Re: [IPsec] WG Interest in TCP Encapsulation
Samy Touati <samy.touati@ericsson.com> Wed, 16 September 2015 07:25 UTC
Return-Path: <samy.touati@ericsson.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 679091B3822 for <ipsec@ietfa.amsl.com>; Wed, 16 Sep 2015 00:25:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BWO7CoNVw5a7 for <ipsec@ietfa.amsl.com>; Wed, 16 Sep 2015 00:25:05 -0700 (PDT)
Received: from usevmg21.ericsson.net (usevmg21.ericsson.net [198.24.6.65]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B4781B381F for <ipsec@ietf.org>; Wed, 16 Sep 2015 00:25:05 -0700 (PDT)
X-AuditID: c6180641-f792c6d00000686a-0b-55f8aadb898b
Received: from EUSAAHC007.ericsson.se (Unknown_Domain [147.117.188.93]) by usevmg21.ericsson.net (Symantec Mail Security) with SMTP id 79.49.26730.BDAA8F55; Wed, 16 Sep 2015 01:33:47 +0200 (CEST)
Received: from EUSAAMB103.ericsson.se ([147.117.188.120]) by EUSAAHC007.ericsson.se ([147.117.188.93]) with mapi id 14.03.0248.002; Wed, 16 Sep 2015 03:09:55 -0400
From: Samy Touati <samy.touati@ericsson.com>
To: Tero Kivinen <kivinen@iki.fi>
Thread-Topic: [IPsec] WG Interest in TCP Encapsulation
Thread-Index: AdDwTq/Brk4ZaFDuQIKr2M3PbrgipA==
Date: Wed, 16 Sep 2015 07:09:54 +0000
Message-ID: <66a50285-3a04-4b8b-99f6-d0664b69a06d@ericsson.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----8324A7AC30A5DD5BB3CDAF9894843679"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprAIsWRmVeSWpSXmKPExsUyuXRPrO7tVT9CDe42aFjs3/KCzeLo+eds FhNPHGR1YPbYevIHm8eSJT+ZPA5/XcgSwBzFZZOSmpNZllqkb5fAlXHo+RX2gidzGSt+HZnD 1sC4fSZjFyMnh4SAicSlX59ZIWwxiQv31rN1MXJxCAkcZZT4cOk6O0hCSGA5o8Sy55UgNpuA jsTlzTNYQGwRAUWJ3U+2MoHYzAL2Equab4MNFRYwlbj++QkrRI2ZxKd375ggbD2JfT9/gsVZ BFQlpu34AzafF6h3yZTjYHFGAVmJ3WevQ80Ul7j1ZD4TxHEiEg8vnmaDsEUlXj7+xwpyKLNA B6PE6pXv2SAGCUqcnPmEZQKj0Cwk/bOQ1c1CUjeLkQMoESvR/bEcol5d4s+8S8wQtqLElO6H 7BAlahLLWpVQhUFsW4n9V1cyY4qbSrw++pFxASP3KkaO0uLUstx0I8NNjMAoPCbB5riDccEn y0OMAhyMSjy8D6b8CBViTSwrrsw9xCjNwaIkzjtvxv1QIYH0xJLU7NTUgtSi+KLSnNTiQ4xM HJxSDYyr97opb1O1lnjwq3yrHFd/4pXZ29+nCdnGqrQ/yPlUus1Y0aHk1gS+wP3bJZOE78l0 TloU+CJhW7v5M57bvFyMB0LfXzEKuvayay6vatvHLRJVO8Mko7vOffUMqlkV/MbZJ3n9hdLp zItmvegsyvykUNYvrLtbMNyFbWL6zY2tEpLz/QusfiqxFGckGmoxFxUnAgAN82TzowIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/oet-0V6dXBPLE_SnKW4iSuJNSAc>
X-Mailman-Approved-At: Thu, 17 Sep 2015 08:19:50 -0700
Cc: IPsecME WG <ipsec@ietf.org>, Tommy Pauly <tpauly@apple.com>
Subject: Re: [IPsec] WG Interest in TCP Encapsulation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 07:25:08 -0000
Hi Tero, From a gateway perspective having a standardized implementation from terminals for tcp encapsulation of ipsec is something which is needed. The untrusted Wi-Fi architecture defined in 3gpp is used for voice traffic, and is being deployed by multiple carriers. The mobile device may be connected to networks only allowing "web traffic" or using a web proxy, and this draft provide mobile devices with a standardized method to still use ipsec. The performance impacts on the gateway are mitigated with the on-demand use of TCP encapsulation by mobile devices. Thanks Samy. From: Tommy Pauly <tpauly@apple.com> Sent: Sep 15, 2015 8:20 PM To: Tero Kivinen Cc: IPsecME WG Subject: Re: [IPsec] WG Interest in TCP Encapsulation Hello Tero, I have read the previous draft for using TCP to avoid fragmentation problems, and I believe that the new TCP-encapsulation draft is aimed at solving a different use case with a different approach. The current standard for IKEv2 fragmentation is definitely the right thing to do to avoid problems with networks that treat large UDP packets badly, causing IKEv2 tunnel establishment problems. The new spec is very specifically targeted at networks that block all UDP traffic, to be used as a fallback mechanism only. Here’s a quick point-by-point comparison: draft-ietf-ipsecme-ike-tcp-01 (old draft) 1. Negotiated with an IKEv2 Notify payload. 