IETF Logo Mail Archive

Re: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

"Bhatia, Manav (Manav)" <manav@alcatel-lucent.com> Thu, 16 July 2009 08:00 UTC

Return-Path: <manav@alcatel-lucent.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E02813A67EA for <ipsec@core3.amsl.com>; Thu, 16 Jul 2009 01:00:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zm79rJ2Ih4zx for <ipsec@core3.amsl.com>; Thu, 16 Jul 2009 01:00:05 -0700 (PDT)
Received: from hoemail1.alcatel.com (hoemail1.alcatel.com [192.160.6.148]) by core3.amsl.com (Postfix) with ESMTP id 848E23A6998 for <ipsec@ietf.org>; Thu, 16 Jul 2009 01:00:02 -0700 (PDT)
Received: from horh1.usa.alcatel.com (h172-22-218-55.lucent.com [172.22.218.55]) by hoemail1.alcatel.com (8.13.8/IER-o) with ESMTP id n6G7xTrS012797; Thu, 16 Jul 2009 02:59:29 -0500 (CDT)
Received: from mail.apac.alcatel-lucent.com (aprelay03.apac.alcatel-lucent.com [202.65.2.133]) by horh1.usa.alcatel.com (8.13.8/emsr) with ESMTP id n6G7xOrt028886; Thu, 16 Jul 2009 02:59:25 -0500 (CDT)
Received: from INBANSXCHHUB02.in.alcatel-lucent.com (inbansxchhub02.in.alcatel-lucent.com [135.250.12.35]) by mail.apac.alcatel-lucent.com (8.13.7/8.13.7/Alcanet1.0) with ESMTP id n6G88a9G023311; Thu, 16 Jul 2009 16:08:43 +0800
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.50]) by INBANSXCHHUB02.in.alcatel-lucent.com ([135.250.12.35]) with mapi; Thu, 16 Jul 2009 13:29:14 +0530
From: "Bhatia, Manav (Manav)" <manav@alcatel-lucent.com>
To: QIU Ying <qiuying@i2r.a-star.edu.sg>, "Grewal, Ken" <ken.grewal@intel.com>, Yaron Sheffer <yaronf@checkpoint.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Date: Thu, 16 Jul 2009 13:29:14 +0530
Thread-Topic: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05
Thread-Index: AcoF59ajfgpSdLYJRd+9eTCK3sZZewAA0W5A
Message-ID: <7C362EEF9C7896468B36C9B79200D8350A1C4BC30E@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <2E5D69B62A99425C894AA9B258004990@t3400><C49B4B6450D9AA48AB99694D2EB0A4832C2438DC@rrsmsx505.amr.corp.intel.com><E12B577D22E64DE1806D838CDC751259@t3400><C49B4B6450D9AA48AB99694D2EB0A4832C24406A@rrsmsx505.amr.corp.intel.com><7C362EEF9C7896468B36C9B79200D8350A1C4BC25F@INBANSXCHMBSA1.in.alcatel-lucent.com> <4EB8BD054AA343E79C6233E451202CBB@t3400> <449470331FD44A268216A4EDA48EDC52@t3400>
In-Reply-To: <449470331FD44A268216A4EDA48EDC52@t3400>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_7C362EEF9C7896468B36C9B79200D8350A1C4BC30EINBANSXCHMBSA_"
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 172.22.12.27
X-Scanned-By: MIMEDefang 2.64 on 202.65.2.133
Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jul 2009 08:00:17 -0000

Yes, this is what i had meant. I agree that i don't see a use case for this, but there is really nothing that precludes the possibility of having ESP-NULL in WESP.

Cheers, Manav

________________________________
From: QIU Ying [mailto:qiuying@i2r.a-star.edu.sg]
Sent: Thursday, July 16, 2009 1.01 PM
To: QIU Ying; Bhatia, Manav (Manav); Grewal, Ken; Yaron Sheffer; ipsec@ietf.org
Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

Oh, maybe I misunderstood Manav's thought.

Perhaps Manav's meaning is that WESP carries an ESP-null packet which trailer next header is happened ESP. It will cause the conflict. But I do not think this assumption were practical.

Regards
Qiu Ying



----- Original Message -----
From: QIU Ying<mailto:qiuying@i2r.a-star.edu.sg>
To: Bhatia, Manav (Manav)<mailto:manav@alcatel-lucent.com> ; Grewal, Ken<mailto:ken.grewal@intel.com> ; Yaron Sheffer<mailto:yaronf@checkpoint.com> ; ipsec@ietf.org<mailto:ipsec@ietf.org>
Sent: Thursday, July 16, 2009 3:11 PM
Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

Hi, Manav

0xFF (255) is reserved by IANA. Maybe you are correct that IANA  would never release the special number to a document. But it is risk for a long term RFC.

If I am not wrong, Ken's meaning is to set the next header as ESP if carrying an ESP packet inside it. Otherwise, still use the same value of the next header in ESP trailer. So it seems acceptable.

