IETF Logo Mail Archive

Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 27 April 2017 13:56 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98E33129522; Thu, 27 Apr 2017 06:56:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rbZ0cv2tiZ81; Thu, 27 Apr 2017 06:56:54 -0700 (PDT)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F39A8129516; Thu, 27 Apr 2017 06:56:53 -0700 (PDT)
Received: by mail-yw0-x229.google.com with SMTP id 203so15852059ywe.0; Thu, 27 Apr 2017 06:56:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tw9WIqHH4Dd5Dgh4+bXtt9r3G280G2TcCQvTY5GXcfs=; b=UOlWYtoVRZPn5wuRmbYjmdH4EX+7PoxS/K7RPp1eRgGkjEzAfZcoHtLjEJBg/dMgBa HjyJTuxUbtJb7djV2BPUarggx8bCqAHeA5QGCANE4R0yrBvv4cdxIEmtly2gVGR4ncjC JvvrsyZoRV4bEKArHbsuXUO7kSaPUaB+v/s5lSNVrFmSmy2nbeZfHM6IU4cWjpyina7H L+KR2oLWy+VSsJO8/Hm7NaCAYWUUnoYSPXbo1W3VREOTuHHJWZSZ+1DO4AfX1Ls1v+Ks bgC2KEOM4FkxqHEl/X3d7fxJdy6JGI8M0FiHrOK826oDSdodIBgP45KxfnYJSlqB7aTa VkZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tw9WIqHH4Dd5Dgh4+bXtt9r3G280G2TcCQvTY5GXcfs=; b=qN7xs1s/lbODfZl6zLMLjNXdufEQr+SKRz5M+PbDnZPltGaS/RNBEd5KZzcb/rO7+i EbJGqhcIceRtDsVhy2OZFNpAkj/B1mu028sME7gPq8YH2wjdRAmNsfaoReAC6d0+X6Kz MI/Y6VpdVT4gtGSJ25m5PPl3yTvbPEXmh5Bwbbs0MDzvzq0/CwMIIpIBmeqJw8Yj/F0D fbLCESP11+YRaCDhZYN0ZTVTO6Kar8CzQm1d6wzwSloj2GAgRkJOFtAKB1LuHBoJHwoA kl2wboQxHavTdBcUgwkR0Sa1EsVgKijPRU5pEekNNwXrGrPdlDAwPFRc+neMIxEUx8MX eohA==
X-Gm-Message-State: AN3rC/5tp1kXbByJiQd+JfowXSJX0TQs7pbkipe49UwSj/rnclOszGnI 1it5fVF3chJeFVMCzr7vpWazvVV0ZA==
X-Received: by 10.129.62.22 with SMTP id l22mr4777776ywa.37.1493301413173; Thu, 27 Apr 2017 06:56:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.161.198 with HTTP; Thu, 27 Apr 2017 06:56:52 -0700 (PDT)
In-Reply-To: <22785.63297.423256.805596@fireball.acr.fi>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net> <CAKKJt-eWifk8ReWLGUism13XAiOCAGO7H7iyEUTGTvMw9fT0kw@mail.gmail.com> <22785.63297.423256.805596@fireball.acr.fi>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Thu, 27 Apr 2017 08:56:52 -0500
Message-ID: <CAKKJt-e74MO8WLcZcA4GCcG727aUs=EOW8Dy0omjoNnBG2aCMw@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Cc: Mirja Kuehlewind <ietf@kuehlewind.net>, Tommy Pauly <tpauly@apple.com>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f2d9246626d054e26545d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/s1JjgizGmXKbjvzpxDBFNMGbmmM>
Subject: Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 13:56:55 -0000

Tero,

Top-posting, because I'm only saying "thank you, that's very helpful".

Spencer

On Thu, Apr 27, 2017 at 8:50 AM, Tero Kivinen <kivinen@iki.fi> wrote:

> Spencer Dawkins at IETF writes:
> > The reason optional ports in URIs work, is that someone handed you a URI
> with
> > that port number who has some reason to believe that the port number is
> OK to
> > use with the host included in the URI.
> >
> > Is that a reasonable assumption about the way IPsec and IKE over TCP
> will be
> > deployed? That no Initiator would assume that another host is an IKE
> > Responder, without being configured to use that host?
>
> I have been using following matrix to understand the IETF security
> protocols:
>
> +---------------------+-----------------------+------------------+
> |                     | "Kernel" mode         | Application mode |
> +---------------------+-----------------------+------------------+
> | Pre-configuration   | IPsec                 | Secure Shell     |
> | required            |                       |                  |
> +---------------------+-----------------------+------------------+
> | No per host         | HIP                   | SSL/TLS          |
> | pre configuration   | /                     |                  |
> | needed /            | TCPINC                |                  |
> | opportunistic       |                       |                  |
> +---------------------+-----------------------+------------------+
>
> Kernel mode means it is implemented inside the operating system kernel
> or libraries, and Application mode means it is part of the application
> level implementation.
>
> Pre-configuration required means that both ends needs to be
> pre-configured to accept the connection. I.e., there is no point of
> trying to use ssh to connect host kivinen.iki.fi unless you have
> account and some method of authentication token for that host. Same
> with IPsec, you cannot assume that other end talks IPsec and allows
> you to connect unless you have pre-configured both ends to support it.
>
> Even when using opportunistic IPsec this is mostly same, there is no
> point of even trying to use opportunistic IPsec to www.google.com, and
> assume it would work. It might be that at some day we are there, and
> we have opportunistic IPsec installed in every single host, but we are
> not there now, and main use of IPsec is with pre-configuration.
>
> With HIP and TCPINC you always assume that you simply connect the
> other end and you do not need per host configuration. The connection
> either works or not, and if not you fall back to TCP (TCPINC), or just
> fail (with HIP adding configuration might help).
>
> With TLS you can just assume that other end allows you to connect if
> it supports TLS at all, and this is because everybody is
> "pre-configured" with same trusted anchor list, but there is no need
> for per-host configuration.
>
> So short answer to your question is: IPsec do require
> pre-configuration, so if configuration says that IP address x.y.z.0
> talks IPsec over TCP on port 1234, then you do that. If there is no
> configuration then you usually just fail, as you do not know what
> authentication credentials you are supposed to use.
> --
> kivinen@iki.fi
>

v2.23.0 | Report a Bug | By Email