Re: [IPsec] New Version Notification for draft-smyslov-ipsecme-tcp-guidelines-00.txt
"Valery Smyslov" <smyslov.ietf@gmail.com> Mon, 10 September 2018 12:14 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99E5A130EB8; Mon, 10 Sep 2018 05:14:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AFa8-EiN6xZb; Mon, 10 Sep 2018 05:14:55 -0700 (PDT)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49FD8130EAE; Mon, 10 Sep 2018 05:14:55 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id v9-v6so17692953ljk.4; Mon, 10 Sep 2018 05:14:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=CaxFlKme+x4t2gA/1jFl4yc5BZUJn4c8gFwVGUjPow4=; b=Kygo7+Qp01vwnOh1Xxn/O+lvugzUBObPzlS8IelO5g6WcQ7dy/ILMcISCjhEhUsYg7 8W7FCB2rRCkTrwOTpGgvKCbuUR/Ujjts88To/Gg9p5MIvdMNP5VclOWuksPYqllgJOjR Zha2mmkqAhoLIBoZdUOSdtSdHCgMcFnQ5vk87TEj7YDKm60esCLV6G6PxquhAnvX4XlW te1NnpWUFsXmswxWgBkvgN0GG6oTNdDBLpZke1y2rXIRqatl5LG6K5Buq6A9ecHXlkHH AsfTfRdTE712oygNSPVrKYLZmrAVV0rFnE/fJ9n20jGFMvNQMgXHA1f+5eJwwBrk4d9H ph0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=CaxFlKme+x4t2gA/1jFl4yc5BZUJn4c8gFwVGUjPow4=; b=a7P0A0eBtzXpSdFZ+IvuRdISqClIlNcb9QRbU/0XkSXoKrvTeKYermQ2fw07mx5Kcp 2Suf9l/hyMUuXsVhY05YHz88wpqBXj2CeVUX+6sVbTw6g/+Ys/gpQFLvC5AQeEKGbGVW JiOCJOfxYYyPj9hvmYyc55myUVIdBIjyWDNuWFi5oiajWQ9/rS0pBd8lah5Hzlh5Qqmp XdQ9rI+XU8JXjeukCz5Qe5L8b44rWMqThlrUsdpBxunxi/FCWXovl1hdvVAmyMy8LYC5 VK8QwfJAcyNMu/Iua2TdAy3dbDJ5WbwCHHQXFpg0vgtgTwYJqyHrmvqCOU3DF1eideIz bRYQ==
X-Gm-Message-State: APzg51AakrYxrnVBA8PQ8oPJ0CYKvGtFsjITCGdCwxBXsfrN+tMvg76m 3/HIHcDbKhWA6VkbUcliDgBaJ+Ib
X-Google-Smtp-Source: ANB0VdbNaMBKU1dfPuLTmsnUsi2bstmlQDViF3glevzR9fOnwnDhX6BaV5zcSR6AfholxQrQjLq0FQ==
X-Received: by 2002:a2e:350b:: with SMTP id z11-v6mr12773976ljz.55.1536581692944; Mon, 10 Sep 2018 05:14:52 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id x3-v6sm2747999ljb.25.2018.09.10.05.14.51 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 10 Sep 2018 05:14:52 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: tpauly@apple.com
Cc: 'Paul Wouters' <paul@nohats.ca>, 'IPsecME WG' <ipsec@ietf.org>, draft-ietf-ipsecme-tcp-encaps@ietf.org
References: <153632409170.28963.3858352353321879475.idtracker@ietfa.amsl.com> <058901d446ad$fd78b5a0$f86a20e0$@elvis.ru> <alpine.LRH.2.21.1809070957170.20905@bofh.nohats.ca> <059d01d446b5$b85610a0$290231e0$@gmail.com> <27A951D3-CA76-4C38-990B-6553B4B0CA74@apple.com>
In-Reply-To: <27A951D3-CA76-4C38-990B-6553B4B0CA74@apple.com>
Date: Mon, 10 Sep 2018 15:14:52 +0300
Message-ID: <070201d448ff$e10860b0$a3192210$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJcXB691A5/IRakRUGL31dObam09AIk+U4iAZLUdFsBvh/7AQH5rVJZo52N0LA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/iWHsq7ymBJzkggNo3UwvuH717tQ>
Subject: Re: [IPsec] New Version Notification for draft-smyslov-ipsecme-tcp-guidelines-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Sep 2018 12:14:58 -0000
Hi Tommy,
> I agree with the points you bring up for MOBIKE (not changing the message ID, and needing to recalculate
> NAT detection payloads). Those are useful to clarify.
>
> Regarding retransmissions/puzzles/error handling, I agree with Paul that the recommendations being
> provided in your draft are potentially harmful to interoperability. We specifically did not include those in
> RFC8229 because it is not only possible, but likely, that some deployments will use TCP as a proxying layer
> that’s not directly implemented on the IKE endpoint, and that the IKE messages may be sometimes
> transmitted over both UDP and TCP (UDP behind TCP). This is, in fact, how we did our initial testing and
> bringup of the functionality.
