Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
Christian Hopps <chopps@chopps.org> Wed, 14 October 2020 10:24 UTC
Return-Path: <chopps@chopps.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C8413A1464 for <ipsec@ietfa.amsl.com>; Wed, 14 Oct 2020 03:24:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s8XmpcjyYUUu for <ipsec@ietfa.amsl.com>; Wed, 14 Oct 2020 03:24:29 -0700 (PDT)
Received: from smtp.chopps.org (smtp.chopps.org [54.88.81.56]) by ietfa.amsl.com (Postfix) with ESMTP id 33E163A1463 for <ipsec@ietf.org>; Wed, 14 Oct 2020 03:24:29 -0700 (PDT)
Received: from stubbs.int.chopps.org (047-050-069-038.biz.spectrum.com [47.50.69.38]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by smtp.chopps.org (Postfix) with ESMTPSA id 8EEA561674; Wed, 14 Oct 2020 10:24:28 +0000 (UTC)
From: Christian Hopps <chopps@chopps.org>
Message-Id: <27AAF738-100F-4CD5-A498-BE8E93765343@chopps.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_9A5F94F1-B7A3-490F-AE2B-22C9DAE527C9"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Wed, 14 Oct 2020 06:24:27 -0400
In-Reply-To: <24454.53404.39277.731780@fireball.acr.fi>
Cc: Christian Hopps <chopps@chopps.org>, Valery Smyslov <smyslov.ietf@gmail.com>, Lou Berger <lberger@labn.net>, ipsec@ietf.org
To: Tero Kivinen <kivinen@iki.fi>
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <24453.58544.114398.668064@fireball.acr.fi> <0b080379-48c0-b4ac-c213-f8cdfefc514a@labn.net> <24454.5506.450515.501200@fireball.acr.fi> <001701d6a1f7$76981240$63c836c0$@gmail.com> <56F3A6E6-EDD6-46FA-8829-EC10FD9AD058@chopps.org> <003b01d6a200$2d70df80$88529e80$@gmail.com> <9A514314-DA80-4498-9FFA-22B8647D2D9D@chopps.org> <24454.53404.39277.731780@fireball.acr.fi>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ot3foZWLH-6GwYwpOBRgXl7cWG0>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 10:24:31 -0000
> On Oct 14, 2020, at 6:19 AM, Tero Kivinen <kivinen@iki.fi> wrote: > > Christian Hopps writes: >> What is intended is that an implementation can process inbound IPTFS >> payloads w/o actually explicitly configuring the inbound SA to be in >> "IPTFS-mode" (zero-conf). That is all. > > And if IKE is used what is the use case for that? The text Lou and Valery ended up with indicated this was not used in the IKE case. > IKE allows easy way of agreeing on the set of parameters for each > IPsec SA, and agreeing on the mode of the encapsulation is one thing > it already does. It does negotiate whether the IPsec SA is in tunnel > or transport mode, and for my view the IPTFS is just one more mode for > that, i.e., something that can be negotiated when IPsec SA is created > using IKE, and then that encapsulation mode is used. There is no need > to know or do that per packet basis. > > In theory in recipient we could detect tunnel mode by looking at the > next header field of the inner packet, and if we see it is IP inside > the packet, then we would assume it is tunnel mode, and enable tunnel > mode processing. We do not do that, we do negotiate whether the IPsec > SA is tunnel or transport mode and create IPsec SA either in tunnel or > in transport mode. > > Earlier there was also another encapsuluation mode called a Bound > End-to-End Tunnel (BEET) mode for ESP [1] that was also proposed, and > in that case it would have been impossible to detect the mode from the > incoming packet, as lots of the information needed to reconstruct the > end to end IP header is stored in the SA. > > Anyways we do store things in the IPsec SA when we create them, we do > have negotiation mechanism to agree on those parameters and we can use > them, we do not need to process things per packet basis. Are you saying that the next-header field is useless then? I mean the code I've worked on parses the next header field on a per packet basis to handle the inner packet payload. I'm not interested in trying to redesign ESP with IPTFS, just use it as provided. Thanks, Chris. > > [1] https://tools.ietf.org/html/draft-nikander-esp-beet-mode-09 > -- > kivinen@iki.fi >
- [IPsec] I-D Action: draft-ietf-ipsecme-iptfs-02.t… internet-drafts
- [IPsec] Update and WGLC request [Re: I-D Action: … Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Michael Richardson
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Paul Wouters
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger