IETF Logo Mail Archive

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

Christian Hopps <chopps@chopps.org> Thu, 15 October 2020 20:12 UTC

Return-Path: <chopps@chopps.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 716293A1343 for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:12:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uN2vxrK_EXH2 for <ipsec@ietfa.amsl.com>; Thu, 15 Oct 2020 13:12:41 -0700 (PDT)
Received: from smtp.chopps.org (smtp.chopps.org [54.88.81.56]) by ietfa.amsl.com (Postfix) with ESMTP id 03BC23A133A for <ipsec@ietf.org>; Thu, 15 Oct 2020 13:12:40 -0700 (PDT)
Received: from stubbs.int.chopps.org (047-050-069-038.biz.spectrum.com [47.50.69.38]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by smtp.chopps.org (Postfix) with ESMTPSA id 6D1DA61676; Thu, 15 Oct 2020 20:12:38 +0000 (UTC)
From: Christian Hopps <chopps@chopps.org>
Message-Id: <801025DB-8496-49E3-B628-2CE1F4EF8F53@chopps.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_7E6D459D-F491-40A9-BA85-4335A30764C4"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Thu, 15 Oct 2020 16:12:37 -0400
In-Reply-To: <alpine.LRH.2.23.451.2010151558070.2189149@bofh.nohats.ca>
Cc: Christian Hopps <chopps@chopps.org>, Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org, Valery Smyslov <smyslov.ietf@gmail.com>, Lou Berger <lberger@labn.net>
To: Paul Wouters <paul@nohats.ca>
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <24453.58544.114398.668064@fireball.acr.fi> <0b080379-48c0-b4ac-c213-f8cdfefc514a@labn.net> <24454.5506.450515.501200@fireball.acr.fi> <001701d6a1f7$76981240$63c836c0$@gmail.com> <24454.51962.50262.36523@fireball.acr.fi> <DFDCAC27-5099-4D5A-AEDA-C81A8C167002@chopps.org> <alpine.LRH.2.23.451.2010151558070.2189149@bofh.nohats.ca>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/tZqnYOOJ-oGyftBliWoC3KgEp8w>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 20:12:45 -0000

Hi Paul,

My comment was only about using the next header field in ESP to identify the ESP payload. I believe we've already agreed to remove the zero-conf section as too controversial.

Tero, is suggesting that we should not use the next header field at all. That is what I don't understand.

Thanks,
Chris.

> On Oct 15, 2020, at 4:06 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Wed, 14 Oct 2020, Christian Hopps wrote:
> 
>> I really don't understand the extreme back pressure against using ESP the way it was designed. The next-header field is supposed to identify the payload, it does so for every other
>> payload ESP carries. Any other solution to somehow infer the payload type some other way *has* to be seen as a hack. Why do we need a hack?
>> The fact that using a payload identifier the way ESP intended also allows us to do things like handle receipt of said payload without extra configuration, or use the payload outside
>> of ESP are just benefits from good design, they aren't indicative of doing something incorrectly, the opposite in fact. They also shouldn't even be needed to justify using ESP the
>> way it was designed to be used.
>> This is all very strange to me, this want to not use the next-header field to, you know, identify the next header.
> 
> I see it as a useful feature that I can "enable" IPTFS on my existing
> IPsec connection dynamically. Perhaps to avoid always sending traffic
> when I have none, and mostly wanting my decoy traffic when I am doing
> things (like typing over ssh, sending an email, etc)
> 
> I don't see how this would happen "automatically". It would be a user
> invoked event.
> 
> Based on that, userland has to somehow trigger to kernel to switch from
> regular ESP to IPTFS. We would need to define that (eg via Netlink or
> PF_KEY).
> 
> But why not use a NOTIFY with a REKEY event to USE_IPTFS ? No need for
> new PF_KEY/netlink messages, no new userland <-> kernel signaling. Just
> use existing implemented IKE/IPsec protocols.
> 
> So I think I agree with Valery (and Tero). It is not really about what
> the ESP packet format can or cannot do, but using existing channels for
> on-the-fly reconfiguration. It would work the same as if you wanted to
> switch a transport mode to tunnel mode or IPCOMP, rekey with(out)
> USE_TRANSPORT or USE_IPCOMP.
> 
> Paul
>

v2.23.0 | Report a Bug | By Email