Re: [IPv6] Fwd: New Version Notification for draft-xu-ipsecme-risav-00.txt
Benjamin Schwartz <ietf@bemasc.net> Sat, 11 March 2023 03:52 UTC
Return-Path: <benjamin.m.schwartz@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 891DAC1527AE; Fri, 10 Mar 2023 19:52:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.548
X-Spam-Level:
X-Spam-Status: No, score=-1.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O6K_uyj8lsIW; Fri, 10 Mar 2023 19:52:10 -0800 (PST)
Received: from mail-vs1-f43.google.com (mail-vs1-f43.google.com [209.85.217.43]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCFE3C14CE22; Fri, 10 Mar 2023 19:52:10 -0800 (PST)
Received: by mail-vs1-f43.google.com with SMTP id s1so6471996vsk.5; Fri, 10 Mar 2023 19:52:10 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678506729; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=70YHt8QX4b7tX62Hgt9iusYRUKUj7gXP5v1P6gnfeEI=; b=HhJP9AJqtOCOHgVhfqp/nmvYGP44KqMCKoSvIYZxS0LLErINKUIKmzItke9hUD9ezA cByPu+XGqKfF2nHwtk0NGC9xvAUbTyWhho/QwhFctxaneyXqiVbUxE0uYPkDFAZ5wus8 l1m0il8UuB4MoZm3w5UCUdYtNtd7wvn1sPHlLFl0sbp0PWYU95eTH6DMd+DB00BCqy62 F9KuwNH+QbXbuXQgpw8FleiYAazjS3KJ6lDLY8OZaK0ZtYLwr1orugsd7Yi9Lv/UTSKj FCd/6gsvqhYvhQhzNrZJTwag6pNuqyV9UED9IKyXuBR4vuh+gpmnFG8eBegOUVzVu2aF 3Pgg==
X-Gm-Message-State: AO0yUKVnfzhDTO3GLjprDEjz6A8S2aZF0k3ktHpCZ70bXeEC7EW1cem8 olOTlYerxktdmvNm51EvD62bHtcka+U=
X-Google-Smtp-Source: AK7set/7WY/Am0EL9nVazN7TiJhebwcfHfDU3X7Npe5PeCtst/M2X2YWJ+Nq7m//ivHv9fwNPKd7zg==
X-Received: by 2002:a05:6102:fa6:b0:41d:932d:6db6 with SMTP id e38-20020a0561020fa600b0041d932d6db6mr16554134vsv.27.1678506729266; Fri, 10 Mar 2023 19:52:09 -0800 (PST)
Received: from mail-ua1-f53.google.com (mail-ua1-f53.google.com. [209.85.222.53]) by smtp.gmail.com with ESMTPSA id w2-20020a05610233c200b004124cff6378sm165313vsh.26.2023.03.10.19.52.08 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 10 Mar 2023 19:52:08 -0800 (PST)
Received: by mail-ua1-f53.google.com with SMTP id h34so4885920uag.4; Fri, 10 Mar 2023 19:52:08 -0800 (PST)
X-Received: by 2002:a1f:38d6:0:b0:401:a4bf:210d with SMTP id f205-20020a1f38d6000000b00401a4bf210dmr17009861vka.1.1678506727815; Fri, 10 Mar 2023 19:52:07 -0800 (PST)
MIME-Version: 1.0
References: <167820894576.52247.15048889974386886786@ietfa.amsl.com> <CAJF-iTT5f0WAu5fvEDqPR4dk_f3Qw1A5Of8EAVwbUJrkM7scpA@mail.gmail.com> <CAO42Z2xqFWbV49_cGM6tLSRkRgcYVwLfF8xeKMsJkQSOfX3_iQ@mail.gmail.com>
In-Reply-To: <CAO42Z2xqFWbV49_cGM6tLSRkRgcYVwLfF8xeKMsJkQSOfX3_iQ@mail.gmail.com>
From: Benjamin Schwartz <ietf@bemasc.net>
Date: Fri, 10 Mar 2023 22:51:56 -0500
X-Gmail-Original-Message-ID: <CAJF-iTRMkHAqFm5__DPJqKR6b2y7uUQiUX6RoMTEjYoDu7MkaA@mail.gmail.com>
Message-ID: <CAJF-iTRMkHAqFm5__DPJqKR6b2y7uUQiUX6RoMTEjYoDu7MkaA@mail.gmail.com>
To: Mark Smith <markzzzsmith@gmail.com>
Cc: ipv6@ietf.org, draft-xu-ipsecme-risav@ietf.org
Content-Type: multipart/alternative; boundary="00000000000043c19c05f697cda7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/78Frr7aQR0sT7yKKkFXucv2tL-8>
Subject: Re: [IPv6] Fwd: New Version Notification for draft-xu-ipsecme-risav-00.txt
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2023 03:52:14 -0000
On Fri, Mar 10, 2023 at 1:40 AM Mark Smith <markzzzsmith@gmail.com> wrote: > Hi Ben, > > On Fri, 10 Mar 2023 at 01:37, Benjamin Schwartz <ietf@bemasc.net> wrote: > > > > Hi 6MAN, > > > > I wanted to let you know about RISAV, our early-stage draft currently > being discussed in IPSECME. The draft essentially proposes a global > configuration mechanism for network-to-network IPsec between ASes. Each > IPsec association is "edge-to-edge", independent of any intermediate ASes > such as transit providers, and is authenticated to the RPKI. > > > > The proposal instructs certain