IETF Logo Mail Archive

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

Tero Kivinen <kivinen@iki.fi> Wed, 14 October 2020 10:19 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D7143A145F for <ipsec@ietfa.amsl.com>; Wed, 14 Oct 2020 03:19:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Level:
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.213, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xeuqViRf0cNM for <ipsec@ietfa.amsl.com>; Wed, 14 Oct 2020 03:19:12 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1041D3A145D for <ipsec@ietf.org>; Wed, 14 Oct 2020 03:19:11 -0700 (PDT)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id E6A9D1B0029D; Wed, 14 Oct 2020 13:19:08 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1602670749; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Tp9kSNzvKio6a7umKotCy1qEmIqH20ePwSxe4A3HWIY=; b=rph6pWpGk7KvRMFfKjkSsVQU6YyGY61FU25Y+dOXcqXHco8UXByxD7CLliBtcuYQqPEiqM 3ou+D2ke04gHxpLZF8jhlVL4ZE9dDqM38qZCjlWHjSg5HP+RF7Z31pIvzQOFP4cfmZXSHr vTGUZfCk4MuYCPCodeDOJ4u2mGE/5O3GjGaM+lNUsQ93YZKFW2T9xKaBFKrJj3/MzPhAX3 MviFdZTt3X2+94evtgZqwV39a8JAr++/Po6hTXusqgNynkQqIQ4mV5borXHXTt/DFGxSwR /KdVQ1I5GpkhH1/pLtoJhUZtQsnbV/n2k0mYfFKJZSzwmaKFJzLZFUnEnOZwjg==
Received: by fireball.acr.fi (Postfix, from userid 15204) id 15E7725C1739; Wed, 14 Oct 2020 13:19:08 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24454.53404.39277.731780@fireball.acr.fi>
Date: Wed, 14 Oct 2020 13:19:08 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Christian Hopps <chopps@chopps.org>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, Lou Berger <lberger@labn.net>, ipsec@ietf.org
In-Reply-To: <9A514314-DA80-4498-9FFA-22B8647D2D9D@chopps.org>
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <24453.58544.114398.668064@fireball.acr.fi> <0b080379-48c0-b4ac-c213-f8cdfefc514a@labn.net> <24454.5506.450515.501200@fireball.acr.fi> <001701d6a1f7$76981240$63c836c0$@gmail.com> <56F3A6E6-EDD6-46FA-8829-EC10FD9AD058@chopps.org> <003b01d6a200$2d70df80$88529e80$@gmail.com> <9A514314-DA80-4498-9FFA-22B8647D2D9D@chopps.org>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 14 min
X-Total-Time: 21 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1602670748; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Tp9kSNzvKio6a7umKotCy1qEmIqH20ePwSxe4A3HWIY=; b=iFrMg98gkl0AVwjDCnFzLpS70yvDqm5O+Fb0v1WvMVsoi63OhL8u71Uxgm+JNZS1NjLL0N +ZgXPAuiQjhjrnIS3i6f0ejXRLvEC4dL+870kczc9f/GWoSo1BUJhD2KDnjdfztIY585CY XgEK8tYBlXzb7HRjM+OiX9M6lUh3mBLHDui0BJus/Ds1CJU1dEVbH0yTuso52ftc2ZL5Ji PSNWeBWb8JN29we5pkm7OArrXOMy0MCcXhVLSbmmZ6lslg0J1qVkqIq3OOC/qe5bc5qbq9 9TktI39+9xuoKlN6dIqysg0bn2JiFbIwtZaAr0MKQ4yqhP2s5TJN0uolZtYIhQ==
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1602670749; a=rsa-sha256; cv=none; b=MVNTpiyTczOuoHjUkc9gMNhwsgungPYS99ksCZaudIFfFlCo4Denx2kpf4+SndMHluK0GC jVsxHhn58CO8W4VaZoW5r+X/7FiA/OR2Sfb2+Klt399rBiSfmNxX3kGmThnxP4R5XlY9hB ihKujJkKqOhw5GKw7XYyf3rbC4zPZiMei6dSoea7jYceiljTT0zIAy49xTYhDDaT0oiLhG lcTEE1Mmcb0Hi/FmCB2r6i8FW1/SyCuihxFB/SDpJNnUAoDztsWjf0HZo6JOOtpHcpWLlO hQSy+n8cbMHnpl0uZqYLZNA/lwYpuTz8OmAff9H1uto2jwvY8lKwIjAF6nQXUg==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/vRRKGUYXriPK6XFi2exGt66gsG4>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 10:19:14 -0000

Christian Hopps writes:
> What is intended is that an implementation can process inbound IPTFS
> payloads w/o actually explicitly configuring the inbound SA to be in
> "IPTFS-mode" (zero-conf). That is all. 

And if IKE is used what is the use case for that?

IKE allows easy way of agreeing on the set of parameters for each
IPsec SA, and agreeing on the mode of the encapsulation is one thing
it already does. It does negotiate whether the IPsec SA is in tunnel
or transport mode, and for my view the IPTFS is just one more mode for
that, i.e., something that can be negotiated when IPsec SA is created
using IKE, and then that encapsulation mode is used. There is no need
to know or do that per packet basis.

In theory in recipient we could detect tunnel mode by looking at the
next header field of the inner packet, and if we see it is IP inside
the packet, then we would assume it is tunnel mode, and enable tunnel
mode processing. We do not do that, we do negotiate whether the IPsec
SA is tunnel or transport mode and create IPsec SA either in tunnel or
in transport mode.

Earlier there was also another encapsuluation mode called a Bound
End-to-End Tunnel (BEET) mode for ESP [1] that was also proposed, and
in that case it would have been impossible to detect the mode from the
incoming packet, as lots of the information needed to reconstruct the
end to end IP header is stored in the SA.

Anyways we do store things in the IPsec SA when we create them, we do
have negotiation mechanism to agree on those parameters and we can use
them, we do not need to process things per packet basis. 

[1] https://tools.ietf.org/html/draft-nikander-esp-beet-mode-09
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email