IETF Logo Mail Archive

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

Tommy Pauly <tpauly@apple.com> Wed, 26 April 2017 21:29 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43CD0128B91 for <ipsec@ietfa.amsl.com>; Wed, 26 Apr 2017 14:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XVFWLF-2G76N for <ipsec@ietfa.amsl.com>; Wed, 26 Apr 2017 14:29:18 -0700 (PDT)
Received: from mail-in23.apple.com (mail-out23.apple.com [17.171.2.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDCF41279EB for <ipsec@ietf.org>; Wed, 26 Apr 2017 14:29:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1493242154; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=cQR2+L9NFydO/ElpWXdtiHU9+IDxxM3GnaZ4RIZJQ+4=; b=4XtTXLvDXQXppsG1YGVsDFCVrN0KWCPaMdTwQUwRrBAfRovPUE/JXaPLwOwdXjbY YSi4jCxEzBB6c3w9a1TxmVSLZJW4prJAWxSo9UqM0TsixbJFsVooaJQYYjhCSCg9 O6056zfC3+nVkpgOLSJxM5nj4EDJEN71MIlATx+CKaRnoS09s76EvGkGcgmGi6uo HA4Ht9oOtI+D0xmGHUtUefWWqVE8hWXfKKeRMymsylKQTkg8ACxKsPLBm5YvKdbt 6isk0f4js4hybbhzb95zNBzf6CwRt0m2mHOlOX65lH8uDYpJ1UqqDNGA5OhsdHi/ WN+7TvpIqjGnM66okv7z0A==;
Received: from relay6.apple.com (relay6.apple.com [17.128.113.90]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in23.apple.com (Apple Secure Mail Relay) with SMTP id 32.4D.06019.92111095; Wed, 26 Apr 2017 14:29:14 -0700 (PDT)
X-AuditID: 11ab0217-9d7e79a000001783-f6-590111297485
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by relay6.apple.com (Apple SCV relay) with SMTP id F5.4B.09762.92111095; Wed, 26 Apr 2017 14:29:13 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_WWXv1e+fY1oxKlKIq6TXeQ)"
Received: from demo-wifi.coreoutside.org ([17.227.5.3]) by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0OP100JYMD0OOK70@nwk-mmpp-sz09.apple.com>; Wed, 26 Apr 2017 14:29:13 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <89333EE4-4F8F-4206-AD61-6352C57AFBE7@apple.com>
Date: Wed, 26 Apr 2017 14:29:12 -0700
In-reply-to: <CABcZeBOb3dD4tQbiYH9jABCXMKOGWNaWCNAyMzyKeiXnB5YAoQ@mail.gmail.com>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsecme-chairs@ietf.org, ipsec@ietf.org, Mirja Kuehlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-tcp-encaps@ietf.org
To: Eric Rescorla <ekr@rtfm.com>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <22784.31378.631303.102297@fireball.acr.fi> <CABcZeBOb3dD4tQbiYH9jABCXMKOGWNaWCNAyMzyKeiXnB5YAoQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3263)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrBLMWRmVeSWpSXmKPExsUi2FAYpaslyBhpcPivmsX7P2cYLVa8Psdu MePPRGaLF9c/Mlvs3/KCzWLmnA8sFkfPP2dzYPdYsuQnk8fhrwtZPFo+LmT1mPy4jTmAJYrL JiU1J7MstUjfLoEro2n9XLaCWzMZK15OuczawNhf38XIySEhYCJx8sl8RhBbSGANk8SJfQkw 8d+f1rF3MXIBxQ8ySty4sosVJMErICjxY/I9FhCbWSBMonnPW1aIoglMElP3bADq4OAQFpCQ 2LwnEaSGTUBF4vi3DcwgYV4BG4lfZ0RAyoUFJjBKvL42C6ycRUBV4scuLpByToFgiU8vPrOA 1DAL7GCUeHDtPxNIQkRAQeLXnxMsELu+MkpsXD+fBeJSWYnuhdOYQRISAs3sEn2fzzNPYBSa heTYWUiOhbC1JL4/agWKcwDZ8hIHz8tChDUlnt37xA5ha0s8eXeBdQEj2ypG4dzEzBzdzDwj Y73EgoKcVL3k/NxNjKCoWs0kvoPx82vDQ4wCHIxKPLwRxxgihVgTy4orcw8xSnOwKInzNu34 HyEkkJ5YkpqdmlqQWhRfVJqTWnyIkYmDU6qBcdKTnXx1VdvC0qxdF85pjjadddEh8mS0651z O9IvbJmUrrtkJ897bd7UdqdnRr6nTrnrWF26emSej8lRxis7T7Onr4m5YvtyncLdpK97JQ5/ 2xs4UU1gpXepJNesfXO+ddwvsZQ6JvTs1fPO+2rPN/yOVDoRfNB1tt8e7sYj8eEVRScP8bOG HVViKc5INNRiLipOBADXawnNiwIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrEIsWRmVeSWpSXmKPExsUi2FAcoKspyBhp8P6CisX7P2cYLVa8Psdu MePPRGaLF9c/Mlvs3/KCzWLmnA8sFkfPP2dzYPdYsuQnk8fhrwtZPFo+LmT1mPy4jTmAJYrL JiU1J7MstUjfLoEro2n9XLaCWzMZK15OuczawNhf38XIySEhYCLx+9M69i5GLg4hgYOMEjeu 7GIFSfAKCEr8mHyPBcRmFgiTaN7zlhWiaAKTxNQ9G4A6ODiEBSQkNu9JBKlhE1CROP5tAzNI mFfARuLXGRGQcmGBCYwSr6/NAitnEVCV+LGLC6ScUyBY4tOLzywgNcwCOxglHlz7zwSSEBFQ kPj15wQLxK6vjBIb189ngbhUVqJ74TTmCYz8s5DcNwvJfRC2lsT3R61AcQ4gW17i4HlZiLCm xLN7n9ghbG2JJ+8usC5gZFvFKFCUmpNYaaaXWFCQk6qXnJ+7iREcBYVROxgbllsdYhTgYFTi 4XXYyBApxJpYVlyZe4hRgoNZSYRX4yVQiDclsbIqtSg/vqg0J7X4EONERqAvJzJLiSbnA2M0 ryTe0MTEwMTY2MzY2NzEnJbCSuK8c98CXSSQnliSmp2aWpBaBHMUEwenVAMjX1q+7oZN8TJX rEQVYyoK2tWLU5a9Omjn/ufyQ9bSTKdjBpWPWPdUH7k8q8ucYzvDu2n+a6IjF7ZcbecJqjty 71eng6VxzIHTfmeXxqvuMJzu94/rnojVYe5Vb6oK2tT8HhxQNSg6cvZKWGT8me/Cm5//7/Sq ONaU8uPJ9jIDfokO2SotziglluKMREMt5qLiRAAZB1PO9QIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/w9hUK6A52SwqEDmsqADdxxUAmLc>
Subject: Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 21:29:20 -0000

