IETF Logo Mail Archive

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

Christian Hopps <chopps@chopps.org> Wed, 14 October 2020 10:24 UTC

Return-Path: <chopps@chopps.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C8413A1464 for <ipsec@ietfa.amsl.com>; Wed, 14 Oct 2020 03:24:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s8XmpcjyYUUu for <ipsec@ietfa.amsl.com>; Wed, 14 Oct 2020 03:24:29 -0700 (PDT)
Received: from smtp.chopps.org (smtp.chopps.org [54.88.81.56]) by ietfa.amsl.com (Postfix) with ESMTP id 33E163A1463 for <ipsec@ietf.org>; Wed, 14 Oct 2020 03:24:29 -0700 (PDT)
Received: from stubbs.int.chopps.org (047-050-069-038.biz.spectrum.com [47.50.69.38]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by smtp.chopps.org (Postfix) with ESMTPSA id 8EEA561674; Wed, 14 Oct 2020 10:24:28 +0000 (UTC)
From: Christian Hopps <chopps@chopps.org>
Message-Id: <27AAF738-100F-4CD5-A498-BE8E93765343@chopps.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_9A5F94F1-B7A3-490F-AE2B-22C9DAE527C9"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Wed, 14 Oct 2020 06:24:27 -0400
In-Reply-To: <24454.53404.39277.731780@fireball.acr.fi>
Cc: Christian Hopps <chopps@chopps.org>, Valery Smyslov <smyslov.ietf@gmail.com>, Lou Berger <lberger@labn.net>, ipsec@ietf.org
To: Tero Kivinen <kivinen@iki.fi>
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <24453.58544.114398.668064@fireball.acr.fi> <0b080379-48c0-b4ac-c213-f8cdfefc514a@labn.net> <24454.5506.450515.501200@fireball.acr.fi> <001701d6a1f7$76981240$63c836c0$@gmail.com> <56F3A6E6-EDD6-46FA-8829-EC10FD9AD058@chopps.org> <003b01d6a200$2d70df80$88529e80$@gmail.com> <9A514314-DA80-4498-9FFA-22B8647D2D9D@chopps.org> <24454.53404.39277.731780@fireball.acr.fi>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ot3foZWLH-6GwYwpOBRgXl7cWG0>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 10:24:31 -0000


> On Oct 14, 2020, at 6:19 AM, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> Christian Hopps writes:
>> What is intended is that an implementation can process inbound IPTFS
>> payloads w/o actually explicitly configuring the inbound SA to be in
>> "IPTFS-mode" (zero-conf). That is all.
> 
> And if IKE is used what is the use case for that?

The text Lou and Valery ended up with indicated this was not used in the IKE case.

> IKE allows easy way of agreeing on the set of parameters for each
> IPsec SA, and agreeing on the mode of the encapsulation is one thing
> it already does. It does negotiate whether the IPsec SA is in tunnel
> or transport mode, and for my view the IPTFS is just one more mode for
> that, i.e., something that can be negotiated when IPsec SA is created
> using IKE, and then that encapsulation mode is used. There is no need
> to know or do that per packet basis.
> 
> In theory in recipient we could detect tunnel mode by looking at the
> next header field of the inner packet, and if we see it is IP inside
> the packet, then we would assume it is tunnel mode, and enable tunnel
> mode processing. We do not do that, we do negotiate whether the IPsec
> SA is tunnel or transport mode and create IPsec SA either in tunnel or
> in transport mode.
> 
> Earlier there was also another encapsuluation mode called a Bound
> End-to-End Tunnel (BEET) mode for ESP [1] that was also proposed, and
> in that case it would have been impossible to detect the mode from the
> incoming packet, as lots of the information needed to reconstruct the
> end to end IP header is stored in the SA.
> 
> Anyways we do store things in the IPsec SA when we create them, we do
> have negotiation mechanism to agree on those parameters and we can use
> them, we do not need to process things per packet basis.

Are you saying that the next-header field is useless then? I mean the code I've worked on parses the next header field on a per packet basis to handle the inner packet payload. I'm not interested in trying to redesign ESP with IPTFS, just use it as provided.

Thanks,
Chris.

> 
> [1] https://tools.ietf.org/html/draft-nikander-esp-beet-mode-09
> --
> kivinen@iki.fi
>

v2.23.0 | Report a Bug | By Email