IETF Logo Mail Archive

Re: [IPsec] [Lwip] Paul Wouters' Discuss on draft-ietf-lwig-minimal-esp-08: (with DISCUSS and COMMENT)

Daniel Migault <mglt.ietf@gmail.com> Thu, 21 July 2022 17:29 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC673C131958; Thu, 21 Jul 2022 10:29:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RskHnP5iVGRR; Thu, 21 Jul 2022 10:29:19 -0700 (PDT)
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AA0CC13C513; Thu, 21 Jul 2022 10:29:19 -0700 (PDT)
Received: by mail-pj1-x1033.google.com with SMTP id q43-20020a17090a17ae00b001f1f67e053cso2036643pja.4; Thu, 21 Jul 2022 10:29:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OKLzWU+rX8aqIUrj4ljB54veLthCLuMqPdqBiQzIbnY=; b=iQYQOUyN/ktHxFQFskG2BGfsK4CV3luLfCycxqPNVGubkZ0N8OyzgKdYfvmtIW2JX6 HxH1BnwhgAhKUqP3rY5NcFWM2HR2kWEL7IFvBK3zPulswQpAJBAvzGzil9K9utA+OxKp i3HtgZjd0DEqOnderB56+P6nV/Gv8HVFaQamGuU3ViwPWimYHVDiJMrKgTtr2RauwYIo zsqFUqaMyPxWf3jjI4key/c/7NIRK3kWvObenyZGIEA4bCRjGcEnfdVz7pOcw5CgU/FJ n1dAMLHJd+Xr/x19p2+2ZvUnNj0BNXhtXkgBVtrLdVPs3wX/Oklhpzeq11fZo78ORwJW CvUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OKLzWU+rX8aqIUrj4ljB54veLthCLuMqPdqBiQzIbnY=; b=erLRxPodEPTf9cCojXpzJqqswO0JmHnhH62Y/19KVyc4frS3EHHhaGF77oCMhYOE1N 1ZM/Q4hYW4gScdyXeWMCXvZWpk8JyXdwv3IFmsoGOKQPx54YCxmuJNdLehsXgTX4geyh t7xpn+IolKPVi4p9EBKe+JF9EXRVezVC/Bwp9oSxNrK8H5yw/BKG2cnbAsrw/+nRfkpW qPwi2/h4bT6MIcQTZ/VDW72RuRVPYJj9C9LhF61aPHUSFAWuXyuGarMI6rQdc6fYdkJC ffeaBqyKDUCc6KhKaIYJ9RhLG4iKCyGq483EeOtgyD7IZdZNXd3B3TPl1giC4f4R8PjX 6rIw==
X-Gm-Message-State: AJIora+emelo+jbEbbkgYSjovRJzzIgnMM0+Q7gxy3PX1j2HjyY71ac/ 8o1turGgJ1pGPszd9QNUwvgy7LquqcVHV6Ssyuy3m92p
X-Google-Smtp-Source: AGRyM1s+ZT+soCi1p5GapVpZdxg4TpjDdaxwKSimEXVnhiNEJMGO2U+ndWeFuGUzENhMrEv/P+U0cN1n+7DBtqJes+A=
X-Received: by 2002:a17:90a:cf81:b0:1f2:235a:3ad with SMTP id i1-20020a17090acf8100b001f2235a03admr8815080pju.107.1658424558846; Thu, 21 Jul 2022 10:29:18 -0700 (PDT)
MIME-Version: 1.0
References: <164919648646.8778.6947253487684946962@ietfa.amsl.com> <CADZyTkkdXs8tJu_J5M_Yb-VC2SbSECLen_igUrGVGtrNFng6QA@mail.gmail.com> <CAGL5yWb5oaridQzFdxoWQdieNxDb=pOB_5sMCBM+HdgCsn_NeA@mail.gmail.com> <CADZyTkk616G+U5323wBXhR35K=FojD2+V_L5UEv-=6Xzz-A4Tw@mail.gmail.com> <CADZyTkkw1h9F9pDrAYgQDOQ-BCwiezocMba4H3WUh9qvavmRYA@mail.gmail.com> <c07734f1-e33c-5aa6-92fd-24938298f3ba@nohats.ca> <CADZyTk=kRGEA3BTMz05uNQbbEgXQT+TTQ0C9-o0FFtK3ny5+oQ@mail.gmail.com> <a6ce149c-293f-9a46-86a5-964d71fe4b3@nohats.ca> <25304.25470.721165.962712@fireball.acr.fi>
In-Reply-To: <25304.25470.721165.962712@fireball.acr.fi>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Thu, 21 Jul 2022 13:29:07 -0400
Message-ID: <CADZyTkkhmbW3AvkR=OYQsEQZzqwaamvUuiKkeOstmHaP4gn2kQ@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Cc: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, The IESG <iesg@ietf.org>, lwip@ietf.org, Mohit Sethi <mohit.m.sethi@ericsson.com>, draft-ietf-lwig-minimal-esp@ietf.org, lwig-chairs@ietf.org, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b7888405e4540e7d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/g_Jp-aUiIH3M3k-eNDtN10GJ9L0>
Subject: Re: [IPsec] [Lwip] Paul Wouters' Discuss on draft-ietf-lwig-minimal-esp-08: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2022 17:29:20 -0000

Hi Tero,

This is correct. When reading Paul's comment I had in mind the text was
about the SN roll over. However, re-reading the full section this is not
the case and the SN roll over mechanism is described later in the section.
I propose to simply remove the current text "Note ... "

Yours,
Daniel

On Wed, Jul 20, 2022 at 4:20 PM Tero Kivinen <kivinen@iki.fi> wrote:

> Paul Wouters writes:
> > >       The sequence number discussion mentions the issue of packets
> falling
> > >       out of the receive window. We talked about an IKE option/notify
> to
> > >       signal this and during that discussion it also came to light
> that this
> > >       protocol is going to be used without IKEv2. This leaves an
> > >       interoprability unaddressed.
> > >
> > > I do not see any mention of IKE option and SN, but maybe you can
> > > refresh my memory.
> >
> > Without signaling that this is going to use large jumps in the SN, the
> > other end would drop packets outside of its replay window. If there is
> > no IKE, how is the peer going to know about this? eg you write:
> >
> >     Note that standard receivers are generally configured with
> >     incrementing counters and, if not appropriately configured, the use
> >     of a significantly larger SN than the previous packet can result in
> >     that packet falling outside of the peer's receiver window which could
> >     cause that packet to be discarded.
>
> I think this description is incorrect. Any kind of jumps in the SN
> will NOT cause any packets to be dropped unless there is reordering
> happening between the incoming packets.
>
> It you are using the time based sequence numbers then the difference
> between sequence numbers will be large if there has been lots of time
> between two packets, and reordering which causes one packet to be
> delayed for that long is uncommon.
>
> I.e. if properly implemented IPsec implementation gets sequence
> number which is much larger than previous sequence the recipient will
> simply move the replay window there and will drop only frames which
> has old sequence numbers that are older than this last received
> sequence number - replay window size.
>
> To receive such frame would require reordering of frames, and to cause
> issues the delayed frame needs to be delayed for time based sequnce
> number interval * replay window size.
>
> This all of course assumes that the sequence number is not trying to
> jump forward more than 2^31...
>
> > What you wrote is "this is a problem". Instead, I think you should state
> > something like "Using time based SN should only be used when it is known
> > that the remote peer supports this or when it is known that anti-replay
> > windows are disabled".
> --
> kivinen@iki.fi
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email