Yes, I assumed that TCP is end-to-end.
> Not retransmitting (or the other examples) assumes that the reliable link is end-to-end, even though that is
> not guaranteed or required by the spec. Can you clarify why an implementation would require modification of
> the protocol such that TCP encapsulation could not occur in a proxy? The one case I see is client-side MOBIKE,
> but I don’t think the server needs to do anything special (and clients that don’t want to do fancy MOBIKE
> fallback between UDP and TCP don’t need to change).
Let's first clarify what TCP proxy is. I can imagine a four different scenarios
( <-> means UDP traffic, <=> means TCP traffic):
1. UDP IKEv2 Initiator <-> TCP Proxy 1 <=> TCP Proxy 2 <-> UDP IKEv2 Responder
In this case both IKEv2 implementations see only UDP traffic, so recommendations
given in the draft are not applicable.
2. TCP IKEv2 Initiator <=> TCP IKEv2 Responder
In this case there are no TCP proxies at all, this is the case that is assumed in the draft.
3. TCP IKEv2 Initiator <=> TCP Proxy <-> UDP IKEv2 Responder
4. UDP IKEv2 Initiator <-> TCP Proxy <=> TCP IKEv2 Responder
These are the cases where problems might arise. In particular:
a. NAT_DETECTION_*_IP content won't match, so there will always
be "false positive" detection of NAT.
b. In case 4 if TCP session is broken for any reason, then it is the
Initiator's responsibility to restore it. However, in this case
Initiator is not aware of the presence of TCP, so if it has no traffic
to send, the TCP connection will remain broken. If the responder
during that period needs to send something to the Initiator
(say, to rekey SA), it will fail and the SA will be deleted, causing
de-synchronization between the peers.
c. Multihomed MOBIKE scenarios won't work (unless proxy is co-located
on the same host with IKEv2).
d. There may be some issues with transport mode, because it is
assumed that the IPsec SA is between IKE peers, and the "peers"
will be different in case of TCP and UDP (unless proxy is co-located
on the same host with IKEv2).
Am I missing something?
BTW, if you assume that the TCP proxy is always co-located on the same host
with UDP IKEv2 implementation, then we can assume that the UDP link
proxy <-> IKEv2 is reliable (the packets don't leave the host),
so recommendations given in the draft (no retransmissions etc.) won't harm.
Regards,
Valery.
> Thanks,
> Tommy
>
> > On Sep 7, 2018, at 7:18 AM, Valery Smyslov <smyslov.ietf@gmail.com> wrote:
> >
> > Hi Paul,
> >
> >>> I've posted a draft with clarifications and implementation guidelines
> >>> for RFC8229. These clarifications and recommendations are based
> >>> on experience of implementing TCP encapsulation and testing it in
> >>> various IKEv2 scenarios.
> >>>
> >>> Feedback of any sort is highly appreciated.
> >>
> >> I would cut a lot of the introduction / abstract and come straight to
> >> the point. Simiarly, further one not provide as much details and just
> >> come to the point faster.
> >
> > I tried to be pedant :-)
> >
> >> I don't see any consideration in the document about deployments that
> >> use a TCP proxy in front of the IKE daemon. In those scenarios, the
> >> daemon might not even know TCP is used or the proxy code is written in
> >> a way that only minimal changes to the IKEv2 core are needed.
> >
> > Is it ever possible? My experience shows that adding TCP encapsulation
> > influences IKEv2 code pretty highly.
> >
> >> So a lot of decisions you specify, such as not sending retransmits, might not
> >> be possible for those kind of implementations, and so this document
> >> dictating them for make interop harder, not easier.
> >
> > Why? Can you clarify in which cases interop will be harder?
> >
> >> As this also touches on message IDs, and I think we might have some
> >> msgid deadlocks even in the UDP only case, perhaps a clarifying
> >
> > If you mean MOBIKE, I agree with you that deadlocks seem to be possible.
> >
> >> document could add some non-TCP items as well? And the TCP part could
> >> be part of the new clarification draft ?
> >
> > Not sure it's worth to mix them.
> >
> > Regards,
> > Valery.
> >
> >>
> >> Paul
> >>
> >> _______________________________________________
> >> IPsec mailing list
> >> IPsec@ietf.org
> >> https://www.ietf.org/mailman/listinfo/ipsec
> >
- Re: [IPsec] New Version Notification for draft-sm… Valery Smyslov
- Re: [IPsec] New Version Notification for draft-sm… Paul Wouters
- Re: [IPsec] New Version Notification for draft-sm… Valery Smyslov
- Re: [IPsec] New Version Notification for draft-sm… Tommy Pauly
- Re: [IPsec] New Version Notification for draft-sm… Valery Smyslov