Re: [Lwip] [IPsec] The LWIG WG has placed draft-mglt-lwig-minimal-esp in state "Call For Adoption By WG Issued"
Daniel Migault <daniel.migault@ericsson.com> Tue, 12 February 2019 13:17 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 488EA130DDA for <lwip@ietfa.amsl.com>; Tue, 12 Feb 2019 05:17:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.018, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJlLBJ9cgvZf for <lwip@ietfa.amsl.com>; Tue, 12 Feb 2019 05:17:56 -0800 (PST)
Received: from mail-lj1-f182.google.com (mail-lj1-f182.google.com [209.85.208.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3343A130DD8 for <lwip@ietf.org>; Tue, 12 Feb 2019 05:17:56 -0800 (PST)
Received: by mail-lj1-f182.google.com with SMTP id g80so420442ljg.6 for <lwip@ietf.org>; Tue, 12 Feb 2019 05:17:56 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OSpaAkwbe0+vM5og9wExJpqkEGKtq4Dy40CMOIkcWZo=; b=ikWqZP1j36orlAVO+5rzautMTqi+H9HR0+sVsWIwbdwiHDpPIjMa35yb95jG042E99 YQ+1T7XmOZ/DgoeIqWzi6479g4KAK32K9dYZW1AugpXuo1s3HaZDzk7/4kJmFnen1XQd xIdrAtaTFK3iyH+lg7hYaOVHCKJMUkv8aOyTfFl3/cMhKPdnsSEID3LgoOXrl+0cp8mC 6+mLf7DmhSoB2fITjrS/HsLmW60LunoIg0zAcPqKDvc6Zid0A/kAjxnzZ0SNQTGr1mOE vtgTQ5FcPWtuJiLK4JXW5p4tyBXt8rEIa0TSu4riyCWZPCPbbfUqBQu7jWVMK1ssArhe dg1g==
X-Gm-Message-State: AHQUAua5vcucA9O2pefRTFi2fDNOijjJmk4k42nRNQXcWzBp0YSC+fgA KEeNmbd/XhVL7H9mYSjBOf4ypqeQW/TqvPFxMyg=
X-Google-Smtp-Source: AHgI3IYFcL3hvcr5IvnDvsLttHW0kJhl4w4KRw01202XIAfmgm7ZhRCGS25I3Vn8xnuEOCLPgrNoCD7HiPlm/f+JtsM=
X-Received: by 2002:a2e:870c:: with SMTP id m12-v6mr2378504lji.180.1549977474068; Tue, 12 Feb 2019 05:17:54 -0800 (PST)
MIME-Version: 1.0
References: <CAP_kZQqckPJhCn083sg8=PVpiO_+Ke=GhOKre=qujkk4k=dU7A@mail.gmail.com> <CADZyTk=dtJS7bS8oJtSa1bW-Xv3-AkuboX1QoJTFG+DyuN94ow@mail.gmail.com> <CAP_kZQrnmJJaLtzSJ5MeDYSme2mV6sAfGZrE5tnx8P6hbMib7g@mail.gmail.com> <23433.17795.580382.531001@fireball.acr.fi> <alpine.LRH.2.21.1808311231250.27198@bofh.nohats.ca> <VI1PR07MB4717173E61C887FDF4E4D3ABD0F70@VI1PR07MB4717.eurprd07.prod.outlook.com>
In-Reply-To: <VI1PR07MB4717173E61C887FDF4E4D3ABD0F70@VI1PR07MB4717.eurprd07.prod.outlook.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Tue, 12 Feb 2019 08:17:42 -0500
Message-ID: <CADZyTk=hYhJH8yU5TU6m_dsEr_u+iEfd=c=oasV5=JEHM4dc1g@mail.gmail.com>
To: Mohit Sethi M <mohit.m.sethi@ericsson.com>
Cc: Paul Wouters <paul@nohats.ca>, Tero Kivinen <kivinen@iki.fi>, Heinrich Singh <heinrich.ietf@gmail.com>, "lwip@ietf.org" <lwip@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c0779e0581b240a1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/YmYHglebYtLaD6T02pwTZ7q0nks>
Subject: Re: [Lwip] [IPsec] The LWIG WG has placed draft-mglt-lwig-minimal-esp in state "Call For Adoption By WG Issued"
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 13:17:59 -0000
Hi, I am wondering what is currently the status of the draft. Feel free to let me know if I something is expected on my side. Yours, Daniel On Thu, Oct 25, 2018 at 3:05 AM Mohit Sethi M <mohit.m.sethi@ericsson.com> wrote: > Hi Paul, Heinrich and Tero, > > The authors have updated the draft based on the feedback received: > > https://datatracker.ietf.org/doc/draft-mglt-lwig-minimal-esp/ > > Please let us know whether you still have objections to this being > adopted as a WG document. > > --Mohit > > On 8/31/18 7:50 PM, Paul Wouters wrote: > > On Fri, 31 Aug 2018, Tero Kivinen wrote: > > > >> There is no requirement for SPI to be random and originally it was > >> written that way so implementations can use whatever method to > >> allocate SPIs they like. > > > > However, the randomized SPIs does give us some security, as we saw in > > the SLOTH attack, that was only stopped