IETF Logo Mail Archive

Re: [IPsec] diet-esp - How do you know?

Daniel Migault <mglt.ietf@gmail.com> Tue, 24 May 2022 21:24 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18F48C2B0006 for <ipsec@ietfa.amsl.com>; Tue, 24 May 2022 14:24:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IDeUw9ntHZsv for <ipsec@ietfa.amsl.com>; Tue, 24 May 2022 14:24:28 -0700 (PDT)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D310C2B0004 for <ipsec@ietf.org>; Tue, 24 May 2022 14:24:28 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id 1so9020946ljh.8 for <ipsec@ietf.org>; Tue, 24 May 2022 14:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YY0InMrPXNW2Uw10D7nzPcQzrY+2Ho/hMrE7tFYpzLs=; b=Ik4kYf2m9EkihvDK21YuWwmuQ3wp3CNbSqCL0j3lEBpNdmGpzzACaXon35xYAh2Glm cX4jvzvmXDO6ibsnDI2IEget2XCVTmOkJNxQkW9WSPt73byO9r++XlVSs28ojl6I9+ml XNxXAkcPliBs6utviYE4g4ROi1tll9IJ0IOKqCPC0QAMXTivmb6UY1112D2BRaYVXRks II7r7RG0DPEXXxXuW8avZIiSBM7yZ7KH3/XkfwQqYvcUBloj7nmM1smUb559isDV2Qj5 PaP2ANrpp4qIWslqkhqwJNbjhRKB8dxscYX650zc4oO9wGkzHj38u6M/uLttfuaKAu3r 4tYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YY0InMrPXNW2Uw10D7nzPcQzrY+2Ho/hMrE7tFYpzLs=; b=BltppaamLhDvM4R/Pigdkr+nmN58JyImLAd7n6XMAQTpC9DQpmbIOto/LKvHTVHzJp k/8xPGD4mUb3hQkmU5ba6xtT3MAxsNl/2adLKGxlzlMWA3zbdcYol4ts8OOoURU0V07w 7gnIIN3ZNdqFaqkJxV1MRIGkL/5rk6VkYZFf09kDWodMe3IviJras82g8bSt37tVG+Fu kEUn+oQJ4LlOgw+oDFnE59hzS7E+YMq7YtfQlo3p9YWJX3Ua1+cj/auSdozKyVUSMyxW p+NFyndANOaXNuCq+BFSS47NkP429K7qlb86IQbBU2zmh6ZO738xbCU5UVrOdushSzvX xwZw==
X-Gm-Message-State: AOAM532u3yyWSP7ht+CZSjS0ZF2JK0GJmojrtJw/BDt2+C4y6YJSHPLq Gl+m3RDiv+S6hnGFO952lNw0/fzbJO+lgjnDB8Q=
X-Google-Smtp-Source: ABdhPJzm0ZrYVXsR1EkIwwBKJmg0kSPAY31GKF+FMvtGI6tvGQMciCqbj8NKvrpzePpa2XaYAqTqRYp1Oc8MN0eCCog=
X-Received: by 2002:a2e:9f4f:0:b0:253:cee8:62a2 with SMTP id v15-20020a2e9f4f000000b00253cee862a2mr16733676ljk.107.1653427466076; Tue, 24 May 2022 14:24:26 -0700 (PDT)
MIME-Version: 1.0
References: <245277bb-6d70-dbcd-b99e-badc435b9c4d@htt-consult.com> <CAGL5yWa=hjCZD912YJPWM-x_=ChTo=yULk1P5FRfkfB9Db9+Gg@mail.gmail.com> <CADZyTknARDjj=SZmstnBqxo5hJp-NzH09a6cH5Dxj3Zg7VfyAw@mail.gmail.com> <f55061a1-b1af-8ce5-7ecc-8d7ccef0ee03@htt-consult.com> <CADZyTknQSiCrBvdsnjQU8OcTCRhCOBeNW0CC10xhK6cHnD+76g@mail.gmail.com> <CH0PR11MB544485C64BF43499C0DBBC6FC1D79@CH0PR11MB5444.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB544485C64BF43499C0DBBC6FC1D79@CH0PR11MB5444.namprd11.prod.outlook.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 24 May 2022 17:24:14 -0400
Message-ID: <CADZyTkkQPyBB=WytC5XHf8Jwi9=UWaPTg5c-52z5stLdJV7ppA@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: Robert Moskowitz <rgm-sec@htt-consult.com>, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c7067f05dfc89444"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/n3zH10wT2CUGyDjmGlra0P5U13w>
Subject: Re: [IPsec] diet-esp - How do you know?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2022 21:24:29 -0000

