Re: [IPsec] diet-esp - How do you know?

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 24 May 2022 15:31 UTC

IronPort-PHdr: A9a23:5ixj4hUE214M73N7+linJR8xwjHV8K36AWYlg6HPw5pCcaWmqpLlOkGXpfBgl0TAUoiT7fVYw/HXvKbtVS1lg96BvXkOfYYKW0oDjsMbzAAlCdSOXEv8KvOiZicmHcNEAVli+XzzMUVcFMvkIVPIpXjn5j8JERK5Pg1wdYzI
IronPort-Data: A9a23:L3b6Na6LlOukneG3toDxVwxRtObFchMFZxGqfqrLsTDasY5as4F+vmpKWDjSb/eDM2Hyf9Enb9uzphlT6p7Ry4AyTVFppXpgZn8b8sCt6fZ1gavT04J+FiBIJa5ex512huLocYZlFxcwmj/3auK79SQli/nRLlbBILes1h5ZFFcMpBgJ0XqPq8Zh6mJZqYDR7zGl4LsekOWHULOR4AOYB0pPg061RLyDi9yp0N8QlgRWifmmJzYynVFNZH4UDfnZw3cV3uBp8uCGq+brlNlV/0vD9BsrT9iiiLu+KxVMSb/JNg/IgX1TM0SgqkEd/WppjeBqb7xFNRk/Zzahx7idzP1Wu5itSR0kJIXHmf8WVF9TFCQW0ahuoeefcCbv6p3OkCUqdFOpmZ2CFnoePJUD9+1fAGxS+7ofMj9lRgqMgqetzbmTSvVww88kKtL2OJ9ZsXZlpRnBBOsiB4/EXrnH/8QNgG85h95DG7DfYOIVbDN1Z1LBbgFBfFANB/oDcE2A7pXkWydTpFTQrq0t7i2KlEp60aPmN5zefdnieCmcpW7AzkquwogzKk1y2ASj9Ae4
IronPort-HdrOrdr: A9a23:XWfon6g2JpqWA5wENpbQvCVwwHBQX2513DAbv31ZSRFFG/FwyPrBoB1L73DJYWgqNE3IwerwRJVpQRvnhPpICPoqTMiftWjdySeVxeRZjLcKrAeQYxEWmtQtt5uINpIOdeEYbmIKwvoSgjPIaOrIqePvmMvD6IeurEuFDzsaEZ2IhD0JbTpzZ3cGPTWucqBJcqZ0iPA3wgaISDAyVICWF3MFV+/Mq5ngj5T9eyMLABYh9U2nkS6owKSSKWnX4j4uFxd0hZsy+2nMlAL0oo+5teug9xPa32jPq7xLhdrazMdZDsDksLlVFtyssHfpWG1SYczBgNkHmpDr1L/sqqiJn/4UBbUx15oWRBDznfKi4Xin7N9k0Q6d9bbRuwqTnSW+fkNiNyKE7rgpKScwLCEbzYlBOetwrhKknosSAhXakCvn4d/UExlsi0qvuHIn1fUelnpFTOIlGfRsRKEkjQpo+a07bWrHAUEcYZ1TJdCZ4OwTfUKRbnjfsGUqyNuwXm4rFhPDRkQZoMSa3zVfgXg8liIjtYEit2ZF8Ih4R4hP5uzCPKgtnLZSTtUOZaY4AOsaW8O4BmHEXBqJOmOPJlbsEr0BJhv22tTKyaRw4PvvdI0DzZM0lpiEWFREtXQqc0arEsGK1I0jyGG6fIx8Z0Wb9ihz3ekKhlSnfsuZDcSqciFar/ed
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, Robert Moskowitz <rgm-sec@htt-consult.com>
CC: IPsecME WG <ipsec@ietf.org>
Thread-Topic: [IPsec] diet-esp - How do you know?
Thread-Index: AQHYbkNfaOb3j8nuIUiGuLMrFfhyx60uJScAgAADCNA=
Date: Tue, 24 May 2022 15:30:54 +0000
Message-ID: <CH0PR11MB5444CB9D09A4C0E638D948F5C1D79@CH0PR11MB5444.namprd11.prod.outlook.com>
References: <245277bb-6d70-dbcd-b99e-badc435b9c4d@htt-consult.com> <CAGL5yWa=hjCZD912YJPWM-x_=ChTo=yULk1P5FRfkfB9Db9+Gg@mail.gmail.com>
In-Reply-To: <CAGL5yWa=hjCZD912YJPWM-x_=ChTo=yULk1P5FRfkfB9Db9+Gg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: /qbB0BDbTRFoYxNW9TiO6Sp4Wx4/dymwPa5JMyJ18S7FYgU85rNr1JalNtoX9p4qSDsL3uNnzPbF9vmGKFmQU+6K3WHULvDJyfVlMRjSqR1mjQxbaotI4bV3EPS/nsDacJ86b5Tg62BGBzsc13WL+hQujcyW4AjB+zI3kvh5MTc6htnhf9c4KKToTfS7+HklAHc6Oeqy8oQatc8ZvcilPeY/h3lObSmNQRHKy8/lk2EZ/Ed0XGXGJlYR8bwTZQTbjRB3aUwWwhZYjNMNaFMe4TlSIIxkRxXjB099NrCQ84jAp02WJYTue5zyNtfczsXkwwSUNxnGjF8YwgGAl61Yau4Z57OIoyYuknj8JS3h434pcZhxfdtKuh08+C8H/k+h36Jy7THYZ2o9ENlMW7z/NO2F2WynTeEE4+g5PLtD/qlvQ8pygSFhSH/rsQEG8b6G1sL0YAgJGs4yIx/pFLSE9ilFX8dobhYY6yO3mdUQyswVFy+5K7e1m90YqbXFXuq+eaSyjbxV+xXYbd+9QaR/JfaRY65X3jnxlpV9fY0eo9epQB7bX1Q05XzTKWZawbx80A/0XpStxf5Lc5mURrm1/6cTGNOoNv7PNZOaaiTNLUGw3lkZdEbh3kJ+fm2Q5rhVfoGvjXDz+4r1o5rcIwyYuh9LZCDmlHIMyWYW7LvxPcfbtBmtn6TMz7l4E7c6xYvGe5E0bYXs1E/1PR9bSSUX43CLAlywOE3gmnbLDlaWqR52iXIHR3kMSeDqIgWTl/Wi+DsdicuyAur/1xS8Mo51TWE/HPLEgFnFZmK+hOiB07dLlrptYth+0W98a3gKd9d9H9sVyDPuloX1HNQvmaWf8lffcUcSV18MGbW7fOBK6XOGq88BNHhWi1X7SZtknhzFyo5z1+YNDtHrcMhh/aQgO4vXN93N4exNc/tcKjixppXVkd0SVZjbc91KHurmChEhq4Xo7e/OVplb72cG19mru3SFX+GVfA6Hfn6JCcBzEvRXj/8jS78AoEhh+ljsarRpz2Ll4QD1mZqO6IsetkaJ5dlFujaLG3u+0YnOYNi5DslDK5bEFD1l9xI4JPlfI+i1VqSoUTfFHy7mO8PG2pDF9cy0iDx5Vt7kaKTfvt3QYcwDbiKxBmR1f69oALTnq1jRKX3vuj/J/NRy8kkEhJNE+THaLHHsKymJud9iREECTfIIwsZwpyUbV1NCp44sAY5Sj631smCLMs4+QjXKwkCz5MMwscwuu8Y6pMqFnu3kjbcFH1XbrYhgxaFLmqzMR0+VwGP7H04BbgtjnNNh+CoQEndoSOCysMsAdEM5BKa1wo3Um/Aa3ffHjB6by00DHme1rAT4IXf1RMFt9ILU39n+6BX+yHqmV7a+69T0v0HW3eKmlTPhtR+yt0jfGjbXDTMaufm5Ski8cEmMMQtlFwS07ZIHJLZQ3zNdAzcPnlsmYay328iph+g4Jxfy4l6JWgQbImNI03M8IfckJgQi8EaN6Xy8x4CpLQRDRRBjFZroZ28q4DPkZS8qP4VOTIJeLMddrjjZwfO/h2KXQkqMzLsPxIoQiAquYNlOpIc3Jc3fYH/O0C2idJS+1nAqSfwS3W+F1F+HjoO/lAwZ6cRHMwo0Ijp1W2uUlM3eoFlZbNxd2kWmLRE57w3Y7pNaus0gS+npmeIdX6s+Mclc8fG3UnJyva45xfZjjHsuZAUkc1WRx5zTqtIJIchapD+8Tf0qB9jbEktec4DaQTgFmyIVCqh8GA==
Content-Type: multipart/alternative; boundary="_000_CH0PR11MB5444CB9D09A4C0E638D948F5C1D79CH0PR11MB5444namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5444.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0eb6485d-d7e0-4a5e-a824-08da3d9a6441
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 May 2022 15:30:54.2472 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DD1bQ61hWlCg3asg9O533gCX8BXcCFzC0EpqCX422wXn//S2t7/V1OJMwP+37l5fvP7FETiW6nj3+xDjJM5+YQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3667
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.227.253, xfe-rcd-005.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uN6YwIvMnLCH7xrIZqC3pP_qaqQ>
Subject: Re: [IPsec] diet-esp - How do you know?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2022 15:31:01 -0000

I believe that the question is “when someone receives an IPsec packet, how do they determine the SA, assuming that they have negotiated both standard SAs (with 32 bit SPIs), and diet-esp (with shorter SPIs).”

My initial assumption was that, as the receiver picks its incoming SPIs, that they pick them to allow unambiguous lookup.  For example, if a diet-esp inbound SA has an 8 bit SPI of 07, that means that the implementation ensures that it does not have any standard inbound SAs with SPIs of the form 07xxxxxxxx.

It might not be totally unreasonable if the diet draft spelled out a method for achieving this…

From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Paul Wouters
Sent: Tuesday, May 24, 2022 11:14 AM
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] diet-esp - How do you know?

On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz <rgm-sec@htt-consult.com<mailto:rgm-sec@htt-consult.com>> wrote:
I think there is something else I am missing here.

How does the receiving system 'know' that the packet is a diet-esp packet?

https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02

It's negotiated with IKEv2.

I guess the IKE stack has to signal this to the ESP implementation on what to expect when
the policy is installed ?

Paul

[IPsec] diet-esp - How do you know? Robert Moskowitz
Re: [IPsec] diet-esp - How do you know? Paul Wouters
Re: [IPsec] diet-esp - How do you know? Scott Fluhrer (sfluhrer)
Re: [IPsec] diet-esp - How do you know? Robert Moskowitz
Re: [IPsec] diet-esp - How do you know? Daniel Migault
Re: [IPsec] diet-esp - How do you know? Robert Moskowitz
Re: [IPsec] diet-esp - How do you know? Daniel Migault
Re: [IPsec] diet-esp - How do you know? Daniel Migault
Re: [IPsec] diet-esp - How do you know? Scott Fluhrer (sfluhrer)
Re: [IPsec] diet-esp - How do you know? Robert Moskowitz
Re: [IPsec] diet-esp - How do you know? Daniel Migault
Re: [IPsec] diet-esp - How do you know? Daniel Migault
Re: [IPsec] diet-esp - How do you know? Robert Moskowitz
Re: [IPsec] diet-esp - How do you know? Daniel Migault