> On Apr 26, 2017, at 12:51 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> AFAICT there are two separate issues:
> 
> - The use of 4500, which, as Tero says, we can just update the registry to point to this document for.
> - The use of 443, which seems more complicated
> 
> WRT 443, I would assert the following facts:
> 
> - It's not awesome that people use 443 (though understandable because of overly-aggressive firewalls)
> - People aren't going to stop using 443 (because it goes through NATs well)
> 
> Generally, I think it's more useful for documents to reflect reality, even if we don't like that reality,
> and 443 only appears in the appendix, so that seems fairly innocuous to me. Perhaps we can
> leave the 443 in the appendix with some note like:
> 
> "Note: While port 4500 is the reserved port for this protocol, some existing implementations
> also use port 443. The Stream Prefix provides some mitigation against cross-protocol
> attacks in this case, however, the use of port 443 is NOT RECOMMENDED"
> 
> What would people think about that?

That sounds good to me. I think we may want to mention that the Stream Prefix is used to distinguish from any other protocols running on port 4500, etc, not really specifically to 443.

> 
> Tommy, Tero, the stream prefix doesn't seem totally ideal. Would there be wiggle room
> to specify ALPN here? Or maybe a longer prefix?

The document's text regarding ALPN is in section 4:

"Although some framing protocols do support negotiating inner protocols, the stream prefix should always be used in order for implementations to be as generic as possible and not rely on other framing protocols on top of TCP."

The idea is that we don't want to use TLS as a wrapper whenever possible. An implementation on an IKE server may be behind a proxy or another process that's terminating the TLS or raw TCP, and passing the inner stream along. In that case, we wanted a standard way to put IKE and ESP in a stream, not relying on an outer protocol's details.

I'm perfectly open to using another prefix value; if you have a suggestion for a longer value, that would be great!

