IETF Logo Mail Archive

Re: [IPsec] [Dtls-iot] IPsec/Diet-ESP for IoT and Minimal ESP

Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 18 February 2014 17:10 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59C3E1A0213; Tue, 18 Feb 2014 09:10:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tQhvvu6Xmc8D; Tue, 18 Feb 2014 09:10:09 -0800 (PST)
Received: from mail-ee0-x22c.google.com (mail-ee0-x22c.google.com [IPv6:2a00:1450:4013:c00::22c]) by ietfa.amsl.com (Postfix) with ESMTP id DACEA1A020A; Tue, 18 Feb 2014 09:10:08 -0800 (PST)
Received: by mail-ee0-f44.google.com with SMTP id c13so7905041eek.17 for <multiple recipients>; Tue, 18 Feb 2014 09:10:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=wsNzuN3JKdWrBCm7n/nY0NZHN4jUe0ZSlj04+FIFFx4=; b=dq7TIXyR4e7kGEjpZkak9ZYorucQMCu2sof5uY/0D3G39DEsot87EieYoPSothQaD7 9nssPxX+tKX4b/NBm4Dq7GNPevKS1v/kCG2u+OKFbhJrnqliOtAF+EnYwaIQYiqJiXNm xGe4QkZZ6s++iDiK+kRRRvZFAHLmvrloCBwD2XuK2wZP9EXQ24Jnr74w2GhcHEpj2uRM zELTEVbjUoMwn/LaDQAbWy/s4zER5ZpKIPacnqR6y9kPOJrgOHN4kcR98QEf2irULp59 VTOzBE28vdme9P31BFTQw3gTUiGFd3KU4jkxt+TN1aboz3kJ/9JigAZSKAbVt4rzyxG0 UnYg==
X-Received: by 10.14.194.193 with SMTP id m41mr9482728een.76.1392743405416; Tue, 18 Feb 2014 09:10:05 -0800 (PST)
Received: from [10.0.0.6] (bzq-79-177-25-225.red.bezeqint.net. [79.177.25.225]) by mx.google.com with ESMTPSA id 46sm72183092ees.4.2014.02.18.09.10.03 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 18 Feb 2014 09:10:04 -0800 (PST)
Message-ID: <530393EA.5020008@gmail.com>
Date: Tue, 18 Feb 2014 19:10:02 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Daniel Migault <mglt.ietf@gmail.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <CADZyTk=k3=-BN=8ma=beMh9b0skswW-SvmbP9Ae2AOQwbV0k-Q@mail.gmail.com>
In-Reply-To: <CADZyTk=k3=-BN=8ma=beMh9b0skswW-SvmbP9Ae2AOQwbV0k-Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/aLxmS7MeKytqu7wtOk0p6jD3jD0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, lwip@ietf.org, Sye Loong Keoh <SyeLoong.Keoh@glasgow.ac.uk>
Subject: Re: [IPsec] [Dtls-iot] IPsec/Diet-ESP for IoT and Minimal ESP
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2014 17:10:11 -0000

Hi Daniel,

This might be a naive answer - I have not read the draft in detail.

But on the "is this a duck or not" question, it seems to me the answer 
is simple: if the protocol can work stand-alone (two endpoints talking 
to each other, with manual keying and no IKE), then it's a protocol. 
Otherwise it's a protocol extension.

And if it's a protocol, it needs an IP protocol number, which is a 
seriously expensive resource. We allocated one for WESP 
(http://tools.ietf.org/html/rfc5840#section-4), is there any chance we 
could reuse it somehow?

Thanks,
	Yaron

On 02/18/2014 03:06 PM, Daniel Migault wrote:
> Hi Hannes,
>
[...]

>
> Now comes also another question: Is diet-ESP a new protocol, a new
> extension, a ESP compression algorithm.... I would be happy to get
> opinion on that.
>
> 1) Diet-ESP: Extension vs Protocol
>
>      - a) Diet-ESP is an IPsec extension
> The way we considered to peers agreeing on the diet-esp context is
> using minimal IKE sending an DIET-ESP_SUPPORTED Notify Payloads with
> proposition of DIET-ESP Context. The responder just ignores the
> propositions or chose one. All remaining stuff would be negotiated via
> the traditional CREATE_CHILD_SA were peers would agree on ESP, keys,
> algos....
>>From that point of view it looks the diet-ESP is more a
> wire-compression algorithm. If not supported by one of the peer we
> fall back with standard ESP.
>
>      -b) Diet-ESP is a new Protocol
> Another way would be to consider that all parameters of the Diet-ESP
> Context would be negotiated in the CREATE_CHILD_SA exchange with new
> Transform structures.
>>From that point of view diet-esp would look more like a new protocol
> and the possible choice may be IKE/ESP/AH/DIET-ESP....
>
>   There might be other alternatives I would be happy to hear about. For
> now I like better the extension way.
>
> 2) What Diet-ESP changes from regular ESP
>
> Diet-ESP changes IPsec and ESP headers, trailers with smaller fields.
>
> Diet-ESP changes the way the packet is compressed and encrypted.
>
> On the other hand, for a sensor with a single diet-ESP configuration,
> most of the IPsec stack remains unchanged. This is not so true for
> peers that are able to handle all Diet-ESP configuraions. In that case
> the standard way of looking up in the SAD may be changed. We will
> provide a better description of this in the next version of the draft.
>
> BR,
> Daniel
>

v2.23.0 | Report a Bug | By Email