IETF Logo Mail Archive

Re: [IPsec] Labeled IPsec options

"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Mon, 16 December 2019 19:05 UTC

Return-Path: <jun.hu@nokia.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4E141208E9 for <ipsec@ietfa.amsl.com>; Mon, 16 Dec 2019 11:05:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O0zYVUHcfJgZ for <ipsec@ietfa.amsl.com>; Mon, 16 Dec 2019 11:05:29 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70094.outbound.protection.outlook.com [40.107.7.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6726E1208E4 for <ipsec@ietf.org>; Mon, 16 Dec 2019 11:05:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OktZzkacUYIST5nvPDJSOLaO49DO5JObrGM/55wbUW9kzsV0VyuBZ2yvZyrBG/QJ/SNWVN2K6JkAfUREG/K2g5p6z+CuinPcDOrxllBQ725nRtICchInk3EduzbZ6+HqWDP5W6/qV6odHlji7pFtZZFqzeWMK65O4bgHbziHwm3KuNYLoIZGg8kUjFgB3F1ECVE8J6jBaNGINRxyEn6XFDXQmnpQ9HA0aW0nplQtWJyUM5AWESdJcQQ/eDUvGseEN171dbwWVmyDHXw5LLnuH88QLI3faiVoQt6WNsjJ186jwOk1S/MVLlC9sG3rx4aY+qEp87CwOagbn2QLz0vxiQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hUqXzsY/b5U7IelPRCTA8PfSRnyKKkBqShCYkA+4Hx8=; b=k95fw2nnS1gRuMeh0YyWZ03U+BeCi6daByoRa5uP//32batax06P6mmncHZ0Q2i9jTfIcO2kg1vOar3NRzJ7BBfC2qZXMHfMbhkYNEHU8Paw+PT+tnT2GhwYBqZEowPvZkWY33xa+OXoCY12TVYEIqcT55knQ0JMFF+o0OXoSuwnKqio3ypSshimwPLYDrDJpzmIiUo9wHldLV03+ggUWS8sEhWNkJJNdQ2BdCG3qB64qZnklyhDLSbQdlmGcIjAwxqe5H9DlmTENA/3TJvIe8RhQ4R0uHd8Hcj/+4dqJ0k08IZDJMlevN6JISU6V+LWLhlpcOSTmlJiAL5rPh2iyA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hUqXzsY/b5U7IelPRCTA8PfSRnyKKkBqShCYkA+4Hx8=; b=Oaom19BdNjH5PvqsUZ4iuf646TbQBqOo3vRnqpNEYwxyXHx/1SLmzSfukSJNuMzDYhPSAMAKluTrYarNjv5KiOGMEV0oRpxb9XoKDm4UTVlPjNZndCnTk2bRQ+EKvV1dM0ji7tSdK86I7d+s8+4nVyn+gzpFZa9F9VLw3KmJG+0=
Received: from AM5PR0701MB2353.eurprd07.prod.outlook.com (10.169.150.18) by AM5PR0701MB2481.eurprd07.prod.outlook.com (10.169.153.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2559.12; Mon, 16 Dec 2019 19:05:26 +0000
Received: from AM5PR0701MB2353.eurprd07.prod.outlook.com ([fe80::c00:ee6e:9763:f843]) by AM5PR0701MB2353.eurprd07.prod.outlook.com ([fe80::c00:ee6e:9763:f843%7]) with mapi id 15.20.2559.012; Mon, 16 Dec 2019 19:05:26 +0000
From: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
To: Paul Wouters <paul@nohats.ca>
CC: "ipsec@ietf.org WG" <ipsec@ietf.org>, Sahana Prasad <sahana@redhat.com>
Thread-Topic: [IPsec] Labeled IPsec options
Thread-Index: AQHVrxZ09uToqmx5zEOPjFh9TCkZuae1Rf+AgAHA9YCAAD0q8IAA50OAgAT6SPA=
Date: Mon, 16 Dec 2019 19:05:26 +0000
Message-ID: <AM5PR0701MB23533940C0FAB5EEF1DE790B95510@AM5PR0701MB2353.eurprd07.prod.outlook.com>
References: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca> <AM5PR0701MB2353D18756E93CD302C43ABF955A0@AM5PR0701MB2353.eurprd07.prod.outlook.com> <alpine.LRH.2.21.1912121623440.22484@bofh.nohats.ca> <AM5PR0701MB2353880DFB9B9BB875A8340295540@AM5PR0701MB2353.eurprd07.prod.outlook.com> <alpine.LRH.2.21.1912130946340.8529@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1912130946340.8529@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jun.hu@nokia.com;
x-originating-ip: [2601:646:8500:5ce4:d131:b115:9adb:2e1]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 1bc7f654-8708-480a-fa8a-08d7825ae937
x-ms-traffictypediagnostic: AM5PR0701MB2481:
x-microsoft-antispam-prvs: <AM5PR0701MB2481BDAF584C67C75554F8B295510@AM5PR0701MB2481.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 02530BD3AA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(136003)(376002)(346002)(396003)(366004)(31014005)(13464003)(199004)(189003)(66946007)(186003)(54906003)(7696005)(52536014)(86362001)(4326008)(81166006)(55016002)(53546011)(5660300002)(81156014)(9686003)(6506007)(71200400001)(8936002)(76116006)(2906002)(478600001)(8676002)(66476007)(316002)(33656002)(66556008)(6916009)(64756008)(66446008); DIR:OUT; SFP:1102; SCL:1; SRVR:AM5PR0701MB2481; H:AM5PR0701MB2353.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: PhnNxSWKOaj9/i4Pl/xSUGWU9rdc2iKPJMw4OBzUHjVCE4GoQDtzNi38KfV6ARPFSuUKmOlNxy0YPTXqQ6OB6v3Qlf0osm2lUbbySP2VNbhRFH6witVnCYWFrmiRwoBbJND7/rH6vxBWWTzf/BYp4B3aMtB5k9+JfHeS5E1ZKuA+XJofUuLum74dOp1vr9gvSZCWXFyNqBwUWYvgGmzpnG8X5ctLPPGgrfhjtb0fyNjHNSkvde07f53o+YvuHgjSwfgFprJC19itvw5a2gxTD190Z/0Glo24rFz3ln0mxr9EhMI8zdW6ahGLa8kXDC8BD3MDcaD68VS4kI38u77Egjw9mUZVSKvlWudijJmKIm9iglnYFRNRHxwTOQqhL6UaAqsaC4RL306A75akf4FwrRPbvxStDJ+q/wfoLCeKRMez112BC5g28xj9DNliZyU7hPYz9ExeMOh0fRPHUCP2r/7o6Hd7bwfPWzKS5U+klq2g6txkPxHYpVL5VBHaf3tcyA0F1RvwsPI9Nx0+SXh6eg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1bc7f654-8708-480a-fa8a-08d7825ae937
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Dec 2019 19:05:26.6542 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 6tdTJjv30Iz9S5isXIZnz0gCfBduGAquN7l9Ndt2RpDgdHXZ52XeynMKQYxElWn6d/towVsctFcfIJBfFfvIag==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0701MB2481
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/j9F60X0WXT-G9Q3rNS9vMWM7v18>
Subject: Re: [IPsec] Labeled IPsec options
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Dec 2019 19:05:32 -0000

