Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
Lorenzo Colitti <lorenzo@google.com> Wed, 27 March 2024 04:07 UTC
Return-Path: <lorenzo@google.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FF95C14CF1C for <ipsec@ietfa.amsl.com>; Tue, 26 Mar 2024 21:07:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.607
X-Spam-Level:
X-Spam-Status: No, score=-22.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKG9Q8AucfDg for <ipsec@ietfa.amsl.com>; Tue, 26 Mar 2024 21:07:15 -0700 (PDT)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38804C14F602 for <ipsec@ietf.org>; Tue, 26 Mar 2024 21:07:15 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-a4a393b699fso73026566b.0 for <ipsec@ietf.org>; Tue, 26 Mar 2024 21:07:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1711512433; x=1712117233; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=i5/fyP57JKjqUcPMBoqxYW2OpATxSI4Kn8W4YdYRCYw=; b=zsaZ9udAsiFP7kClHqGiV/1YKSSgk2O1W1saww1FCtvjDC3fgFSmqT83IPauCa73zA RDONk4x2y1OPQWGQXpwyhsIiRlN2nS97xkno0PznzP54ZsC8zUSU83OuUUohHWEnZ0/4 bvmnkoQu4nUqxUid8+NzwUuAdGsCsxuVh3zRGh9+2seWDFraLdXB2aqZRVARKR2TLNM9 jrr9XEFtnjQfXvEtV8ojKUs2+46rTcvUSQRMnFNoUMK0s/gjBa7d8eD0OOhkMQOY2Zqj /HuMyeINTijiv6S32KxzU4LWDE21wxw90vJaH6BLHXvToOg/qvSTk/dHaE8TqtUA1/La oJ5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711512433; x=1712117233; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=i5/fyP57JKjqUcPMBoqxYW2OpATxSI4Kn8W4YdYRCYw=; b=TtkHftC/GXVRuPbUBkP52WoyKIf8m+q2CnR6vL8dEtR2u5F23i7ER5DQgw8TcYs6If xTurekeLAJE6gCQ9GoT8MWE9YV6mX6NrYjnrcI+bYE4YoYvSie/Q8UmNKozZ+mH56r4S zWogc8pqcsAcEZCrjrebjKvGPT1ANSaPxQ7FSJI6tD/TeZqRg7upBd2zRny0kN4E8EjV 1T0zBnRBZOBPYFzpDjVxnAQIBRI5CVch+DARd6PH5Wg6Nxr5yJpJ7+DDDYGf35eZ+nb7 ZDKcPQRlKy7tVpJxFDtWQI9abOpzyLeicn80il6mn/1wPlTE68DS9p9+Dyu84WThcCU7 8Y4Q==
X-Forwarded-Encrypted: i=1; AJvYcCUoPZB6ObKyVT3TIyGy7vS1fZgJ1QZB+NXpfLqwL5ypWBjvktQuT2HLoe1EKc4HVU1JcmSuxv3ssldFii6VNA==
X-Gm-Message-State: AOJu0YxSZ7hoW/go5p9ukTboU8oTTIZ5ncSqmAGeRHYL6Ad8Iu3WDgvD l9jJvyQwDGsxp/Ky9x57VNOIIpAdE9Z76HBVBJg2KEt3WdhEVARi7P7LGnkFQPz76m9rqV5kseE AJQtndXH1v4/Fu2l8jbtJO0wMI7Qv40aYoyJn
X-Google-Smtp-Source: AGHT+IEO1DnYWqnsJztqa7MF+ke9Uc9noMEXKuAhaTchQVxo0Q3xl2g5B1fVQIC/jiWr1j3ZrJqjTE7MZS16WP1nOh0=
X-Received: by 2002:a17:906:5ad7:b0:a46:ab93:9848 with SMTP id x23-20020a1709065ad700b00a46ab939848mr2867325ejs.26.1711512432639; Tue, 26 Mar 2024 21:07:12 -0700 (PDT)
MIME-Version: 1.0
References: <170922023791.21652.13338059706655424526@ietfa.amsl.com> <CAFU7BAQuNkHDRidjQqGbXySKJ1FCRKuAksDa0BHsvfGeG45k6g@mail.gmail.com> <4b44a218c77a49edbaecd3b524dbaac7@huawei.com>
In-Reply-To: <4b44a218c77a49edbaecd3b524dbaac7@huawei.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 27 Mar 2024 13:06:56 +0900
Message-ID: <CAKD1Yr3CbS7KHn-MYm0Wos2mq3BUPFteas3SZQyRqXSxa5cqcw@mail.gmail.com>
To: "Panwei (William)" <william.panwei@huawei.com>
Cc: Jen Linkova <furry13@gmail.com>, "ipsec@ietf.org WG" <ipsec@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="00000000000093cafd06149c8a5a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/g-8zRgO7m_q2FZtOCYiFNOvbt-Y>
Subject: Re: [IPsec] Fwd: New Version Notification for draft-colitti-ipsecme-esp-ping-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 04:07:19 -0000
