Re: [IPsec] Comments on draft-mglt-ipsecme-diet-esp-07
Daniel Migault <mglt.ietf@gmail.com> Thu, 12 May 2022 15:58 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E74AC157B52 for <ipsec@ietfa.amsl.com>; Thu, 12 May 2022 08:58:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL_A=0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rQhtV2W_vFXD for <ipsec@ietfa.amsl.com>; Thu, 12 May 2022 08:58:35 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A18CC157B4A for <ipsec@ietf.org>; Thu, 12 May 2022 08:58:35 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id g16so7084152lja.3 for <ipsec@ietf.org>; Thu, 12 May 2022 08:58:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K4x/5gxBcj/X9jzWpE83kVmCN3RbJBAK9vo6aBldwOI=; b=KF7xdi8i7RzcYUNy+5jrlRmQnXdYSbvAFUeTXzf4npaD/4b330yyxQ4PSIRmwi790y 4o/NcyFwrUNAqkLYdxl7qNQt8sWYXvDtjfNA+0rQYstMg4PnKXLNrvDUTou8KKTCwgVf YW3o3wMAHOw9xslPi0xr0UGIYKDfNO7DScxHwylKh+sGlxCYSQe5l9jRdRQPox16hKyT ivvaI7Ni8wAXcGIk/ixLOgc3KHfPfs1UJuRNytUO9ZCmFJojCCHxG8+LFwCtq3/oqMMa NyOtLw+N90b/aJIxdYtuf6DNIqrj94gz+1BjQW+KapZQuU2o3LvKxvHj+onoOpAGD7+V zG+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K4x/5gxBcj/X9jzWpE83kVmCN3RbJBAK9vo6aBldwOI=; b=qh+dax/7Li9R3Tk63e+DIB3RWByfbkxOCk/t5b1/QE8w6K4qr60v1aAD5aOCxzHHG1 RIXdRN0IqLbSaYUdTIdXLOPPSQloMc8BBpzBRW23O/pV1Wy+fnDUPmQ8jiDBJUVw2WDA fTLEY6c+jx/Xx8SDWaR9ap8bu1u6Yc7bD8WtrvAZB670p+Q+HRDJsTy1mp0RvAIGXuHP gPVD+ypGyI/G52jwRUDPu0b21jIIX/KA1LA9gJoI9cwBDvUHLfZaJcDU4kICoUgFuSHY vrXJuJtGLhEj4NkqNHZqd//rUSAvx+nOPcM4WOFxgvJBLhBzzmlRKpDKJ201I5tOFTZI 0ueA==
X-Gm-Message-State: AOAM530YYTat0ltb2ufC7lfvsXMP8adgbxL8jz4WOMxUOmttPikN0dk+ O97uXOYSExXvIjltMDB7SNsronvIH3dsuPd+tqXPuNVkKxs=
X-Google-Smtp-Source: ABdhPJyTWb21O1YGaUQKN4TEbXA/QUzCyrVPJxXtAiR9iOpLwu49CEgp/Z2pmv/c1V55OyE9QcRHrz573oR/ZnhE3Bg=
X-Received: by 2002:a2e:8346:0:b0:250:baa1:76ee with SMTP id l6-20020a2e8346000000b00250baa176eemr407968ljh.194.1652371112797; Thu, 12 May 2022 08:58:32 -0700 (PDT)
MIME-Version: 1.0
References: <b510dbad-fa37-7591-ebf6-e3af2a31c140@htt-consult.com>
In-Reply-To: <b510dbad-fa37-7591-ebf6-e3af2a31c140@htt-consult.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Thu, 12 May 2022 11:58:21 -0400
Message-ID: <CADZyTkkMTALCRzBquTZZQOoAgeFbvyqML3pCnTSommxr5U0sRg@mail.gmail.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003728ff05ded2a1c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/gJ1dgEf0Y2YQlSwnlNPb3UcT7Sk>
Subject: Re: [IPsec] Comments on draft-mglt-ipsecme-diet-esp-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2022 15:58:39 -0000
Hi Bob, I apologize for the delayed response. I am happy to go back to this document. Yours, Daniel On Fri, May 6, 2022 at 5:02 PM Robert Moskowitz <rgm-sec@htt-consult.com> wrote: > First read-through. > > Is there an implementation of this draft? > > yes we do have an implementation on contiki, as well as in python. The implementation is available here: https://bitbucket.org/sylvain_www/diet-esp-contiki You can also find a description of the implementation as well as some experimental measurements we performed there: https://www.researchgate.net/publication/316348221_Diet-ESP_IP_layer_security_for_IoT Obviously it being last published in '19 some drafts are now RFCs and > thus need updating. > > Sure ;-) > Page 5 at top: > > Non ESP fields may be compressed by ESP under > certain circumstances, but EHC is not intended to provide a generic > way outside of ESP to compress these protocols. > > How does EHC work with SCHC CoAP compression, rfc 8824? I would think > this is a must work with... > > I agree that is something we should consider and probably clarify. Diet-ESP is not intended to