IETF Logo Mail Archive

Re: [IPsec] draft-zhang-ipsecme-multi-path-ipsec

Xiangyang zhang <xiangyang.zhang@huawei.com> Fri, 06 April 2012 16:50 UTC

Return-Path: <xiangyang.zhang@huawei.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13BB021F85C0 for <ipsec@ietfa.amsl.com>; Fri, 6 Apr 2012 09:50:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.994
X-Spam-Level:
X-Spam-Status: No, score=-1.994 tagged_above=-999 required=5 tests=[AWL=0.605, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SvnpfQyXb42y for <ipsec@ietfa.amsl.com>; Fri, 6 Apr 2012 09:50:26 -0700 (PDT)
Received: from dfwrgout.huawei.com (dfwrgout.huawei.com [206.16.17.72]) by ietfa.amsl.com (Postfix) with ESMTP id 6524121F8531 for <ipsec@ietf.org>; Fri, 6 Apr 2012 09:50:26 -0700 (PDT)
Received: from 172.18.9.243 (EHLO dfweml201-edg.china.huawei.com) ([172.18.9.243]) by dfwrg01-dlp.huawei.com (MOS 4.2.3-GA FastPath) with ESMTP id AFA06880; Fri, 06 Apr 2012 12:50:26 -0400 (EDT)
Received: from DFWEML403-HUB.china.huawei.com (10.193.5.151) by dfweml201-edg.china.huawei.com (172.18.9.107) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 6 Apr 2012 09:50:16 -0700
Received: from dfweml511-mbx.china.huawei.com ([169.254.16.128]) by dfweml403-hub.china.huawei.com ([10.193.5.151]) with mapi id 14.01.0323.003; Fri, 6 Apr 2012 09:50:07 -0700
From: Xiangyang zhang <xiangyang.zhang@huawei.com>
To: Stephen Kent <kent@bbn.com>
Thread-Topic: [IPsec] draft-zhang-ipsecme-multi-path-ipsec
Thread-Index: AQHNETbnWY8qptfHo0+ep8QVvtAqKJaNF6gAgAAfBWCAASJaAP//qN3g
Date: Fri, 06 Apr 2012 16:50:20 +0000
Message-ID: <00E6CDB229A4CF4487D6E0326EDE5A0320A0F648@dfweml511-mbx.china.huawei.com>
References: <20336.40486.516402.44061@fireball.kivinen.iki.fi> <a75ef412a8addbbf9cdfd495b2ebc5c2.squirrel@www.trepanning.net> <20337.35271.746249.402746@fireball.kivinen.iki.fi> <efc316aaa7bbc447f6fb3f00d605aa4c.squirrel@www.trepanning.net> <20337.53508.89005.604501@fireball.kivinen.iki.fi> <7aa224f3b90062aabf6dea821c57d8a4.squirrel@www.trepanning.net> <20339.3159.442125.142134@fireball.kivinen.iki.fi> <7C4DFCE962635144B8FAE8CA11D0BF1E05B2DFAD08@MX14A.corp.emc.com> <00E6CDB229A4CF4487D6E0326EDE5A0320A0EDF9@dfweml511-mbx.china.huawei.com> <p06240806cba38891fd20@[128.89.89.180]> <00E6CDB229A4CF4487D6E0326EDE5A0320A0F581@dfweml511-mbx.china.huawei.com> <p06240801cba4af56ce3e@[192.168.1.6]>
In-Reply-To: <p06240801cba4af56ce3e@[192.168.1.6]>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.193.34.152]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] draft-zhang-ipsecme-multi-path-ipsec
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2012 16:50:27 -0000

Stephen,

You understand this method very well.  The disadvantage is the possible severity of out of order delivery.  Even with single SA, it can also cause the out of order problem.  As for re-order, just like TCP reorder or IP reassembly, it can be done at intermediate node or end host.  If it is done at SGW, RFC 6471 may help to mitigate the issue.

In your previous mail, this is potentially very complex feature.  As a matter of fact, it is simpler comparing with SA bundle in implementation.  For SA bundle with two SAs, it must go through the processing two times.  For SA cluster, packet just needs to be processed one time.  Here I do not intend to deny the out of order claim. 

This is another option comparing with SA or SA cluster.  The product developers can choose what method they need, or it can be configurable.  I submitted the draft to see if it exhibits some benefit.  It does not intend to be necessarily absolute better or replace the existing method.

Thanks,

Victor

-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Stephen Kent
Sent: Friday, April 06, 2012 7:39 AM
To: Xiangyang zhang
Cc: ipsec@ietf.org
Subject: Re: [IPsec] draft-zhang-ipsecme-multi-path-ipsec

At 4:44 AM +0000 4/6/12, Xiangyang zhang wrote:
>Steve,
>
>Your understanding is partially right.  Only that anti-replay window 
>could possibly be bigger if two paths go along the different routes.
>If two paths go along the same route, it is no difference from the 
>traditional single SA.  But the attacker does not know two paths carry 
>the same flow of traffic.

when you take a sequence of packets and spread them over multiple SAs, you create new opportunities for the packets to arrive out of order at the destination. They have to be merged at the destination, either at the host or at an SG. If they are merged at an SG, new functionality is required to buffer the packets and re-order them. If not, then variances in traffic handling at each end creates new opportunities for reordering or traffic, and/or added jitter. OOO arrival is not good for TCP connections, irrespective of the IPsec anti-replay window. Jitter is also not great, especially for some realtime apps that run over UDP.

>   For security consideration, could you point out what is in error?

your text refers to multiple paths, when you mean multiple SAs.

>Thanks,
>
>Victor

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email