Re: [IPsec] Early Allocation Request for IPTFS_PROTOCOL IP protocol number.

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 02 June 2020 20:40 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Tero Kivinen <kivinen@iki.fi>, Christian Hopps <chopps@chopps.org>, IPsecME WG <ipsec@ietf.org>
In-Reply-To: <24278.24659.921904.72666@fireball.acr.fi>
References: <AE24FF98-7348-4C36-A722-64DD4A78BE55@chopps.org> <13344.1583165241@localhost> <E3F6CB98-C07A-4BA5-81ED-4AEB5F1BDCD1@chopps.org> <24278.24659.921904.72666@fireball.acr.fi>
Date: Tue, 02 Jun 2020 16:40:46 -0400
Message-ID: <1701.1591130446@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/aPai4LvwZ--ErAXqmdKDadXwIZ4>
Subject: Re: [IPsec] Early Allocation Request for IPTFS_PROTOCOL IP protocol number.

Tero Kivinen <kivinen@iki.fi> wrote:
    > I am a bit concerned about this. First of all, as far as I understand
    > for IPsec we do not need real IP protocol number, as the number we are
    > using is never going to appear anywhere in the actual IP packet
    > header, it only appears in the ESP trailer Next Header field.

Yes, we did have this conversation.
We know that it can't be a number that IANA might re-use for an actual
protocol number.
So it could somehow be a re-use of something that is obsolete, historic, or
just contradicted with ever being used with IPsec.  (If I had to pick such
a number, I'd use AH's number)

    > We had some discussion about this in the mailing list earlier, but I
    > didn't think that there was really a final result from that discussion
    > (or I might be remembering wrong, as I didn't have too much time to
    > participate in that discussion at that time).

My memory is that most people didn't think that protocol numbers were so
scarce that the cost exceeded the possible confusion.   Christian is asking
for one number, not ten.

    > The reason I am concerned is that I was there when we wanted to get
    > the Wrapped ESP IP protocol number, and there was quite a lot of
    > discussion going on at that time, and it was not just that we send a
    > request and we get the number. Of course at that point I also supported
    > a proposal which did not require a new IP protocol number, so for me the
    > problems getting an IP number were in my favor :-)

Does anyone use Wrapped ESP?
Can we just mark that as historic now :-)

    > Note, that if the answer is going to be that we want to use this also
    > when we are not using IPsec, then this is even bigger can of worms, as
    > that would most likely mean that this work does not belong to the
    > IPsecME working group, but should be part of completely different
    > area...

Let's assume that we might want to use this protocol with another secure
tunnel protocol which was not ESP.  But, not in the clear over the Internet.
(Think: QUIC, Wireguard, OpenVPN)

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
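The framing point Tero makes above (the requested number only ever appears in the ESP trailer's Next Header field, while the outer IP header carries 50 for ESP) is easy to see in a packet builder and parser. The following is an added example, not code from the thread or from any IPTFS implementation; it uses ESP per RFC 4303 with NULL encryption (RFC 2410) and HMAC-SHA-256-128 integrity so it runs with only the Python standard library, and uses the real Next Header value 4 (IPv4-in-ESP) since the IPTFS value was unassigned at the time of this message.

```python
import hashlib
import hmac
import struct

IPPROTO_ESP = 50       # what the *outer* IP header's Protocol/Next Header field carries for ESP
NEXT_HEADER_IPV4 = 4   # RFC 4303 trailer value for an encapsulated IPv4 packet
ICV_LEN = 16           # HMAC-SHA-256-128 truncation (RFC 4868)
ESP_HDR_LEN = 8        # SPI (4) + Sequence Number (4)


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """Build SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV (NULL cipher)."""
    # RFC 4303 2.4: payload + padding + the 2 trailer bytes must end on a 4-byte boundary
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # default monotonic padding bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(key: bytes, packet: bytes) -> tuple:
    """Verify the ICV first, then read the trailer; returns (spi, seq, next_header, payload)."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        # Next Header is part of the protected region: it must not be acted on before this check
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - ESP_HDR_LEN - 2:
        raise ValueError("bad pad length")
    payload_end = len(body) - 2 - pad_len
    payload = body[ESP_HDR_LEN:payload_end]
    if body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, next_header, payload


def where_protocol_numbers_live(key: bytes, packet: bytes) -> dict:
    """The split the thread is about: the outer IP header only ever says ESP (50);
    the inner protocol number is read from the ESP trailer after integrity verification."""
    _, _, next_header, _ = esp_decapsulate(key, packet)
    return {"outer_ip_protocol": IPPROTO_ESP, "esp_trailer_next_header": next_header}
```

With a real ESP cipher the trailer, and so the Next Header byte, is additionally encrypted on the wire; NULL encryption is used here only so the layout is visible.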