Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)

2020-02-25 Thread Yoav Nir
The draft says “IPsec tunnel mode is required”, so it’s not transport. What
goes in the TS payloads?

> On 26 Feb 2020, at 3:20, Michael Richardson  wrote:
> 
> 
>> Michael: Yoav talked about the non-GRE case.
> 
> In the non-GRE case, then it's just IPIP-over-IPSEC-transport mode.
> Which is literally the VTI case.
> 
> --
> ]   Never tell me the odds! | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works|IoT architect   [
> ] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[
>
> --
> Michael Richardson , Sandelman Software Works
> -= IPv6 IoT consulting =-

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)

2020-02-25 Thread Michael Richardson

> Michael: Yoav talked about the non-GRE case.

In the non-GRE case, then it's just IPIP-over-IPSEC-transport mode.
Which is literally the VTI case.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works|IoT architect   [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[


--
Michael Richardson , Sandelman Software Works
 -= IPv6 IoT consulting =-







Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)

2020-02-25 Thread Toerless Eckert
Michael: Yoav talked about the non-GRE case.

On Tue, Feb 25, 2020 at 05:44:10PM -0500, Michael Richardson wrote:
> 
> Yoav Nir  wrote:
> > The profile specifies that the ACP nodes should use tunnel mode (when
> > GRE is not used), because: IPsec tunnel mode is required because the
> > ACP will route/forward packets received from any other ACP node across
> > the ACP secure channels, and not only its own generated ACP packets.
> 
> It's a VTI-type interface.
> The TS should be for hostA<->hostB with protocol GRE.
> It could be in tunnel or transport mode.
> hostA and hostB are identified, btw, with IPv6 LL addresses.
> 
> > If I understand the above paragraph correctly, both the source of the
> > packet and the destination can be the IP address of any ACP node,
> > neither of which are required to be the tunnel endpoints.  This implies
> > some sort of generic traffic selector.  The draft should specify this,
> > IMO
> 
> The GRE layer and the routing protocol would take care of the ::/0<->::/0
> needs, not IPsec.
> 
> --
> Michael Richardson , Sandelman Software Works
>  -= IPv6 IoT consulting =-


-- 
---
t...@cs.fau.de



Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)

2020-02-25 Thread Michael Richardson

Yoav Nir  wrote:
> The profile specifies that the ACP nodes should use tunnel mode (when
> GRE is not used), because: IPsec tunnel mode is required because the
> ACP will route/forward packets received from any other ACP node across
> the ACP secure channels, and not only its own generated ACP packets.

It's a VTI-type interface.
The TS should be for hostA<->hostB with protocol GRE.
It could be in tunnel or transport mode.
hostA and hostB are identified, btw, with IPv6 LL addresses.

> If I understand the above paragraph correctly, both the source of the
> packet and the destination can be the IP address of any ACP node,
> neither of which are required to be the tunnel endpoints.  This implies
> some sort of generic traffic selector.  The draft should specify this,
> IMO

The GRE layer and the routing protocol would take care of the ::/0<->::/0
needs, not IPsec.

--
Michael Richardson , Sandelman Software Works
 -= IPv6 IoT consulting =-







Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)

2020-02-25 Thread Toerless Eckert
On Tue, Feb 25, 2020 at 10:17:30PM +0200, Yoav Nir wrote:
> ipsec is this group’s mailing list. I don’t know that there even is an
> ipse...@ietf.org

Yepp. Silly me. Didn't check that ipsecme was keeping the old mailing list name.

> I read a little more. Hope you don’t mind.
> 
> The profile seems fine to me.

Great!

> There is one thing that I think is missing.
> 
> The profile specifies that the ACP nodes should use tunnel mode (when GRE is 
> not used), because:
>IPsec tunnel mode is required because the ACP will route/forward
>packets received from any other ACP node across the ACP secure
>channels, and not only its own generated ACP packets.  With IPsec
>transport mode, it would only be possible to send packets originated
>by the ACP node itself.

> OK. When IKEv2 is used to negotiate tunnel-mode SAs (and transport mode, but 
> that’s not important here) they need an IPsec policy that specifies traffic
> selectors so that IKEv2 can specify traffic selectors.  Nowhere in your draft 
> do I see a specification of what traffic selectors need to be negotiated.
> 
> If I understand the above paragraph correctly, both the source of the packet 
> and the destination can be the IP address of any ACP node, neither of which 
> are required to be the tunnel endpoints.  This implies some sort of generic 
> traffic selector.  The draft should specify this, IMO

Great catch.

How about:

The traffic selector for the SA MUST be set to IPv6 ANY ANY (::/0, ::/0).

(was trying to find an RFC with the same requirement, but too difficult to grep
;-)

Cheers
toerless

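The two selector options raised in the thread, Michael's "hostA<->hostB with protocol GRE" and Toerless's "IPv6 ANY ANY (::/0, ::/0)", can be made concrete by encoding them as IKEv2 TS_IPV6_ADDR_RANGE substructures (RFC 7296 section 3.13.1) and checking which packets each would admit. The following is an added example written for this thread, not code from the ACP draft, the list, or any IKE implementation; the link-local and ULA addresses, the node names A, B and C, and the helper names are constructed for illustration. It shows why a narrow host-to-host selector only works when GRE hides the forwarded inner packets, while tunnel mode without GRE needs the ::/0 pair to cover packets that a third ACP node originated.

```python
"""IKEv2 IPv6 traffic selectors: encode/decode the TS_IPV6_ADDR_RANGE
substructure from RFC 7296 section 3.13.1 and check which packets a
negotiated TSi/TSr pair admits.  Added example, not the draft's own text."""
import ipaddress
import struct
from dataclasses import dataclass

TS_IPV6_ADDR_RANGE = 8   # TS Type value from RFC 7296
IPPROTO_ANY = 0          # IP Protocol ID 0 means "any protocol"
IPPROTO_GRE = 47
IPPROTO_ICMPV6 = 58


@dataclass(frozen=True)
class TrafficSelector:
    proto: int
    start_port: int
    end_port: int
    start_addr: ipaddress.IPv6Address
    end_addr: ipaddress.IPv6Address

    @classmethod
    def from_network(cls, net, proto=IPPROTO_ANY, start_port=0, end_port=65535):
        """Build a selector covering a whole prefix (first to last address)."""
        n = ipaddress.IPv6Network(net)
        return cls(proto, start_port, end_port, n[0], n[-1])

    def encode(self) -> bytes:
        # TS Type(1) | IP Protocol ID(1) | Selector Length(2) | Start Port(2) |
        # End Port(2) | Starting Address(16) | Ending Address(16) = 40 bytes
        header = struct.pack("!BBHHH", TS_IPV6_ADDR_RANGE, self.proto, 40,
                             self.start_port, self.end_port)
        return header + self.start_addr.packed + self.end_addr.packed

    @classmethod
    def decode(cls, data: bytes) -> "TrafficSelector":
        if len(data) < 40:
            raise ValueError("truncated traffic selector")
        ts_type, proto, length, sport, eport = struct.unpack("!BBHHH", data[:8])
        if ts_type != TS_IPV6_ADDR_RANGE or length != 40:
            raise ValueError("not a TS_IPV6_ADDR_RANGE selector")
        return cls(proto, sport, eport,
                   ipaddress.IPv6Address(data[8:24]),
                   ipaddress.IPv6Address(data[24:40]))

    def matches(self, addr, proto, port=0) -> bool:
        """Address, protocol and port all have to fall inside the selector."""
        a = ipaddress.IPv6Address(addr)
        return (self.proto in (IPPROTO_ANY, proto)
                and self.start_addr <= a <= self.end_addr
                and self.start_port <= port <= self.end_port)


def admitted(tsi, tsr, src, dst, proto, sport=0, dport=0) -> bool:
    """True if a src->dst packet fits the initiator/responder selector pair."""
    return tsi.matches(src, proto, sport) and tsr.matches(dst, proto, dport)


# Constructed addresses (assumptions for this example, not values from the draft):
HOST_A = "fe80::1"        # ACP node A, link-local address used as channel endpoint
HOST_B = "fe80::2"        # ACP node B, the peer endpoint on the same link
ACP_ADDR_A = "fd00:1::a"  # A's ACP (ULA) address
ACP_ADDR_C = "fd00:1::c"  # a third ACP node C, whose packets B forwards to A

# The "IPv6 ANY ANY (::/0, ::/0)" selector proposed in the thread.
ANY_ANY = TrafficSelector.from_network("::/0")
# The host-to-host, protocol-GRE selector described for the GRE-over-IPsec case.
GRE_FROM_B = TrafficSelector.from_network(HOST_B + "/128", proto=IPPROTO_GRE)
GRE_TO_A = TrafficSelector.from_network(HOST_A + "/128", proto=IPPROTO_GRE)


def forwarded_admitted_by_any_any() -> bool:
    """Tunnel mode, ::/0 <-> ::/0: a packet C originated and B forwards to A fits."""
    return admitted(ANY_ANY, ANY_ANY, ACP_ADDR_C, ACP_ADDR_A, IPPROTO_ICMPV6)


def forwarded_rejected_by_host_selector() -> bool:
    """A bare hostB<->hostA selector (no GRE) does not cover C's forwarded packet."""
    host_b = TrafficSelector.from_network(HOST_B + "/128")
    host_a = TrafficSelector.from_network(HOST_A + "/128")
    return admitted(host_b, host_a, ACP_ADDR_C, ACP_ADDR_A, IPPROTO_ICMPV6)


def gre_encapsulated_admitted() -> bool:
    """With GRE, IPsec only sees GRE between the endpoints, so the narrow TS suffices."""
    return admitted(GRE_FROM_B, GRE_TO_A, HOST_B, HOST_A, IPPROTO_GRE)


def any_any_wire_header() -> bytes:
    """First 8 bytes of the encoded ::/0 selector: type 8, proto 0, len 40, ports 0-65535."""
    return ANY_ANY.encode()[:8]


if __name__ == "__main__":
    print(any_any_wire_header().hex(), forwarded_admitted_by_any_any(),
          forwarded_rejected_by_host_selector(), gre_encapsulated_admitted())
```

The check is deliberately the plain RFC 7296 semantics (address range, protocol ID, port range); a real IKE daemon also narrows the proposed selectors during negotiation, which this example does not model.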


Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)

2020-02-25 Thread Yoav Nir
Hi, Toerless.

I trimmed below most of your background info.

> On 24 Feb 2020, at 21:50, Toerless Eckert  wrote:
> 
> [hope it's fine to cross-post ipsec and ipsecme given how one is concluded,
> but may have more long-time subscribers]

ipsec is this group’s mailing list. I don’t know that there even is an 
ipse...@ietf.org 

> We're looking for opinions about an IPsec profile for "Autonomic Control 
> Plane"
> draft-ietf-anima-autonomic-control-plane, or specifically 6.7.1.1.1 of:
> 
> https://raw.githubusercontent.com/anima-wg/autonomic-control-plane/be056679b9c9cac8c2d664958a3b91585b010a83/draft-ietf-anima-autonomic-control-plane/draft-ietf-anima-autonomic-control-plane.txt
> 
> Quick background so you do not need to read anything more than 6.7.1.1.1:

I read a little more. Hope you don’t mind.

The profile seems fine to me. There is one thing that I think is missing.

The profile specifies that the ACP nodes should use tunnel mode (when GRE is 
not used), because:
   IPsec tunnel mode is required because the ACP will route/forward
   packets received from any other ACP node across the ACP secure
   channels, and not only its own generated ACP packets.  With IPsec
   transport mode, it would only be possible to send packets originated
   by the ACP node itself.
OK. When IKEv2 is used to negotiate tunnel-mode SAs (and transport mode, but 
that’s not important here) they need an IPsec policy that specifies traffic 
selectors so that IKEv2 can specify traffic selectors.  Nowhere in your draft 
do I see a specification of what traffic selectors need to be negotiated.

If I understand the above paragraph correctly, both the source of the packet 
and the destination can be the IP address of any ACP node, neither of which are 
required to be the tunnel endpoints.  This implies some sort of generic traffic 
selector.  The draft should specify this, IMO

Yoav
