[IPsec] Re: Comments on draft-pwouters-ipsecme-delete-info

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 31 July 2024 07:32 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88E14C14F73E for <ipsec@ietfa.amsl.com>; Wed, 31 Jul 2024 00:32:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id is46kguoiYwn for <ipsec@ietfa.amsl.com>; Wed, 31 Jul 2024 00:32:26 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8240AC14F6B5 for <ipsec@ietf.org>; Wed, 31 Jul 2024 00:32:26 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id 2adb3069b0e04-52ed741fe46so6096421e87.0 for <ipsec@ietf.org>; Wed, 31 Jul 2024 00:32:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722411144; x=1723015944; darn=ietf.org; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=oBYpP0oaEdyTvHata00gKsF/KKORsZgLA26yK9MNx0U=; b=k3pUg88mL0QyegHr4sIFGXAQVTLR1BRBZ4WKZR4FGM4c5ab6C3O6fq+Jnc4alAS80X 6aQQNbAw1NDVAEsG6QBCuf05OlEMbv/VyQuWw0OQm/Sa8s7jHz3+t6RlpgUqe8idW2JZ 3p+O3VVUqoh/ZCm2YD7n469oLSLKCdWK7QeJKGOSybUnlRWMDfMUCu+zrO641fCSfIIQ SbD/Lf4oMrQ583ekZ9DbwJpgrqHduxzfG79vrwEDx8sogY5RG1/duWceLuUEUbHrDKkE ggos6AmF6eyrCT6ZoSWkP/3L3c/Tuf4vu2aeFiFBXwQjzioGwQX4E89/9T5LIQkkX5HJ aytA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722411144; x=1723015944; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=oBYpP0oaEdyTvHata00gKsF/KKORsZgLA26yK9MNx0U=; b=dLjw6o3PBizHGCDzAomCA7mR0J2JzbHSUzetDV2wD3MHTJLhkGGr6OXDVDyt3woW/6 FabANnB+Jr1vlV2gLFUVOYiDWTictfJqrmjR6anzSMoQfibXQ6/QLoe2Z16md8gnn+Dd 7y4i/bv2E5VfLy+aJgsrK+YHqng7utSnUMsHso2rMr9C9KIHRdRRpKEZ+F9eJcT/AJAw QRCBefUGMXUd7f//FM06y9jxgssRCiWXd2ljdL7xb85X3zWYx1naGqTIUGHbugN+piYk esifYtemZOQcsOyQtXsIYQ/z+mGt5QpuUF5zIdkix38fMERN0yjXgane6PX+ks+FqM2i 4QXA==
X-Gm-Message-State: AOJu0YyxwrE5UvVK4xyEll0wjmAVQTO5zZX+uaeHGCljb0u8knGTHkIz UyzGjrSyjor4mtwqhrzkfqbg5ECmykK8YhIUTMGYhCA3vH6vkQZ56K1mWw==
X-Google-Smtp-Source: AGHT+IFXRB/7Rruj5P7hfmOKz5brDxeDDHhaMH2a30BmBLaR+wJT7rPZYlBLNY96OzueT0S5NYueOw==
X-Received: by 2002:a05:6512:3193:b0:52c:818c:13b8 with SMTP id 2adb3069b0e04-5309b269b92mr10525710e87.4.1722411144173; Wed, 31 Jul 2024 00:32:24 -0700 (PDT)
Received: from BuildPC ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-52fd5c2be29sm2129484e87.249.2024.07.31.00.32.23 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 31 Jul 2024 00:32:23 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul.wouters@aiven.io>
References: <020701dae1b9$b6741070$235c3150$@gmail.com> <CAGL5yWY4NktSfjyEs_kGEjWAyRFtd0kncDam4YMtGwfrtbDMEg@mail.gmail.com> <02b901dae28f$9c17ff30$d447fd90$@gmail.com> <CAGL5yWZ15kkXN3zB+U4L1TwakU82wTX7-kC697_06N8msofJ2g@mail.gmail.com>
In-Reply-To: <CAGL5yWZ15kkXN3zB+U4L1TwakU82wTX7-kC697_06N8msofJ2g@mail.gmail.com>
Date: Wed, 31 Jul 2024 10:32:22 +0300
Message-ID: <030101dae31b$c8efecc0$5acfc640$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0302_01DAE334.EE3F95C0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKTXxMcsL+OEoqUquj1O3JZgb5E3gFcW1jiAZzcA6wC1ygAWLBw6jLA
Content-Language: ru
Message-ID-Hash: YKCJQQFMITA4KMO3F2BZN2RVIWUWDF5X
X-Message-ID-Hash: YKCJQQFMITA4KMO3F2BZN2RVIWUWDF5X
X-MailFrom: smyslov.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipsec.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ipsec@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [IPsec] Re: Comments on draft-pwouters-ipsecme-delete-info
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uxO0IXVEic8ZArh1y68n3A0q8bg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Owner: <mailto:ipsec-owner@ietf.org>
List-Post: <mailto:ipsec@ietf.org>
List-Subscribe: <mailto:ipsec-join@ietf.org>
List-Unsubscribe: <mailto:ipsec-leave@ietf.org>

Hi Paul,

 

(I think gmail is reaching its limits on careful quoting context, hope I get it all right)

 

         I will mark my replies with this color.

