IETF Logo Mail Archive

Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)

Martin Duke <martin.h.duke@gmail.com> Wed, 10 August 2022 14:06 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 303FCC14F743; Wed, 10 Aug 2022 07:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EoPT2C1pCJFU; Wed, 10 Aug 2022 07:05:59 -0700 (PDT)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A892EC15948D; Wed, 10 Aug 2022 07:05:19 -0700 (PDT)
Received: by mail-qk1-x734.google.com with SMTP id i24so11122964qkg.13; Wed, 10 Aug 2022 07:05:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=YSGNNRGvQHn+jIcg4TSGJlPMmpC2HdJ8C8ni6N14t2Q=; b=dBvg9fP1mCYBKdhlAAfuTfuUHuCSWHsltR2B59K0nR4X5OnTWhmPSzX9ffaW9JCTpG csA+cUFtUAHd9XvUidOG63Jy0H+o8Ck6pgpbHsVfckOW8HAQ+dK1qfI9MFvlU3RhyO9B sycgvYmGBfVE1ysaWsTCc6wlQ8Bccnz1LOl0YSTSSZB31N7mueO4GfB8x8kyZY026ySu mFUdMxaPNtGVVkmHBPtIINoynrweZ3oS9lLxvNq+uLXSRleDuB03K+qHWWZblwgJalOt zaOdtnNC2h09xk1B7MwbfixuuvuwkkNFpUDZnJ3b8EuGXL1E9PR/PZaXDGu6XaJ/anpr Kv/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=YSGNNRGvQHn+jIcg4TSGJlPMmpC2HdJ8C8ni6N14t2Q=; b=NlGRLJaXC9BpGrUtBoh3X/PgHcDWcF22HlSyfdn26rT3OAyTjehrLmOiKHK1KFmb22 qSw7rspc0t41oDroTVKcLtgPNdA4ajXn0QJ0rx8bryoUTDr9ywXpxLmlIhUNdxQgWo+E f1L83VCDKhPb8k8Dy5HjTcL/5YJ+ehf7iHbZlcm8QRDPaAwpQvkLztIpdtSBdZctDE3/ pWN++RdcTbqBlwHLq5YXaCOsAVH6scvFD517sljeBXLsyHmTeQJVfYpihjlhtQ1kI3bz H3tEDu6KymeOLoLf73dWUIqNRNI4eSaDYjO+zeK0PfGiKkiIA5zf8PwJrc0jh+gwQX4C dAsA==
X-Gm-Message-State: ACgBeo3SYaWrFxpJi1EJGlLbqwxjCCaqU/Vu9SmUG3VOoML1XH2ttnac NbI4Sha18B6oYK92nqt9uepOhGv1og/UIzFp6+eCHPA0
X-Google-Smtp-Source: AA6agR7tZLNyzoWauRA++jy4NU8cvUCHWmSYIIdtXTzza1tvmgFlJQye9FlwooSlDNZiJY0vQonuOx+34mlTsLVw8BU=
X-Received: by 2002:a05:620a:4416:b0:6b6:8101:be81 with SMTP id v22-20020a05620a441600b006b68101be81mr21595313qkp.414.1660140318388; Wed, 10 Aug 2022 07:05:18 -0700 (PDT)
MIME-Version: 1.0
References: <165973261426.54808.11128651982166539913@ietfa.amsl.com> <051401d8ab20$28b98660$7a2c9320$@elvis.ru> <CAM4esxR182_=Y+F6MC8Kk9czUvjepAQQAAFTjNZ1nsG955Yw+Q@mail.gmail.com> <068e01d8ac92$ad49b080$07dd1180$@elvis.ru>
In-Reply-To: <068e01d8ac92$ad49b080$07dd1180$@elvis.ru>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 10 Aug 2022 07:05:06 -0700
Message-ID: <CAM4esxRQG0rPna81pbhDSAYEZp_yAJ2sN2VNncc++8K23xJvTw@mail.gmail.com>
To: Valery Smyslov <svan@elvis.ru>
Cc: The IESG <iesg@ietf.org>, draft-ietf-ipsecme-rfc8229bis@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
Content-Type: multipart/alternative; boundary="000000000000f476b305e5e3898d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/f_Fq9pbzhe_4OR-wScd1Yhx2-dc>
Subject: Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2022 14:06:04 -0000

Sounds good to me, we're all set modulo the thread with Joe.

On Wed, Aug 10, 2022, 01:25 Valery Smyslov <svan@elvis.ru> wrote:

> Hi Martin,
>
>
>
> please see inline.
>
>
>
> On Mon, Aug 8, 2022 at 5:12 AM Valery Smyslov <svan@elvis.ru> wrote:
>
> >
> > (Sec 9.1)
> > "TCP-in-TCP can also lead to "TCP meltdown", where stacked instances
> >    of TCP can result in significant impacts to performance
> >    [TCP-MELTDOWN].  For the case in this document, such meltdown can
> >    occur when the window size of the outer TCP connection is smaller
> >    than the window sizes of the inner TCP connections.  The resulting
> >    interactions can lead to packets backing up in the outer TCP
> >    connection's send buffers.  In order to limit this effect, the outer
> >    TCP connection should have limits on its send buffer size and on the
> >    rate at which it reduces its window size."
> >
> > Which "window" are you referring to? Receive window, congestion window,
> > or the
> > send buffer? My reading of [TCP-MELTDOWN] is that the tunnel ingress
> > should set
> > its send buffer size to the BDP of the tunnel, which is easier said than
> done.
> > It appears you are using "window" and "send buffer" interchangeably here
> in a
> > way that is confusing.
>
> This text was suggested by Joe Touch (
> https://mailarchive.ietf.org/arch/msg/ipsec/eD85hixrzfqwg4UhwRZ8WL5PkDA/)
> If you think it is unclear, can you please suggest how it can be improved?
>
>
>
> OK, I'll start a separate thread with Joe and you.
>
>
>
>           OK, thank you.
>
>
>
>
> > (9.5)
> > Implementations SHOULD follow the ECN compatibility mode for tunnel
> >    ingress as described in [RFC6040].  In compatibility mode, the outer
> >    tunnel TCP connection marks its packet headers as not ECN-capable.
> >    If upon egress, the arriving outer header is marked with CE, the
> >    implementation will drop the inner packet, since there is not a
> >    distinct inner packet header onto which to translate the ECN
> >    markings.
> >
> > This is not an accurate summary of compatibility mode. In compatibility
> mode,
> > the outer packet is marked Not-ECT, which means it will not be marked
> CE. In
> > normal mode, the outer packet is marked as the inner, and this might
> result in
> > an outer CE marking.
>
> Can you please, clarify why the description is inaccurate?
>
> According to RFC 6040 in compatibility mode outer packet are marked as not
> ECN-capable
> (Not-ECT). On the other hand, since using compatibility mode is SHOULD here
> and currently it is assumed that IPsec tunnels are used with normal mode
> (RFC 4301, RFC 6040), then some
> additional guidelines are given what to do if peer still uses normal mode.
>
> Am I missing something?
>
>
>
> I think my confusion here was that I read the second sentence ("If upon
> egress...") as also describing RFC6040,
>
> which I see now it does not. My apologies; perhaps splitting it into two
> paragraphs would help. However, the need
>
> for this text is related to difficulty mapping outer to inner; see also
> below.
>
>
>
>           I moved this sentence to a new paragraph.
>
>
>
>
> > It's a shame that there is no attempt to figure out a mapping between
> inner
> > and
> > outer that would make normal mode work, as this reviewer is optimistic
> that
> > ECN
> > marks will become increasingly important. But regardless, this section
> should
> > be clear and make correct statements.
>
> I'm not sure this is generally possible given that one outer TCP tunnel
> can include many inner TCP tunnels, so you have to decide which
> of them to inform. The things get worse if AggFrag mechanism
> is in use (draft-ietf-ipsecme-iptfs-13, in IESG evaluation).
>
>
>
> This isn't a DISCUSS, so you can choose to ignore this advice or not.
> However, my concern is that IPSec is going to miss
>
> out on the low-latency services operators are now enabling through ECN.
>
>
>
>           Not exactly :-) Note, that TCP is not a default transport for
> IPsec
>
>           and in case ESP is sent over IP or UDP, all the modern ECN
>
>           techniques must work well (I guess you mean L4S networks?).
>
>           TCP is a backup transport in case no other is available and
>
>           due to the inherent problems (TCP-in-TCP) we don't expect
>
>           to get good performance in this case, so there is no point
>
>           to complicate the protocol. TCP encapsulation is for those cases
>
>           when you need things to work somehow, not in the best way.
>
>
>
> If it were me I would design it this way:
>
>
>
> 1) Encapsulators SHOULD NOT mix ECT(0), Not-ECT, and ECT(1) inner packets
> in the same outer packet.
>
> 2) If they do, the outer packet MUST be marked Not-ECT.
>
> 3) If all packets are marked CE, mark the outer packet CE.
>
> 4) If CE packets are mixed with "something else", mark it "something else".
>
> 5) Decapsulators follow Figure 4 in RFC6040, except they SHOULD NOT log an
> event or raise an alarm when
>
> the outer packet is ECT(1) and one of the inner packets is CE.
>
>
>
> Per 3168, if an inner packet is fragmented, any CE applied to a fragment
> is applied to the reassembled packet.
>
>
>
>           This might work, but please, see above.
>
>
>
>
> > (Appendix A) Why not provide an in-band way to determine TLS support?
> > There
> > could be another port number, or different magic bytes to indicate that
> TLS
> > handshake messages follow.
>
> Actually, with this draft in-band switching to TLS is really a downgrade,
> rather than an upgrade (surprise?).
> The reason is that actual protection of the traffic is provided by IPsec
> and both TCP and TLS
> are only used as transport mechanisms that allow IPsec to work in
> environments where it cannot
> be used otherwise. And TLS is worse, since it requires more resources and
> has bigger overhead.
> So, once you get through using plain TCP there is no sense to switch to
> TLS.
>
>
>
> Thanks for the info. It might be good to explicitly state this in Appendix
> A, but feel free to ignore that suggestion.
>
>
>
>           Thank you!
>
>           Valery.
>
>
>
>
> Regards,
> Valery.
>
>

v2.23.0 | Report a Bug | By Email