Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Tero Kivinen <kivinen@iki.fi> Thu, 01 April 2021 22:41 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A3B63A263F for <ipsec@ietfa.amsl.com>; Thu, 1 Apr 2021 15:41:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.801
X-Spam-Level:
X-Spam-Status: No, score=-2.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OOmkm14RqBk3 for <ipsec@ietfa.amsl.com>; Thu, 1 Apr 2021 15:40:56 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C5743A263C for <ipsec@ietf.org>; Thu, 1 Apr 2021 15:40:55 -0700 (PDT)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 6522E1B002B6; Fri, 2 Apr 2021 01:40:52 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1617316852; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=IDx7J4cwS/bnzQ8VtCxZNrySGJfA2KEh6KSbu2roFqs=; b=HOY8yIbIcvFjy5ssd570o6Wp0pds1DuNf1reGDqYpxRDBsJWQ1IZsd4+91hgDWWshKfrz/ RHvWzLUks0YKaGKD1SvoWI2nzkhCdoHfYUe/A9Mh6SnHZtLqNb3Bhy2KCedcgYCKyq9qcY YcDARv0B3fvnN2Sqqb1jcNaW823ObcdS+Uqy2ghoZTVy/1SrEzT3DhLswuypbsD8q7XmIB aYOrrg3314vvJhhBEQlxEZuy4T1m8gOUJ+0fJ+/CqNSd4QxN/OYIGcBZA6q+vMs21DJrBs LqBByJPiNxAkiv/XfD1la2zn+R23p3cFUWD2AeXxofHqXB8OIvVKxexW+2s88g==
Received: by fireball.acr.fi (Postfix, from userid 15204) id 94A8625C102E; Fri, 2 Apr 2021 01:40:48 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24678.19440.553333.890224@fireball.acr.fi>
Date: Fri, 02 Apr 2021 01:40:48 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Bottorff, Paul" <paul.bottorff@hpe.com>
Cc: "antony.antony@secunet.com" <antony.antony@secunet.com>, IPsec <ipsec@ietf.org>
In-Reply-To: <CS1PR8401MB119267E038AFBDFD996F0441FE7C9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM>
References: <CS1PR8401MB11928BE251D4B6E05184D941FE619@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <20210331103220.GA21137@moon.secunet.de> <CS1PR8401MB119267E038AFBDFD996F0441FE7C9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 16 min
X-Total-Time: 23 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1617316852; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=IDx7J4cwS/bnzQ8VtCxZNrySGJfA2KEh6KSbu2roFqs=; b=P+iSLsLu4pFnlI2EXbPBNhGtZ3hr6RX+7qrVS4uvGHCpD8nOCFdt6jmKhqFNXzzPbKg03b ec1+gdBfrvudNzpEjIfpxMueEDHmgvSjwS/bBV8581Gf61/OJG4HgIgoWrnRPRI3D9u2WM Zi1Xg6t+UcwrQTUIS0maPuEfvAW4+zgGPIgu5TMFk1BAJHBvCG1NXSXG23AFK7gb0UKILh oclumv0bLIm5vRVIXBc6kZUr5XV267Srsnr5EMtV3q4WOAyVjLNr/KxadIpx47DD/cnjCP P+AuWQIo5+dy/Cjv73tifWGsiF2qAx+TVgtyVlsvJosDD4pohmNHh1kQEkivSA==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1617316852; a=rsa-sha256; cv=none; b=ZacN9rCEgvoBi4GqPejdkg3gikZyHPX78jgHuYIzWZMBrrWVpZex76WCkjfC7Z+FlU/eI7 oJ4ewqBqoEN8FWVIlw59Q9oRZprTIUtgKh36apM1Gq3hdhwuEPZ2SRzARKJpEZMMbEdLBp YOwWWRGoGkIcPF3r6pEp9FBpkaaMgGG64QY8OxGa/B+V57O6g5Bxhpoqef/2Dx0+20iLlW YwL1xqZAE7UUyD7V++15qv6FkjOg+oeKRxkJ5A+uBH/aLVgSQz7pSMmW+/96OtybydgoJS lSDwoY++6knAW+k3+uXhTHHqPLJigA10iDspwRQqFiVHUwCZCN3S0XJYMvyr/w==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/opt37Y8RHHuyp81g54E9madjmz0>
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 22:41:00 -0000

Bottorff, Paul writes:
> The RFC3948 specifies one pair of UDP ports 4500-4500.

