Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
Christian Hopps <chopps@chopps.org> Tue, 13 October 2020 13:22 UTC
Return-Path: <chopps@chopps.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F18373A0FC4; Tue, 13 Oct 2020 06:22:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rwawx6tKCgpb; Tue, 13 Oct 2020 06:22:54 -0700 (PDT)
Received: from smtp.chopps.org (smtp.chopps.org [54.88.81.56]) by ietfa.amsl.com (Postfix) with ESMTP id 601CE3A0FC1; Tue, 13 Oct 2020 06:22:54 -0700 (PDT)
Received: from stubbs.int.chopps.org (047-050-069-038.biz.spectrum.com [47.50.69.38]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by smtp.chopps.org (Postfix) with ESMTPSA id 91A5061674; Tue, 13 Oct 2020 13:22:53 +0000 (UTC)
From: Christian Hopps <chopps@chopps.org>
Message-Id: <980B89DC-28AA-4C1C-ACD5-9CEE5992459D@chopps.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_F346255C-7085-40A7-997C-D906AD08961E"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Tue, 13 Oct 2020 09:22:52 -0400
In-Reply-To: <1b0b01d6a163$15ddcce0$419966a0$@gmail.com>
Cc: Christian Hopps <chopps@chopps.org>, Lou Berger <lberger@labn.net>, ipsec@ietf.org, ipsecme-chairs@ietf.org
To: Valery Smyslov <smyslov.ietf@gmail.com>
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/eFZniHNMxe2pIOj2vkADczulRDw>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2020 13:22:57 -0000
> On Oct 13, 2020, at 9:16 AM, Valery Smyslov <smyslov.ietf@gmail.com> wrote: > > Hi Lou, > >> Valery, >> >> Please see below. >> >> On 10/13/2020 3:22 AM, Valery Smyslov wrote: >>> Hi Chris, >>> >>>> Hi ipsecme and chairs, >>>> >>>> This is a small update to the IPTFS draft which incorporates the last 2 changes that had been requested >> over >>>> the last year or so. >>>> >>>> 1. As requested last year, it dispenses with the late-enabled functionality, replacing it with a SHOULD >> clause >>>> supporting receiving IPTFS encapsulated ESP payloads w/o extra configuration. >>> I prefer this functionality to be removed. Either you are doing classical tunnel/transport in the SA or you are >> doing IPTFS. >> >> I agree that there is added code complexity, but have you considered the >> operational benefit of having this? Specifically (a) adding yet another >> required configuration parameter that must match at both ends to get an >> ipsec tunnels up and (b) what it takes to go from an operational non-TFS >> configuration to a TFS configuration in one or both directions? > > I can't buy these arguments. Using IPTFS is negotiated in IKEv2 via > exchange of USE_IPTFS notify (BTW, note a typo in Section 5.1 title: USE_TFS instead of USE_IPTFS). > So, unless you upgrade both ends and update configuration IPTFS won't be used at all. > Once you upgrade one end you can add a configuration parameter to it to > propose using IPTFS while being initiator. Until the other end is upgraded too, > it will ignore the USE_IPTFS notify and SA will be established in tunnel mode. > Once the other end is upgraded and its configuration is changed they > will start using IPTFS. > >>>> From my understanding it's just another encapsulation mode. Otherwise we have the following problems: >>> - Since this functionality is optional its capability must be negotiated (or indicated by the peers) in IKEv2. >>> And negotiation of IPTFS features is already complex enough. >> >> I'm not sure what needs to be negotiated here -- without negotiation the >> behavior is the same as would be seen with a miss-configured endpoint >> or mismatch in TFS config that will occur without the option. > > Not true. If peers are misconfigured, then IPTFS won't be negotiated and SA will be established in tunnel mode > (if using IPTFS is optional for both) or not established at all (if using PFS is mandatory for the peer suggesting it). > On the contrary, if switching from tunnel to IPTFS on live SA is not negotiated, and one of the peers doesn't > support it, then when the other peer switches from tunnel mode to IPTFS on live IPsec SA and starts sending > IPTFS packets, then the first peer will most probably drop them. We'll get a classical "black hole", and the worst > thing that it won't be detected by liveness checks, since IKE SA will be perfectly workable. > >>> - It complicates processing in the kernel. E.g, it's not clear for me what "on receipt of the first IP-TFS >> payload" means. >>> If packets are reordered in the network and the first received IPTFS packet is not the first sent IPTFS >> packet? >>> What to do with the non-IPTFS packets sent before first IPTFS packet