Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 27 April 2017 13:56 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98E33129522; Thu, 27 Apr 2017 06:56:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rbZ0cv2tiZ81; Thu, 27 Apr 2017 06:56:54 -0700 (PDT)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F39A8129516; Thu, 27 Apr 2017 06:56:53 -0700 (PDT)
Received: by mail-yw0-x229.google.com with SMTP id 203so15852059ywe.0; Thu, 27 Apr 2017 06:56:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tw9WIqHH4Dd5Dgh4+bXtt9r3G280G2TcCQvTY5GXcfs=; b=UOlWYtoVRZPn5wuRmbYjmdH4EX+7PoxS/K7RPp1eRgGkjEzAfZcoHtLjEJBg/dMgBa HjyJTuxUbtJb7djV2BPUarggx8bCqAHeA5QGCANE4R0yrBvv4cdxIEmtly2gVGR4ncjC JvvrsyZoRV4bEKArHbsuXUO7kSaPUaB+v/s5lSNVrFmSmy2nbeZfHM6IU4cWjpyina7H L+KR2oLWy+VSsJO8/Hm7NaCAYWUUnoYSPXbo1W3VREOTuHHJWZSZ+1DO4AfX1Ls1v+Ks bgC2KEOM4FkxqHEl/X3d7fxJdy6JGI8M0FiHrOK826oDSdodIBgP45KxfnYJSlqB7aTa VkZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tw9WIqHH4Dd5Dgh4+bXtt9r3G280G2TcCQvTY5GXcfs=; b=qN7xs1s/lbODfZl6zLMLjNXdufEQr+SKRz5M+PbDnZPltGaS/RNBEd5KZzcb/rO7+i EbJGqhcIceRtDsVhy2OZFNpAkj/B1mu028sME7gPq8YH2wjdRAmNsfaoReAC6d0+X6Kz MI/Y6VpdVT4gtGSJ25m5PPl3yTvbPEXmh5Bwbbs0MDzvzq0/CwMIIpIBmeqJw8Yj/F0D fbLCESP11+YRaCDhZYN0ZTVTO6Kar8CzQm1d6wzwSloj2GAgRkJOFtAKB1LuHBoJHwoA kl2wboQxHavTdBcUgwkR0Sa1EsVgKijPRU5pEekNNwXrGrPdlDAwPFRc+neMIxEUx8MX eohA==
X-Gm-Message-State: AN3rC/5tp1kXbByJiQd+JfowXSJX0TQs7pbkipe49UwSj/rnclOszGnI 1it5fVF3chJeFVMCzr7vpWazvVV0ZA==
X-Received: by 10.129.62.22 with SMTP id l22mr4777776ywa.37.1493301413173; Thu, 27 Apr 2017 06:56:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.161.198 with HTTP; Thu, 27 Apr 2017 06:56:52 -0700 (PDT)
In-Reply-To: <22785.63297.423256.805596@fireball.acr.fi>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net> <CAKKJt-eWifk8ReWLGUism13XAiOCAGO7H7iyEUTGTvMw9fT0kw@mail.gmail.com> <22785.63297.423256.805596@fireball.acr.fi>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Thu, 27 Apr 2017 08:56:52 -0500
Message-ID: <CAKKJt-e74MO8WLcZcA4GCcG727aUs=EOW8Dy0omjoNnBG2aCMw@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Cc: Mirja Kuehlewind <ietf@kuehlewind.net>, Tommy Pauly <tpauly@apple.com>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f2d9246626d054e26545d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/s1JjgizGmXKbjvzpxDBFNMGbmmM>
Subject: Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 13:56:55 -0000
Tero, Top-posting, because I'm only saying "thank you, that's very helpful". Spencer On Thu, Apr 27, 2017 at 8:50 AM, Tero Kivinen <kivinen@iki.fi> wrote: > Spencer Dawkins at IETF writes: > > The reason optional ports in URIs work, is that someone handed you a URI > with > > that port number who has some reason to believe that the port number is > OK to > > use with the host included in the URI. > > > > Is that a reasonable assumption about the way IPsec and IKE over TCP > will be > > deployed? That no Initiator would assume that another host is an IKE > > Responder, without being configured to use that host? > > I have been using following matrix to understand the IETF security > protocols: > > +---------------------+-----------------------+------------------+ > | | "Kernel" mode | Application mode | > +---------------------+-----------------------+------------------+ > | Pre-configuration | IPsec | Secure Shell | > | required | | | > +---------------------+-----------------------+------------------+ > | No per host | HIP | SSL/TLS | > | pre configuration | / | | > | needed / | TCPINC | | > | opportunistic | | | > +---------------------+-----------------------+------------------+ > > Kernel mode means it is implemented inside the operating system kernel > or libraries, and Application mode means it is part of the application > level implementation. > > Pre-configuration required means that both ends needs to be > pre-configured to accept the connection. I.e., there is no point of > trying to use ssh to connect host kivinen.iki.fi unless you have > account and some method of authentication token for that host. Same > with IPsec, you cannot assume that other end talks IPsec and allows > you to connect unless you have pre-configured both ends to support it. > > Even when using opportunistic IPsec this is mostly same, there is no > point of even trying to use opportunistic IPsec to www.google.com, and > assume it would work. It might be that at some day we are there, and > we have opportunistic IPsec installed in every single host, but we are > not there now, and main use of IPsec is with pre-configuration. > > With HIP and TCPINC you always assume that you simply connect the > other end and you do not need per host configuration. The connection > either works or not, and if not you fall back to TCP (TCPINC), or just > fail (with HIP adding configuration might help). > > With TLS you can just assume that other end allows you to connect if > it supports TLS at all, and this is because everybody is > "pre-configured" with same trusted anchor list, but there is no need > for per-host configuration. > > So short answer to your question is: IPsec do require > pre-configuration, so if configuration says that IP address x.y.z.0 > talks IPsec over TCP on port 1234, then you do that. If there is no > configuration then you usually just fail, as you do not know what > authentication credentials you are supposed to use. > -- > kivinen@iki.fi >
- [IPsec] Mirja Kühlewind's Discuss on draft-ietf-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Kathleen Moriarty
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Eric Rescorla
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- [IPsec] Should draft-ietf-ipsecme-tcp-encaps-10 u… Paul Wouters
- Re: [IPsec] Should draft-ietf-ipsecme-tcp-encaps-… Tommy Pauly