intermediate nodes (the AS Border Routers > of the source and destination ASes) to modify packets (adding and removing > IPsec protection). As explained in Section 10.1 [1], we believe that this > is logically compliant with existing IPv6 standards, but we would > appreciate more input from 6MAN on any problems that might arise from the > proposed arrangement, or improvements we should consider. > > > > "In-Flight IPv6 Extension Header Insertion Considered Harmful" > Thanks for the reference. There's a clear parallel between RISAV (in Transport Mode) and SRH. However, I don't think most of the concerns raised there apply to RISAV. In RISAV, there is only one AS (the source) that can apply RISAV, and only one that can remove it (the recipient). It can only be applied once a shared secret is negotiated between these ASes (via IKEv2), so leaks seem less likely than in SRH. Recipient ASes that get unexpected RISAV AH headers are instructed to strip them out, so even in weird failure modes, any leaks should not be detectable by the endpoint systems. IETF 106 slide deck - > > https://datatracker.ietf.org/meeting/106/materials/slides-106-6man-sessb-in-flight-ipv6-extension-header-insertion-considered-harmful-00 > ID: > https://datatracker.ietf.org/doc/html/draft-smith-6man-in-flight-eh-insertion-harmful-01 > > I'm a bit intrigued to know how people are going to do cost effective > and high speed EH chain processing past the fixed IPv6 header in > literally every packet being forwarded, looking for EHs it is to > process, when that network device doesn't hold the Destination Address > of the packet. > It seems to me that it would be a much easier thing to do if the > network device that is to process EHs is only looking for packets with > its own DA, which is what an outer tunnel header provides. Sure, the > tunnel header is network overhead, however it allows the decision as > to whether or not to try to process EHs in the packet as simple as > whether or not the packet's DA is local to the device or not i.e. a > FIB lookup. > In case it's not clear, the RISAV draft proposes _two_ modes: Transport Mode (AH, header insertion) and Tunnel Mode (ESP, encapsulation). It sounds like you want Tunnel Mode. Currently, we say that Transport Mode is "mandatory to implement" and Tunnel Mode is optional, but we could certainly reverse that or make them both optional. As for the "CPU" efficiency of Transport Mode, I believe it's no worse than Tunnel Mode: - We can require that the RISAV AH header is the first header, so everything is at fixed offsets. (Thanks for pointing out the importance of this!) - For either mode, the sender and recipient ASBRs need to perform an IPsec Security Association Database lookup on the source and destination IP addresses of essentially every packet. (This is similar to a RIB query for IP->ASN mapping.) In Tunnel Mode, this is required because the sender needs to know which packets to encapsulate and into which tunnels, and the receiver needs to reject (drop) any packets that should be in a tunnel but are not. In my view, the main question is: do the MTU savings of AH over ESP justify the additional complexity? Given the goal of deploying RISAV for all traffic between many ASes, I think we may need to be very sensitive to MTU loss and overhead. (Otherwise I would prefer Tunnel Mode, for the sake of confidentiality.) In the limit of full deployment (aspirational!), we are talking about the difference between a ~2% increase in global backbone traffic and a ~5% increase.
- [IPv6] Fwd: New Version Notification for draft-xu… Benjamin Schwartz
- Re: [IPv6] Fwd: New Version Notification for draf… Mark Smith
- Re: [IPv6] Fwd: New Version Notification for draf… Benjamin Schwartz