Yes, the idea is to make it possible to leverage native ESP. Pretty much all IPv6 networks (at least commercial networks) don't do NAT. But some of them drop ESP packets. On these networks, NAT detection will say there is no NAT, and the ESP session will be established, but no traffic will flow. On Tue, Mar 26, 2024 at 6:24 PM Panwei (William) <william.panwei@huawei.com> wrote: > Hi, > > I've read the draft and I think I can understand the solution part. But > please allow me to ask a stupid question about the motivation or use case, > because I'm a little confused about that. > > I feel that the problem of IPv6 ESP traverse failure, as described in the > draft and presentation slides, is because of NAT. IKEv2 already supports > the detection of NAT. After the detection of NAT, the peers can use IP + > UDP (4500) + ESP to traverse the NAT. Are there some use cases that this > existing solution doesn't work and this draft tries to solve? Or, are there > some use cases that IKEv2 fails in detecting the existence of NAT? > I can understand the advantages of native ESP described in the draft: 1) > no keepalives or fewer keepalives, 2) no overhead of UDP header. Does this > draft target the use cases where IP + UDP + ESP and IP + ESP can both work > in the existence of NAT, and try to benefit from the native ESP? > > Regards & Thanks! > Wei PAN (潘伟) > > > -----Original Message----- > > From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Jen Linkova > > Sent: Thursday, February 29, 2024 11:28 PM > > To: ipsec@ietf.org > > Cc: Lorenzo Colitti <lorenzo@google.com>; Michael Richardson > > <mcr+ietf@sandelman.ca> > > Subject: [IPsec] Fwd: New Version Notification for > > draft-colitti-ipsecme-esp-ping-01.txt > > > > -01 version shall address comments received since -00. > > The main change is that payload format is defined similarly to ICMPv6 > > echo, and the draft now updates RFC4303, so ESP packets with SPI == 7 > > or 8 and next header==59 are not considered to be dummy packets. > > > > Comments are appreciated! > > > > > > ---------- Forwarded message --------- > > From: <internet-drafts@ietf.org> > > Date: Fri, Mar 1, 2024 at 2:24 AM > > Subject: New Version Notification for > > draft-colitti-ipsecme-esp-ping-01.txt > > To: Jen Linkova <furry13@gmail.com>, Lorenzo Colitti > > <lorenzo@google.com>, Michael Richardson > > <mcr+ietf@sandelman.ca> > > > > > > A new version of Internet-Draft draft-colitti-ipsecme-esp-ping-01.txt > > has been successfully submitted by Jen Linkova and posted to the IETF > > repository. > > > > Name: draft-colitti-ipsecme-esp-ping > > Revision: 01 > > Title: ESP Echo Protocol > > Date: 2024-02-29 > > Group: Individual Submission > > Pages: 7 > > URL: > > > https://www.ietf.org/archive/id/draft-colitti-ipsecme-esp-ping-01.txt > > Status: > > https://datatracker.ietf.org/doc/draft-colitti-ipsecme-esp-ping/ > > HTML: > > > https://www.ietf.org/archive/id/draft-colitti-ipsecme-esp-ping-01.html > > HTMLized: > > https://datatracker.ietf.org/doc/html/draft-colitti-ipsecme-esp-ping > > Diff: > > > https://author-tools.ietf.org/iddiff?url2=draft-colitti-ipsecme-esp-ping- > > 01 > > > > Abstract: > > > > This document defines an ESP echo function which can be used to > > detect whether a given network path supports IPv6 ESP packets. > > > > > > > > The IETF Secretariat > > > > > > > > > > -- > > Cheers, Jen Linkova > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] Fwd: New Version Notification for draft-c… Jen Linkova
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Paul Wouters
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Lorenzo Colitti
- Re: [IPsec] Fwd: New Version Notification for dra… Michael Richardson
- Re: [IPsec] Fwd: New Version Notification for dra… Panwei (William)
- Re: [IPsec] Fwd: New Version Notification for dra… Kan-Ru Chen