Re: [IPsec] diet-esp - How do you know?
Daniel Migault <mglt.ietf@gmail.com> Tue, 24 May 2022 21:24 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18F48C2B0006 for <ipsec@ietfa.amsl.com>; Tue, 24 May 2022 14:24:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IDeUw9ntHZsv for <ipsec@ietfa.amsl.com>; Tue, 24 May 2022 14:24:28 -0700 (PDT)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D310C2B0004 for <ipsec@ietf.org>; Tue, 24 May 2022 14:24:28 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id 1so9020946ljh.8 for <ipsec@ietf.org>; Tue, 24 May 2022 14:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YY0InMrPXNW2Uw10D7nzPcQzrY+2Ho/hMrE7tFYpzLs=; b=Ik4kYf2m9EkihvDK21YuWwmuQ3wp3CNbSqCL0j3lEBpNdmGpzzACaXon35xYAh2Glm cX4jvzvmXDO6ibsnDI2IEget2XCVTmOkJNxQkW9WSPt73byO9r++XlVSs28ojl6I9+ml XNxXAkcPliBs6utviYE4g4ROi1tll9IJ0IOKqCPC0QAMXTivmb6UY1112D2BRaYVXRks II7r7RG0DPEXXxXuW8avZIiSBM7yZ7KH3/XkfwQqYvcUBloj7nmM1smUb559isDV2Qj5 PaP2ANrpp4qIWslqkhqwJNbjhRKB8dxscYX650zc4oO9wGkzHj38u6M/uLttfuaKAu3r 4tYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YY0InMrPXNW2Uw10D7nzPcQzrY+2Ho/hMrE7tFYpzLs=; b=BltppaamLhDvM4R/Pigdkr+nmN58JyImLAd7n6XMAQTpC9DQpmbIOto/LKvHTVHzJp k/8xPGD4mUb3hQkmU5ba6xtT3MAxsNl/2adLKGxlzlMWA3zbdcYol4ts8OOoURU0V07w 7gnIIN3ZNdqFaqkJxV1MRIGkL/5rk6VkYZFf09kDWodMe3IviJras82g8bSt37tVG+Fu kEUn+oQJ4LlOgw+oDFnE59hzS7E+YMq7YtfQlo3p9YWJX3Ua1+cj/auSdozKyVUSMyxW p+NFyndANOaXNuCq+BFSS47NkP429K7qlb86IQbBU2zmh6ZO738xbCU5UVrOdushSzvX xwZw==
X-Gm-Message-State: AOAM532u3yyWSP7ht+CZSjS0ZF2JK0GJmojrtJw/BDt2+C4y6YJSHPLq Gl+m3RDiv+S6hnGFO952lNw0/fzbJO+lgjnDB8Q=
X-Google-Smtp-Source: ABdhPJzm0ZrYVXsR1EkIwwBKJmg0kSPAY31GKF+FMvtGI6tvGQMciCqbj8NKvrpzePpa2XaYAqTqRYp1Oc8MN0eCCog=
X-Received: by 2002:a2e:9f4f:0:b0:253:cee8:62a2 with SMTP id v15-20020a2e9f4f000000b00253cee862a2mr16733676ljk.107.1653427466076; Tue, 24 May 2022 14:24:26 -0700 (PDT)
MIME-Version: 1.0
References: <245277bb-6d70-dbcd-b99e-badc435b9c4d@htt-consult.com> <CAGL5yWa=hjCZD912YJPWM-x_=ChTo=yULk1P5FRfkfB9Db9+Gg@mail.gmail.com> <CADZyTknARDjj=SZmstnBqxo5hJp-NzH09a6cH5Dxj3Zg7VfyAw@mail.gmail.com> <f55061a1-b1af-8ce5-7ecc-8d7ccef0ee03@htt-consult.com> <CADZyTknQSiCrBvdsnjQU8OcTCRhCOBeNW0CC10xhK6cHnD+76g@mail.gmail.com> <CH0PR11MB544485C64BF43499C0DBBC6FC1D79@CH0PR11MB5444.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB544485C64BF43499C0DBBC6FC1D79@CH0PR11MB5444.namprd11.prod.outlook.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 24 May 2022 17:24:14 -0400
Message-ID: <CADZyTkkQPyBB=WytC5XHf8Jwi9=UWaPTg5c-52z5stLdJV7ppA@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: Robert Moskowitz <rgm-sec@htt-consult.com>, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c7067f05dfc89444"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/n3zH10wT2CUGyDjmGlra0P5U13w>
Subject: Re: [IPsec] diet-esp - How do you know?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2022 21:24:29 -0000