but received after it? And so on. >> >> This is an implementation choice, right? Why not just drop it or >> process it as the implementation sees fit? > > Right, but it complicates processing. Currently I uniformly process all the packets within window. > Now I have to remember on which E(SN) the switching occured and process previous > packets as tunnel (or start dropping them) and subsequent packets as IPTFS. > >>> IPTFS processing in the kernel is already quite complex, let's not introduce additional complexity. >>> - I see no value in this functionality apart from the debugging and I don't want debugging capability to >>> be present in the RFC, so that people, who really don't need it, implement it in >>> their products introducing new bugs. You may argue, that you made it optional, but SHOULD is very close >>> to MUST and in addition making it optional only complicates negotiation of IPTFS. >> >> My view is that the main benefit is simpler configuration and removing a >> requirement for timing manual configuration changes at each end of a >> tunnel. Configuring IPsec is complex enough, from the operational >> perspective, I'd prefer to see this as a MUST, but can live with >> SHOULD. (IMO - Getting the code right once per implementation is >> greatly outweighed by the returns in not having to impose more >> configuration and configuration timing burdens.) > > Please, see above. Since using IPTFS is negotiated, I see no simplification > in configuring. You still need to upgrade and configure properly both ends > before you can use it. IPTFS is not always negotiated, as IKE is not always used. Supporting zero-conf IPTFS receive is very useful for supporting these non-IKE use-cases. Thanks, Chris. > > If you badly need this feature, then please make it MAY and negotiable, > so that people can ignore it. SHOULD is too strong for it, > leaving it non-negotiable is just unacceptable, IMHO. > > Regards, > Valery. > >> Thanks, >> >> Lou >> >>> So, please, remove it. >>> >>>> 2. It highlights that one must send payloads that carry inner packet fragments using consecutive ESP >>>> sequence numbered packets (with a caveat for all pad payload insertion). >>> That's useful clarification, thanks. >>> >>> Regards, >>> Valery. >>> >>>> We feel the document is quite stable at this point and would thus like to ask for moving to WG Last Call. >>>> >>>> Thanks, >>>> Chris. >>>> >>>>> On Sep 30, 2020, at 12:25 PM, internet-drafts@ietf.org wrote: >>>>> >>>>> >>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories. >>>>> This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF. >>>>> >>>>> Title : IP Traffic Flow Security >>>>> Author : Christian Hopps >>>>> Filename : draft-ietf-ipsecme-iptfs-02.txt >>>>> Pages : 26 >>>>> Date : 2020-09-30 >>>>> >>>>> Abstract: >>>>> This document describes a mechanism to enhance IPsec traffic flow >>>>> security by adding traffic flow confidentiality to encrypted IP >>>>> encapsulated traffic. Traffic flow confidentiality is provided by >>>>> obscuring the size and frequency of IP traffic using a fixed-sized, >>>>> constant-send-rate IPsec tunnel. The solution allows for congestion >>>>> control as well. >>>>> >>>>> >>>>> The IETF datatracker status page for this draft is: >>>>> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-iptfs/ >>>>> >>>>> There are also htmlized versions available at: >>>>> https://tools.ietf.org/html/draft-ietf-ipsecme-iptfs-02 >>>>> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-iptfs-02 >>>>> >>>>> A diff from the previous version is available at: >>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-iptfs-02 >>>>> >>>>> >>>>> Please note that it may take a couple of minutes from the time of submission >>>>> until the htmlized version and diff are available at tools.ietf.org. >>>>> >>>>> Internet-Drafts are also available by anonymous FTP at: >>>>> ftp://ftp.ietf.org/internet-drafts/ >>>>> >>>>> >>>>> _______________________________________________ >>>>> IPsec mailing list >>>>> IPsec@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/ipsec >>>>> >>> >>> _______________________________________________ >>> IPsec mailing list >>> IPsec@ietf.org >>> https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] I-D Action: draft-ietf-ipsecme-iptfs-02.t… internet-drafts
- [IPsec] Update and WGLC request [Re: I-D Action: … Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Michael Richardson
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Paul Wouters
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger