IETF Logo Mail Archive

Re: [IPsec] WGLC of draft-ietf-ipsecme-labeled-ipsec

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 25 August 2021 14:08 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B8C83A0E3F for <ipsec@ietfa.amsl.com>; Wed, 25 Aug 2021 07:08:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbhzTEDI-o1l for <ipsec@ietfa.amsl.com>; Wed, 25 Aug 2021 07:08:33 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED9A03A0E13 for <ipsec@ietf.org>; Wed, 25 Aug 2021 07:08:32 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id g138so15073003wmg.4 for <ipsec@ietf.org>; Wed, 25 Aug 2021 07:08:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=+1Spej/0Htdy61MJJwEv6pRaNDDzB47BoFivW2XKrJw=; b=hmzrsuY/XkbATfNF5JXaThKr1Tcb6Vnn25F9yIIzNKQ6Mr7/SUSGy72ul+na8KjfR4 9mvphhOQa54m7cIlgC9yWFzSehMsEG2EwCiA9UsGwJT1RHeF/sdeCQP3GSuCK258Y/KI id3dKRfe2sICZx9UP3Nl41AE1zHdINMciflPpR0J7Wzftvz3N4HT47Tmf0RJw122nLaQ tYH0oGg1esFDEmEat7F8dqZ4n6KxAM5NM+Kp5xUXD/GJXiX5OCBX6LaTaTJz/shVTOiS 1tFx9IBrgoQI7HnafHkl7ZN1tMKAn9IHAo4JjweA23uS2/MaxdWbvM392RGZqcfQhJy8 nQDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=+1Spej/0Htdy61MJJwEv6pRaNDDzB47BoFivW2XKrJw=; b=Q61ZS5/fpnxAXnNHb4d15TY+ur5pgXT3GNoi61yqS7jf1qTXRW1AOFWAXXqp7+uBp+ oISHlL7qWR5uT/aj6Cog0UzGx97j181pIb40k60lUG+AF0wAPFGvaOK3Ep9Jl+4qtPEb tH0HkgWKwOUx0Zxis6GqE7BdW86bhkCnXyCHn79nPFGGIhYwG7JjbNlRek3BQw9LQYVF n9L1x5mmpZR0XRmZnkf/7YBNPXWzZ6QSSY66F8Wer01+BmYAMojcjAJRPFQ7bZ+MZ5+h h++V9oXqOQ3//lFzIyTsAXfsqPy8f6cokgCcPGo+DOU+FsVAIEEwvXXHaqzI7+FY9mdR coXw==
X-Gm-Message-State: AOAM530r8qwirW/upx62a8G2iifOHZcVGwls2pGKMHv7dsY2Qg7ITjee ZL2lrbmxv3OQC8llRdRTlfxcWhoMWBQ=
X-Google-Smtp-Source: ABdhPJz8Oxxvvn0vi8+ign+MQ8S0EyH7XqXPBOMgCCsuMD/eUR8sFBM8yB+oSZsYCrTQVQhurpO4iQ==
X-Received: by 2002:a7b:c30f:: with SMTP id k15mr9602560wmj.128.1629900510087; Wed, 25 Aug 2021 07:08:30 -0700 (PDT)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id n14sm14656wrx.10.2021.08.25.07.08.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Aug 2021 07:08:29 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Tero Kivinen' <kivinen@iki.fi>, ipsec@ietf.org
References: <24831.15082.263253.443690@fireball.acr.fi>
In-Reply-To: <24831.15082.263253.443690@fireball.acr.fi>
Date: Wed, 25 Aug 2021 17:08:30 +0300
Message-ID: <2d1501d799ba$af76bc40$0e6434c0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKYNO/A1f9S/Q/00+U6x9xSlcVzm6oC/VYA
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mle3vpgWE3BDsxDNNSTAR8GbE8M>
Subject: Re: [IPsec] WGLC of draft-ietf-ipsecme-labeled-ipsec
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Aug 2021 14:08:46 -0000

Hi,

sorry for being late, the GGLC is already over, but I was really busy to review the draft before.

I have few comments.