 

 

         As I wrote in the message to Chris, if we use any human-readable text in the protocol,

         then we MUST support multiple languages to be compliant with BCP18 (RFC2277, Sections 4.4, 4.2).

         This is what “Typical ART Area Issues” page (https://wiki.ietf.org/group/art/TypicalARTAreaIssues) 

requires to check when doing ART review. I really don’t want to open this I18N can of worms L

 

         And in this case the text won’t always help much. Will you understand what is happening if I send you:

 

Сервер отключен для пусконаладочных работ, включим после дождичка в четверг

 

         Will it help your debugging? I doubt.

 

No but if it says "abra cadabra conn 'vpn-customer1-toronto-rain[4]' more words and words", it could already help me

debugging so I know to look for my connection named vpn-customer1-toronto-rain, using state object 4. Obviously,

this depends on implementation. But it is definitely not useless.

 

         And what you will do with “vpn-customer1-toronto-rain[4]” at your side? This is the name of the connection

         on peer’s side that doesn’t relate to your configuration at all (even more true for state object). You still

         to have to call the peer and in this case the only information it needs is an SPI.

 

         By the way, I think that it would be more helpful to the user if you include “Related SPI” field

         in your notify – the SPI of the SA that caused the deletion of this SA.

         In case of INITIAL_CONTACT this might help.

 

 2. The list of reasons looks to me both incomplete and excessive at the same
time.
    For example, CONFIGURATION_CHILD_REMOVED and CONFIGURATION_IKE_REMOVED
    are not needed, since you either delete IKE SA or Child SA in a single
exchange, so it is 
    always clear what configuration is removed and only one such reason
would suffice. 

 

This is not about the current instance of the exchange but about the local configuration. It basically

says "this one tunnel is no longer configured" vs "the entire config for the peer has been removed".

 

         OK, this is not clear from the draft (that increases my concerns that without

         direct (phone) contact with the peer these reason have little value).

 

Yes, the notify reason basically TOLD YOU, there is an expectation difference between you and the peer. Maybe

you forgot to pay a bill. It's a feature not a bug :)

 

         And the bill number with the needed sum will be included into the reason text? J

 

 

         Can you please provide an example or give more detailed explanation how this can happen?

         From my understanding of IKEv2 it is always known from the local logs

         which SA is deleted as erroneous in case of simultaneous rekey. Am I missing something?

 

Often when we deal with customers, they cannot produce a log on their end and finding reasons about their

behaviour is impossible. Having the remote peer put some information into a delete reason payload would mean

the customer's equipment does tell us a bit better why, without needing the remote logs.

 

         My point was that deletion due to the simultaneous rekey is always clear from any side’s logs…

         At least from our experience. The only case when remote logs are needed in this case is

         when you turned off local logging…

 

The point of this reason is to put the Exec Summary of that phone call in the payload :)

 

         This is not really needed. The only information that is needed for the phone call is SPI of the SA.

 

Not in my world. The extend of info a customer tells me about their Cisco failure is usually a "tunnel failed".

They usually dont know how to get logs, how to enable debugging, or who to talk to to help with their ipsec

machine.

 

         In this case how the reason notify would help? I presumed that this notify is for logging purposes only

         and if users don’t know how to get their own logs, then they cannot tell you the received reason.

         Or is it intended to be displayed to the user on a UI? Randomly popping up?

 

 

         I see. It won’t help those poor who was down when the hardware started been replaced – 

         they never receive this announcement and won’t know why the cannot connect J

 

Some of my customers run an RFC5685 IKEV2 redirect proxy in front of their servers, so this wouldn't be

a problem :)   So imagine you receive a "deleted connection because IPsec GW being upgraded", but with

0 downtime. You redirect and the proxy redirects you. If you were down for a few seconds, you know what the

cause was, that you not need to do anything.

 

         Redirect would help in this case regardless of the reason code.

         As a customer, I’d rather use it immediately if I need an access, rather than

         waiting the time indicated in the reason (because it is only a hint J).

 

         Regards,

         Valery.

 

Paul