[TICTOC] The draft for IPsec synchronization security
"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Sat, 04 December 2010 02:19 UTC
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: tictoc@core3.amsl.com
Delivered-To: tictoc@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E001A3A6403 for <tictoc@core3.amsl.com>; Fri, 3 Dec 2010 18:19:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.043
X-Spam-Level:
X-Spam-Status: No, score=-5.043 tagged_above=-999 required=5 tests=[AWL=1.556, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qORIZ1FhWqCc for <tictoc@core3.amsl.com>; Fri, 3 Dec 2010 18:19:22 -0800 (PST)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by core3.amsl.com (Postfix) with ESMTP id 8C15928C0F6 for <tictoc@ietf.org>; Fri, 3 Dec 2010 18:19:20 -0800 (PST)
Received: from inbansmailrelay1.in.alcatel-lucent.com (h135-250-11-31.lucent.com [135.250.11.31]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id oB42KUi9024253 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 3 Dec 2010 20:20:33 -0600 (CST)
Received: from INBANSXCHHUB02.in.alcatel-lucent.com (inbansxchhub02.in.alcatel-lucent.com [135.250.12.35]) by inbansmailrelay1.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id oB42KTEt022032 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Sat, 4 Dec 2010 07:50:30 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.56]) by INBANSXCHHUB02.in.alcatel-lucent.com ([135.250.12.35]) with mapi; Sat, 4 Dec 2010 07:50:30 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: "tictoc@ietf.org" <tictoc@ietf.org>
Date: Sat, 04 Dec 2010 07:50:26 +0530
Thread-Topic: The draft for IPsec synchronization security
Thread-Index: AcuTWdBBCeJSpUV2SA6xbwdBJa8hFw==
Message-ID: <7C362EEF9C7896468B36C9B79200D8350CFAD7C916@INBANSXCHMBSA1.in.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
X-Scanned-By: MIMEDefang 2.64 on 135.250.11.31
Cc: bixiaoyu <bixiaoyu@huawei.com>
Subject: [TICTOC] The draft for IPsec synchronization security
X-BeenThere: tictoc@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tictoc>
List-Post: <mailto:tictoc@ietf.org>
List-Help: <mailto:tictoc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Dec 2010 02:19:33 -0000
Hi, My understanding of the problem is as follows: Currently nodes recognize 1588 packets at the physical ports and generate a timestamp on RX or TX at a reference point between the PHY and the MAC. This becomes complicated when we throw Ipsec as the nodes will now no longer be able to identify the 1588 packets that need to be timestamped/consumed. Ideally we would like the nodes to recognize all such packets at the port level and therefore generate a time stamp that can be later used after decrypting (or verifying Ipsec if its only being used for data integrity i.e. ESP-NULL). The earlier we recognize the packets that need to be time stamped the better it is. There is also an issue at the intermediate nodes which need to know if there is a 1588 packet inside the Ipsec tunnel so that it can be prioritized over the other packets. I spoke to Rock and others in Beijing about this and I was told that having a separate Ipsec tunnel exclusively for transporting 1588 packets is not scalable in the femto architecture and we need a mechanism to unambiguously identify 1588 packets within an Ipsec tunnel that's also carrying other service/data traffic. This, thus is the problem that draft-xu-tictoc-ipsec-security-for-synchronization is attempting to solve. Is this correct? Cheers, Manav -- Manav Bhatia, IP Division, Alcatel-Lucent, Bangalore - India
- [TICTOC] The draft for IPsec synchronization secu… Xie Lei
- Re: [TICTOC] The draft for IPsec synchronization … Jack Kohn
- Re: [TICTOC] The draft for IPsec synchronization … Xie Lei
- Re: [TICTOC] The draft for IPsec synchronization … Jack Kohn
- Re: [TICTOC] The draft for IPsec synchronization … Greg Dowd
- Re: [TICTOC] The draft for IPsec synchronization … Jack Kohn
- Re: [TICTOC] The draft for IPsec synchronization … Michel Ouellette
- Re: [TICTOC] The draft for IPsec synchronization … Jack Kohn
- Re: [TICTOC] The draft for IPsec synchronization … Greg Dowd
- [TICTOC] The draft for IPsec synchronization secu… Bhatia, Manav (Manav)
- Re: [TICTOC] The draft for IPsec synchronization … Jack Kohn
- [TICTOC] 答复: The draft for IPsec synchronization … bixiaoyu