I agree, maybe we should be more explicit in the security consideration. I think at the time we wrote it, we did not want to define a SPI format and leave it to the implementer. But I agree mentioning it as an example would be clarifying. An example where a 0 byte SPI could be used is when the pairing is performed by lower layers - like a remote garage door. Yours, Daniel On Tue, May 24, 2022 at 4:56 PM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> wrote: > The easiest way would be to assign the first few bits of the SPI to > indicate the SPI size; for example, all 8 bit SPIs might be allocated to > have the first two bits being 11; all 16 bit SPIs might have those two bits > being 10; etc. That way, an examination of the first few bits of the SPI > would unambiguously give you the SPI size. > > > > Obviously, this doesn’t apply to a ‘0 byte SPI’. I have no idea how that > is intended to be processed; does that mean that the decrypter is expected > to just try to decrypt the packet with all the SAs he has and see which one > worked? > > > > *From:* IPsec <ipsec-bounces@ietf.org> *On Behalf Of *Daniel Migault > *Sent:* Tuesday, May 24, 2022 4:48 PM > *To:* Robert Moskowitz <rgm-sec@htt-consult.com> > *Cc:* Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>; IPsecME WG < > ipsec@ietf.org> > *Subject:* Re: [IPsec] diet-esp - How do you know? > > > > The issue only comes when a gateway wants to support all sizes of SPIs 0 - > 1 - 2 - 3 - 4 bytes - which is very unlikely. For a deterministic lookup, I > would suggest using IP addresses and the minimum allowed byted compressed > SPI. > > If you use 2 - 3 bytes, the likelihood of collision might still be very > low to support an additional signature check. > > > > Yours, > > Daniel > > > > On Tue, May 24, 2022 at 4:30 PM Robert Moskowitz <rgm-sec@htt-consult.com> > wrote: > > That is the 'easy' part. > > What does the code do when it receives an ESP packet? How do it know that > it is a diet-esp packet and apply the rules? > > Next Header just says: ESP. > > On 5/24/22 16:23, Daniel Migault wrote: > > This is correct. IKEv2 is used both to agree on the use of Diet-ESP as > well as values to be used for the compression/decompression. > > > > Yours, > Daniel > > > > On Tue, May 24, 2022 at 11:14 AM Paul Wouters <paul.wouters= > 40aiven.io@dmarc.ietf.org> wrote: > > > > On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz <rgm-sec@htt-consult.com> > wrote: > > I think there is something else I am missing here. > > How does the receiving system 'know' that the packet is a diet-esp packet? > > > > > https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02 > > > > It's negotiated with IKEv2. > > > > I guess the IKE stack has to signal this to the ESP implementation on what > to expect when > > the policy is installed ? > > > > Paul > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > > > > > -- > > Daniel Migault > > Ericsson > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > > > > > > > -- > > Daniel Migault > > Ericsson > -- Daniel Migault Ericsson
- [IPsec] diet-esp - How do you know? Robert Moskowitz
- Re: [IPsec] diet-esp - How do you know? Paul Wouters
- Re: [IPsec] diet-esp - How do you know? Scott Fluhrer (sfluhrer)
- Re: [IPsec] diet-esp - How do you know? Robert Moskowitz
- Re: [IPsec] diet-esp - How do you know? Daniel Migault
- Re: [IPsec] diet-esp - How do you know? Robert Moskowitz
- Re: [IPsec] diet-esp - How do you know? Daniel Migault
- Re: [IPsec] diet-esp - How do you know? Daniel Migault
- Re: [IPsec] diet-esp - How do you know? Scott Fluhrer (sfluhrer)
- Re: [IPsec] diet-esp - How do you know? Robert Moskowitz
- Re: [IPsec] diet-esp - How do you know? Daniel Migault
- Re: [IPsec] diet-esp - How do you know? Daniel Migault
- Re: [IPsec] diet-esp - How do you know? Robert Moskowitz
- Re: [IPsec] diet-esp - How do you know? Daniel Migault