IETF Logo Mail Archive

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

"Valery Smyslov" <svanru@gmail.com> Sun, 19 March 2017 11:21 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A04D126BF0; Sun, 19 Mar 2017 04:21:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.261
X-Spam-Level:
X-Spam-Status: No, score=-2.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01HhlYRaYQDH; Sun, 19 Mar 2017 04:21:02 -0700 (PDT)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 560EF126B71; Sun, 19 Mar 2017 04:21:01 -0700 (PDT)
Received: by mail-lf0-x22b.google.com with SMTP id y193so46371143lfd.3; Sun, 19 Mar 2017 04:21:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:from:to:cc:references:in-reply-to:subject:date :mime-version:content-transfer-encoding:importance; bh=uZcvCIzw3qpu94Du5Wv131JNAed+40SClrCrpxH/458=; b=HSCHK9KbckYJlQdPzNlJej9jPsLtPBBq+NV81o8qi935ChLpZHKKV7VuiSd/l60X/9 PzQk4cU49R+wA+Srb9g8CXSvtGk+ttETdo/KqDIX9fEKT9zjtPq0pPX4aaoX+EMRvRd1 KM26JCLCqYcf1Pqzr2JkFrBENn2Y53hVRE8pj2/2jI6zm5fwanY8Bg16zTD8wgRnNyp5 aQVrPYk6wTdb/jjtJtIMa/yt0BNfBTa+eyd5eV/Bq6VOmOy0BiXlL/TvbK4SIhaHuZH7 R1EPU7GwSwBOy1Cufnj2PkByFAGrV2gDxWHbhMB7+XMbXOanthjtAqVc2RzYBAZ0261x 0PFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:from:to:cc:references:in-reply-to :subject:date:mime-version:content-transfer-encoding:importance; bh=uZcvCIzw3qpu94Du5Wv131JNAed+40SClrCrpxH/458=; b=teO5v/o3eXCnED05mTsW+bcPQUGCkPM6T2woyhXLnfhicdtpmm8JVE59cV+WfqT1Ge WuHSs9xrpmxVJGulCsaXKv9P3xkVOeDN9V59UWP1sebh0C/j9Gyh4ybTNW1BJpR5D61F XwbU8QH7Pgd/ERfOH8V/RL95IrpMGux68LPTV2Elke+yPKdMK3/u1WNScJ/ipEg4MX7/ Dvf+TMuOEHmFw2gcZPwOIzKRZ8b5ISkvVVvvhU6Zqwv8iwN6HUqWt6EJ1o7WV64yU0pR NuqonGZPP+BXrAB0KgD0sopNnN8v5EdWC0GAmmyFFNEVULluOvJCLMGIio0jCwwHvCji LzKw==
X-Gm-Message-State: AFeK/H2q1+Mh1L3pqtnVVkp6mCtxDfHnuqy/aY15gh+FsIhVQRbucFqH+5IRvM0LITq84w==
X-Received: by 10.25.77.2 with SMTP id a2mr6753224lfb.143.1489922459646; Sun, 19 Mar 2017 04:20:59 -0700 (PDT)
Received: from chichi (ppp83-237-175-1.pppoe.mtu-net.ru. [83.237.175.1]) by smtp.gmail.com with ESMTPSA id h10sm1897245ljh.59.2017.03.19.04.20.58 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 19 Mar 2017 04:20:58 -0700 (PDT)
Message-ID: <706148CB241E49EEBE79559DF5EBFD7D@chichi>
From: Valery Smyslov <svanru@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, draft-ietf-ipsecme-tcp-encaps@ietf.org, ipsec@ietf.org
References: <CABcZeBPMR9m8zPdhG4Bc3DHWj9UmVq22Z7G4ApYjBGJeC7MU=A@mail.gmail.com> <621CA73A71744D9AAA226100AE915285@chichi> <2D2EA57F-EAF0-4C8C-87D7-FB1938C3CD22@gmail.com>
In-Reply-To: <2D2EA57F-EAF0-4C8C-87D7-FB1938C3CD22@gmail.com>
Date: Sun, 19 Mar 2017 14:20:58 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"; reply-type="original"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/hT1BLgzabCPFcHeZwv9bylL-jgE>
Subject: Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Mar 2017 11:21:03 -0000

Hi Yoav,

> > I don't think it's a good idea. The TCP encapsulation has a lot of drawbacks in terms of performance (see Section 
> > 12), so it is considered
> > as a last resort if UDP doesn't work. In general UDP (or no encapsulation) is a preferred transport. If we start 
> > trying TCP and UDP in parallel, then
> > in some cases TCP will win even if UDP works, resulting in non-efficient connection, even when UDP could be used.
>
> So as I said before, we do it, although IIRC (I’m not on the client team) the client gives TCP a one-second head 
> start.
> The reason is that in many places where a UDP packet can go, a fragmented UDP packet gets dropped,
> so the first packets will work fine but the packets with the certificates (either IKE_AUTH or Main Mode #5) will get 
> dropped.

With IKE Fragmentation that's not a problem anymore.

> In by the end of IKE we have determined that UDP also works, we move to that for IPsec. And if TCP is blocked, we will 
> try the IKE negotiation on UDP.

Your TCP encapsulation protocol seems to be more flexible than what is described in the draft.

The current draft doesn't allow moving existing SA from TCP to UDP unless MOBIKE is negotiated (see Section 5).
So, if you start with TCP first (or do happy eyeballs and TCP wins), you never switch back to UDP, even if it appears
that UDP works for that path too, unless both sides support MOBIKE. And even with MOBIKE it's not clear if switching
is alowed unless interface address changes. That's why UDP is given a preference.

> Yoav

Regards,
Valery.

v2.23.0 | Report a Bug | By Email