Re: [IPsec] New Version Notification for draft-smyslov-ipsecme-tcp-guidelines-00.txt
Tommy Pauly <tpauly@apple.com> Fri, 07 September 2018 15:48 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE590130DD4; Fri, 7 Sep 2018 08:48:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BB2DzB7JlvPC; Fri, 7 Sep 2018 08:48:07 -0700 (PDT)
Received: from nwk-aaemail-lapp02.apple.com (nwk-aaemail-lapp02.apple.com [17.151.62.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C943E12F1AB; Fri, 7 Sep 2018 08:48:07 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.22/8.16.0.22) with SMTP id w87FfOPf028838; Fri, 7 Sep 2018 08:48:00 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-type : sender : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=Jm24OJ3Vk7b+Jxze3sZeO0WEt36aEmwVPwEqR2xDe8s=; b=hozWfxlmpjCgm+a2Oi4/C1hDaJ6HyPRoaGFYKks9/dPARPbRjHop6bOIO+S9JZXLkyD5 GoxFrkD60miAYhoY3sFt3X/Bgi6mQsHPrX6RNkSBxFprc7WG4RDJ1L9PkQWNTRI4Xzvs ZZ0dCvrVQCPsRBc0b+UtxgptNcrrIx1ZIWmnqtI6P7Uz7YWEL5E5LiRUkgNYldVyxM5I QchOSCu79CDNj1/skdSHPWwc++MYsJVwwGoUFJOGPp56MjJ5i7pGfc+bFCVCC9VJk4xL Un6OyV+20gvOJ3fOOMFpZ5sZOWN4zOAKPo9/hPiNulD82NtMg+MxTbmsTFIUogEOpEc5 xA==
Received: from ma1-mtap-s01.corp.apple.com (ma1-mtap-s01.corp.apple.com [17.40.76.5]) by nwk-aaemail-lapp02.apple.com with ESMTP id 2m7qbrj2s8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 07 Sep 2018 08:47:59 -0700
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"
Received: from nwk-mmpp-sz10.apple.com (nwk-mmpp-sz10.apple.com [17.128.115.122]) by ma1-mtap-s01.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PEO00JWLZVZKL50@ma1-mtap-s01.corp.apple.com>; Fri, 07 Sep 2018 08:47:59 -0700 (PDT)
Received: from process_viserion-daemon.nwk-mmpp-sz10.apple.com by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PEO00F00YES5E00@nwk-mmpp-sz10.apple.com>; Fri, 07 Sep 2018 08:47:58 -0700 (PDT)
X-Va-A:
X-Va-T-CD: c32dbaa97f6cb839155684977103028d
X-Va-E-CD: 5ebd350c3104e03c31bb529541a1dbe7
X-Va-R-CD: b3d5e4c71d6ae56c65ff667bce554311
X-Va-CD: 0
X-Va-ID: 48e610fe-93c2-4612-ae46-d32dce733084
X-V-A:
X-V-T-CD: c32dbaa97f6cb839155684977103028d
X-V-E-CD: 5ebd350c3104e03c31bb529541a1dbe7
X-V-R-CD: b3d5e4c71d6ae56c65ff667bce554311
X-V-CD: 0
X-V-ID: ae6506f6-64a0-48cf-854a-58dd16e6af4e
Received: from process_milters-daemon.nwk-mmpp-sz10.apple.com by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PEO00200ZQDZM00@nwk-mmpp-sz10.apple.com>; Fri, 07 Sep 2018 08:47:58 -0700 (PDT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-09-07_08:,, signatures=0
X-Proofpoint-Scanner-Instance: nwk-grpmailp-qapp15.corp.apple.com-10000_instance1
Received: from tpauly.scv.apple.com (tpauly.scv.apple.com [17.192.171.37]) by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PEO0076ZZVXKK20@nwk-mmpp-sz10.apple.com>; Fri, 07 Sep 2018 08:47:57 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <059d01d446b5$b85610a0$290231e0$@gmail.com>
Date: Fri, 07 Sep 2018 08:47:57 -0700
Cc: Paul Wouters <paul@nohats.ca>, Valery Smyslov <svan@elvis.ru>, IPsecME WG <ipsec@ietf.org>, draft-ietf-ipsecme-tcp-encaps@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <27A951D3-CA76-4C38-990B-6553B4B0CA74@apple.com>
References: <153632409170.28963.3858352353321879475.idtracker@ietfa.amsl.com> <058901d446ad$fd78b5a0$f86a20e0$@elvis.ru> <alpine.LRH.2.21.1809070957170.20905@bofh.nohats.ca> <059d01d446b5$b85610a0$290231e0$@gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.100.21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-09-07_08:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/f1KRVWWqGAjFNiTLA4FvBC1shWI>