I agree, maybe we should be more explicit in the security consideration. I
think at the time we wrote it, we did not want to define a SPI format and
leave it to the implementer. But I agree mentioning it as an example would
be clarifying.
An example where a 0 byte SPI could be used is when the pairing is
performed by lower layers - like a remote garage door.

Yours,
Daniel

On Tue, May 24, 2022 at 4:56 PM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
wrote:

> The easiest way would be to assign the first few bits of the SPI to
> indicate the SPI size; for example, all 8 bit SPIs might be allocated to
> have the first two bits being 11; all 16 bit SPIs might have those two bits
> being 10; etc.  That way, an examination of the first few bits of the SPI
> would unambiguously give you the SPI size.
>
>
>
> Obviously, this doesn’t apply to a ‘0 byte SPI’.  I have no idea how that
> is intended to be processed; does that mean that the decrypter is expected
> to just try to decrypt the packet with all the SAs he has and see which one
> worked?
>
>
>
> *From:* IPsec <ipsec-bounces@ietf.org> *On Behalf Of *Daniel Migault
> *Sent:* Tuesday, May 24, 2022 4:48 PM
> *To:* Robert Moskowitz <rgm-sec@htt-consult.com>
> *Cc:* Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>; IPsecME WG <
> ipsec@ietf.org>
> *Subject:* Re: [IPsec] diet-esp - How do you know?
>
>
>
> The issue only comes when a gateway wants to support all sizes of SPIs 0 -
> 1 - 2 - 3 - 4 bytes - which is very unlikely. For a deterministic lookup, I
> would suggest using IP addresses and the minimum allowed byted compressed
> SPI.
>
> If you use 2 - 3 bytes, the likelihood of collision might still be very
> low to support an additional signature check.
>
>
>
> Yours,
>
> Daniel
>
>
>
> On Tue, May 24, 2022 at 4:30 PM Robert Moskowitz <rgm-sec@htt-consult.com>
> wrote:
>
> That is the 'easy' part.
>
> What does the code do when it receives an ESP packet?  How do it know that
> it is a diet-esp packet and apply the rules?
>
> Next Header just says: ESP.
>
> On 5/24/22 16:23, Daniel Migault wrote:
>
> This is correct. IKEv2 is used both to agree on the use of Diet-ESP as
> well as values to be used for the compression/decompression.
>
>
>
> Yours,
> Daniel
>
>
>
> On Tue, May 24, 2022 at 11:14 AM Paul Wouters <paul.wouters=
> 40aiven.io@dmarc.ietf.org> wrote:
>
>
>
> On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz <rgm-sec@htt-consult.com>
> wrote:
>
> I think there is something else I am missing here.
>
> How does the receiving system 'know' that the packet is a diet-esp packet?
>
>
>
>
> https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02
>
>
>
> It's negotiated with IKEv2.
>
>
>
> I guess the IKE stack has to signal this to the ESP implementation on what
> to expect when
>
> the policy is installed ?
>
>
>
> Paul
>
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
>
>
> --
>
> Daniel Migault
>
> Ericsson
>
>
>
> _______________________________________________
>
> IPsec mailing list
>
> IPsec@ietf.org
>
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
>
>
>
>
> --
>
> Daniel Migault
>
> Ericsson
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email