Minutes IETF115: ipsecme: Wed 15:00
minutes-115-ipsecme-202211091500-00
Meeting Minutes | IP Security Maintenance and Extensions (ipsecme) WG
Date and time: 2022-11-09 15:00
Title: Minutes IETF115: ipsecme: Wed 15:00
State: Active
Other versions: markdown
Last updated: 2022-11-09
IP Security Maintenance and Extensions (IPsecME) WG.
IETF 115 - Wednesday November 9th, 2022 15:00-16:30 UTC
https://meetings.conf.meetecho.com/ietf115/?group=ipsecme&short=&item=1
Agenda
- Note Well, Agenda Bashing and logistics - 5 min
- Document status - 5 min
- multi-sa update - 5 min
  - draft-pwouters-ipsecme-multi-sa-performance-05
  - Paul Wouters
- IPsec workshop report - 10 minutes
  - Steffen Klassert
- IPComp Extension - 10 min
- New IKEv2 payload format - 15 min
  - Valery Smyslov
- Revised Cookie Processing in IKEv2 - 10 min
  - draft-smyslov-ipsecme-ikev2-cookie-revised
  - Valery Smyslov
- Inter-domain source address validation using RPKI and IPsec - 15 min
  - draft-xu-risav and draft-xu-erisav
  - Yangfei Guo
- IKEv2 Optional SA&TS Payloads in Child Exchange - 10 min
  - draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt
  - Wei PAN (潘伟)
- IPsec anti-replay subspaces - 10 min
  - draft-ponchon-ipsecme-anti-replay-subspaces
  - Paul Ponchon
- If time permits:
  - Traffic Selector with DSCP - Daniel Migault
  - MTU fragmentation - Daniel Migault
Working Group Minutes
Note Well, Agenda Bashing and logistics
(chairs)
Tero Kivinen noted we will likely not get to the last two items on the
agenda.
Document status
(chairs)
- 4 I-Ds in RFC Editor's queue
- 2 Pub request
- 1 Waiting for write-up (Paul asked Tero to try to get this done ASAP)
- 1 WGLC
- 2 In progress
Multi SA update
(Paul Wouters)
draft-pwouters-ipsecme-multi-sa-performance-04
Paul Ponchon: We are facing similar issues. One concern is that by adding
more SAs we could face scalability issues.
Paul Wouters: More than one SA/tunnel might cause problems?
Paul P: In some situations you might have a few that add a lot.
Paul Wouters: When you have a lot of clients and tunnels you're
spreading them out over CPUs.
Valery Smyslov: I support adoption of this I-D. Will have some
experimentation. It's a good starting point.
Daniel Migault: I think it's a problem that we need to solve. It
would be more complicated to have multiple SAs. We should limit the
number of SAs.
Christian Hopps: I was excited to hear you have an implementation.
Paul Wouters: It's in the implementation section.
IPsec workshop report
(Steffen Klassert)
No comments
IPComp Extension
(Hang Shi)
draft-ls-6man-ipcomp-exclude-transport-layer
Yoav Nir: IPComp has been deprecated and mostly hidden. As much
deprecated from AH. Fine to decouple it, but not sure how useful it is.
Tero Kivinen: Decouple means move it to another WG.
Paul Wouters: One way to make this go away is not use IPComp. If use
case is MTU issues, then use IPTFS.
Hang: It's about bandwidth.
Eric (INT AD): we just got the draft that compresses directly over
IP. SHAKE?
Tero Kivinen: MTU problems start to appear if you add compression
header overhead without actually compressing the packet.
Daniel Migault: Look at SHAKE.
New IKEv2 payload format
(Valery Smyslov)
Daniel Migault: I think it's interesting. When we decrease redundancy
is it easier or harder?
Valery Smyslov: It's moderate. But easy to build into existing
systems, but not that much.
Tero Kivinen: I think this is two separate work items. Would like to
have one solution for each. There has to be interest and there appears
to be interest.
Revised Cookie Processing in IKEv2
(Valery Smyslov)
draft-smyslov-ipsecme-ikev2-cookie-revised
Tero Kivinen: I think this is a little bit questionable. It's a
flaw, but the question is, if it doesn't affect the security then
maybe it's okay to leave it alone. Maybe there's another way to do this ...
Tero: send a "this is the cookie that was used" in the IKE_AUTH
response. It is optional. Could fix it. You now know WHY auth failed
and know you can retry from scratch.
Smyslov: Might be a good idea, but what to do if you notice the cookie is
different?
Tero: Send an error notification saying the cookie changed.
Paul Wouters: If Valery volunteers I can help out here. Also have
some questions about how often this happens.
Paul mumbled some wrong things and retracted :)
Tero: Need to get more comments. Valery to send message to list to
gauge interest.
Inter-domain source address validation using RPKI and IPsec
(Yangfei Guo)
draft-xu-risav and draft-xu-erisav
Paul W:
1) slide 4: yes, it's delete/notify.
2) ICV is optional depending on the packet format, but its use is mandated by the cipher (ICV for non-AEAD, no ICV for AEAD).
3) transport mode can only be requested as a preference; tunnel mode fallback is mandatory. Sorry to those who hate us for that.
Scott Fluhrer: On static-static DH: there is no PQ
equivalent. Better to avoid it.
Ben Schwartz: This is an early stage proposal. This is really closely
related to the anti-replay proposal.
IKEv2 Optional SA&TS Payloads in Child Exchange
(Wei PAN (潘伟))
draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt
Tero: Slide 3: The middle option is from ... option for IKE SA
doesn't really apply.
Wei Wang: Do you have deployment in any operator's network?
Wei Pan: As far as I know the base station has deployed this in
their 5G network.
Wei Wang: Very interested in this solution.
Chan Meiling: Used by low power systems. Support adoption.
Valery Smyslov: Read it and support adoption.
Tero: After presentation, this I-D will be in WG adoption.
IPsec anti-replay subspaces
(Paul Ponchon)
draft-ponchon-ipsecme-anti-replay-subspaces
Scott Fluhrer: For the GCM nonce issue remember 32 bits are coming
from the KEX. Take the subspace from there then no collisions.
Ben Schwartz: This is one of the main problems while trying to do this.
Would prefer a pure stateless solution. Prefers option #2. Also talked
about trying to hash the source ID of the sender into the secret used for
decryption and validation.
Daniel Migault: We do support this work and happy to work together.
Tero Kivinen (no hat): We already have a 32 bit sending ID; it's
called SPIs. Multiple SAs is the solution for that. Mandatory to
generate sequence numbers, but checking the replay protection window is not.
Not sure you are getting much help here.
Steffen Klassert: Rough consensus shows we work on this. Let's do an
interim to address this!
Ben Schwartz: To respond to Tero, disabling replay protection seems
dangerous. (more back and forth I didn't catch)
Pierre Pfister: I think it's a concern of anti-replay. Serious
concerns about scaling.
Traffic Selector with DSCP
(Daniel Migault)
Ran out of time.
MTU fragmentation
(Daniel Migault)
Ran out of time.