Hi,

Thank you for providing use cases in the new version of the draft.

I still have some questions about the intended use of the ESP Ping protocol.

I understand from the draft that one of the use cases is a manual check for ESP connectivity by network operators. This use case is clear to me.

The unclear part is how the ESP Ping is intended to be used in the IPsec SA establishment process.

Should it always be initiated before starting IKE? Should it be periodically initiated after the ESP SA is established to check for network connectivity changes?

What about MOBIKE – should it be initiated before MOBIKE starts changing IP addresses?

None of this is clear from the draft.

Another concern of mine is that the draft seems to confirm my suspicions that the usefulness of this protocol is limited. After reading the draft, it seems that the algorithm for establishing an IPsec SA is as follows:

1. Send ESP Echo Request
2. If ESP Echo Reply is received, start IKE
3. If no ESP Echo Reply is received, start IKE (*)

(*) possibly with UDP encapsulation, or without it.

So, the draft says that you SHOULD start creating ESP regardless of the result of ESP Ping.

Thus, why delay SA establishment (you need to wait some time for the response) with ESP Ping?

Perhaps a better alternative would be to use the mechanism described in draft-antony-ipsecme-encrypted-esp-ping in combination with ESP-in-UDP encapsulation.

The peers can establish ESP with forced UDP encapsulation (regardless of the presence of NAT) and then immediately start an encrypted ESP ping on the established ESP SA with no UDP encapsulation.

If it succeeds, then the peers continue to use this ESP SA with no UDP encapsulation; if not, with it. Note that RFC 7296 requires that if UDP encapsulation is negotiated, then peers are free to either use it or not (even on a per-packet basis), unless NAT is detected.

Regards,

Valery.
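To make the timing argument in the message above concrete, the following Python simulation (added here as an illustration; it is not code from the thread, from draft-colitti-ipsecme-esp-ping or from draft-antony-ipsecme-encrypted-esp-ping) models both strategies against a toy network: the three-step "ESP Echo first, then IKE regardless" flow as summarised above, and the alternative of negotiating forced UDP encapsulation immediately and probing raw ESP on the live SA afterwards. The network model, the assumed round-trip time, probe timeout and IKE duration, and the choice of UDP encapsulation when the Echo goes unanswered are all assumptions of the example; RFC 7296's rule that a detected NAT mandates UDP encapsulation is the one fixed point.

```python
"""Constructed simulation of the two ESP reachability strategies.

Nothing here comes from the ESP Ping drafts; the network is a toy model and
the timing constants are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Encap(Enum):
    RAW_ESP = "ESP (IP protocol 50)"
    UDP_ESP = "ESP-in-UDP (UDP/4500)"


@dataclass(frozen=True)
class Network:
    passes_raw_esp: bool          # does the path forward IP protocol 50?
    nat_present: bool             # will IKE NAT detection find a NAT?
    rtt_s: float = 0.05           # assumed round-trip time
    probe_timeout_s: float = 2.0  # assumed wait for an unanswered probe

    def delivers(self, encap: Encap) -> bool:
        # Model assumption: UDP-encapsulated ESP always gets through.
        return True if encap is Encap.UDP_ESP else self.passes_raw_esp


@dataclass(frozen=True)
class Outcome:
    encap: Encap          # encapsulation finally used for data traffic
    data_ready_s: float   # time until the first data packet can be sent
    probes_sent: int


def draft_style(net: Network, ike_s: float = 0.2) -> Outcome:
    """Steps 1-3 as summarised in the message: ESP Echo first, IKE regardless."""
    reply = net.delivers(Encap.RAW_ESP)
    # A reply costs one RTT; no reply means waiting out the probe timeout
    # before IKE is even started.
    probe_wait = net.rtt_s if reply else net.probe_timeout_s
    # (*) the summary leaves the encapsulation choice open; this model picks
    # UDP encapsulation when the Echo went unanswered. Independently of the
    # probe, RFC 7296 makes UDP encapsulation mandatory once a NAT is detected.
    use_udp = (not reply) or net.nat_present
    encap = Encap.UDP_ESP if use_udp else Encap.RAW_ESP
    return Outcome(encap, probe_wait + ike_s, probes_sent=1)


def encrypted_ping_style(net: Network, ike_s: float = 0.2) -> Outcome:
    """The alternative proposed in the message: IKE immediately with forced
    UDP encapsulation, then an encrypted ESP ping on the new SA without it."""
    # Data flows UDP-encapsulated as soon as IKE finishes; no probe precedes it.
    data_ready = ike_s
    if net.nat_present:
        # NAT detected: RFC 7296 requires UDP encapsulation, so probing raw
        # ESP would not change anything.
        return Outcome(Encap.UDP_ESP, data_ready, probes_sent=0)
    # Without a NAT the peers may choose per packet: probe raw ESP on the
    # live SA and switch to it only if the encrypted ping is answered.
    reply = net.delivers(Encap.RAW_ESP)
    chosen = Encap.RAW_ESP if reply else Encap.UDP_ESP
    return Outcome(chosen, data_ready, probes_sent=1)


def compare(net: Network) -> dict:
    """Run both strategies against the same network model."""
    a, b = draft_style(net), encrypted_ping_style(net)
    return {
        "draft": a,
        "encrypted_ping": b,
        "delay_saved_s": round(a.data_ready_s - b.data_ready_s, 3),
    }


if __name__ == "__main__":
    # Constructed scenarios: open path, path that drops protocol 50, NAT present.
    for net in (Network(True, False), Network(False, False), Network(True, True)):
        print(net, compare(net))
```

The scenario that matters for the argument is the path that drops IP protocol 50: the Echo-first flow spends the whole probe timeout before IKE begins and still ends up on UDP encapsulation, whereas the alternative has UDP-encapsulated data flowing as soon as IKE completes and only uses the probe to decide whether raw ESP can be switched on later.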

 

 

 

 

From: Yoav Nir <ynir.i...@gmail.com> 
Sent: Tuesday, June 11, 2024 7:44 AM
To: ipsec <ipsec@ietf.org>
Cc: Jen Linkova <furr...@gmail.com>
Subject: [IPsec] The ESP Echo Protocol document for IPsecME

Hi, folks

At IETF 119, Jen Linkova presented [1] the ESP Echo Protocol draft [2].

The conversation in the room was lively, but did not look like the kind of consensus that we just confirm on the list.

So rather than starting an adoption call now, we’d like to encourage people to discuss it on the list, to see if we are approaching such a consensus.

Regards,

Yoav on behalf of the chairs

[1] https://youtu.be/n-yH3jtQmdQ?t=1205 (presentation starts at the 20:10 mark)

[2] https://datatracker.ietf.org/doc/draft-colitti-ipsecme-esp-ping/

_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org
