Re: [IPsec] diet-esp - How do you know?

Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 24 May 2022 20:59 UTC

Message-ID: <bf9499e1-0533-a503-e72b-ddd6ea62835a@htt-consult.com>
Date: Tue, 24 May 2022 16:58:58 -0400
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, IPsecME WG <ipsec@ietf.org>
References: <245277bb-6d70-dbcd-b99e-badc435b9c4d@htt-consult.com> <CAGL5yWa=hjCZD912YJPWM-x_=ChTo=yULk1P5FRfkfB9Db9+Gg@mail.gmail.com> <CADZyTknARDjj=SZmstnBqxo5hJp-NzH09a6cH5Dxj3Zg7VfyAw@mail.gmail.com> <f55061a1-b1af-8ce5-7ecc-8d7ccef0ee03@htt-consult.com> <CADZyTknQSiCrBvdsnjQU8OcTCRhCOBeNW0CC10xhK6cHnD+76g@mail.gmail.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
In-Reply-To: <CADZyTknQSiCrBvdsnjQU8OcTCRhCOBeNW0CC10xhK6cHnD+76g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/v7CPs3Hkt937KdjzeBD3J8CQRLc>
Subject: Re: [IPsec] diet-esp - How do you know?

In My Highly Biased Opinion...

There should be a section on the IKE negotiation of diet-esp, 
specifically calling out how this is done.  Especially the incoming SPI 
selection.

Then there should be a section, perhaps sub-section of above, on 
incoming datagram processing to recognize a shortened SPI on the wire 
and pass it off to diet-esp processing.

I keep thinking back to when we had fun writing 2410 and one implementor 
did not get the joke and did it wrong and would not interop in null mode 
with any other product.

They were really not happy campers...

On 5/24/22 16:47, Daniel Migault wrote:
> The issue only comes when a gateway wants to support all sizes of SPIs 
> 0 - 1 - 2 - 3 - 4 bytes - which is very unlikely. For a deterministic 
> lookup, I would suggest using IP addresses and the minimum allowed 
> byte compressed SPI.
> If you use 2 - 3 bytes, the likelihood of collision might still be 
> very low to support an additional signature check.
>
> Yours,
> Daniel
>
> On Tue, May 24, 2022 at 4:30 PM Robert Moskowitz 
> <rgm-sec@htt-consult.com> wrote:
>
>     That is the 'easy' part.
>
>     What does the code do when it receives an ESP packet?  How does it
>     know that it is a diet-esp packet and apply the rules?
>
>     Next Header just says: ESP.
>
>     On 5/24/22 16:23, Daniel Migault wrote:
>>     This is correct. IKEv2 is used both to agree on the use of
>>     Diet-ESP as well as values to be used for the
>>     compression/decompression.
>>
>>     Yours,
>>     Daniel
>>
>>     On Tue, May 24, 2022 at 11:14 AM Paul Wouters
>>     <paul.wouters=40aiven.io@dmarc.ietf.org> wrote:
>>
>>
>>         On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz
>>         <rgm-sec@htt-consult.com> wrote:
>>
>>             I think there is something else I am missing here.
>>
>>             How does the receiving system 'know' that the packet is a
>>             diet-esp packet?
>>
>>
>>         https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02
>>
>>         It's negotiated with IKEv2.
>>
>>         I guess the IKE stack has to signal this to the ESP
>>         implementation on what to expect when
>>         the policy is installed ?
>>
>>         Paul
>>
>>         _______________________________________________
>>         IPsec mailing list
>>         IPsec@ietf.org
>>         https://www.ietf.org/mailman/listinfo/ipsec
>>
>>
>>
>>     -- 
>>     Daniel Migault
>>     Ericsson
>>
>
>
>
> -- 
> Daniel Migault
> Ericsson
>
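The two points argued in this thread, how the ESP receiver decides which SA (and which compressed-SPI length) an inbound packet belongs to, and how inbound SPI selection at IKE time keeps that lookup deterministic, as an added Python sketch that is not code from the thread or from the diet-ESP drafts. It follows Daniel's suggestion of keying on the address pair plus the compressed SPI with the ICV check as the tiebreaker, and generalizes to a gateway whose SAs use different SPI lengths (0 to 4 bytes) at once. Assumptions: the low-order bytes of the SPI are what stays on the wire, a truncated HMAC-SHA256 stands in for the ESP ICV, and the SA table, addresses, keys and function names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ICV_LEN = 16  # constructed: a truncated HMAC-SHA256 stands in for the ESP ICV

@dataclass
class SA:
    src: str       # outer source address the peer sends from
    dst: str       # our inbound address
    spi: int       # full 32-bit SPI agreed in IKEv2
    spi_len: int   # SPI bytes kept on the wire (0..4), negotiated per SA
    key: bytes     # integrity key (constructed)

def low_bytes(spi: int, n: int) -> int:
    return spi & ((1 << (8 * n)) - 1)

def icv(key: bytes, full_spi: int, payload: bytes) -> bytes:
    # Assumption: the ICV covers the uncompressed SPI plus payload, so the
    # receiver must reconstruct the full SPI before it can verify anything.
    msg = full_spi.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]

def build(sa: SA, payload: bytes) -> bytes:
    """Sender side: emit only the low spi_len bytes of the SPI."""
    wire_spi = low_bytes(sa.spi, sa.spi_len).to_bytes(sa.spi_len, "big")
    return wire_spi + payload + icv(sa.key, sa.spi, payload)

def choose_inbound_spi(sad: list, src: str, dst: str, spi_len: int, rng=os.urandom) -> int:
    """IKE side: pick an SPI whose compressed form is unique for this address pair."""
    peers = [sa for sa in sad if (sa.src, sa.dst) == (src, dst)]
    if spi_len == 0 and peers:
        raise ValueError("0-byte SPI: the address pair can carry only one SA")
    taken = {low_bytes(sa.spi, spi_len) for sa in peers}
    while True:
        cand = int.from_bytes(rng(4), "big")
        if cand >= 256 and low_bytes(cand, spi_len) not in taken:  # 0..255 are reserved
            return cand

def lookup(sad: list, src: str, dst: str, wire: bytes):
    """Receiver side: address pair + compressed SPI pick candidates, ICV breaks ties."""
    for sa in sad:
        n = sa.spi_len
        if ((sa.src, sa.dst) != (src, dst) or len(wire) < n + ICV_LEN
                or int.from_bytes(wire[:n], "big") != low_bytes(sa.spi, n)):
            continue  # not this SA (wrong pair, too short, or compressed SPI differs)
        payload, tag = wire[n:-ICV_LEN], wire[-ICV_LEN:]
        if hmac.compare_digest(icv(sa.key, sa.spi, payload), tag):
            return sa, payload  # only a verified ICV settles a collision
    return None
```

Two SAs on one address pair whose one-byte compressed SPIs collide are told apart only by the ICV, which is the "additional signature check" cost Daniel describes; choosing inbound SPIs with `choose_inbound_spi` avoids that cost up front.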