IETF Logo Mail Archive

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

Tero Kivinen <kivinen@iki.fi> Wed, 26 April 2017 10:46 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5FC7129AD2; Wed, 26 Apr 2017 03:46:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FW9K_5g67_oq; Wed, 26 Apr 2017 03:46:50 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 681D3129421; Wed, 26 Apr 2017 03:46:49 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v3QAkgT0020168 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 26 Apr 2017 13:46:42 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v3QAkgBk016801; Wed, 26 Apr 2017 13:46:42 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22784.31378.631303.102297@fireball.acr.fi>
Date: Wed, 26 Apr 2017 13:46:42 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Tommy Pauly <tpauly@apple.com>
Cc: ietf@kuehlewind.net, The IESG <iesg@ietf.org>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org
In-Reply-To: <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 5 min
X-Total-Time: 2 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/iVNmDnMPJE5CS6Up2HfzKnMh2Vw>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 10:46:51 -0000

Tommy Pauly writes:
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> > 
> > This draft suggests that ports that are assigned to other services can
> > simply be used. This is not okay. If a port is assigned to a certain
> > service, this service and/or the respective RFC defines how this port is
> > used. Simply changing the specified behavior by requiring a check for a
> > magic number cannot be done without updating the RFC that the port
> > assignment belongs to. Also for the use of 4500/tcp RFC3948 as well as
> > the IANA registry would need to be updated.
> 
> At this point, the only portion of the document that mentions a port
> other than 500 and 4500 is the appendix. We recommend that 4500 is
> used as the port for TCP encapsulation. The IANA registry for
> 4500/tcp is already assigned to IPSec NAT Traversal in RFC 3947;
> that document does not explain how TCP is to be used, so the
> reference should be updated to point to the document on TCP
> encapsulation. 

I already explained this in long email to the Joe and Paul, but
noticed that those emails did not go to to the IESG, so this is mostly
cut & paste of my previous email. This does not cover anything about
using any other ports, but covers the case about the IANA allocations
for TCP/4500 and UPD/4500.

----------------------------------------------------------------------
Paul Wouters writes:
> On Tue, 25 Apr 2017, Joe Touch wrote:
> > Every bit pattern, including those using magic numbers, is already
> > owned and under the control of each assigned port. It is not
> > appropriate for any new service to hijack that pattern as having a
> > different meaning UNLESS explicitly updating the service on 
> > that port.
> >
> > A simple summary of what needs to change, in 2119-language:
> >
> >    - this approach MUST NOT be described as applying to any
> >    	 assigned number unless also updating the associated RFC
> 
> So it should add an Updates: RFC-3947

Not really. It does not update RFC3947 as it does not change the
obsoleted protocol defined in the RFC3947. It does define way to
extend things in IKE in similar way than RFC3948 (UDPENCAPS) does. On
the other hand RFC3947 should have been obsoleted when we obsoleted
IKEv1, as that document only defines how to do IKEv1 NAT traversal
negotiation, and the IKEv2 NAT traversal negotation is described in
main IKEv2 RFC (RFC7296).

> It's a little weird. 3947 reserved TCP 4500, but did not specify how
> to actually use TCP at all. It seems it was mostly preventatively
> reserved.

The reason RFC3947 reserved TCP/4500 was that it updated both TCP/4500
and UDP/4500 references from individual user to the RFC3947, so that
IETF will have change control over the ports. I.e., those ports were
allocated before RFC3947 came out, and they were used for several
different non-interoperable versions of the NAT traversals, which then
evolved to the standard version we define in RFC3947. We decided to
reassign both TCP and UDP port 4500 to RFC3947 so it would be clear
for what use they will be used. Also we commonly reserve both TCP and
UDP ports for same number just in case someone defines a way to run
the protocol over other transport protocol in the future...

RFC3947 does not define anything over TCP/4500. Actually RFC3947 does
not define anything over the UDP/4500 either, it is the RFC3948 that
does that. The RFC3947 just says, we use the format defined in the
RFC3948 over the UDP/4500, but is silent about the TCP/4500.

RFC3947 is efficiently obsoleted, as it only defines the way to do NAT
traversal on IKEv1, and IKEv1 is obsoleted and replaced with IKEv2
(originally RFC4306, and now RFC7296). So the RFC3947 should have been
marked as obsoleted by RFC4306. I am not sure if we want to do that in
this late. 

So my proposal is update the IANA port registry for both UDP/4500 and
TCP/4500 as follows:

         Keyword       Decimal    Description          Reference
         -------       -------    -----------          ---------
         ipsec-nat-t   4500/tcp   IPsec NAT-Traversal  [RFCXXXX]
         ipsec-nat-t   4500/udp   IPsec NAT-Traversal  [RFC3948], [RFC7296]

(RFCXXXX being this RFC).

Note, that the RFC3947 on the 4500/UDP was changed to RFC3948 as the
RFC3948 actually defines the protocol used over the port. RFC3947
defines the IKEv1 negotiation over the UDP port 500 and 4500, but for
IKEv2 this is already defined in the RFC7296.

The RFC3947 could either be left as it is now, or marked as being
obsoleted by this or RFC4306, or RFC7296 or whatever. Updating
document which is effectively already obsoleted, is just wrong...
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email