IETF Logo Mail Archive

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Paul Wouters <paul@nohats.ca> Fri, 16 July 2021 19:46 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D64F73A4242 for <ipsec@ietfa.amsl.com>; Fri, 16 Jul 2021 12:46:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2TdmtpNLKd9l for <ipsec@ietfa.amsl.com>; Fri, 16 Jul 2021 12:46:10 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C6823A4241 for <ipsec@ietf.org>; Fri, 16 Jul 2021 12:46:10 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4GRMDb5bxkz50w; Fri, 16 Jul 2021 21:46:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1626464767; bh=/DlpdW10YcTIdZ1cw8RhK7iuNmktJL35E9f/OzuKPhc=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=sA/hQLeScHPMNkCynKlNCc/P5A8+ahmhSqeqD0K6TaJMeYfKVzMxg2xhgz2SjbYGG L3oZTsfCWyR9XNp6LGjj4do8zXRkNmZBBTbcjO1afj1gQnAE4G0LhD7tcehx+wZ86Y q3Sbs9WRj3FTAnribF50ywQAY9fjQaLi5DwSgPrs=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id JRuPSmFM3wR9; Fri, 16 Jul 2021 21:46:06 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 16 Jul 2021 21:46:06 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 6554ACA25D; Fri, 16 Jul 2021 15:46:05 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 62186CA25C; Fri, 16 Jul 2021 15:46:05 -0400 (EDT)
Date: Fri, 16 Jul 2021 15:46:05 -0400
From: Paul Wouters <paul@nohats.ca>
To: "Bottorff, Paul" <paul.bottorff@hpe.com>
cc: Tobias Brunner <tobias@strongswan.org>, Valery Smyslov <smyslov.ietf@gmail.com>, 'Tero Kivinen' <kivinen@iki.fi>, "antony.antony@secunet.com" <antony.antony@secunet.com>, 'IPsec' <ipsec@ietf.org>, Mahendra Maddur Puttaswamy <mpmahendra@juniper.net>, Shraddha Hegde <shraddha@juniper.net>, 徐小虎 <xiaohu.xu@capitalonline.net>
In-Reply-To: <CS1PR8401MB11928BB2C45625F3867EB774FE119@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM>
Message-ID: <5766259-f771-b4fd-8236-15dfd3c4fb25@nohats.ca>
References: <CS1PR8401MB11928BE251D4B6E05184D941FE619@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <20210331103220.GA21137@moon.secunet.de> <CS1PR8401MB119267E038AFBDFD996F0441FE7C9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <24678.19440.553333.890224@fireball.acr.fi> <036401d72786$91047b90$b30d72b0$@gmail.com> <CS1PR8401MB11924CD1BF4CC233523180F3FE7A9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <CS1PR8401MB119239134AD78A9B30754AE4FE139@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <f0cf6bca-f3b8-c991-2257-90def87f40c9@strongswan.org> <CS1PR8401MB11925D7FE5542E0E14F86F6CFE129@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <7cd40215-563d-9860-62fa-4110f1bd3895@strongswan.org> <CS1PR8401MB11928BB2C45625F3867EB774FE119@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/lGbhlXNsZKBuFrkaYWOgGdvampw>
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jul 2021 19:46:15 -0000

On Fri, 16 Jul 2021, Bottorff, Paul wrote:

> Somehow I think we are mis-understanding. Please excuse the long introduction to answer your question.

I am also very confused.

> Consider an IPSEC initiator sitting behind a NAPT talking with an IPSEC responder on the Internet (within a DC).
>
> The initiator will start with IKE. The IKE packets will not be LB and since a NAPT would be detected, the IKE packets would use source and destination port 4500.

Just to clarify, on the initiator those source/dest ports will be 4500,
but on the responder the source port can be anything and the destination
port will be 4500.

> After IKE established the SA, load balancing will be used with ESPinUDP packet exchanges.
>
> Both the initiator and the responder can exchange ESPinUDP with LB after the SA is established.

Which SA? The initial IPsec SA ?

> For ESPinUDP with LB the source port will be used for entropy. This does not necessary mean the source port is random, however does mean the source port must cover a range of values sufficient to provide the required level of entropy. Draft-xu-ipsecme-esp-in-udp-lb does not provide specific guidance on entropy values, however for NAT interoperability it is desirable to limit the number of entropy values.

I think you are saying "pick a random port and keep using it" and not
"use a random port for each packet", right ?

> At an IPSEC initiator (behind NAPT) using draft-xu-ipsecme-esp-in-udp-lb will generate LB ESPinUDP packets with the entropy value in the source port and a new destination port

Where does this "new destination port" come from? You only have a NAT
mapping for port 500 and a NAT mapping for port 4500. Did a new
destination port get negotiated over IKE? I don't see that specified in
the draft. Or do you expect the non-NAT IPsec endpoint to auto-detect
these packets to random ports based on encap payload and SPI ?

> , however the use of a new port to designate LB complicates the situation. Instead, if we consider both ends of the SA being configured for LB, then we can simply use the existing 4500 port to designate the ESPinUDP encapsulation. Using this observation IPSEC LB packets transmitted from the initiator (behind the NAPT) would have entropy in the source port and 4500 in the destination port.

But when using only destination port 4500, then you run into the
problem of NAT mapping updates. If you send a ESPinUDP packet to
port 4500 from source port X, the peer will update its IPsec SA
endpoint and start sending all packets to that single source port.
So any entropy gain is lost.

> Each IPSEC initiator LB packet with a different entropy value will result in a new mapping at the NAPT.

Yes, a new mapping, but the old mapping will be deleted. Is your draft
saying we should _keep_ those mappings? If so, how would you ever detect
a _rela_ IKE/ESP port remapping from the NAPT router between the
endpoints?

> The normal behaviour of the responder (outside the NAPT) is to transmit to the destination address and port of the last packet source address and port (from the initiator)

Not without MOBIKE. And with MOBIKE this requires explicit signaling via
the INFORMATIONAL IKE message containing an UPDATE_ADDRESS payload.

> however this is where we deviate for a LB implementation. Instead the responder (outside the NAPT) transmits all responses to the address and port established for IKE, however with an entropy value in the source port. Since the NAPT has the IKE mapping this will deliver the ESPinUDP packet to the initiator where the destination port will be restored to 4500 and the source port will be the entropy value.

I don't see how this can properly work. It would be really helpful if
you can explain this with ASCII art in your draft document.

> So to your question about NAPT filtering. If the NAPT follows REQ-8 in RFC 4787, then filtering will pass the responder packets since the destination address and port will be mapped and the source address will also be known. In the event a NAPT violates REQ-8 and does Address and Port - Dependent Filtering then the responder packets might be filtered. There may be solutions for this case, however for the present discussion it does not seem worth pursuing the case were a NAPT violates REQ-8.

I still don't see how you avoid reducing everything to 1 NAT mapping on
the NAPT router, and thus with no extra entropy, as it seems multiple
different source IPs are racing with the regular endpoint NAT mapping
update. And if you change that behaviour to not update but keep the
old NAT mappings, you need to not only change the kernel behaviour,
you also need to signal whether this is supported through IKE, and
whether you want it activated. Eg you would need some _SUPPORTED notify
and then some USE_ notify.

Paul W

v2.23.0 | Report a Bug | By Email