Re: [Pals] [EXTERNAL] Re: [Int-area] L2TP sequencing: Commonly disabled for IP data? Or always?

Derek Fawcus <dfawcus+lists-int-area@employees.org> Wed, 09 June 2021 11:53 UTC

Date: Wed, 09 Jun 2021 12:53:29 +0100
From: Derek Fawcus <dfawcus+lists-int-area@employees.org>
To: Bob Briscoe <ietf@bobbriscoe.net>
Cc: Stewart Bryant <stewart.bryant@gmail.com>, Alexander Vainshtein <Alexander.Vainshtein@rbbn.com>, "Andrew G. Malis" <agmalis@gmail.com>, mark@townsley.net, Carlos Pignataro <cpignata@cisco.com>, Ignacio Goyret <ignacio.goyret@nokia.com>, intarea IETF list <int-area@ietf.org>, pals@ietf.org
Message-ID: <YMCruRHlYWNzFOyy@clarinet.employees.org>
References: <5c60cc79-1552-3f52-641f-e508780227ae@bobbriscoe.net> <YLuFLq7k9akVVHWS@clarinet.employees.org> <CAA=duU2o9YKF5Sfu6VTr5+bUr1JVgaGZh=X4+BQRbMu63FqVsg@mail.gmail.com> <5E252602-F635-4DF0-8FAE-C80CF88293D9@gmail.com> <SA1PR03MB649903FB333E04FCE26EDE09F6369@SA1PR03MB6499.namprd03.prod.outlook.com>
In-Reply-To: <SA1PR03MB649903FB333E04FCE26EDE09F6369@SA1PR03MB6499.namprd03.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pals/TVgmxlxcnfLpbv0ZP_aHGreQ2FQ>

On Wed, Jun 09, 2021 at 11:04:04AM +0000, Alexander Vainshtein wrote:
> I mainly concur with Stewart's comments about sequence number checking.

There is also another potentially extensive 'deployment' of L2TP,
especially over the last year, and that is as one of the options
in the Microsoft Windows RAS VPN feature.

If so, then that would be by relatively unsophisticated users,
so they'd not really be able to tune it for issues.

This is PPP/L2TP/ESP(transport-mode) occasionally using NAT-T,
and negotiated by IKEv1.  I don't know if the L2TP layer makes
use of sequencing.

I'd not be surprised if the ESP layer is using an anti-replay window,
in which case the points already rehearsed wrt L4S would apply,
but this time with people who won't know how to 'fix' it.

We supported use of this in our protocol stack in our product
for remote access until quite recently, and I see there are other
vendors who still offer the same mechanism.

Specifically I'd imagine to easily interoperate with the RAS feature.

DF
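The message above raises the concern that an ESP anti-replay window, rather than L2TP sequencing, may be what drops reordered packets for these RAS VPN users. The following is an added illustration, not code from the thread, from Windows RAS or from any IPsec implementation: it models the RFC 4303 Appendix A style sliding-bitmap anti-replay check (32-bit sequence numbers only, no extended sequence numbers, no wraparound handling) and runs a constructed arrival trace through it to show how a packet delayed past the window is indistinguishable from a replay and silently dropped, while a wider window accepts it. Names such as `AntiReplayWindow`, `replay_trace` and `delayed_packet_trace` are this example's own.

```python
"""RFC 4303 style ESP anti-replay sliding window, as an added illustration."""


class AntiReplayWindow:
    """Sliding bitmap anti-replay window (RFC 4303 Appendix A2 approach).

    `size` is the window width in packets. RFC 4303 requires a window of at
    least 32; 64 is a common default. Only the 32-bit sequence number is
    modelled; extended sequence numbers and wraparound are out of scope here.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Return True if `seq` is accepted, False if it would be dropped.

        Sequence number 0 is never valid: the first packet on an SA uses 1.
        """
        if seq == 0:
            return False
        if seq > self.top:
            # Newer than anything seen: slide the window right and mark seq.
            shift = seq - self.top
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1   # everything previously tracked fell off the window
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            # Older than the left edge of the window: treated as a replay.
            return False
        if self.bitmap & (1 << offset):
            # Already seen inside the window: a genuine duplicate.
            return False
        self.bitmap |= 1 << offset
        return True


def replay_trace(window_size, arrival_order):
    """Feed packets in arrival order; return (accepted, dropped) sequence lists."""
    win = AntiReplayWindow(window_size)
    accepted, dropped = [], []
    for seq in arrival_order:
        (accepted if win.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped


def delayed_packet_trace(n=200, late_seq=10, delay=100):
    """Constructed trace: packets 1..n are sent in order, but `late_seq`
    arrives only after the `delay` packets sent after it (gross reordering,
    the kind of pattern that a receiver cannot tell apart from a replay)."""
    assert n >= late_seq + delay + 1
    arrival = [s for s in range(1, n + 1) if s != late_seq]
    arrival.insert(arrival.index(late_seq + delay + 1), late_seq)
    return arrival


if __name__ == "__main__":
    trace = delayed_packet_trace()
    for size in (32, 64, 128, 1024):
        _, dropped = replay_trace(size, trace)
        print(f"window {size:4d}: dropped as replay -> {dropped}")
```

The point for the deployment described in the thread is visible in the output: with the default-sized windows (32 or 64) the delayed packet 10 is discarded exactly as a replayed packet would be, with no error visible to the user, whereas a receiver configured with a 128-packet window accepts it. A practitioner diagnosing unexplained loss on such a tunnel would check the receiver's anti-replay counters and window size before looking at the L2TP layer.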