provide some compression beyond what is being used for TS. I do not see CoAP as part of these TS, and as such, I would expect the compression associated to CoAP to be handled "after Diet-ESP". Not having read how SCHC compresses CoAP, I Assume that SCHC CoAP compresses also the UDP/IP part which ends in the compressed CoAP packet not being an IP packet. On the sender side, when IPsec is applied to such packet, there is a need that this compressed CoAP packet matches the SPD TS - unless these are set to ANY. So my first question would be how SCHC CoAP works with IPsec ? Assuming the compressed packet is protected by IPsec, only the ESP fields will be subject to compression. On the other hand, if IPsec requires some fields, there is probably a need to request Diet-ESP to compress what SCHC(CoAP) has not compressed to make IPsec work. > As depicted in Figure 1, the EHC Strategy - Diet-ESP in our case - > and the EHC Context are agreed upon between the two peers, e.g. > during key exchange. The EHC Rules are to be implemented on the > peers and do not require further agreement. > > Can the EHC Strategy, Context, and Rules be static between two hosts? > This is of interest to me with Network Remote ID where these will always > be the same (I think so far) between the UA and Service Provider. > > In fact if aligned with SCHC, static is the norm which can be overridden > during a key exchange. This approach would allow the key exchange to be > unmodified to support diet-esp. > > Rules are static and require only to agree on a very small number of parameters via IKEv2. WHat I do not think we considered is the exchange of additional SCHC rules. > With EHC, the agreement of the level or occurrence of compression is > left the negotiation protocol (e.g. IKEv2), contradicting the > signalization of the level of compression for a certain packet send > over the wire. > > This is a sentence fragment and I don't get what is being said here. > Taking out the comma delimited: > > With EHC, contradicting the > signalization of the level of compression for a certain packet send > over the wire. > > ? > > Good I will need to review the doc. > This > leads to multiple SAs, and thus, multiple SPIs for different levels > of compression agreed with the EHC Context. > > This can lead to multiple... > > Sure, Thanks. > I think > > If the sender detects the de-compression can not be guaranteed with a > given EHC Context and EHC Strategy, it MUST NOT apply compression. > > If the sender detects that the de- > > ? > > Made it through sec 6, stopping for now a 6.1 where I will continue Monday? > > I see that with ESP Next Header compression and ony UDP in the SA, that > SCHC for UDP is not needed so don't need an IP Protocol number for SCHC > here. But what about SCHC for CoAP over UDP? > > I think there is a need to define which layers will compress the inner UDP, and this is likely to depend on the TS values. > Anyway, stopping for now. More, I suspect, later. > > Oh, and NIST is having their 4th LWC workshop M-W, so I am busy with > that too! > > Bob > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > -- Daniel Migault Ericsson
- [IPsec] Comments on draft-mglt-ipsecme-diet-esp-07 Robert Moskowitz
- [IPsec] For authors of draft-mglt-ipsecme-diet-esp Robert Moskowitz
- [IPsec] More comments on draft-mglt-ipsecme-diet-… Robert Moskowitz
- Re: [IPsec] Comments on draft-mglt-ipsecme-diet-e… Daniel Migault
- Re: [IPsec] Comments on draft-mglt-ipsecme-diet-e… Robert Moskowitz
- Re: [IPsec] Comments on draft-mglt-ipsecme-diet-e… Daniel Migault
- Re: [IPsec] More comments on draft-mglt-ipsecme-d… Daniel Migault