2. IKE messages can use UDP or TCP within a single SA 3. Supports IKE packets only. 4. TLS/firewall traversal/ESP-in-TCP are non-goals. This draft was meant to be used always, and putting all traffic over TCP or TLS had too high overhead. draft-pauly-ipsecme-tcp-encaps-00 (new draft) 1. Non-negotiated, but pre-configured. Since the use case assumes that all UDP is blocked, a connection must try over TCP without prior communication if UDP gets no response. 2. All packets for a given IKE SA must use either UDP or TCP, with the exception of migration over MOBIKE. 3. Encapsulates IKE and ESP packets, since the tunnel must also go over TCP on a UDP-unfriendly network. 4. TLS and firewall traversal is the goal. This draft is meant to be used only as a last resort, and details many performance considerations to explain why the tunnel will work sufficiently, but is not ideal. I agree with the decision previously to go with IKEv2 fragmentation rather than TCP. However, shipping clients still have serious problems on networks that do block UDP traffic. There may always be some middle boxes that do enough inspection and want to block IKE/IPSec traffic, even over TCP and TLS, but the majority of cases in which IKEv2 cannot be used will be, in our experience, solved by moving the connection to TCP/TLS when needed. Other standards bodies, such as 3GPP, have published documents stating that clients should do this for IWLAN, without giving specifics on how the framing should be handled, or how it impacts the IKEv2 protocol. See: http://www.etsi.org/deliver/etsi_ts/133400_133499/133402/12.05.00_60/ts_133402v120500p.pdf If IKEv2 servers start implementing support for TCP encapsulation based on these documents, we may end up with diverging implementations, or implementations that are not compatible with MOBIKE, etc. We believe that a standard is needed to define how implementations should handle this. Thanks, Tommy > On Sep 15, 2015, at 7:01 PM, Tero Kivinen <kivinen@iki.fi> wrote: > > Tommy Pauly writes: >> >> I wanted to get a sense of WG interest in working on a standard for running >> IKEv2/IPSec over a TCP (or TLS/TCP) connection to traverse networks that >> currently block UDP traffic. > > > Before we made the UDP framentation document, our original plan was to > run IKEv2 over TCP, just because that would solve this problem. > > During this process we then found out that WG wanted to standardize > UDP fragmentation instead of IKEv2 over TCP. > > Is there really happend something that changes that? > > The old informal poll can be found from > > https://urldefense.proofpoint.com/v2/url?u=http-3A__marc.info_-3Ft-3D136326093500003-26r-3D1-26w-3D1&d=BQICAg&c=eEvniauFctOgLOKGJOplqw&r=p3wIGO08_H-OJhunJTPABw&m=YwqtMpmTqLSFY01PopC4Ane63G1nyZ04LeAcZPn94us&s=uizqLw8LM5bxVJAGGXyM2XfMCL4pT-B5pYfWxblhIEU&e= > > So how does your draft relate to the earlier ike over tcp draft? > > https://urldefense.proofpoint.com/v2/url?u=http-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dipsecme-2Dike-2Dtcp_&d=BQICAg&c=eEvniauFctOgLOKGJOplqw&r=p3wIGO08_H-OJhunJTPABw&m=YwqtMpmTqLSFY01PopC4Ane63G1nyZ04LeAcZPn94us&s=o7KJL1YNdcjmDXh8Nc2klEkemDtBi8TQ98-hMj-1q6k&e= > -- > kivinen@iki.fi
- [IPsec] WG Interest in TCP Encapsulation Tommy Pauly
- [IPsec] WG Interest in TCP Encapsulation Tero Kivinen
- Re: [IPsec] WG Interest in TCP Encapsulation Tommy Pauly
- Re: [IPsec] WG Interest in TCP Encapsulation Yoav Nir
- Re: [IPsec] WG Interest in TCP Encapsulation Samy Touati
- Re: [IPsec] WG Interest in TCP Encapsulation Paul Wouters
- Re: [IPsec] WG Interest in TCP Encapsulation Tommy Pauly
- Re: [IPsec] WG Interest in TCP Encapsulation Valery Smyslov
- Re: [IPsec] WG Interest in TCP Encapsulation Samy Touati
- Re: [IPsec] WG Interest in TCP Encapsulation Tommy Pauly
- Re: [IPsec] WG Interest in TCP Encapsulation Les Leposo
- Re: [IPsec] WG Interest in TCP Encapsulation Graham Bartlett (grbartle)
- [IPsec] Discussing TCP Encapsulation of IPSec in … Tommy Pauly
- Re: [IPsec] Discussing TCP Encapsulation of IPSec… Paul Hoffman