[IPsec] Re: Comments on draft-pwouters-ipsecme-delete-info

Paul Wouters <paul.wouters@aiven.io> Wed, 31 July 2024 18:53 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDA34C14F60B for <ipsec@ietfa.amsl.com>; Wed, 31 Jul 2024 11:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N6ktY0KnjDNY for <ipsec@ietfa.amsl.com>; Wed, 31 Jul 2024 11:53:18 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 061BBC14F5FC for <ipsec@ietf.org>; Wed, 31 Jul 2024 11:53:12 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-a7a83a968ddso844356866b.0 for <ipsec@ietf.org>; Wed, 31 Jul 2024 11:53:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1722451991; x=1723056791; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6cVWDdm4IrEO7u95VqsI4b8+wC8TyPN3hibh4ON2IcM=; b=Pa1UMnN5Rpm2eLUR1gyExS2Xx4CaqvSsIbqPPyDNtNlLeCCDhW1aufl1oLiFoWMwIO wphumwvAPLBYELMjmV9DMXlSZkPPvbKcxTVRl+xuO3fYMkkoIua6pRlUUgrotejM6TZS wQKZ9oDl2vbcNwKgR9vggPKioqZYwh0+jlMmo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722451991; x=1723056791; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6cVWDdm4IrEO7u95VqsI4b8+wC8TyPN3hibh4ON2IcM=; b=eJUOmc/JQTtIpQY0EppTZyJM4cNmlbRDqDtzzAfZWg6BHMIYNHQpc8SPHv1hTj5UBG ebkFntCERQ89o6dtr1f8LAaMH2q05qgdRA7Z0co8aNpQpSVmw1CK30aRBdVmq4x/U5Eb OfskYww1w9YBkt66yaTAwT23smk8/sjT//tq1GcNYxdIkEuvcuXXlp1zJsrKRuOzWbSq nZTyvNB2w2mkwtG/lMwaXILNO3EDSGzUJ8s0z7mb2tclcPvxkqEyoGBDjaI35Jba/mh8 jGEOtbxFFYhfGl8KtTSfNrYMY0xfBjJLCFWNRFlXfJQcPn5kty8rq4splj/ulwkrvpd2 28Cw==
X-Gm-Message-State: AOJu0Yw2xQFyCGcklF5GyPNUtxzcgWBjYevO/qN16JVI6hhfdrItA/0f PbYN+rVYMjkvUXGn/OTniSXGpV/49+vngIFYt+YqEonKMcxRPtngtDljNYV4e8K/cNlf/a3jZ8H 1Ak7Lw+wVBIadzlCOSAoET3/yXqfPoucL6NTbFg==
X-Google-Smtp-Source: AGHT+IHWMzSaR4LqFK51h/+V7ffHi/DJ4cgAmikUFB/83uM+GOZ5wosVqqSZ8QpBwxpC0bzYqrLgz3GjDDxdNVE1Lhg=
X-Received: by 2002:a17:906:fd85:b0:a77:dbe2:31ff with SMTP id a640c23a62f3a-a7daf76b100mr784266b.66.1722451991051; Wed, 31 Jul 2024 11:53:11 -0700 (PDT)
MIME-Version: 1.0
References: <020701dae1b9$b6741070$235c3150$@gmail.com> <CAGL5yWY4NktSfjyEs_kGEjWAyRFtd0kncDam4YMtGwfrtbDMEg@mail.gmail.com> <02b901dae28f$9c17ff30$d447fd90$@gmail.com> <CAGL5yWZ15kkXN3zB+U4L1TwakU82wTX7-kC697_06N8msofJ2g@mail.gmail.com> <030101dae31b$c8efecc0$5acfc640$@gmail.com>
In-Reply-To: <030101dae31b$c8efecc0$5acfc640$@gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Wed, 31 Jul 2024 14:52:59 -0400
Message-ID: <CAGL5yWbeF5iuCVkotpmd5QoZuXWMymwmSw-a2CjFKjr2_b=XJw@mail.gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000001224a4061e8f9b7f"
Message-ID-Hash: ULEFQYHVBTHBGIYFZS2OSPYEEAREV5K6
X-Message-ID-Hash: ULEFQYHVBTHBGIYFZS2OSPYEEAREV5K6
X-MailFrom: paul.wouters@aiven.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipsec.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ipsec@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [IPsec] Re: Comments on draft-pwouters-ipsecme-delete-info
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/t_e2jUywn4DG7n-YhP7rJxkFLIU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Owner: <mailto:ipsec-owner@ietf.org>
List-Post: <mailto:ipsec@ietf.org>
List-Subscribe: <mailto:ipsec-join@ietf.org>
List-Unsubscribe: <mailto:ipsec-leave@ietf.org>

On Wed, Jul 31, 2024 at 3:32 AM Valery Smyslov <smyslov.ietf@gmail.com>
wrote:

> Hi Paul,
>
>
>
> (I think gmail is reaching its limits on careful quoting context, hope I
> get it all right)
>
>
>
>          I will mark my replies with this color.
>

Thanks, that was very helpful!


>
>          Will it help your debugging? I doubt.
>
>
>
> No but if it says "abra cadabra conn 'vpn-customer1-toronto-rain[4]' more
> words and words", it could already help me
>
> debugging so I know to look for my connection named
> vpn-customer1-toronto-rain, using state object 4. Obviously,
>
> this depends on implementation. But it is definitely not useless.
>
>
>
>          And what you will do with “vpn-customer1-toronto-rain[4]” at
> your side? This is the name of the connection
>
>          on peer’s side that doesn’t relate to your configuration at all
> (even more true for state object). You still
>
>          to have to call the peer and in this case the only information it
> needs is an SPI.
>

In a way, it would be like getting a selection of the peer's logging
without needing to ask the customer to ask the vendor
on how to get logging. I agree the usefulness would be depending on the
implementations and my knowledge. Logging
a SPI can be helpful, although the notify is already received under a known
IKE SPI, which is why I had not added it
as payload to the notify data, and the delete payload itself has the IPsec
SPI already.


>
>          By the way, I think that it would be more helpful to the user if
> you include “Related SPI” field
>
>          in your notify – the SPI of the SA that caused the deletion of
> this SA.
>
>          In case of INITIAL_CONTACT this might help.
>

It could be useful, but is it useful enough to add it to the structure so
every "reason" has to have a "related SPI"
field? It might be, andwould be more structural that expecting it in a
"free from field". So I wouldn't object to
adding this.

  2. The list of reasons looks to me both incomplete and excessive at the
> same
> time.
>     For example, CONFIGURATION_CHILD_REMOVED and CONFIGURATION_IKE_REMOVED
>     are not needed, since you either delete IKE SA or Child SA in a single
> exchange, so it is
>     always clear what configuration is removed and only one such reason
> would suffice.
>
>
>
> This is not about the current instance of the exchange but about the local
> configuration. It basically
>
> says "this one tunnel is no longer configured" vs "the entire config for
> the peer has been removed".
>
>
>
>          OK, this is not clear from the draft (that increases my concerns
> that without
>
>          direct (phone) contact with the peer these reason have little
> value).
>
>
>
> Yes, the notify reason basically TOLD YOU, there is an expectation
> difference between you and the peer. Maybe
>
> you forgot to pay a bill. It's a feature not a bug :)
>
>
>
>          And the bill number with the needed sum will be included into
> the reason text? J
>

No, you would do that on the next connection attempt, or else you have to
implement this twice :)


>
>
>
>
>          Can you please provide an example or give more detailed
> explanation how this can happen?
>
>          From my understanding of IKEv2 it is always known from the local
> logs
>
>          which SA is deleted as erroneous in case of simultaneous rekey.
> Am I missing something?
>
>
>
> Often when we deal with customers, they cannot produce a log on their end
> and finding reasons about their
>
> behaviour is impossible. Having the remote peer put some information into
> a delete reason payload would mean
>
> the customer's equipment does tell us a bit better why, without needing
> the remote logs.
>
>
>
>          My point was that deletion due to the simultaneous rekey is
> always clear from any side’s logs…
>
>          At least from our experience. The only case when remote logs are
> needed in this case is
>
>          when you turned off local logging…
>

We do have customers running with no logging, and even with "IP address
masking", but I think this use case would
be rare and not the main purpose of the draft.


> The point of this reason is to put the Exec Summary of that phone call in
> the payload :)
>
>
>
>          This is not really needed. The only information that is needed
> for the phone call is SPI of the SA.
>
>
>
> Not in my world. The extend of info a customer tells me about their Cisco
> failure is usually a "tunnel failed".
>
> They usually dont know how to get logs, how to enable debugging, or who to
> talk to to help with their ipsec
>
> machine.
>
>
>
>          In this case how the reason notify would help? I presumed that
> this notify is for logging purposes only
>
>          and if users don’t know how to get their own logs, then they
> cannot tell you the received reason.
>
>          Or is it intended to be displayed to the user on a UI? Randomly
> popping up?
>

We can usually tell our customers to get us libreswan logs, but not peer
logs. If the peers send back some more
information "automatically", this can help administrators. Note the use
cases I am mostly concerned about are
site-to-site type deployments and not "remote access VPN for $10/month"
retail deployments.


>           I see. It won’t help those poor who was down when the hardware
> started been replaced –
>
>          they never receive this announcement and won’t know why the
> cannot connect J
>
>
>
> Some of my customers run an RFC5685 IKEV2 redirect proxy in front of their
> servers, so this wouldn't be
>
> a problem :)   So imagine you receive a "deleted connection because IPsec
> GW being upgraded", but with
>
> 0 downtime. You redirect and the proxy redirects you. If you were down for
> a few seconds, you know what the
>
> cause was, that you not need to do anything.
>
>
>
>          Redirect would help in this case regardless of the reason code.
>
>          As a customer, I’d rather use it immediately if I need an access,
> rather than
>
>          waiting the time indicated in the reason (because it is only a
> hint J).
>

Yes of course you would automatically use the other endpoint. But now you
have your own end retrying and
failing and you don't know why. But if you look back in the logs you find
out why one of your redundant endpoints
went away,

Paul