IETF Logo Mail Archive

Re: [IPsec] [Lwip] Paul Wouters' Discuss on draft-ietf-lwig-minimal-esp-08: (with DISCUSS and COMMENT)

Tero Kivinen <kivinen@iki.fi> Wed, 20 July 2022 20:20 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE3D6C14F722; Wed, 20 Jul 2022 13:20:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.11
X-Spam-Level:
X-Spam-Status: No, score=-7.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z8wH5wTBdP5N; Wed, 20 Jul 2022 13:20:20 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C72C14CF16; Wed, 20 Jul 2022 13:20:19 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 48F751B001C6; Wed, 20 Jul 2022 23:20:15 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1658348415; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iY3Mi5xDXFQubGpNEVRAP9GBN0cOM3BVh0xIJlqw7JY=; b=vb0tbXbrfeR5golzz0WtdXzOBOxtD6GUKltYHGVp6ZuPkX+73PAaFHA744PW1T3dsbl53A bn6q0E3hPOB34YfUgmdrhUrVMatuP2vs+M6OH8VoF1npxo6AmyrJqdJC5YLYDSpCPrvzw8 wGSMhsyMKgP/PyWP+Kpzp0JIk7JFAxLVAZ0jmftRzUCzfv2/OpEX35WzTfyPQUUIt2HISD qq4Us7t0oLELXFAcBhhfeMz1AZpdkTOllVUZnjeZwdDNUR1xCgOM0iVyP2tWqveAh7A9j9 aoChbtsO994rTPTbDvDR42NAkIJa+u0VEVrkJL72oFYaa/htmoCNqS4PCT0PLQ==
Received: by fireball.acr.fi (Postfix, from userid 15204) id C192E25C12EE; Wed, 20 Jul 2022 23:20:14 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25304.25470.721165.962712@fireball.acr.fi>
Date: Wed, 20 Jul 2022 23:20:14 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Cc: Daniel Migault <mglt.ietf@gmail.com>, The IESG <iesg@ietf.org>, lwip@ietf.org, Mohit Sethi <mohit.m.sethi@ericsson.com>, draft-ietf-lwig-minimal-esp@ietf.org, lwig-chairs@ietf.org, IPsecME WG <ipsec@ietf.org>
In-Reply-To: <a6ce149c-293f-9a46-86a5-964d71fe4b3@nohats.ca>
References: <164919648646.8778.6947253487684946962@ietfa.amsl.com> <CADZyTkkdXs8tJu_J5M_Yb-VC2SbSECLen_igUrGVGtrNFng6QA@mail.gmail.com> <CAGL5yWb5oaridQzFdxoWQdieNxDb=pOB_5sMCBM+HdgCsn_NeA@mail.gmail.com> <CADZyTkk616G+U5323wBXhR35K=FojD2+V_L5UEv-=6Xzz-A4Tw@mail.gmail.com> <CADZyTkkw1h9F9pDrAYgQDOQ-BCwiezocMba4H3WUh9qvavmRYA@mail.gmail.com> <c07734f1-e33c-5aa6-92fd-24938298f3ba@nohats.ca> <CADZyTk=kRGEA3BTMz05uNQbbEgXQT+TTQ0C9-o0FFtK3ny5+oQ@mail.gmail.com> <a6ce149c-293f-9a46-86a5-964d71fe4b3@nohats.ca>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 7 min
X-Total-Time: 7 min
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1658348415; a=rsa-sha256; cv=none; b=q99X5luyn8wKCmHPOIcSfL3IGTO1dJQI/aRRftuXe9mMRi6WjMDu3K2RU2EjfKR+nJVR4/ VZLaUBGUAICIaM+j3yW+U2LmZAQvehz7r9/7lVLLum81Ii/8D5IZdh6XR6OaE4Akek9+Sl cmm2RXkCqWVezZ2UZh8drZWSySwOmOUG2M43y44dfIyqKtrx3t/obUcNFwehO2+uhkJt41 ImrcxGdR6dgZ4ijBDppHypXtcUftDp7wlH0kVLiyqoOQHcXp6aR1DW8TKhccmCfJZFaJAu c4g9/jK35jSnuS6h5im7nsQYT8g4cNPA+A59/Lp6qSxf4mM9+TfnvMFl//aP0A==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1658348415; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iY3Mi5xDXFQubGpNEVRAP9GBN0cOM3BVh0xIJlqw7JY=; b=A8fyDDkh2IWGhtkFKda6LvikvFLPgHsGJtyRddwfRJ9AQQu291vF6F6e2LBp0oUSQQhsJ8 TrHVJ2n+u6CWf+fEHNyaXkV32YzsPVmXJ8qQcCiJfTo2Q8TMnDU0zxLDkusMrJmFxC4k9x YqG0eWM09dOokyIyYMYxk+pSAEQsfJ7aM+ttcYmrZPjnVpMilXueO/dI4E8K7nkIEDfMKE kgCF5lV3gVYqOg7NhANlyVReM8b/MxXmAgq9egMKcfzRqTWn6NkaPbMNU1ZvTWDZ4UaFC2 BpZqxaUnXMDD9qaH0AJSWG+adPm79kn1gOHfFwBvyJACUDpv6niMe89k/RMTjg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uPP-sDe4LdQMO2dsNM9iH4reaxw>
Subject: Re: [IPsec] [Lwip] Paul Wouters' Discuss on draft-ietf-lwig-minimal-esp-08: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2022 20:20:22 -0000

Paul Wouters writes:
> >       The sequence number discussion mentions the issue of packets falling
> >       out of the receive window. We talked about an IKE option/notify to
> >       signal this and during that discussion it also came to light that this
> >       protocol is going to be used without IKEv2. This leaves an
> >       interoprability unaddressed.
> > 
> > I do not see any mention of IKE option and SN, but maybe you can
> > refresh my memory. 
> 
> Without signaling that this is going to use large jumps in the SN, the
> other end would drop packets outside of its replay window. If there is
> no IKE, how is the peer going to know about this? eg you write:
> 
>     Note that standard receivers are generally configured with
>     incrementing counters and, if not appropriately configured, the use
>     of a significantly larger SN than the previous packet can result in
>     that packet falling outside of the peer's receiver window which could
>     cause that packet to be discarded.

I think this description is incorrect. Any kind of jumps in the SN
will NOT cause any packets to be dropped unless there is reordering
happening between the incoming packets.

It you are using the time based sequence numbers then the difference
between sequence numbers will be large if there has been lots of time
between two packets, and reordering which causes one packet to be
delayed for that long is uncommon.

I.e. if properly implemented IPsec implementation gets sequence
number which is much larger than previous sequence the recipient will
simply move the replay window there and will drop only frames which
has old sequence numbers that are older than this last received
sequence number - replay window size.

To receive such frame would require reordering of frames, and to cause
issues the delayed frame needs to be delayed for time based sequnce
number interval * replay window size.

This all of course assumes that the sequence number is not trying to
jump forward more than 2^31...

> What you wrote is "this is a problem". Instead, I think you should state
> something like "Using time based SN should only be used when it is known
> that the remote peer supports this or when it is known that anti-replay
> windows are disabled".
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email