-----Original Message-----
From: Paul Wouters <paul@nohats.ca> 
Sent: Friday, December 13, 2019 6:51 AM
To: Hu, Jun (Nokia - US/Mountain View) <jun.hu@nokia.com>
Cc: ipsec@ietf.org WG <ipsec@ietf.org>; Sahana Prasad <sahana@redhat.com>
Subject: RE: [IPsec] Labeled IPsec options

On Fri, 13 Dec 2019, Hu, Jun (Nokia - US/Mountain View) wrote:

>> If you select multiple TS's these all become part of one Child SA. So I think the granularity of the label does not change between the solutions?
>
> [Hu Jun] if we agree that label is per CHILD_SA, then with option 1 or 2, there is possibility for invalid TS combination, following are some examples of invalid TS:
> - with option-1: There are two TS in TSi, first TS contains label-1, 
> 2nd TS contains label-2

This issue is similar to network ranges though. Say you want to have:
10.0.1.0/24 <-> 192.168.0.0/16
10.0.2.0/24 <-> 172.16.100.0/24

Then you can also not have a TSi containing 10.0.1.0/24, 10.0.2.0/24 and a TSr containing 192.168.0.0/16, 172.16.100.0/24

With 10.0.1.0/24+SEC_LABEL1 and 10.0.1.0/24+SEC_LABEL2 youl have a similar issue, that is you would need to use a seperate CREATE_CHILD_SA to prevent the mixup of TS elements.
[Hu Jun] since this label is new, ideally we should avoid to have such similar issue; and if this the label is per CHILD_SA, then of course it will require multiple CHILD_SA to have multiple labels, I don't think that's an issue. So again, I think WG need to get a consensus on the granularity of label before an option could be decided , is it per tunnel, per CHILD_SA or per TS?  for me it is per CHILD_SA

> - with option-2: TSi contains label-1, while TSr contains a different 
> label-2

Yes, see above.

> With option-3/4 there is no such concern

Since the notify or new payload type would be the same for all other TS parts, you do have the same problem.
[Hu Jun] sorry, but I fail to see why option-3/4 have same problem if the label is per CHILD_SA and semantic of new notification/payload is for the whole CHILD_SA 
 You also need a different CREATE_CHILD_SA negotiation to specify the different label. So I don't think what you describe is a new issue only affecting some of the solution options. All solutions need a similar workaround to prevent the mixup.

Paul

v2.29.0 | Report a Bug | By Email | System Status