1. Section 1.2.
The last para is erroneous here, since the immediately following the first para of Section 1.3
states exactly the same with more details. Either remove it or rephrase and move to 1.3 (e.g.
to keep provided example).

2. Section 2.2.
   If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic
   Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also
   be present in that TSi/TSr.

I think this requirement was already spelled out in more generic form in 1.3.
Why it is repeated here?

3. Section 2.2
   A zero length Security Label MUST NOT be used.  If a received TS
   payload contains a TS_TYPE of TS_SECLABEL with a zero length Security
   Label, that specific Traffic Selector MUST be ignored.  If no other
   Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a
   TS_UNACCEPTABLE Error Notify message MUST be returned.  A zero length
   Security Label MUST NOT be interpreted as a wildcard security label.

I wonder why zero-length TS_SECLABEL cannot be used to represent "no security label"?
This would significantly simplify negotiation when using security labels are optional
for initiator. Currently it is proposed that initiator performs two attempts
to establish Child SA in this case - with and without TS_SECLABEL.
If zero-length TS_SECLABEL meant "no security label", then a single CREATE_CHILD_SA
would be sufficient. It would also simplify the IKE state machine for this case.

Are there any reasons I'm not aware of?

4. Section 2.2
   If multiple Security Labels are allowed for a given IP protocol,
   start and end address/port match, multiple TS_SECLABEL can be
   included in a TS payload.

This sentence is unclear for me. If the initiator includes multiple TS_SECLABEL,
does it mean that the responder must select exactly one of them or not?
If yes, then can you please clarify, that the presence of  multiple TS_SECLABEL 
means that selection any of them is acceptable for the initiator.

5. Section 2.2:
What is "TS_set", which is mentioned twice in the last para?
This acronym was never used before in the dicument.

6. Section 3.
   Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of
   TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.

This is repeated for the third time in the document. Can you please keep the only
instance of this requirement?

7. Section 3.
   A responder MUST create its TS response by selecting one of each
   TS_TYPE present in the offered TS by the initiator.  If it cannot
   select one of each TS_TYPE, it MUST return a TS_UNACCEPTABLE Error
   Notify payload.

and later

   Some TS_TYPE's support narrowing, where the responder is allowed to
   select a subset of the original TS.  Narrowing MUST NOT result in an
   empty selector for that TS_TYPE.

This is wrong with regard to TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.
The responder may return any subset of TSs with TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.
E.g, if the initiator included 5 TSs with TS_IPV4_ADDR_RANGE and 3 with TS_IPV6_ADDR_RANGE,
then the responder is free to return (just as example) only 2 TS_IPV4_ADDR_RANGE and no TS_IPV6_ADDR_RANGE,
and all of them may have different content (due to narrowing). 

I think this paras must be rephrased more accurately.

8. Section 3.2:
   It would be unlikely that the traffic for TSi and TSr would have a
   different Security Label, but this specification does allow this to
   be specified.

Can you please provide some examples of possible semantics of
different TS_SECLABELs in TSi and TSr? Sending different
security labels in different directions? Just for curiosity.

9. Section 3.2:
   Rekey of an
   IPsec SA MUST only use identical Traffic Selectors, which means the
   same TS Type and selectors MUST be used.  This guarantees that a
   Security Label once negotiated, remains part of the IPsec SA after a
   rekey.

I think it is a too strong requirement. Traditionally in IKEv2 the rekey operation
is equivalent to creating a new Child SA with full negotiation of algorithms and 
TSs. I know that there is an effort to make thing simpler in most cases,
but I don't think status quo should be changed for generic case.
I prefer to remove this para.

Regards,
Valery.

> -----Original Message-----
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Tero Kivinen
> Sent: Tuesday, July 27, 2021 1:45 AM
> To: ipsec@ietf.org
> Subject: [IPsec] WGLC of draft-ietf-ipsecme-labeled-ipsec
> 
> This is the start of 2 week WGLC on the
> draft-ietf-ipsecme-labeled-ipsec document, ending 2021-08-10.
> 
> Please submit your comments to the list, also send a note if you have
> reviewed the document, so we can see how many people are interested in
> getting this out.
> --
> kivinen@iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email