IETF Logo Mail Archive

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

Tommy Pauly <tpauly@apple.com> Wed, 26 April 2017 03:28 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E79E01317DD for <ipsec@ietfa.amsl.com>; Tue, 25 Apr 2017 20:28:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yllmaAjSFMun for <ipsec@ietfa.amsl.com>; Tue, 25 Apr 2017 20:28:11 -0700 (PDT)
Received: from mail-in7.apple.com (mail-out7.apple.com [17.151.62.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7AC6124D68 for <ipsec@ietf.org>; Tue, 25 Apr 2017 20:28:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1493177291; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=MhXYONduLqGBRQyTPb0D276pBtxLwDXWF5eMxnnvi7o=; b=VFXPxzcQ6w8QAk/OkDBKKZ4tfSizM+a9nm2PjXeAd1a721GgOX5q9100uvSmEzdg nGD2gFRSz7hdjpLIv79rzLUQDGQpVTVOkrXUR9locf9iWwBwepw1jqFgdj2SpOnl zkKVZ9vpH46G7QkI2QrE8/9DVjRbZ0/GFniAv0cZ6J4TrHHKoZ3oJUXcqGAudbD1 jT15M7PrvgrulkdVNBz+47p6gfmfYm9Wo5IEAlYThpA/ge4ijXi0DSP1gxX5xKZA BaQ/8ehfhG9h3h+cSIr0QX3EV2wUdVuOREluBMkydHkisqe3h9nkI7BFOvHicZqt XgRXIYWN6LD63nXh10jSoA==;
Received: from relay2.apple.com (relay2.apple.com [17.128.113.67]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in7.apple.com (Apple Secure Mail Relay) with SMTP id CA.16.08351.BC310095; Tue, 25 Apr 2017 20:28:11 -0700 (PDT)
X-AuditID: 11973e16-9f9fb7000000209f-94-590013cb446b
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by relay2.apple.com (Apple SCV relay) with SMTP id C3.9F.07829.AC310095; Tue, 25 Apr 2017 20:28:10 -0700 (PDT)
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"
Received: from [17.153.70.191] (unknown [17.153.70.191]) by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0OOZ00F96YYX5EA0@nwk-mmpp-sz11.apple.com>; Tue, 25 Apr 2017 20:28:10 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com>
Date: Tue, 25 Apr 2017 20:28:09 -0700
Cc: The IESG <iesg@ietf.org>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, kivinen@iki.fi
Content-transfer-encoding: quoted-printable
Message-id: <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>
X-Mailer: Apple Mail (2.3424)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrHLMWRmVeSWpSXmKPExsUi2FDorHtamCHS4OBcQYv3f84wWsz4M5HZ 4sX1j8wW+7e8YLOYOecDi8XR88/ZHNg8liz5yeRx+OtCFo+WjwtZA5ijuGxSUnMyy1KL9O0S uDJ2PcooeK9V0XAwtIHxilIXIyeHhICJxJIr/5m7GLk4hARWM0l0T5vBBpN43HiFHSJxiFFi 55+dzCAJXgFBiR+T77F0MXJwMAuoS0yZkgtRM5FJYsHMy8wgcWEBCYnNexJB4sICExglXl+b xQ7SyyagInH82wawGk4BP4lZazxBTBYBVYnL1wJAKpgF6iV+P/7GAmFrSzx5d4EVYquNxMWL i8G2Cgn4SrSccAUJiwhYSTRvf8QCcbGsxIR1m5kh7BNsEqfX601gFJ6F5OZZCDfPQrJgASPz Kkah3MTMHN3MPHO9xIKCnFS95PzcTYygCJhuJ7aD8eEqq0OMAhyMSjy8K7z+RwixJpYVV+Ye YpTmYFES51XaARQSSE8sSc1OTS1ILYovKs1JLT7EyMTBKdXA6LV9tnGEq6RR7tXrbFVp625O szXgV/Dqndez+fXWU7KK3sv+zChotHo8IaLTqKIst+nom56ae1r5t9bOr7iyiP2GoUup9ST5 H7/7XnG+P37riHJGtp1C/fUq5WSVHW+qJsuIrU64mXv8Xsrabn2zdJN9YS8//5/x5OSLD8dZ TquV6fNlFz7mUGIpzkg01GIuKk4EAD7wN+1hAgAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrIIsWRmVeSWpSXmKPExsUi2FA8W/eUMEOkwZotNhbv/5xhtJjxZyKz xYvrH5kt9m95wWYxc84HFouj55+zObB5LFnyk8nj8NeFLB4tHxeyBjBHcdmkpOZklqUW6dsl cGXsepRR8F6rouFgaAPjFaUuRk4OCQETiceNV9i7GLk4hAQOMUrs/LOTGSTBKyAo8WPyPZYu Rg4OZgF1iSlTciFqJjJJLJh5mRkkLiwgIbF5TyJIXFhgAqPE62uz2EF62QRUJI5/2wBWwyng JzFrjSeIySKgKnH5WgBIBbNAvcTvx99YIGxtiSfvLrBCbLWRuHhxMdhWIQFfiZYTriBhEQEr iebtj1ggLpaVmLBuM/MERoFZSO6chXDnLCRDFzAyr2IUKErNSaw00kssKMhJ1UvOz93ECA7Z QucdjMeWWR1iFOBgVOLhDfD4HyHEmlhWXJkLDAgOZiUR3otLgEK8KYmVValF+fFFpTmpxYcY q4A+mcgsJZqcD4ynvJJ4QxMTAxNjYzNjY3MTc6oIK4nzZp0E2iyQnliSmp2aWpBaBLOciYNT qoExucJ/p5FF4u4rh2WU3TPelCSZxmQtaw1Z+KpT+PinJL70lCTNmIPVQT90v/WpzljK67Gm TZ5h7j5J+crPq3/NPDBBhq9TRoavWnNdcs+7yXGflxcari5YnNbV4LBH6lzB1nTxZ7OmviwM idr/wPzoRyXdZ9fEVCZeTXCsjNyvp7Ov4842kyAlluKMREMt5qLiRABfSQtBtAIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/iouHpY35oTzpA_fwuh2pOFBSqjM>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 03:28:14 -0000