Subject: Re: [IPsec] New Version Notification for draft-smyslov-ipsecme-tcp-guidelines-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Sep 2018 15:48:10 -0000
Hi Valery, Thanks for sharing this! I agree with the points you bring up for MOBIKE (not changing the message ID, and needing to recalculate NAT detection payloads). Those are useful to clarify. Regarding retransmissions/puzzles/error handling, I agree with Paul that the recommendations being provided in your draft are potentially harmful to interoperability. We specifically did not include those in RFC8229 because it is not only possible, but likely, that some deployments will use TCP as a proxying layer that’s not directly implemented on the IKE endpoint, and that the IKE messages may be sometimes transmitted over both UDP and TCP (UDP behind TCP). This is, in fact, how we did our initial testing and bringup of the functionality. Not retransmitting (or the other examples) assumes that the reliable link is end-to-end, even though that is not guaranteed or required by the spec. Can you clarify why an implementation would require modification of the protocol such that TCP encapsulation could not occur in a proxy? The one case I see is client-side MOBIKE, but I don’t think the server needs to do anything special (and clients that don’t want to do fancy MOBIKE fallback between UDP and TCP don’t need to change). Thanks, Tommy > On Sep 7, 2018, at 7:18 AM, Valery Smyslov <smyslov.ietf@gmail.com> wrote: > > Hi Paul, > >>> I've posted a draft with clarifications and implementation guidelines >>> for RFC8229. These clarifications and recommendations are based >>> on experience of implementing TCP encapsulation and testing it in >>> various IKEv2 scenarios. >>> >>> Feedback of any sort is highly appreciated. >> >> I would cut a lot of the introduction / abstract and come straight to >> the point. Simiarly, further one not provide as much details and just >> come to the point faster. > > I tried to be pedant :-) > >> I don't see any consideration in the document about deployments that >> use a TCP proxy in front of the IKE daemon. In those scenarios, the >> daemon might not even know TCP is used or the proxy code is written in >> a way that only minimal changes to the IKEv2 core are needed. > > Is it ever possible? My experience shows that adding TCP encapsulation > influences IKEv2 code pretty highly. > >> So a lot of decisions you specify, such as not sending retransmits, might not >> be possible for those kind of implementations, and so this document >> dictating them for make interop harder, not easier. > > Why? Can you clarify in which cases interop will be harder? > >> As this also touches on message IDs, and I think we might have some >> msgid deadlocks even in the UDP only case, perhaps a clarifying > > If you mean MOBIKE, I agree with you that deadlocks seem to be possible. > >> document could add some non-TCP items as well? And the TCP part could >> be part of the new clarification draft ? > > Not sure it's worth to mix them. > > Regards, > Valery. > >> >> Paul >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec >
- Re: [IPsec] New Version Notification for draft-sm… Valery Smyslov
- Re: [IPsec] New Version Notification for draft-sm… Paul Wouters
- Re: [IPsec] New Version Notification for draft-sm… Valery Smyslov
- Re: [IPsec] New Version Notification for draft-sm… Tommy Pauly
- Re: [IPsec] New Version Notification for draft-sm… Valery Smyslov