Thanks,
Tommy

> 
> -Ekr
> 
> 
> On Wed, Apr 26, 2017 at 3:46 AM, Tero Kivinen <kivinen@iki.fi <mailto:kivinen@iki.fi>> wrote:
> Tommy Pauly writes:
> > > ----------------------------------------------------------------------
> > > DISCUSS:
> > > ----------------------------------------------------------------------
> > >
> > > This draft suggests that ports that are assigned to other services can
> > > simply be used. This is not okay. If a port is assigned to a certain
> > > service, this service and/or the respective RFC defines how this port is
> > > used. Simply changing the specified behavior by requiring a check for a
> > > magic number cannot be done without updating the RFC that the port
> > > assignment belongs to. Also for the use of 4500/tcp RFC3948 as well as
> > > the IANA registry would need to be updated.
> >
> > At this point, the only portion of the document that mentions a port
> > other than 500 and 4500 is the appendix. We recommend that 4500 is
> > used as the port for TCP encapsulation. The IANA registry for
> > 4500/tcp is already assigned to IPSec NAT Traversal in RFC 3947;
> > that document does not explain how TCP is to be used, so the
> > reference should be updated to point to the document on TCP
> > encapsulation.
> 
> I already explained this in long email to the Joe and Paul, but
> noticed that those emails did not go to to the IESG, so this is mostly
> cut & paste of my previous email. This does not cover anything about
> using any other ports, but covers the case about the IANA allocations
> for TCP/4500 and UPD/4500.
> 
> ----------------------------------------------------------------------
> Paul Wouters writes:
> > On Tue, 25 Apr 2017, Joe Touch wrote:
> > > Every bit pattern, including those using magic numbers, is already
> > > owned and under the control of each assigned port. It is not
> > > appropriate for any new service to hijack that pattern as having a
> > > different meaning UNLESS explicitly updating the service on
> > > that port.
> > >
> > > A simple summary of what needs to change, in 2119-language:
> > >
> > >    - this approach MUST NOT be described as applying to any
> > >      assigned number unless also updating the associated RFC
> >
> > So it should add an Updates: RFC-3947
> 
> Not really. It does not update RFC3947 as it does not change the
> obsoleted protocol defined in the RFC3947. It does define way to
> extend things in IKE in similar way than RFC3948 (UDPENCAPS) does. On
> the other hand RFC3947 should have been obsoleted when we obsoleted
> IKEv1, as that document only defines how to do IKEv1 NAT traversal
> negotiation, and the IKEv2 NAT traversal negotation is described in
> main IKEv2 RFC (RFC7296).
> 
> > It's a little weird. 3947 reserved TCP 4500, but did not specify how
> > to actually use TCP at all. It seems it was mostly preventatively
> > reserved.
> 
> The reason RFC3947 reserved TCP/4500 was that it updated both TCP/4500
> and UDP/4500 references from individual user to the RFC3947, so that
> IETF will have change control over the ports. I.e., those ports were
> allocated before RFC3947 came out, and they were used for several
> different non-interoperable versions of the NAT traversals, which then
> evolved to the standard version we define in RFC3947. We decided to
> reassign both TCP and UDP port 4500 to RFC3947 so it would be clear
> for what use they will be used. Also we commonly reserve both TCP and
> UDP ports for same number just in case someone defines a way to run
> the protocol over other transport protocol in the future...
> 
> RFC3947 does not define anything over TCP/4500. Actually RFC3947 does
> not define anything over the UDP/4500 either, it is the RFC3948 that
> does that. The RFC3947 just says, we use the format defined in the
> RFC3948 over the UDP/4500, but is silent about the TCP/4500.
> 
> RFC3947 is efficiently obsoleted, as it only defines the way to do NAT
> traversal on IKEv1, and IKEv1 is obsoleted and replaced with IKEv2
> (originally RFC4306, and now RFC7296). So the RFC3947 should have been
> marked as obsoleted by RFC4306. I am not sure if we want to do that in
> this late.
> 
> So my proposal is update the IANA port registry for both UDP/4500 and
> TCP/4500 as follows:
> 
>          Keyword       Decimal    Description          Reference
>          -------       -------    -----------          ---------
>          ipsec-nat-t   4500/tcp   IPsec NAT-Traversal  [RFCXXXX]
>          ipsec-nat-t   4500/udp   IPsec NAT-Traversal  [RFC3948], [RFC7296]
> 
> (RFCXXXX being this RFC).
> 
> Note, that the RFC3947 on the 4500/UDP was changed to RFC3948 as the
> RFC3948 actually defines the protocol used over the port. RFC3947
> defines the IKEv1 negotiation over the UDP port 500 and 4500, but for
> IKEv2 this is already defined in the RFC7296.
> 
> The RFC3947 could either be left as it is now, or marked as being
> obsoleted by this or RFC4306, or RFC7296 or whatever. Updating
> document which is effectively already obsoleted, is just wrong...
> --
> kivinen@iki.fi <mailto:kivinen@iki.fi>
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email