IETF 117 - Wednesday July 28th, 2023 15:30-17:00 PDT
https://meetings.conf.meetecho.com/ietf117/?group=ipsecme&short=&item=1
Presentations
Adoption calls
Chairs (5 min)
Nothing
Chairs (10 min)
Chairs: add missing sections to draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt
Paul Wouters paul@nohats.ca (15 min)
draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt
Tero: This is an optimization; minimal implementations support only a
limited case. We do not need to support all cases; we can limit the use
to a certain subset.
Tero: Ask on the mailing list whether anyone is using IPCOMP with a
different CPI, or rekeying?
Ben Schwartz bemasc@meta.com (10 min)
draft-xu-ipsecme-risav
Joel Halpern, co-chair: SAVNET is working on inter-domain problem analysis.
Please come to us.
Daniel Migault daniel.migault@ericsson.com (5 min)
draft-mglt-ipsecme-ts-dscp
WG Chair: probably the main confusion on the list is why to use DSCP as a
traffic selector.
Joel Halpern, co-author of the draft: A small subset of high-priority
traffic gets to the queue on the sender and arrives at the receiver out of
order, which triggers replay protection at the receiver.
Joel Halpern: so we are not able to solve the cause of the issue.
Christian Hopps: how big is your replay window? It would be easy to
implement a large replay window.
Joel: We do not know.
Scott Fluhrer: if there are multiple SAs, does it matter which SA the
DSCP-marked traffic takes? IPsec can handle deleting an SA while
sending traffic on another SA.
Yoav Nir: is the DSCP value coupled between the inner and outer packet?
Joel: yes it is coupled.
Yoav: the coupling might be the cause of the problem!
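Added example, not part of the minutes or of any of the drafts discussed: the per-SA sliding-window anti-replay check that the replay-window question above refers to, modelled on the bitmap scheme in RFC 4303 Appendix A, run over a constructed arrival order in which a few low-priority packets of one SA are overtaken by a burst of high-priority packets of the same SA. The window sizes, packet counts and the reorder pattern are assumptions chosen to illustrate the drop; RFC 4303 also separates the window check (before ICV verification) from the window update (after it), which this toy combines because no ICV is computed.

```python
"""Sliding-window ESP anti-replay check (RFC 4303 Appendix A style), plus a
constructed reorder scenario. Example code written for these minutes; not
from any IPsec implementation or draft."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ReplayWindow:
    """Receiver-side window over ESP sequence numbers for one SA.

    `highest` is the largest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (highest - i) has been accepted.
    Sequence number 0 is never valid, so an empty window starts at 0.
    """

    size: int
    highest: int = 0
    bitmap: int = 0
    accepted: int = 0
    replays: int = 0
    too_old: int = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is fresh and inside the window."""
        if seq == 0:
            return False
        if seq > self.highest:
            # Packet is to the right of the window: slide the window up.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1               # every old bit falls off the left edge
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.size:
            self.too_old += 1                 # left of the window: dropped as "too old"
            return False
        if self.bitmap & (1 << offset):
            self.replays += 1                 # already seen: genuine replay
            return False
        self.bitmap |= 1 << offset            # late but inside the window: accepted
        self.accepted += 1
        return True


def dscp_reorder_scenario(n_low: int, n_high: int) -> list[int]:
    """Constructed arrival order (assumption, not captured traffic):
    sequence numbers 1..n_low are low-priority packets queued behind a burst
    of n_high high-priority packets (n_low+1 .. n_low+n_high) on the same SA,
    so the burst arrives first and the low-priority packets arrive last."""
    high = list(range(n_low + 1, n_low + n_high + 1))
    low = list(range(1, n_low + 1))
    return high + low


def run(window_size: int, arrivals: list[int]) -> dict[str, int]:
    """Feed `arrivals` through a fresh window and return the drop statistics."""
    w = ReplayWindow(window_size)
    for seq in arrivals:
        w.check_and_update(seq)
    return {"accepted": w.accepted, "too_old": w.too_old, "replays": w.replays}


def min_window_needed(arrivals: list[int]) -> int:
    """Smallest window that would accept every distinct packet in this order:
    one more than the largest backward distance from the running maximum."""
    highest, need = 0, 1
    for seq in arrivals:
        if seq > highest:
            highest = seq
        else:
            need = max(need, highest - seq + 1)
    return need


if __name__ == "__main__":
    arrivals = dscp_reorder_scenario(n_low=5, n_high=95)
    for size in (64, 96, 128):
        print(f"window={size:3d}", run(size, arrivals))
    print("minimum window for this arrival order:", min_window_needed(arrivals))
```

The 64-bit window drops all five late packets as "too old", a 96-bit window still drops four, and only a window of at least 100 (the reorder distance of the earliest packet) passes everything; a genuine duplicate is rejected regardless of window size because its bit is already set.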
Daniel Migault daniel.migault@ericsson.com (5 min)
draft-liu-ipsecme-ikev2-mtu-detect
Christian Hopps: The "packet too big" at the egress should get back to the
ingress router. The egress router, having reassembled the ESP fragments and
decrypted them, discovers that it can't forward the decrypted packet. If the
ICMP is lost, it is lost between the egress and the ingress.
Ben Schwartz: if you don't want to fragment, set that bit. These
notifications are not necessary.
Daniel thinks Don't Fragment does not solve the issue. We noticed it in
our implementations.
Daniel Migault daniel.migault@ericsson.com (5 min)
draft-mglt-ipsecme-ikev2-diet-esp-extension
draft-mglt-ipsecme-diet-esp
Paul Wouters: the notify payloads, are these text or values?
WG Chair: no, they are similar to SA attributes. Out of time, so take it
to the list.
Mohsin Shaikh mohsisha@cisco.com (10 min)
draft-ponchon-ipsecme-anti-replay-subspaces
Paul Wouters: It is worth having this as an RFC.
There are possibly 3 IPR declarations that apply to this ID. The SSH one
gave us permission. The status of the other two possible IPRs is unknown.
Paul will reach out to the person who brought the IPRs to the mailing
list's attention.
Valery Smyslov smyslov.ietf@gmail.com (10 min)
draft-smyslov-ipsecme-ikev2-reliable-transport
Tero: consider using ESP ping, a new ID that was submitted yesterday, to
discover the viability of IKE over UDP or ESP.
WG Chair: will discuss possible adoption with our AD, and revisit whether
it is within the charter.
Steffen Klassert steffen.klassert@secunet.com (10 min)
draft-mrossberg-ipsecme-multiple-sequence-counters
Ben: why can't you parallelize it?
Tero: thinks probably not much re-ordering actually happens.
Chris: there is a five-tuple that is used to put a packet on a specific
core.
Ben: the point should be to tolerate more. Re-ordering is happening anyway.
Tero: on slide 10: is it multiple IKE SAs or IPsec SAs?
Steffen: yes, multiple IKE SAs on slide 10.
Ben: like a sub-child SA. In terms of using key derivations, that would help.
Paul/Tero: that is almost the same as a new child SA?
Yoav: likes the sub SA and parallel SA. We already implemented it.
Tero: a sub-child SA would lead to ESP v4.0, which may be out of scope for
the charter.
Chairs (5 min)
Skipped the onsite polls because there was not enough time, and because the
AD is not in the room.
Paul: proposed an interim meeting in two months to speed up the work of the
Working Group.