Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
Tero Kivinen <kivinen@iki.fi> Thu, 27 April 2017 12:46 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D42CB12949D; Thu, 27 Apr 2017 05:46:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BO9JGV7gsfDQ; Thu, 27 Apr 2017 05:46:44 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0559E129463; Thu, 27 Apr 2017 05:46:43 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v3RCkfNx009457 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 27 Apr 2017 15:46:41 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v3RCkeQY011424; Thu, 27 Apr 2017 15:46:40 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22785.59440.657008.252746@fireball.acr.fi>
Date: Thu, 27 Apr 2017 15:46:40 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Tommy Pauly <tpauly@apple.com>, ipsec@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, ipsecme-chairs@ietf.org, Mirja Kuehlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>
In-Reply-To: <CABcZeBOb3dD4tQbiYH9jABCXMKOGWNaWCNAyMzyKeiXnB5YAoQ@mail.gmail.com>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <22784.31378.631303.102297@fireball.acr.fi> <CABcZeBOb3dD4tQbiYH9jABCXMKOGWNaWCNAyMzyKeiXnB5YAoQ@mail.gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 23 min
X-Total-Time: 23 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/symxbB6IkweaKilFzdUsifa5q2g>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 12:46:46 -0000
Eric Rescorla writes: > AFAICT there are two separate issues: > > - The use of 4500, which, as Tero says, we can just update the registry to > point to this document for. > - The use of 443, which seems more complicated Yes. > WRT 443, I would assert the following facts: > > - It's not awesome that people use 443 (though understandable because of > overly-aggressive firewalls) > - People aren't going to stop using 443 (because it goes through NATs well) Especially as this has already been specified by the 3gpp TS.24.302 [1], [2]. One of the reasons we are doing this is that 3GPP defined how to run IPsec over TCP, and they decided to use port 443 and TLS framing for that (or HTTP proxy supporting HTTPCONNECT). I.e., they specified firewall traversal that will make TCP connection to port 443 of the ePDG address, and do normal TLS handshake over that, and then run TCP stream over that which will have IKEv2 and ESP frames similar what is defined here. When IPsec WG decided this is something that should be standardized for general use, we took that but we did not want to limit it to port 443 and TLS framing only, so we decided that we would define it mostly on port TCP/4500 without TLS. The original draft had text about the TLS in main body, but as it was moved to Appendix during the working group process. So regardless what we do here 3GPP will be running IPsec over TLS over TCP port 443 (i.e., IPsec, not HTTP inside the TLS). To be aligned with them we did for example change the length field before the messages to be 16-bit instead of original 32-bits. On the other hand we did add IKETCP stream prefix there, as that allows us to detect this is IETF version of the IPsec over TCP, not some proprietary or 3gpp method done before (just in case there are other differences we did not spot). [1] https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1073 [2] http://www.3gpp.org/ftp//Specs/archive/24_series/24.302/24302-e30.zip > Generally, I think it's more useful for documents to reflect > reality, even if we don't like that reality, and 443 only appears in > the appendix, so that seems fairly innocuous to me. Perhaps we can > leave the 443 in the appendix with some note like: This was the reason why WG originally wanted to move it to Appendix, and not remove it completely. > "Note: While port 4500 is the reserved port for this protocol, some > existing implementations also use port 443. The Stream Prefix > provides some mitigation against cross-protocol attacks in this > case, however, the use of port 443 is NOT RECOMMENDED" I think that text would be fine for me at least (but I am not author of this draft). > What would people think about that? > > Tommy, Tero, the stream prefix doesn't seem totally ideal. Would > there be wiggle room to specify ALPN here? Or maybe a longer prefix? The stream prefix is done also on the port 4500 or any other configured port, and those will not use TLS. Only the port 443 (or other configured ports defined to use TLS) will use TLS. Also the TLS wrapper before the IPsec / IKE might be completely sepearate module, and transferring things from there to IPsec module might be hard. The stream prefix is also inside the TLS wrapping (see B.1. example), i.e., it is the first bytes that come from the stream coming out from the TLS after the TLS handshake is finished. So for the IPsec module, it does not need to know whether there was TLS warpping around the TCP stream or not, it will get stream of octets starting with "IKETCP", and then followed by IKE or ESP packets. Also, note, that responder might use the fact that when new connection comes in and it starts with "IKETCP" as indication that there is no TLS wrapping around the frames, and give them directly to IPsec module. If there is something else, then it might try to do TLS handshake and if that successed, then check if inside the TLS there is "IKETCP" stream prefix and if so, then give that data to the IPsec module. This is something they could do on any port they are configured to listen, not only port 4500 or 443. Or it could be they are configured so that port 4500 is always without TLS framing, port 443 is always with TLS framing, and other configured ports have automatic TLS detection and processing enabled.... -- kivinen@iki.fi
- [IPsec] Mirja Kühlewind's Discuss on draft-ietf-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Tommy Pauly
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Eric Rescorla
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's Discuss on draft-ie… Kathleen Moriarty
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tero Kivinen
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kühlewind
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Spencer Dawkins at IETF
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Eric Rescorla
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- Re: [IPsec] Mirja Kuehlewind's Discuss on draft-i… Tommy Pauly
- [IPsec] Should draft-ietf-ipsecme-tcp-encaps-10 u… Paul Wouters
- Re: [IPsec] Should draft-ietf-ipsecme-tcp-encaps-… Tommy Pauly