 02 Apr 2024 03:48:21 +0000
Message-ID: <a1166bd53101488a8438ce18bcd5f4c2@huawei.com>
References: <170922023791.21652.13338059706655424526@ietfa.amsl.com> <CAFU7BAQuNkHDRidjQqGbXySKJ1FCRKuAksDa0BHsvfGeG45k6g@mail.gmail.com> <4b44a218c77a49edbaecd3b524dbaac7@huawei.com> <476994.1711501928@dyas> <3f7b0380650a40e6b9cec4afb7f6d034@huawei.com> <497306.1711523247@dyas> <57bd1510e66b45c7af60513fbba3051c@huawei.com> <343238de-93c9-ed85-2c9d-2d783e3a38ca@nohats.ca> <536308.1711584810@dyas> <2217d98aacad4db88a8341849578ebe6@huawei.com> <32539.1711995972@obiwan.sandelman.ca>
In-Reply-To: <32539.1711995972@obiwan.sandelman.ca>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.164.106.141]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/_tX7CESN5zIyuOcppPkycEKpOR4>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 03:48:47 -0000
Michael Richardson <mcr+ietf@sandelman.ca> wrote: > Yes, that's true up to the final hop. > At the final hop, when the destination address is local, then one *might* > receive an ICMP Parameter Problem because the SPI is not recognized. > Maybe. > If it does not, then the sender will send another packet with TTL one > larger, and then when it gets no reply try again with two larger, etc. > > Receiving ESPping reply with SPI=8, would be a positive reply that the > path was clear (in both directions!). I just wondered if there is a mechanism that doesn't rely on making changes at the on-path router/firewall and the final IPsec peer. It seems there is no such a perfect mechanism (no changes required except on the sender). The final IPsec peer may indeed not reply any ICMP packets when it doesn't recognize the SPI (and this is highly possible). Therefore, the host can't know whether the ESP packet reaches the final IPsec peer. Maybe comparing the result of ESP traceroute and the one of UDP traceroute can find something to deduce the ESP packet reaches the final IPsec peer, but this isn't guaranteed. Besides that, even though the final IPsec peer replies an ICMP packet to the host, the host can only know the ESP packet can traverse in the direction from the host to the IPsec peer, but doesn't know whether the reverse direction also works. (BTW, I'd like to know the test results of this extended traceroute mechanism in the real world, if someone would do such tests.) ESP-ping can be an explicit way to find out the path is clear in both directions. It just has a prerequisite that both parties support the ESP-ping and both know that the other party supports it. > One thing which the document does not say, and I'm not sure what to > say, is what the TTL of the ESP reply ought to be. > I was contemplating if it should copy the TTL of the incoming packet. > That would weirdly let one traceroute in the reverse direction too, only > the ICMPs would go to the receiving host, which is not the host doing > the traceeroute, so not very useful actually. The TTL of the packet received by the final IPsec peer isn't the original TTL sent by the host, and its value is the original TTL minus the number of on-path routers. So, the TTL of the ESP reply may out of the scope of this draft and just be the decision of the IPsec peer's local policy, such as a default TTL. Regards & Thanks! Wei PAN (潘伟)
- [IPsec] Fwd: New Version Notification for draft-c… Jen Linkova
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Paul Wouters
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Lorenzo Colitti
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Kan-Ru Chen