Re: [IPsec] WG Adoption calls for draft-mglt-ipsecme-diet-esp and draft-mglt-ipsecme-ikev2-diet-esp-extension

hannes.tschofenig@gmx.net Tue, 12 December 2023 14:25 UTC

From: hannes.tschofenig@gmx.net
To: 'Paul Wouters' <paul@nohats.ca>
Cc: 'Daniel Migault' <mglt.ietf@gmail.com>, 'Carsten Bormann' <cabo@tzi.org>, 'Tero Kivinen' <kivinen@iki.fi>, ipsec@ietf.org, schc@ietf.org
References: <b4199538-a09d-4e49-a960-0adbfb84946a@gmx.net> <F060175D-059A-4AA7-B394-978018E5CB6E@nohats.ca>
In-Reply-To: <F060175D-059A-4AA7-B394-978018E5CB6E@nohats.ca>
Date: Tue, 12 Dec 2023 15:24:58 +0100
Message-ID: <057e01da2d06$fc909b40$f5b1d1c0$@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/rRG0nzLJJAvHI2oNmEdpa4KS5Lk>
Subject: Re: [IPsec] WG Adoption calls for draft-mglt-ipsecme-diet-esp and draft-mglt-ipsecme-ikev2-diet-esp-extension

Hi Paul,


Reading your response, it sounds to me that a myth-busting (or a hitchhiker's guide to IKEv2/IPsec) document would be useful. I am curious whether others have also run into similar discussions about WireGuard.


Additionally, it seems worthwhile to think about doing something similar to RFC 7925 (and draft-ietf-uta-tls13-iot-profile-08 <https://datatracker.ietf.org/doc/draft-ietf-uta-tls13-iot-profile/>) but for IKEv2 / IPsec, maybe based on draft-kivinen-ipsecme-ikev2-minimal / draft-mglt-lwig-minimal-esp.


Ciao
Hannes


From: Paul Wouters <paul@nohats.ca>
Sent: Monday, 11 December 2023 20:30
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: Daniel Migault <mglt.ietf@gmail.com>; Carsten Bormann <cabo@tzi.org>; Tero Kivinen <kivinen@iki.fi>; ipsec@ietf.org; schc@ietf.org
Subject: Re: [IPsec] WG Adoption calls for draft-mglt-ipsecme-diet-esp and draft-mglt-ipsecme-ikev2-diet-esp-extension


On Dec 11, 2023, at 12:03, Hannes Tschofenig <hannes.tschofenig=40gmx.net@dmarc.ietf.org> wrote:

I have, however, heard about uses of WireGuard on Linux-based IoT devices (these are non-constrained devices, obviously) with the argument that it is simple to use and efficient.

It’s actually far less efficient because it only supports chacha20poly1305, so when doing benchmarks resulting in similar (within 5%) bandwidth, it ends up using 90% CPU versus like 5% with AES_GCM that’s hardware accelerated.


The ESP tunnel mode packet format and the WireGuard packet format are basically the same thing.


The one thing people claim that can be argued is that configuration of WireGuard is easier, but for IoT, I would expect either solution to be so abstracted from the user as to not be a relevant consideration.

I believe it is worthwhile to think about the motivation of using WireGuard instead of IPsec/IKEv2 instead of spending a lot of time on yet another tiny optimization.


There is minimal IKEv2 and minimal ESP.

Hence, I would aim for a more ambitious goal: Make IPsec/IKEv2 work well on Linux-based IoT devices (*)

What’s the limiting factor here? Usually Linux-based IoT has “plenty” of RAM, CPU and flash.


Paul

*: Forget the constrained IoT device use case - there are better solutions available that don't require IPsec/IKEv2


CoAP? EDHOC?


Paul

On 11.12.2023 at 14:53, Daniel Migault wrote:

Hi Hannes, 


One draft is esp, the other is ikev2, I tend to think it would be better to have two separate documents.


Validation of the SCHC specification will be supported by implementations, and I am aware of two ongoing implementations based on openschc. I am also aware of 2 implementations that do not rely on SCHC: one implementation on Contiki and one in Python (not public).

https://bitbucket.org/sylvain_www/diet-esp-contiki/src/master/


We are working on an implementation. What is not completely clear to me now is how we will be able to have/make public implementations for the Linux implementation and potentially the *Swan projects. It is a bit too early for now, but I am hoping to have a path in the coming months.


As far as I know ROHC is still used, but I do not know how ROHC is specifically used for IPsec traffic.


Yours, 

Daniel


On Mon, Dec 11, 2023 at 7:12 AM Hannes Tschofenig <hannes.tschofenig=40gmx.net@dmarc.ietf.org> wrote:

Shouldn't the two drafts be merged?


Who of the authors is going to implement the specs?


Ciao
Hannes


@Carsten: I have not been following the ROHC work after standardization
was completed. Was it actually used? Is it still used?


On 30.11.2023 at 14:09, Carsten Bormann wrote:
> As a co-author of draft-mglt-ipsecme-diet-esp, I do support this work (as well as the accompanying draft-mglt-ipsecme-ikev2-diet-esp-extension) and plan to continue working on it.
>
> We did the equivalent of these two drafts for ROHC in RFC 5856 to 5858.
> The current work is an obvious missing link for SCHC that needs to be filled in, just as we did for ROHC in 2010.
>
> Regards, Carsten
>
>
>> On 2023-11-27, at 19:33, Tero Kivinen <kivinen@iki.fi> wrote:
>>
>> This is two week adoption call for draft-mglt-ipsecme-diet-esp. If you
>> support adopting this document as a working group document for IPsecME
>> to work on, and then at some point publish this as an RFC, send
>> comments to this list.
>>
>> This adoption call ends 2023-12-13.
>>
>> Note, that I do want to see people saying that they think this
>> document is worth of working on, and that they plan to review and
>> comment on it. If I only get one or two people (including authors :-)
>> to say they support this work, then there is no point of work on this
>> in WG.
>> --
>> kivinen@iki.fi
>>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org <mailto:IPsec@ietf.org> 
> https://www.ietf.org/mailman/listinfo/ipsec


-- 

Daniel Migault

Ericsson

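The packet-format comparison Paul draws above (ESP tunnel mode versus the WireGuard transport data message), as an added example that is not part of this thread: it tallies the fixed framing each protocol wraps around an inner packet, using the field sizes from RFC 4303 and RFC 4106 (AES-GCM) and from the WireGuard protocol description, and parses the cleartext header of each. The SPI, receiver index and packet bytes are constructed sample values.

```python
"""Added example (not from the thread): ESP+AES-GCM framing vs. WireGuard
transport framing. Field sizes come from RFC 4303/4106 and the WireGuard
protocol paper; the sample values below are constructed."""
import struct

# Constructed sample values, not real traffic.
ESP_SPI, ESP_SEQ = 0x0000ABCD, 42
WG_RECEIVER_INDEX, WG_COUNTER = 0x11223344, 42
WG_TYPE_TRANSPORT_DATA = 4


def esp_aes_gcm_overhead(plain_len: int) -> int:
    """Bytes ESP adds around an inner packet with AES-GCM (RFC 4106):
    SPI(4) + sequence number(4) + IV(8), then the ESP trailer
    (padding + pad length(1) + next header(1)) aligned to 4 bytes,
    then a 16-byte ICV."""
    trailer = 2
    pad = (-(plain_len + trailer)) % 4
    return 4 + 4 + 8 + pad + trailer + 16


def wireguard_overhead(plain_len: int) -> int:
    """Bytes a WireGuard transport data message adds: type(1) +
    reserved(3) + receiver index(4) + counter(8), the inner packet
    zero-padded to a 16-byte multiple, then a 16-byte Poly1305 tag."""
    pad = (-plain_len) % 16
    return 1 + 3 + 4 + 8 + pad + 16


def parse_esp_header(pkt: bytes) -> dict:
    """ESP cleartext header: big-endian SPI and sequence number."""
    spi, seq = struct.unpack("!II", pkt[:8])
    return {"spi": spi, "seq": seq}


def parse_wg_transport_header(pkt: bytes) -> dict:
    """WireGuard transport header: little-endian type, index, counter."""
    msg_type, _reserved, receiver, counter = struct.unpack("<B3sIQ", pkt[:16])
    return {"type": msg_type, "receiver": receiver, "counter": counter}


def build_sample_headers() -> tuple:
    """Build the two cleartext headers from the constructed sample values."""
    esp = struct.pack("!II", ESP_SPI, ESP_SEQ)
    wg = struct.pack("<B3sIQ", WG_TYPE_TRANSPORT_DATA, b"\x00\x00\x00",
                     WG_RECEIVER_INDEX, WG_COUNTER)
    return esp, wg


if __name__ == "__main__":
    for n in (60, 100, 1400):
        print(n, esp_aes_gcm_overhead(n), wireguard_overhead(n))
```

For a 60-byte inner packet both add 36 bytes; they diverge only through padding granularity (4 bytes for ESP, 16 for WireGuard). WireGuard always rides inside UDP (another 8 bytes), whereas ESP runs natively as IP protocol 50 and only pays the UDP header when NAT-traversal encapsulation is in use.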