Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps
Eric Rescorla <ekr@rtfm.com> Sun, 19 March 2017 18:47 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BBE71292FD for <ipsec@ietfa.amsl.com>; Sun, 19 Mar 2017 11:47:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VcSO7YmkKLfx for <ipsec@ietfa.amsl.com>; Sun, 19 Mar 2017 11:47:08 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3327E126C0F for <ipsec@ietf.org>; Sun, 19 Mar 2017 11:47:08 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id o4so78727830ywd.3 for <ipsec@ietf.org>; Sun, 19 Mar 2017 11:47:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2++ecyVBg4v7NjpcABJkheRtEU5ZuAVa8iZr06PGvzg=; b=GKMpG/WBJ0sAHNQQPFuwyO1Sh4Swi7iWj3HlmqU2NsCtvHFbpdRv444APOzZ3Fe9bD xzxN34Fz08/etrSiBwIcz3NfZfcoe1FJq7zwy7FQEjr78Q4h4qU8stvlAiBzVS2N4+TX l2pQUF9uNnZMS1OCXNdd3Rn1DwM1yJq9atOYLADt5rg1wmMQEJ4zdLAo7hPHEHB/EGQt f1xKPmh/7TQyPWMC6I+EJIZSC5YJ47rKbjNrk7ydZ59BumKGyZguAfWlv2RNYzW23h7S jtErbQdUP9ZKpiwE6L7a9XIXwmlVPdbDIhMiHjIXglAwfZ7Ihg266Hstg4XjRVvR22H+ NXIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2++ecyVBg4v7NjpcABJkheRtEU5ZuAVa8iZr06PGvzg=; b=S8BzZHXqv0WTCosn4H6CnGtHCSMa4sofgGa/mH7VgqacrOoAvjZfx60qn7cQNwAoKP Ee3w3fc4AQve4Jjuvdgqxcf/DEKlvxSE/PMPX0IrfwxtSTLLBjCB6Rca1mpre/XxP1ua Nc8p82g15MvqY/Wh+l77dbcmKJTb0XkleGPQnjkWBskoASoPo3FLAuJyarzEZDqHXWNi 92h0jFipeB73+IK+UzaVl3aLmQWK6l5OnA1XHz/tPKBKiY0PNreTxBBHr9tsjAnnDskZ XxkZV15Q1oFM9BIOonkEB9Uaff0gnPI/oSrZdpUG8HwrJadf54ocWxv/MQSOGDacnDSa 7XTw==
X-Gm-Message-State: AFeK/H09jaeFJ/h9xzV5OmlGLayf73DPIrMPqbzb/5ll1KGZupd/Vu0nLeffcuuCJ/acvLgH9lx6kKzI9OdW2Q==
X-Received: by 10.129.92.84 with SMTP id q81mr11971974ywb.87.1489949227554; Sun, 19 Mar 2017 11:47:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Sun, 19 Mar 2017 11:46:27 -0700 (PDT)
In-Reply-To: <D2E36F6D-C467-4CD7-8180-493FA82D36FE@apple.com>
References: <CABcZeBPMR9m8zPdhG4Bc3DHWj9UmVq22Z7G4ApYjBGJeC7MU=A@mail.gmail.com> <A5D592C8-AEE0-4675-88AE-0064FD52B49B@gmail.com> <CABcZeBPiZmWBJEW5PYFDafS_v3dumEkS285MAifme85-ziu=ig@mail.gmail.com> <08CAB6F1-EA5C-4FA6-A9E9-1D7A87997470@apple.com> <CABcZeBM-83Q-j=VEQahJPer4w=Cve1h2seJRquZsrdhnXj1JqQ@mail.gmail.com> <D2E36F6D-C467-4CD7-8180-493FA82D36FE@apple.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 19 Mar 2017 11:46:27 -0700
Message-ID: <CABcZeBMtLj6aZEYZQXH6RaTKO0H0LEu8+B=EHKEAtC_2vFK7Fg@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: Yoav Nir <ynir.ietf@gmail.com>, ipsec@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org
Content-Type: multipart/alternative; boundary="001a114d8570712fc9054b19d6a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uRC449dLMlpSCw6Xc1dkyP3FaWc>
Subject: Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Mar 2017 18:47:10 -0000
Thanks for the explanation... -Ekr On Sun, Mar 19, 2017 at 11:45 AM, Tommy Pauly <tpauly@apple.com> wrote: > Some servers may support that, but some may not. These sessions are often > used for VPN access, and we've seen cases in which a particular > user/certificate combination is only allowed to be connected > once-at-a-time. That makes switching more complicated. Also, since the > recommendation is to try sending the UDP first packet at least twice, the > amount of time required for the user to wait before the fallback would kick > in is only on the order of a few RTT. > > I think if these session were more likely to be used for user-interactive, > short-lived connections, I'd see more value in a nuanced racing algorithm. > However, we often see IKE brought up in the background and stay associated > for a very long time, making the protocol that wins the race more > important, and the time to wait to establish slightly less important. > > Thanks, > Tommy > > > On Mar 19, 2017, at 11:40 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > I haven't fully thought this through, but if yu can switch-hit between > TCP > > and UDP, > > why can't you just race the setup between TCP and UDP and then if you > start > > getting packets on UDP, cut over to that. > > > > Maybe I'm just too influenced by ICE :) > > > > -Ekr > > > > > > On Sun, Mar 19, 2017 at 11:25 AM, Tommy Pauly <tpauly@apple.com> wrote: > > > >> > >> On Mar 19, 2017, at 6:47 AM, Eric Rescorla <ekr@rtfm.com> wrote: > >> > >> > >> > >> On Sat, Mar 18, 2017 at 11:29 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: > >> > >>> Hi, Eric. > >>> > >>> On 19 Mar 2017, at 4:04, Eric Rescorla <ekr@rtfm.com> wrote: > >>> > >>> [Now with the right address] > >>> > >>> I just finished reading this document. Some comments below. > >>> > >>> > >>> - You have a uniform 16 bit length field followed by a 4 byte all-zeros > >>> sentinel value to indicate that a packet is IKE rather than ESP. > >>> Given that in S 3 graf 2 you have a SHOULD-level requirement > >>> to use typical UDP payload lengths, why not instead explicitly > >>> limit lengths to 15 bits and use the top bit to indicate IKE versus > >>> ESP. This would be slightly more efficient and seems simpler. > >>> I suppose that the counterargument is that IKE over UDP behaves > >>> differently, but in terms of implementation, that doesn't seem like > >>> much of an argument. > >>> > >>> > >>> Another counter-argument is that we sometimes need the entire > theoretical > >>> length of a UDP packet. The IKE_AUTH messages typically carry a > certificate > >>> chain and sometimes even a CRL. And there is no way to split a > certificate > >>> chain over several messages. With remote access VPN you also get a CFG > >>> payload with configuration information that can also encode an > unbounded > >>> amount of data. So I would not want to constrain the certificate chains > >>> that we are able to send any more than the IP packet length already > does > >
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Valery Smyslov
- [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Yoav Nir
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Yoav Nir
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Valery Smyslov
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Yoav Nir
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Tommy Pauly
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Tommy Pauly
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Eric Rescorla
- Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-en… Paul Wouters