because of the effort of 2^77 > > to break. If we used predictable SPIs for IKE, then IKE would have > > fallen to the SLOTH attack as well. > > > > https://access.redhat.com/blogs/product-security/posts/sloth > > > > Although in this case, I guess we are talking about ESP/AH SPIs. There > > is still benefits in randomness, even if it is not cryptographically > > random. Just to ensure the same SPIs aren't re-used too quickly and > > get confused. The document does correctly point out not to use SPIs > > below 256. > > > >> Adding requirement that SPI needs to be random would be modifying the > >> base ESP, and is not in the scope of draft trying to define minimal > >> ESP. Saying that in contrained devices which have very few SPIs the > >> SPIs can be allocated using some other method than random is in scope > >> of the this draft. > > > > Agreed. > > > >> On the other hand sender is REQUIRED to send sequence numbers in such > >> way they are monotonically incrementing (not necessarely by one), and > >> if it has any kind of other monotonically incrementing counter like > >> clock, it can use that to generate the sequence numbers and get rid of > >> the requirement to store outgoing sequence number to the flash. > > > > Wouldn't not incrementing by one screw up the windoz sizes of receiving > > ends? Eg if they received #64, they might accept 65-128 so receiving 300 > > might just make them do more work or effectively have no window? > > > >> I have not actually never seen anybody sending dummy packets or TFC > >> padding packets in any implementations. > > > > Yup. Linux supports it. With libreswan you can configure tfc= with a > > value of zero meaning pad to MTU. We haven't yet enabled this by default, > > since there are reasons for and against it. It's much better for privacy > > obviusly, but if this is going of mobile data, you are paying for the > > padding. > > > >> not even sure which implementation support for sending dummy packets. > > > > That I don't know either. although there are already so many "dumb" DPD > > packets, we sort of have this already over port 4500 :) > > > >> So as those are not really used in non-constrained devices > > > > Hmm, I guess the Lantronix Xport Pro does not count as constrained? > > Because it does run Linux and libreswan in 8MB SDRAM with NOMMU :) > > > > I still have to read the full document before I decide if I am in favour > > of adopting or not. > > > > Paul > > > > _______________________________________________ > > Lwip mailing list > > Lwip@ietf.org > > https://www.ietf.org/mailman/listinfo/lwip > > _______________________________________________ > Lwip mailing list > Lwip@ietf.org > https://www.ietf.org/mailman/listinfo/lwip >
- [Lwip] The LWIG WG has placed draft-mglt-lwig-min… Heinrich Singh
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Heinrich Singh
- Re: [Lwip] The LWIG WG has placed draft-mglt-lwig… Zhen Cao
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Tero Kivinen
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Michael Richardson
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Paul Wouters
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Mohit Sethi
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] The LWIG WG has placed draft-mglt-lwig… Heinrich Singh
- Re: [Lwip] The LWIG WG has placed draft-mglt-lwig… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Mohit Sethi M
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Paul Wouters
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Valery Smyslov
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Paul Wouters
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Mohit Sethi M