Regards
Qiu Ying


----- Original Message -----
From: Bhatia, Manav (Manav)<mailto:manav@alcatel-lucent.com>
To: Grewal, Ken<mailto:ken.grewal@intel.com> ; QIU Ying<mailto:qiuying@i2r.a-star.edu.sg> ; Yaron Sheffer<mailto:yaronf@checkpoint.com> ; ipsec@ietf.org<mailto:ipsec@ietf.org>
Sent: Thursday, July 16, 2009 2:27 PM
Subject: RE: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

We can use ESP as the next header to denote encryption being used as long as we are sure that we will never have an ESP packet inside the WESP encapsulation. In my view there is nothing that precludes that from happening, which means that we may have some corner cases where WESP may actually be carrying an ESP packet inside it. Given this, i would rather that we don't use the ESP value to denote encryption being used.

I am also not a big fan of the encryption bit as that takes away one bit from the already limited number of bits that we have at our disposal in the flags field.

Given that a packet will never carry a protocol ID of 0xFF i propose to use this value in the next-header to denote encryption being used. Would this work?

Cheers, Manav

________________________________
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Grewal, Ken
Sent: Wednesday, July 15, 2009 8.57 PM
To: QIU Ying; Yaron Sheffer; ipsec@ietf.org
Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

Qiu Ying,
Copying the value of the ESP next header to the WESP next header is useful for efficient HW parsing when using ESP-NULL.
You are correct that in the case of encrypted traffic, we can set this value to 'ESP', which could denote that the payload is encrypted.
Having said that, some people in the past have mentioned that it may be cleaner to have a dedicated bit to denote whether the payload is encrypted or using ESP-NULL.

Either way works, as long as there is a discrete, unambiguous way to denote this.

Thanks,
- Ken

________________________________
From: QIU Ying [mailto:qiuying@i2r.a-star.edu.sg]
Sent: Tuesday, July 14, 2009 7:42 PM
To: Grewal, Ken; Yaron Sheffer; ipsec@ietf.org
Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

Hi, Ken

Agree that Option 1 is better as it applies lesser new IANA numbers. But in this case, it seems redundancy to copy the value of Next Header field in the ESP trailer to here. How about simply setting the value as ESP here? I think it more meet the original concept of Next Header.

Maybe I am missing something

Regards
Qiu Ying

----- Original Message -----
From: Grewal, Ken<mailto:ken.grewal@intel.com>
To: QIU Ying<mailto:qiuying@i2r.a-star.edu.sg> ; Yaron Sheffer<mailto:yaronf@checkpoint.com> ; ipsec@ietf.org<mailto:ipsec@ietf.org>
Sent: Wednesday, July 15, 2009 1:31 AM
Subject: RE: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

Thanks Qiu Ying - great observation.

We had originally proposed using a bit from the WESP flags (integrity only) for differentiating between ESP-encrypted and ESP-NULL traffic, but changed this to using a value of zero in the next header for efficient encoding, although this is overloading the meaning of next header.
With your observation, the current definition is not practical so we have the following options:


 1.  Revert back to using a bit in the flags to differentiate between encrypted / NULL traffic.
 2.  Allocate a new protocol value for the next header field to indicate encrypted data, which seems like an overkill.

As we are already asking for a new protocol value for WESP, option 1 seems to be the better choice.

Other opinions?

Thanks,
- Ken

________________________________
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of QIU Ying
Sent: Tuesday, July 14, 2009 12:37 AM
To: QIU Ying; Yaron Sheffer; ipsec@ietf.org
Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

Since the zero of next header value is used for HOPOPT already, maybe applying a new value for this intention is better to avoid the confliction.

Regards
Qiu Ying

----- Original Message -----
From: QIU Ying<mailto:qiuying@i2r.a-star.edu.sg>
To: Yaron Sheffer<mailto:yaronf@checkpoint.com> ; ipsec@ietf.org<mailto:ipsec@ietf.org>
Sent: Tuesday, July 14, 2009 3:30 PM
Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

Regarding the Next Header in section 2, what will be happened if the value of Next Header is zero (i.e. IPv6 Hop-by-Hop option) and the packet is not encrypted?

Regards
Qiu Ying

----- Original Message -----
From: Yaron Sheffer<mailto:yaronf@checkpoint.com>
To: ipsec@ietf.org<mailto:ipsec@ietf.org>
Sent: Sunday, July 05, 2009 3:48 AM
Subject: [IPsec] WG Last Call: draft-ietf-ipsecme-traffic-visibility-05

This is the beginning of a two-week WG Last Call, which will end July 18. The target status for this document is Proposed Standard. The current document is at http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-05.

If you have not read the document before now, please do so. Having fresh eyes on the document often brings up important issues. If you HAVE read it before, please note that there have been several revisions since San Francisco, so you might want to read it again (plus it's a short document). Send any comments to the list, even if they are as simple as "I read it and it seems fine".

Please clearly indicate the position of any issue in the Internet Draft, and if possible provide alternative text. Please also indicate the nature or severity of the error or correction, e.g. major technical, minor technical, nit, so that we can quickly judge the extent of problems with the document.

Thanks,
            Yaron
________________________________
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Institute for Infocomm Research disclaimer: "This email is confidential and may be privileged. If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you."
Institute for Infocomm Research disclaimer: "This email is confidential and may be privileged. If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you."
Institute for Infocomm Research disclaimer: "This email is confidential and may be privileged. If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you."

________________________________

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Institute for Infocomm Research disclaimer: "This email is confidential and may be privileged. If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you."

v2.30.2 | Report a Bug | By Email | System Status