> On Apr 25, 2017, at 5:48 AM, Mirja Kühlewind <ietf@kuehlewind.net> wrote:
> 
> Mirja Kühlewind has entered the following ballot position for
> draft-ietf-ipsecme-tcp-encaps-09: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-tcp-encaps/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> This draft suggests that ports that are assigned to other services can
> simply be used. This is not okay. If a port is assigned to a certain
> service, this service and/or the respective RFC defines how this port is
> used. Simply changing the specified behavior by requiring a check for a
> magic number cannot be done without updating the RFC that the port
> assignment belongs to. Also for the use of 4500/tcp RFC3948 as well as
> the IANA registry would need to be updated.

At this point, the only portion of the document that mentions a port other than 500 and 4500 is the appendix. We recommend that 4500 is used as the port for TCP encapsulation. The IANA registry for 4500/tcp is already assigned to IPSec NAT Traversal in RFC 3947; that document does not explain how TCP is to be used, so the reference should be updated to point to the document on TCP encapsulation.

We can soften the references in the appendix to the fact that other ports may, in fact, be used. As for the configuration, it should state 4500 as the default, but allow peers to configure something else out-of-band if they want to modify behavior (which is standard even in UDP implementations of IKE).

> 
> Further, as also mentioned in the tsv-art review (Thanks Wes!), this
> draft does not sufficiently handle the case of TCP in TCP encapsulation.
> Here a copy of the tsv-art review:
> 
> Reviewer: Wesley Eddy
> Review result: On the Right Track
> 
> This document is clear and well-written.  It can easily be implemented
> based on the description.
> 
> There are a few additional issues that should be considered with
> advice to implementers in Section 12 on performance considerations:
> 1) Invisibility of packet loss - Inner protocols that require packet
> losses as a signal of congestion (e.g. TCP) will have a challenge due
> to not being able to see any packet losses since the outer TCP will
> repair them (unless sending into a full outer TCP socket buffer shows
> up back to the inner TCP as a packet loss?).

Yes, this is definitely true. We try to capture that with the line: "This will make loss-
   recovery of the inner TCP traffic less reactive and more prone to
   spurious retransmission timeouts."

However, this can certainly be expanded upon.

> 2) Nesting of ECN -  Inner TCP connections will not be able to use
> effectively ECN on the portion of the path covered by the outer TCP
> connection.

Generally, IPsec tunnels will apply RFC 6040 for translating ECN markings between inner/outer packets. Since TCP encapsulation places the inner IP packets in a stream, there isn't a direct mapping.

An implementation could try to roughly map, but it may be best to suggest that the ECN markings for inner and outer packets be left separate. What is your opinion?

> 3) Impact of congestion response on aggregate - The general "TCP in
> TCP" problem is mentioned, and is mostly appropriate for a single
> flow.  If an aggregate of flows is sharing the same outer TCP
> connection, there may be additional concerns about how the congestion
> response behavior impacts an aggregate of flows, since it may cause a
> shared delay spike even to low-rate flows rather than distributing
> losses proportional to per-flow throughput.

Indeed. We can add further comments to that effect.

> 4) Additional potential for bufferbloat - Since TCP does not bound
> latency, some applications in the IPsec-protected aggregate could
> drive latency of the shared connection up and impact the aggregate of
> flows that may include real-time applications.  The socket buffer for
> the outer TCP connection might need to be limited in size to ensure
> some bounds?

We can add a comment to suggest that the buffering should be limited on the outer connection if possible.

> 
> Not addressing these could lead to poor experiences in deployment, if
> implementations make wrong assumptions or fail to consider them.

I do think all of these concerns go back to the overall recommendation of "use direct ESP or UDP Encapsulation whenever possible". Anything to help back up that point is great!

Thanks,
Tommy
> 
> In the security considerations section, there are several RFCs on
> mechanisms to increase robustness to RST attacks and SYN floods that
> could be mentioned if it's worthwhile.
> 
> 
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email