Re: [Lwip] [IPsec] The LWIG WG has placed draft-mglt-lwig-minimal-esp in state "Call For Adoption By WG Issued"

Mohit Sethi M <mohit.m.sethi@ericsson.com> Thu, 25 October 2018 07:04 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Paul Wouters <paul@nohats.ca>, Tero Kivinen <kivinen@iki.fi>, Heinrich Singh <heinrich.ietf@gmail.com>, "lwip@ietf.org" <lwip@ietf.org>
Thread-Topic: [Lwip] [IPsec] The LWIG WG has placed draft-mglt-lwig-minimal-esp in state "Call For Adoption By WG Issued"
Thread-Index: AQHUbDEB5aQJBkJpW0aBhj6u5Mghlw==
Date: Thu, 25 Oct 2018 07:04:44 +0000
Message-ID: <VI1PR07MB4717173E61C887FDF4E4D3ABD0F70@VI1PR07MB4717.eurprd07.prod.outlook.com>
References: <CAP_kZQqckPJhCn083sg8=PVpiO_+Ke=GhOKre=qujkk4k=dU7A@mail.gmail.com> <CADZyTk=dtJS7bS8oJtSa1bW-Xv3-AkuboX1QoJTFG+DyuN94ow@mail.gmail.com> <CAP_kZQrnmJJaLtzSJ5MeDYSme2mV6sAfGZrE5tnx8P6hbMib7g@mail.gmail.com> <23433.17795.580382.531001@fireball.acr.fi> <alpine.LRH.2.21.1808311231250.27198@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/JDutMhcad8OMIYcln6JRL9-sTck>

Hi Paul, Heinrich and Tero,

The authors have updated the draft based on the feedback received:

https://datatracker.ietf.org/doc/draft-mglt-lwig-minimal-esp/

Please let us know whether you still have objections to this being
adopted as a WG document.

--Mohit

On 8/31/18 7:50 PM, Paul Wouters wrote:
> On Fri, 31 Aug 2018, Tero Kivinen wrote:
>
>> There is no requirement for SPI to be random and originally it was
>> written that way so implementations can use whatever method to
>> allocate SPIs they like.
>
> However, the randomized SPIs does give us some security, as we saw in
> the SLOTH attack, that was only stopped because of the effort of 2^77
> to break. If we used predictable SPIs for IKE, then IKE would have
> fallen to the SLOTH attack as well.
>
> https://access.redhat.com/blogs/product-security/posts/sloth
>
> Although in this case, I guess we are talking about ESP/AH SPIs. There
> is still benefits in randomness, even if it is not cryptographically
> random. Just to ensure the same SPIs aren't re-used too quickly and
> get confused. The document does correctly point out not to use SPIs
> below 256.
>
>> Adding requirement that SPI needs to be random would be modifying the
>> base ESP, and is not in the scope of draft trying to define minimal
>> ESP. Saying that in constrained devices which have very few SPIs the
>> SPIs can be allocated using some other method than random is in scope
>> of this draft.
>
> Agreed.
>
>> On the other hand sender is REQUIRED to send sequence numbers in such
>> way they are monotonically incrementing (not necessarily by one), and
>> if it has any kind of other monotonically incrementing counter like
>> clock, it can use that to generate the sequence numbers and get rid of
>> the requirement to store outgoing sequence number to the flash.
>
> Wouldn't not incrementing by one screw up the window sizes of receiving
> ends? Eg if they received #64, they might accept 65-128 so receiving 300
> might just make them do more work or effectively have no window?
>
>> I have actually never seen anybody sending dummy packets or TFC
>> padding packets in any implementations.
>
> Yup. Linux supports it. With libreswan you can configure tfc= with a
> value of zero meaning pad to MTU. We haven't yet enabled this by default,
> since there are reasons for and against it. It's much better for privacy
> obviously, but if this is going over mobile data, you are paying for the
> padding.
>
>> not even sure which implementations support sending dummy packets.
>
> That I don't know either. Although there are already so many "dumb" DPD
> packets, we sort of have this already over port 4500 :)
>
>> So as those are not really used in non-constrained devices
>
> Hmm, I guess the Lantronix Xport Pro does not count as constrained?
> Because it does run Linux and libreswan in 8MB SDRAM with NOMMU :)
>
> I still have to read the full document before I decide if I am in favour
> of adopting or not.
>
> Paul
>
> _______________________________________________
> Lwip mailing list
> Lwip@ietf.org
> https://www.ietf.org/mailman/listinfo/lwip
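The receive-side behaviour Paul asks about (a sender that advances the ESP sequence number by more than one) is easiest to see by running the RFC 4303 sliding anti-replay window against a few packets. The following is an added example written for this page; it is not code from the thread, from draft-mglt-lwig-minimal-esp, or from Linux or libreswan. The bitmap window follows RFC 4303 section 3.4.3; the window size, the packet sequence fed to it, and the `allocate_spi` helper (which only encodes the "no SPIs below 256" point made above) are assumptions constructed for illustration.

```python
"""Added example (not from the thread or the draft): an RFC 4303-style
sliding anti-replay window, used to show what a receiver does when the
sender jumps the ESP sequence number ahead by more than one. Window size
and the sample packet sequences are constructed for illustration."""
import secrets

RESERVED_SPI_MAX = 255  # RFC 4303: SPI 0 is local use, 1..255 reserved by IANA


class AntiReplayWindow:
    """Receiver-side replay check with a bitmap window (RFC 4303 3.4.3).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has been received.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0       # highest sequence number accepted (0 = none yet)
        self.bitmap = 0

    def check(self, seq):
        """True if `seq` is acceptable, False if replayed or too old.
        Does not change state: call update() only after the ICV verifies."""
        if seq == 0:
            return False                     # first packet on an SA is 1
        if seq > self.top:
            return True                      # right of the window: new
        if seq + self.size <= self.top:
            return False                     # left of the window: too old
        return not (self.bitmap >> (self.top - seq)) & 1

    def update(self, seq):
        """Record `seq`; slides the window when seq is to the right of it."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq):
        """check() then update(); returns whether the packet was accepted."""
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def simulate(seqs, size=64):
    """Feed `seqs` to a fresh window; return [(seq, accepted), ...]."""
    w = AntiReplayWindow(size)
    return [(s, w.receive(s)) for s in seqs]


def allocate_spi(in_use, rng=secrets.randbelow):
    """Pick an unpredictable 32-bit SPI that is not reserved (0..255) and
    not already in use. `rng(n)` must return an int in [0, n)."""
    while True:
        spi = rng(1 << 32)
        if spi > RESERVED_SPI_MAX and spi not in in_use:
            return spi


if __name__ == "__main__":
    # Constructed scenario from the thread: receiver is at #64, sender
    # (e.g. using a clock as its counter) next sends #300.
    packets = list(range(1, 65)) + [300, 65, 299, 300, 237, 236]
    for seq, ok in simulate(packets)[64:]:
        print(f"seq {seq:>3}: {'accepted' if ok else 'rejected'}")
    print("fresh SPI:", allocate_spi({300}))
```

Running the scenario: #300 is accepted and the window slides so that it now covers 237..300; #65 is then rejected as too old, #299 is accepted as an in-window out-of-order packet, a second #300 is rejected as a replay, #237 is still accepted and #236 is not. So a sender that skips numbers does not leave the receiver "with no window" or make it do more work; the window simply slides, and the only cost is that the skipped numbers (here 65..236) can never be accepted, which matters only if packets with those numbers could still be in flight.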