Minutes IETF117: ipsecme: Wed 22:30
minutes-117-ipsecme-202307262230-00
| Meeting Minutes | IP Security Maintenance and Extensions (ipsecme) WG |
|---|---|
| Date and time | 2023-07-26 22:30 |
| Title | Minutes IETF117: ipsecme: Wed 22:30 |
| State | Active |
| Last updated | 2023-07-26 |
IP Security Maintenance and Extensions (IPsecME) WG.
IETF 117 - Wednesday July 28th, 2023 15:30-17:00 PDT
https://meetings.conf.meetecho.com/ietf117/?group=ipsecme&short=&item=1
Agenda
- Note Well, technical difficulties and agenda bashing
- Document Status
- Presentations
  - IKEv2 Optional SA&TS Payloads in Child Exchange
  - An RPKI and IPsec-based AS-to-AS Approach for Source Address Validation
  - Traffic Selector for IKEv2 to add support DSCP
  - IKEv2 Link Maximum Atomic Packet and Packet Too Big Notification Extension
  - Diet ESP: ESP Header compression, IKEv2 EHC
  - Anti-replay sequence number subspaces for traffic-engineered paths and multi-core processing
  - Use of Reliable Transport in the IKEv2
  - Problem statements and uses cases for lightweight Child Security Associations
- Adoption calls
- AOB + Open Mic
Minutes
Note Well, Agenda bashing
Chairs (5 min)
Nothing
Document Status
Chairs (10 min)
Chairs: add missing sections to draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt
Presentations
IKEv2 Optional SA&TS Payloads in Child Exchange
Paul Wouters paul@nohats.ca (15 min)
draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt
Tero: This is an optimization; minimal implementations support only a
limited case. We do not need to support all cases, we can limit the use
to a certain subset.
Tero: Ask on the mailing list whether anyone is using IPCOMP with
different CPIs, or rekeying?
An RPKI and IPsec-based AS-to-AS Approach for Source Address Validation
Ben Schwartz bemasc@meta.com (10 min)
draft-xu-ipsecme-risav
Joel Halpern, co-chair: SAVnet works on inter-domain problem analysis.
Please come to us.
Traffic Selector for IKEv2 to add support DSCP
Daniel Migault daniel.migault@ericsson.com (5 min)
draft-mglt-ipsecme-ts-dscp
WG Chair: probably the main confusion on the list is why to use DSCP as a
traffic selector.
Joel Halpern, co-author of the draft: A small subset of high-priority
traffic gets to the queue on the sender and arrives at the receiver out of
order, which triggers replay protection at the receiver.
Joel Halpern: so we are not able to solve the cause of the issue.
Christian Hopps: how big is your replay window? It would be easy to
implement a large replay window.
Joel: We do not know.
Scott Fluhrer: if there are multiple SAs, does it matter which SA the
DSCP-marked traffic takes? IPsec can handle deleting an SA while
sending traffic on another SA.
Yoav Nir: is the DSCP value coupled between the inner and outer packet?
Joel: yes, it is coupled.
Yoav: the coupling might be the cause of the problem!
IKEv2 Link Maximum Atomic Packet and Packet Too Big Notification Extension
Daniel Migault daniel.migault@ericsson.com (5 min)
draft-liu-ipsecme-ikev2-mtu-detect
Christian Hopps: The packet-too-big at the egress should get back to the
ingress router.
The egress router reassembled the ESP fragments, decrypted them and
discovered it can't forward the decrypted packet. If the ICMP
is lost, it is lost between egress and ingress.
Ben Schwartz: if you don't want to fragment, set that bit. These
notifications are not necessary.
Daniel thinks don't-fragment does not solve the issue. We noticed it in
our implementations.
Diet ESP: ESP Header compression, IKEv2 EHC
Daniel Migault daniel.migault@ericsson.com (5 min)
draft-mglt-ipsecme-ikev2-diet-esp-extension
draft-mglt-ipsecme-diet-esp
Paul Wouters: the notify payloads, are these text or values?
WG Chair: no, they are similar to SA attributes. Out of time, so take it
to the list.
Anti-replay sequence number subspaces for traffic-engineered paths and multi-core processing
Mohsin Shaikh mohsisha@cisco.com (10 min)
draft-ponchon-ipsecme-anti-replay-subspaces
Paul Wouters: It is worth having this as an RFC.
There are possibly 3 IPR declarations that apply to this ID. The SSH one gave us permission.
The status of the other two possible IPRs is unknown. Paul will reach out to the
person who brought the IPRs to the mailing list's attention.
Use of Reliable Transport in the IKEv2
Valery Smyslov smyslov.ietf@gmail.com (10 min)
draft-smyslov-ipsecme-ikev2-reliable-transport
Tero: consider using ESP ping, a new ID that was submitted yesterday, to
discover the viability of IKE UDP or ESP.
WG Chair would discuss possible adoption with our AD, and revisit whether
it is within the charter.
Problem statements and uses cases for lightweight Child Security Associations
Steffen Klassert steffen.klassert@secunet.com (10 min)
draft-mrossberg-ipsecme-multiple-sequence-counters
Ben: why can't you parallelize it?
Tero: thinks probably not much re-ordering actually happens.
Chris: there is a five-tuple that is used to put a packet on a specific
core.
Ben: the point should be to tolerate more. Re-ordering is happening anyway.
Tero: on Slide 10: is it multiple IKE SAs or IPsec?
Steffen: yes, multiple IKE SAs on Slide 10.
Ben: like a sub child SA. Using a key derivation would help.
Paul/Tero: that is almost similar to a new child SA?
Yoav: likes the sub SA and parallel SA. We already implemented it.
Tero: A sub child SA would lead to ESP v4.0, which may be out of scope for the
charter.
Adoption calls
Chairs (5 min)
- draft-smyslov-ipsecme-ikev2-qr-alt
- draft-mglt-ipsecme-ts-dscp
- draft-liu-ipsecme-ikev2-mtu-detect
- draft-mglt-ipsecme-diet-esp
- draft-mglt-ipsecme-ikev2-diet-esp-extension
- draft-smyslov-ipsecme-ikev2-cookie-revised
Skipped the onsite polls because there was not enough time and because the AD
was not in the room.
AOB + Open Mic (0 min)
Paul: proposed an interim meeting in two months to speed up the
process/work of the Working Group.