No it does not. It says you must use same ports than what you do for
IKE traffic.

> Both the IKE flow and the ESP in UDP flow should use the same UDP
> flow. The draft seems to suggest new destination port and source
> ports are only for ESP? How would this change work with IKE? May you
> are not intending to use IKE?

The reason NAT-T uses same ports for both ESP and IKE is to make sure
that responder will know the port mapping from the IKE packets for ESP
packets too. If they would use different port numbers, then responder
would need to wait for first ESP packet to come in from the initiator
before it can send any ESP packets back, as it would be able to know
which port numbers to use for ESP traffic. Also keepalives would be
needed to do for both IKE and ESP separately. 

> PB>>Our use cases use IKE, however as stated in RFC3948 ESPinUDP does not have to be tied to IKE, it is just advantageous to do so for the NAT case since this allows a single mapping for both at the NAT rather than two mappings.
> PB>>I've wondered why we could not use the RFC3948 encoding for ESPinUDP, but allow the source port to be chosen differently than IKE. Perhaps Xu has some thoughts on this. 
> <<

As there is no way for the responder to know whether the initiator
sent the packet out using source port of 4500 and then NAT changed it
to port number of xxxx, or whether the initiator sent the packet out
using port number of xxxx himself, the RFC7296 do require that
responder MUST accept incoming packets regardless of the source port,
and MUST always respond back to exactly same IP and port than what was
in the source packet of the request:

>From the 2.11 of the RFC7296:

						An implementation MUST
   accept incoming requests even if the source port is not 500 or 4500,
   and MUST respond to the address and port from which the request was
   received.  It MUST specify the address and port at which the request
   was received as the source address and port in the response.

There is text in 2.23 of the RFC7296 which do say:

								For this
   reason, even though IKE packets MUST be sent to and from UDP port 500
   or 4500, they MUST be accepted coming from any port and responses
   MUST be sent to the port from whence they came.

Which is bit funny, as the "even though" claims that IKE packets must
be sent to and from UDP port 500 or 4500, and there is no such claim
anywhere else in the RFC7296. I think it was supposed to say that
"even though IKE packets are normally sent ...", as this is not
correct place to make this kind of new requirement.

So making IKE implementation which uses some other source port than
500 or 4500 is common way to force NAT-T traversal and UDP
encapsulation on, and in that way allow user mode IKE + IPsec to be
implemented without affecting the in kernel version of the IPsec in
the host. I.e., user mode application wanting to use IPsec in usermode
without affecting host IPsec in any ways can use any random port as
source port and port 4500 as the destination port, and make sure that
NAT_DETECTION_SOURCE_IP does not match, so responder will enable udp
encapsulation.

The responder MUST work even with that setup, so there is no reason
why there should be requirement for the oritinal sender should be
mandated to use source port 4500...

> PB>>We are mostly interested in data centre use cases which don't have intervening NATs, however I believe SD-WAN cases could have NAT and FW traversals between tunnel end points. As it stands draft-xu-ipsecme-esp-in-udp-lb does not specify how the source port value is determined. It seems like it could be based on a hash value within the ESP or based on the SPI and IPs.
> <<
> 
> Should both sides use the same source port?

For the load balancing I think it is enough for just one of the ports
to be different, thus initiator could simply allocate n random source
port numbers, and initiate IKE from each of them to responder, and
then create SAs for each of them separately, thus allowing load
balancing using UDP encapsulation using existing hardware.

The real issue is that if you do not want to create n separate IKE
SAs, then you need to do something special, and there are other things
that needs to be considered then. 
-- 
kivinen@iki.fi