Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
Tero Kivinen <kivinen@iki.fi> Thu, 15 October 2020 20:48 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 504D83A03F4 for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:48:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.313
X-Spam-Level:
X-Spam-Status: No, score=-2.313 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.213, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3d34426UkR71 for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:48:35 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F143F3A03F5 for <ipsec@ietf.org>; Thu, 15 Oct 2020 13:48:34 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id 2A47F2059A; Thu, 15 Oct 2020 23:48:32 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1602794912; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BFZJnJEiPX8JDXt3TjHSkTAzCyoROn/DT9RcBR6g6F0=; b=wuc8/zotLKz6ZQUkit4T037wiXD33cHkBNzXAfcfvliBHhNn13HujC53PRFJORWprVa+lC zT+nAx5fsITWBv5kmDmmeVcBotmzpypHoilfpaf/0ln997vMNc5AZr2hls9sNW8EzRZLtX N6OsM+OK5GuAOMO2iYB930PYhCyt6Qc=
Received: by fireball.acr.fi (Postfix, from userid 15204) id D617D25C0E58; Thu, 15 Oct 2020 23:48:31 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24456.46495.840733.468384@fireball.acr.fi>
Date: Thu, 15 Oct 2020 23:48:31 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Christian Hopps <chopps@chopps.org>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, Lou Berger <lberger@labn.net>, ipsec@ietf.org
In-Reply-To: <F8E266C0-CACB-4B4C-83F3-C5E05F2B547C@chopps.org>
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <24453.58544.114398.668064@fireball.acr.fi> <0b080379-48c0-b4ac-c213-f8cdfefc514a@labn.net> <24454.5506.450515.501200@fireball.acr.fi> <001701d6a1f7$76981240$63c836c0$@gmail.com> <24454.51962.50262.36523@fireball.acr.fi> <DFDCAC27-5099-4D5A-AEDA-C81A8C167002@chopps.org> <24456.43991.701332.956314@fireball.acr.fi> <F8E266C0-CACB-4B4C-83F3-C5E05F2B547C@chopps.org>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 12 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1602794912; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BFZJnJEiPX8JDXt3TjHSkTAzCyoROn/DT9RcBR6g6F0=; b=UrbrTwvTETcXsLflY71KdRFO3fNYxLkoigLENszlMNrDYLBpATaKYLwo4e/naegwVIoJLO N9WYMiV5kq8UkQ6hC/yvjTt4KkZJT5By4GZJB8dRPsJzo2yB9ykJKq2qgadZgD8iLbXYmg t7Y3fQSvUSYIb7ubxD8+G9qmqWww0FE=
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1602794912; a=rsa-sha256; cv=none; b=W39lb7YN2strpXkvA3OaT7rxB8LqxBg1nkKA8WKj4kyw4trUJWCe1ixZ7Hz0QgExB668DO 7Wtm+TcboRyadJMUdQWGgNR8MuKrF/hMhByZfwiFCekiHRrSy7LAZWrTNlOWTXKGoNJkOL joTnoyjMOL3nfMBrqab6Cd3F6q9ZobA=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nVUaTjMHJtsKQce4NHOjtjVXhvE>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 20:48:37 -0000
Christian Hopps writes: > We are defining the payload in this document, the payload is meant > for ESP. ESP has a payload identifier why can't we use it? If that is only possible value the next-header field can have as all packets of the Child SA which has been negotiated with USE_IPTFS then what is the point of allocating number that is not needed. You can simply say that next payload field will be transmitted as 0, and ignored on the recipient as you already know the format packet inside ESP because it was negotiated in the IKE. > It feels like the clean KISS solution to me. Yes, we are doing IKE > negotiation, but using the designed for payload identifier also > allows the payload to be identified in non-IKE scenarios (packet > captures, error logging, etc..), therefor it's not just KISS it's > also more *robust* and thus I believe a better design. So you want to allocate completely new protocol number from the 8-bit registry, just so that you can print it out in the error logs and auditing, instead of putting (use_ipftf ? "iptfs" : protocol number)? Packet captures does not really help as ESP content is encrypted, and most implementations do not really allow easy way of printing out the traffic keys for wireshark etc use, and anyways wireshark has this decode as XXX option where you can force it to decode it with whatever protocol you think is inside, regardless whether there is protocol number matching. > I think your main objection is over actually making an IP protocol > number allocation. Actually doing early allocation. > If that's what it is then let's focus on that point. It may be > easier to make progress that way. I need to justify why the WG thinks we need this done now, and why this is going to be useful, and why this can't be done in other ways. If I myself think it would be easier to do this by just negotiating it in IKE, I have hard time convincing others. > For example we could switch to our backup solution and re-use an > existing IP protocol number which would never be carried in ESP > (e.g., IPv5). I feel it's a bit less elegant, but still workable, > and leaves us with the KISS/more robust outcome. I do not think there is IP protocol number for IPv5, but if you really want to have protocol number, why not use 253 that is reserved for experimientation and testing. This allows you to do your testing now, and you can write your draft saying that as all payloads inside the ESP will be iptfs packets if USE_IPFTF is negotiated in the IKE, then next-header field is ignored on the recipient, and sent out as 253 (or 0, or whatever, as it is always ignored on the recipient). -- kivinen@iki.fi
- [IPsec] I-D Action: draft-ietf-ipsecme-iptfs-02.t… internet-drafts
- [IPsec] Update and WGLC request [Re: I-D Action: … Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Michael Richardson
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Paul Wouters
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger