Re: [IPsec] TCP and MOBIKE
Tero Kivinen <kivinen@iki.fi> Thu, 15 November 2018 11:51 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC75A124C04 for <ipsec@ietfa.amsl.com>; Thu, 15 Nov 2018 03:51:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.421
X-Spam-Level:
X-Spam-Status: No, score=-3.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gx-4_PqBrhgX for <ipsec@ietfa.amsl.com>; Thu, 15 Nov 2018 03:51:07 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DC41124408 for <ipsec@ietf.org>; Thu, 15 Nov 2018 03:51:07 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id wAFBojFK008040 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 15 Nov 2018 13:50:45 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id wAFBoj2H018059; Thu, 15 Nov 2018 13:50:45 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23533.23957.749071.182117@fireball.acr.fi>
Date: Thu, 15 Nov 2018 13:50:45 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: 'David Schinazi' <dschinazi.ietf@gmail.com>, ipsec@ietf.org
In-Reply-To: <006e01d47cb2$a0e40cf0$e2ac26d0$@gmail.com>
References: <031f01d47720$e9fb8220$bdf28660$@gmail.com> <CAPDSy+6V3dVkrcX=Lgd-G47RaLug8fhR=SZcD-cBdAmXJeCXvA@mail.gmail.com> <032c01d47724$f906d6d0$eb148470$@gmail.com> <23531.54545.136222.41944@fireball.acr.fi> <01db01d47bf7$d4e34630$7ea9d290$@gmail.com> <23532.55468.578150.420475@fireball.acr.fi> <006e01d47cb2$a0e40cf0$e2ac26d0$@gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 14 min
X-Total-Time: 23 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/wiiM1Dxy2AzF9_TiEda8vRHF3JY>
Subject: Re: [IPsec] TCP and MOBIKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2018 11:51:10 -0000
Valery Smyslov writes:
> It's much easier to rate limit responses, say no more than one per second.
> You may also check the length.
True, but this is what some implementations did and perhaps do still.
And the RFC7296 mandates that retransmission must be bitwise identical
(there are other reasons for that too).
> OK, that only justifies my thought that MOBIKE is fragile :-)
> What if both paths work, but the networks are lossy?
In normal cases you do bit more tries for the first IP, before you
move to second or third. I.e., something like 5 retries on first
address (0.5, 1, 2, 4, 8 second intervals using 15.5 seconds or first
address), and then move to 2nd address and so on.
> In this case with high probability your second exchange
> will look like the first: you won't get reply on IP_R1,
> switch to IP_R2, got reply and initiate new exchange again.
> And so on. The process won't converge well.
True. On the other hand you only need to succeed once to converge it,
and you only need to do this if you have so bad connection that you
really start timing out lots of request. In that case there will be
other usage issues anyway....
> Not exactly. The MOBIKE currently is only concerned with IP addresses.
> It doesn't take transport into consideration. If you formally follow MOBIKE
> you don't need to initiate new exchange, because when you switch from
> UDP to TCP the IP will remain the same.
Not true.
> > In tcp encapsulation the situation is same. Once we move to TCP, or
> > from TCP to UDP, that is deteced by the initiator that something
> > changed during UPDATE_SA_ADDRESSES, so after that exchange finishs
> > successfully, it needs to redo it using the path it thinks work, and
> > verify that both ends are in sync.
>
> Again, the path doesn't change, the transport changes.
> So, this must be clarified in the draft...
The rfc4555 does not defined path, but rfc4621 does:
Path
The sequence of routers traversed by the MOBIKE and IPsec
packets exchanged between the two peers. Note that this path may
be affected not only by the involved source and destination IP
addresses, but also by the transport protocol. Since MOBIKE and
IPsec packets have a different appearance on the wire, they
might be routed along a different path, for example, due to load
balancing. This definition is taken from [RFC2960] and adapted
to the MOBIKE context.
So the transport protocol should be taken in to account. Unfortunately
the section 1.3 do not refer to the rfc4621 for terminology, but I
think it should have done that, as I think it defines other terms
too (available address, current path etc).
--
kivinen@iki.fi
- [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE David Schinazi
- Re: [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE Tero Kivinen
- Re: [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE Tero Kivinen
- Re: [IPsec] TCP and MOBIKE Valery Smyslov
- Re: [IPsec] TCP and MOBIKE Tero Kivinen