Re: [IPsec] TCP and MOBIKE
"Valery Smyslov" <smyslov.ietf@gmail.com> Wed, 14 November 2018 08:55 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C859130DF3 for <ipsec@ietfa.amsl.com>; Wed, 14 Nov 2018 00:55:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCRNXIBGbMwO for <ipsec@ietfa.amsl.com>; Wed, 14 Nov 2018 00:55:49 -0800 (PST)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EEF6130DC5 for <ipsec@ietf.org>; Wed, 14 Nov 2018 00:55:48 -0800 (PST)
Received: by mail-lf1-x132.google.com with SMTP id p86so10938836lfg.5 for <ipsec@ietf.org>; Wed, 14 Nov 2018 00:55:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=MV/UTNYf7t8HK4M8m4NW5yUpfaoeiQcqFDIINZi6OzA=; b=gjsh+Smtn3ruUSyQAMnOLho1IWklOGlOOu22cMHm9omSmF93ipqBRX2zGOhuIZoQde oncIrTVkqR5ESdWyhBljB0L97cmPSAaoqBlMpBYUA174N7gaNxkVA0EoZDwUah+DHMjM QdozT1eHtkLjhptZ+0wyBoeux1HckF0NokgF9BpASrT4kz7Ny8niX3Dt4iEB0wiDTNvd b4XhPfjobcGEhjnNZxlGwDwKvftKgTNDgEZVJAPMLQ8j70av1Y8jgOGXIYMAFueClk0J LKXWl3tciaHJX1WTaprtWlv5KoF8m67nO0n8Dt29IMNV2oaCrTP39uWmPfXBlmymKWLs LWyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=MV/UTNYf7t8HK4M8m4NW5yUpfaoeiQcqFDIINZi6OzA=; b=U83gt7e7RfZqQbVa5IBs7kBPxT/FNf2zbXv9IDPtVtyabvUkUj9d++4oJ2VJ/A5/ns 7SfHQVq+mHaztBV2N5yW7hWo+nf8RJtgZEjblE8i2tkyqTW+y/NJ0LmXcxiHw0eEzrNO kVHL3M4hTtKjoj2zrveND8nmbWt2R5Bl3twe8Llfd/0oWR4YeWA44DV63o5+oDrgb24+ YfCs5lLMmAzXa8v9PygtnuL2Ehn0bf7AuBlUSSxk6pKvIJOXhtv+6TjzEEvHYfBRZi4f vsc9Qw4hN/pwpnM5X+d5bKVy0G6VTsGXtuB4+JSNxge6aq1mCmtvPbAlrjOx4RKBRr5H iiCw==
X-Gm-Message-State: AGRZ1gKrjMq8hUxDngvaK5b2S9gKtEDl1kRbx0IlwmXnLAgDbtslzHH3 kxAuvKsp1OMNnivjrkkeBFs=
X-Google-Smtp-Source: AJdET5eFKwRf726eLtn7u9q5s4v8kZ8MJUFcebgZUEW1kxPgMN6WHuTphOE0Us+WPBkTd9vBNbjJ4A==
X-Received: by 2002:a19:7399:: with SMTP id h25mr579350lfk.85.1542185746459; Wed, 14 Nov 2018 00:55:46 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id y81-v6sm579279lje.30.2018.11.14.00.55.45 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 14 Nov 2018 00:55:45 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Tero Kivinen' <kivinen@iki.fi>
Cc: 'David Schinazi' <dschinazi.ietf@gmail.com>, ipsec@ietf.org
References: <031f01d47720$e9fb8220$bdf28660$@gmail.com> <CAPDSy+6V3dVkrcX=Lgd-G47RaLug8fhR=SZcD-cBdAmXJeCXvA@mail.gmail.com> <032c01d47724$f906d6d0$eb148470$@gmail.com> <23531.54545.136222.41944@fireball.acr.fi>
In-Reply-To: <23531.54545.136222.41944@fireball.acr.fi>
Date: Wed, 14 Nov 2018 11:55:44 +0300
Message-ID: <01db01d47bf7$d4e34630$7ea9d290$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQINC5x2IttgBeVJM8GBpgLrp7BrywFkiMAmAUp58kMBQ1c7HqS+N/zA
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/tKfMSNkL_WX7x4SvEsQHSXQD9CM>
Subject: Re: [IPsec] TCP and MOBIKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2018 08:55:51 -0000
Hi Tero, > > Hmm, maybe. Or maybe not. Or maybe just ignore it in case of TCP? > > I would say that is better approach. I.e., ignore NO_NATS_ALLOWED and > NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP o receiver > when connection comes in with TCP. > > There is nothing we want to do even if detected NAT on the tcp path, > we are not going to switc to switch to another port, we are not going > to allow dynamic updates (as they would not work with TCP anyways), > there is no point of sending keepalives on TCP etc. > > So on tcp just ignore those payloads. Makes sense. > > I think that in general the co-existence of MOBIKE and TCP must be > > elaborated in more detail in the draft. > > I agree. There are also several cases where we some of the mobike > processing does not really make sense. Things like return routability > checks, changing nat mappings, etc. The initial UPDATE_SA_ADDRESSES > should be enough to just say that use this connection for return > traffic. I do not think there is anything else for the responder to do > for it. The uselessness of the return routability check in case of TCP is already mentioned in the draft. > > request. Probably we could clarify in TCP guidelines draft that the content > > of NO_NATS_ALLOWED MUST be recalculated in this case? Or is it obvious? > > Modifying the packet after it has been sent over any transport once, > is impossible, and will break things. > > I.e., if client send packet using UDP and it did reach the destination > correctly, but return packet got lost, and then client decided to move > to TCP, and resend the packet. > > If the packet is modified, then responder will see it as an attack, as > it is using message-id that where it has already processed and > responded to, but the content of the frame is not same. As the content > is not same, it will not retransmit its reply, so both ends just stop > and finally the connection times out. Depending on the implementation, the content in this case might not be checked, the latest response might just be sent. There is no point to re-check the content of the replayed packet, it's only waste of CPU resources. > >From the RFC7296 section 2.1: > > A retransmission from the initiator MUST be bitwise identical to > the original request. That is, everything starting from the IKE > header (the IKE SA initiator's SPI onwards) must be bitwise > identical; items before it (such as the IP and UDP headers) do not > have to be identical. > > That is the reason why mobike for example does the processing so that > if it needs to change address during UPDATE_SA_ADDRESSES it will not > modify packet it is sending out, it will simply run the process to > end, and then redo it again from the start. It needs to do if it ever > used more than one address, regardless which of them succeeded. I.e., > if it send UPDATE_SA_ADDRESSES using source IP1 and does not get > reply, moves to IP2, does not get reply, moves back IP1, and now do > get reply, it still needs to do UPDATE_SA_ADDRESSES again because it > did not know which of his frames got to the other end. It could have > been that first packet ever reaching responder was sent from IP2, but > the reply got lost, and then when initiator resent the packet from > IP1, the responder just repeated the reply generated earlier packet > from IP2... These exchanges (trying out IP1, IP2 etc.) will have different Message IDs anyway (*). So the responder won't reply with previously saved response, because Message IDs will differ. And the content of NAT_DETECTION_*_IP can be recalculated accordingly (*) From RFC 4555: If the request to update the addresses is retransmitted using several different source addresses, a new INFORMATIONAL request MUST be sent. Anyway, I agree that the current exchange must be finished off (either completed or deemed timed out) before a new one is started from (to) a different IP. But with TCP we don't change address, we only change transport, so the exchange must remain the same when switching from UDP to TCP... And this would break some things, like NO_NATS_ALLOWED and NAT_DETECTION. Regards, Valery. > kivinen@iki.fi > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE David Schinazi
- Re: [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE Tero Kivinen
- Re: [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE Tero Kivinen
- Re: [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE Tero Kivinen