
Minutes IETF117: ipsecme: Wed 22:30
minutes-117-ipsecme-202307262230-00

Meeting Minutes: IP Security Maintenance and Extensions (ipsecme) WG
Date and time: 2023-07-26 22:30
State: Active
Last updated: 2023-07-26

IP Security Maintenance and Extensions (IPsecME) WG.

IETF 117 - Wednesday July 28th, 2023 15:30-17:00 PDT
https://meetings.conf.meetecho.com/ietf117/?group=ipsecme&short=&item=1

Agenda

  • Note Well, technical difficulties and agenda bashing
  • Document Status
  • Presentations

    • IKEv2 Optional SA&TS Payloads in Child Exchange
    • An RPKI and IPsec-based AS-to-AS Approach for Source Address
      Validation
    • Traffic Selector for IKEv2 to add support DSCP
    • IKEv2 Link Maximum Atomic Packet and Packet Too Big Notification
      Extension
    • Diet ESP: ESP Header compression, IKEv2 EHC
    • Anti-replay sequence number subspaces for traffic-engineered
      paths and multi-core processing
    • Use of Reliable Transport in the IKEv2
    • Problem statements and use cases for lightweight Child Security
      Associations
  • Adoption calls
  • AOB + Open Mic

Minutes

Note Well, Agenda bashing

Chairs (5 min)

Nothing

Document Status

Chairs (10 min)

Chairs: add missing sections to
draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt

Presentations

IKEv2 Optional SA&TS Payloads in Child Exchange

Paul Wouters paul@nohats.ca (15 min)
draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt

Tero: This is an optimization; minimal implementations support only a
limited case. We do not need to support all cases, we can limit the use
to a certain subset.
Tero: Ask on the mailing list: is anyone using IPCOMP with
different CPIs, or rekeying?

An RPKI and IPsec-based AS-to-AS Approach for Source Address Validation

Ben Schwartz bemasc@meta.com (10 min)
draft-xu-ipsecme-risav

Joel Halpern, co-chair: SAVnet works on inter-domain problem analysis.
Please come to us.

Traffic Selector for IKEv2 to add support DSCP

Daniel Migault daniel.migault@ericsson.com (5 min)
draft-mglt-ipsecme-ts-dscp

WG Chair: probably the main confusion on the list is why to use DSCP as a
traffic selector.
Joel Halpern, co-author of the draft: A small subset of high-priority
traffic gets to the queue on the sender and arrives at the receiver out of
order, which triggers replay protection at the receiver.
Joel Halpern: so we are not able to solve the issue's cause.
Christian Hopps: how big is your replay window? It would be easy to
implement a large replay window.
Joel: We do not know.
Scott Fluhrer: if there are multiple SAs, does it matter which SA the
DSCP-marked traffic takes? IPsec can handle deleting an SA while
sending traffic on another SA.
Yoav Nir: is the DSCP value coupled between the inner and outer packet?
Joel: yes, it is coupled.
Yoav: the coupling might be the cause of the problem!
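The DSCP discussion above turns on what a receiver's anti-replay window does with packets that arrive out of order on one SA. The following is an added illustration, not code from the minutes or from any of the drafts discussed: it implements the sliding bitmap window of RFC 4303 Appendix A and simulates one high-priority packet overtaking a constructed backlog of lower-priority packets, first with a 64-entry window and then with a 1024-entry window, which is the trade-off Christian Hopps' question about window size points at. The `simulate` helper and its arrival pattern are constructed assumptions, not anything a participant described.

```python
"""Constructed illustration of ESP anti-replay behaviour under reordering.

Added example, not code from the minutes or from any draft. It models the
RFC 4303 Appendix A sliding bitmap window; plain (non-extended) sequence
numbers are assumed for simplicity.
"""


class AntiReplayWindow:
    """Right edge `top` is the highest sequence number accepted so far;
    bit i of `bitmap` is set when sequence number (top - i) was received."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0        # highest sequence number accepted
        self.bitmap = 0     # bit i set => seq (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is accepted (and mark it as received)."""
        if seq == 0:
            return False                      # first valid ESP seq is 1
        if seq > self.top:
            # New right edge: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything older falls off
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # too old: left of the window
        if self.bitmap & (1 << diff):
            return False                      # duplicate: replay rejected
        self.bitmap |= 1 << diff              # late but inside the window
        return True


def simulate(window_size: int, queued: int) -> tuple:
    """Constructed arrival pattern (assumption): the sender emits sequence
    numbers 1..queued+2 in order, but the last packet (high priority)
    overtakes the `queued` lower-priority packets waiting ahead of it.
    Returns (accepted, dropped) counts at the receiver."""
    delayed = list(range(2, 2 + queued))      # the low-priority backlog
    overtaking = 2 + queued                   # the high-priority packet
    arrivals = [1, overtaking] + delayed      # order seen by the receiver
    window = AntiReplayWindow(window_size)
    accepted = sum(window.check_and_update(s) for s in arrivals)
    return accepted, len(arrivals) - accepted


if __name__ == "__main__":
    for size in (64, 1024):
        ok, dropped = simulate(size, queued=100)
        print(f"window={size:5d}: accepted={ok:3d} dropped={dropped}")
```

With a backlog of 100 packets, the 64-entry window drops the 37 oldest delayed packets because they fall left of the window once the overtaking packet has advanced its right edge; the 1024-entry window accepts all of them. The window still rejects a genuine duplicate in both cases, which is the property a larger window must preserve.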

IKEv2 Link Maximum Atomic Packet and Packet Too Big Notification Extension

Daniel Migault daniel.migault@ericsson.com (5 min)
draft-liu-ipsecme-ikev2-mtu-detect

Christian Hopps: The "packet too big" at the egress should get back to the
ingress router.
The egress router re-assembles the ESP fragments, decrypts them and
discovers it can't forward the decrypted packet. If the ICMP is lost, it
is lost between egress and ingress.
Ben Schwartz: if you don't want to fragment, set that bit. These
notifications are not necessary.
Daniel thinks the don't-fragment bit does not solve the issue. We noticed
it in our implementations.

Diet ESP: ESP Header compression, IKEv2 EHC

Daniel Migault daniel.migault@ericsson.com (5 min)
draft-mglt-ipsecme-ikev2-diet-esp-extension
draft-mglt-ipsecme-diet-esp

Paul Wouters: the notify payloads, are these text or values?
WG Chair: no, they are similar to SA attributes. Out of time, so take it
to the list.

Anti-replay sequence number subspaces for traffic-engineered paths and multi-core processing

Mohsin Shaikh mohsisha@cisco.com (10 min)
draft-ponchon-ipsecme-anti-replay-subspaces

Paul Wouters: It is worth having this as an RFC.
There are possibly 3 IPR disclosures that apply to this ID. The SSH one
gave us permission. The status of the other two possible IPRs is unknown.
Paul will reach out to the person who brought the IPRs to the mailing
list's attention.

Use of Reliable Transport in the IKEv2

Valery Smyslov smyslov.ietf@gmail.com (10 min)
draft-smyslov-ipsecme-ikev2-reliable-transport

Tero: consider using ESP ping, a new ID that was submitted yesterday, to
discover the viability of IKE over UDP or ESP.
WG Chair would discuss possible adoption with our AD, and revisit whether
it is within the charter.

Problem statements and use cases for lightweight Child Security Associations

Steffen Klassert steffen.klassert@secunet.com (10 min)
draft-mrossberg-ipsecme-multiple-sequence-counters

Ben: why can't you parallelize it?
Tero: thinks probably not much re-ordering actually happens.
Chris: there is a five-tuple that is used to put a packet on a specific
core.
Ben: the point should be to tolerate more. Re-ordering is happening anyway.

Tero: on Slide 10: is it multiple IKE SAs or IPsec?
Steffen: yes, multiple IKE SAs on Slide 10.
Ben: like a sub child SA. In terms of key derivations, that would help.
Paul/Tero: that is almost similar to a new child SA?
Yoav: likes the sub SA and parallel SA. We already implemented it.
Tero: Sub child SA would lead to ESP v4.0, which may be out of scope for
the charter.

Adoption calls

Chairs (5 min)

Skipped the onsite polls because there was not enough time, and because
the AD was not in the room.

AOB + Open Mic (0 min)

Paul: proposed an interim meeting in two months to speed up the
process/work of the Working Group.

EOF