IETF Logo Mail Archive

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

Tero Kivinen <kivinen@iki.fi> Thu, 15 October 2020 20:48 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 504D83A03F4 for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:48:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.313
X-Spam-Level:
X-Spam-Status: No, score=-2.313 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.213, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3d34426UkR71 for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:48:35 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F143F3A03F5 for <ipsec@ietf.org>; Thu, 15 Oct 2020 13:48:34 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id 2A47F2059A; Thu, 15 Oct 2020 23:48:32 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1602794912; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BFZJnJEiPX8JDXt3TjHSkTAzCyoROn/DT9RcBR6g6F0=; b=wuc8/zotLKz6ZQUkit4T037wiXD33cHkBNzXAfcfvliBHhNn13HujC53PRFJORWprVa+lC zT+nAx5fsITWBv5kmDmmeVcBotmzpypHoilfpaf/0ln997vMNc5AZr2hls9sNW8EzRZLtX N6OsM+OK5GuAOMO2iYB930PYhCyt6Qc=
Received: by fireball.acr.fi (Postfix, from userid 15204) id D617D25C0E58; Thu, 15 Oct 2020 23:48:31 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24456.46495.840733.468384@fireball.acr.fi>
Date: Thu, 15 Oct 2020 23:48:31 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Christian Hopps <chopps@chopps.org>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, Lou Berger <lberger@labn.net>, ipsec@ietf.org
In-Reply-To: <F8E266C0-CACB-4B4C-83F3-C5E05F2B547C@chopps.org>
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <24453.58544.114398.668064@fireball.acr.fi> <0b080379-48c0-b4ac-c213-f8cdfefc514a@labn.net> <24454.5506.450515.501200@fireball.acr.fi> <001701d6a1f7$76981240$63c836c0$@gmail.com> <24454.51962.50262.36523@fireball.acr.fi> <DFDCAC27-5099-4D5A-AEDA-C81A8C167002@chopps.org> <24456.43991.701332.956314@fireball.acr.fi> <F8E266C0-CACB-4B4C-83F3-C5E05F2B547C@chopps.org>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 12 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1602794912; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BFZJnJEiPX8JDXt3TjHSkTAzCyoROn/DT9RcBR6g6F0=; b=UrbrTwvTETcXsLflY71KdRFO3fNYxLkoigLENszlMNrDYLBpATaKYLwo4e/naegwVIoJLO N9WYMiV5kq8UkQ6hC/yvjTt4KkZJT5By4GZJB8dRPsJzo2yB9ykJKq2qgadZgD8iLbXYmg t7Y3fQSvUSYIb7ubxD8+G9qmqWww0FE=
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1602794912; a=rsa-sha256; cv=none; b=W39lb7YN2strpXkvA3OaT7rxB8LqxBg1nkKA8WKj4kyw4trUJWCe1ixZ7Hz0QgExB668DO 7Wtm+TcboRyadJMUdQWGgNR8MuKrF/hMhByZfwiFCekiHRrSy7LAZWrTNlOWTXKGoNJkOL joTnoyjMOL3nfMBrqab6Cd3F6q9ZobA=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nVUaTjMHJtsKQce4NHOjtjVXhvE>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 20:48:37 -0000

Christian Hopps writes:
> We are defining the payload in this document, the payload is meant
> for ESP. ESP has a payload identifier why can't we use it?

If that is only possible value the next-header field can have as all
packets of the Child SA which has been negotiated with USE_IPTFS then
what is the point of allocating number that is not needed. You can
simply say that next payload field will be transmitted as 0, and
ignored on the recipient as you already know the format packet inside
ESP because it was negotiated in the IKE. 

> It feels like the clean KISS solution to me. Yes, we are doing IKE
> negotiation, but using the designed for payload identifier also
> allows the payload to be identified in non-IKE scenarios (packet
> captures, error logging, etc..), therefor it's not just KISS it's
> also more *robust* and thus I believe a better design.

So you want to allocate completely new protocol number from the 8-bit
registry, just so that you can print it out in the error logs and
auditing, instead of putting (use_ipftf ? "iptfs" : protocol number)?

Packet captures does not really help as ESP content is encrypted, and
most implementations do not really allow easy way of printing out the
traffic keys for wireshark etc use, and anyways wireshark has this
decode as XXX option where you can force it to decode it with whatever
protocol you think is inside, regardless whether there is protocol
number matching.

> I think your main objection is over actually making an IP protocol
> number allocation.

Actually doing early allocation.

> If that's what it is then let's focus on that point. It may be
> easier to make progress that way.

I need to justify why the WG thinks we need this done now, and why
this is going to be useful, and why this can't be done in other ways.

If I myself think it would be easier to do this by just negotiating it
in IKE, I have hard time convincing others.

> For example we could switch to our backup solution and re-use an
> existing IP protocol number which would never be carried in ESP
> (e.g., IPv5). I feel it's a bit less elegant, but still workable,
> and leaves us with the KISS/more robust outcome.

I do not think there is IP protocol number for IPv5, but if you really
want to have protocol number, why not use 253 that is reserved for
experimientation and testing.

This allows you to do your testing now, and you can write your draft
saying that as all payloads inside the ESP will be iptfs packets if
USE_IPFTF is negotiated in the IKE, then next-header field is ignored
on the recipient, and sent out as 253 (or 0, or whatever, as it is
always ignored on the recipient).
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email