Re: [IPsec] Comments: New Version Notification for draft-mglt-ipsecme-diet-esp-08
Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 07 June 2022 12:14 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ACCCC13D086 for <ipsec@ietfa.amsl.com>; Tue, 7 Jun 2022 05:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.783
X-Spam-Level:
X-Spam-Status: No, score=-3.783 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-1.876, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSDEHH7VAiJr for <ipsec@ietfa.amsl.com>; Tue, 7 Jun 2022 05:14:37 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D5FBC13C2DE for <ipsec@ietf.org>; Tue, 7 Jun 2022 05:14:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 8BCB0625DA; Tue, 7 Jun 2022 08:13:50 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Oy8S0iwCGdRN; Tue, 7 Jun 2022 08:13:42 -0400 (EDT)
Received: from [192.168.160.11] (unknown [192.168.160.11]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 5B2576247F; Tue, 7 Jun 2022 08:13:40 -0400 (EDT)
Message-ID: <437d32fa-9e1f-2711-285f-ad33567b5d4f@htt-consult.com>
Date: Tue, 07 Jun 2022 08:14:10 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
From: Robert Moskowitz <rgm-sec@htt-consult.com>
To: Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>, IPsecME WG <ipsec@ietf.org>
References: <165245934076.55873.10897274756238806359@ietfa.amsl.com> <DM6PR15MB36891F40C6CE592453EA70B7E3CA9@DM6PR15MB3689.namprd15.prod.outlook.com> <53e16b45-a7a0-dcbe-2303-81d438749912@htt-consult.com>
In-Reply-To: <53e16b45-a7a0-dcbe-2303-81d438749912@htt-consult.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mnD0cbi2QqAPdLk_BTCbIKpcEhI>
Subject: Re: [IPsec] Comments: New Version Notification for draft-mglt-ipsecme-diet-esp-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2022 12:14:38 -0000
Daniel, Back at it, now that ASTM is behind me... what will it take to bring this in line with SCHC. I don't know SCHC well enough to pick up the differences. What will it take to add AES-GCM-12 to supported ciphers by IKE (and thus ESP)? For my use case, I have a hard time seeing why I need a 16-byte ICV. Even an 30 min operation with streaming video is a limited number of packets. I am going to talk to my contact at DJI to see what information they are willing to share... Bob On 5/16/22 16:47, Robert Moskowitz wrote: > Thanks, Daniel for the update. > > Now some comments. > > The necessary state is held within the IPsec Security Association and > > The document specifies the necessary parameters of the EHC Context to > allow compression of ESP and the most common included protocols, such > as IPv4, IPv6, UDP and TCP and the corresponding EHC Rules. > > Should any reference be made to cipher compression? At least > reference to 8750? Or since this is just the abs > > It also > defines the Diet-ESP EHC Strategy which compresses up to 32 bytes per > packet for traditional IPv6 VPN and up to 66 bytes for IPv6 VPN sent > over a single TCP or UDP session. > > > In UDP transport I am reducing 18 bytes (assuming cipher with zero > padding) to 4 bytes. Also worth noting here... > > > On the other hand, in IoT > communications, sending extra bytes can significantly impact the > battery life of devices and thus the life time of the device. The > document describes a framework that optimizes the networking overhead > associated to IPsec/ESP for these devices. > > > You say nothing about constrained comm links. This compression may > make ESP viable over links like LoRaWAN. > > ESP Header Compression (EHC) chooses another form of context > agreement, which is similar to the one defined by Static Context > Header Compression (SCHC). > > Reference rfc 8724. > > And more than 'similar"? Maybe "based on the one"? > > The context > itself can be negotiated during the key agreement, which allows only > minimal the changes to the actual ESP implementation. > > I don't get this. What only allows minimal changes? The key > agreement protocol or ECH? If the later then perhaps: > > The context > itself can be negotiated during the key agreement, which then needs > only > minimal the changes to the actual ESP implementation. > > More for introduction: > > Perhaps you can add that in transport mode, an SA may be for a single > transport/port to tune the ECH for that use and that multiple SAs > could be negotiated for this case. > > Question: Can a single IKE exchange produce multiple SAs? > > Here is my use case: > > Between the UA and GCS are two flows. One for Command and Control > (C2) the other streaming video. Both over UDP, but different ports. > So instead of having carry the UDP ports in all the messages, > negotiate separate SAs with the appropriate ECH. > > Ah, I see this in Sec 5. You should say something about this in the > intro. > > sec 4. > > EHC is able to compress any protocol encapsulated in ESP and ESP > itself. > > No really true per other claims. Does it offer compressing RTP? I > need that, probably, for my streaming video app. > > to compress any IP and transport protocol... > > And only TCP and UDP are shown, what about, say, SCTP? > > BTW, I note that you use 'IKEv2'. At this point is that really > needed? Should just IKE be enough? Has not IKEv1 been depreicated? > > 6. EHC Context > > > The EHC Context is defined on a per-SA basis. A context can be > defined for any protocol encapsulated with ESP and for ESP itself. > > Should that be "any IP or Transport protocol"? To exclude layer 5 > protocols (CoAP, RTP,,,)? > > Layer 5 protocols SHOULD be via standard SCHC with the SCHC Rule ID > included... > > Or maybe 'typically'? As some layer 5 might be easy? RTP maybe? > > So this is it for this round of comments. I am looking at Appdx A and > making a UDP example. Including IIV. > > Bob > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Fw: New Version Notification for draft-mg… Daniel Migault
- [IPsec] Comments: New Version Notification for dr… Robert Moskowitz
- Re: [IPsec] Comments: New Version Notification fo… Robert Moskowitz
- Re: [IPsec] Comments: New Version Notification fo… Daniel Migault
- Re: [IPsec] Comments: New Version Notification fo… Robert Moskowitz
- Re: [IPsec] Comments: New Version Notification fo… Daniel Migault
- Re: [IPsec] Comments: New Version Notification fo… Daniel Migault
- Re: [IPsec] Comments: New Version Notification fo… Paul Wouters