Re: [Hipsec] Adam Roach's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)

2019-10-07 Thread Miika Komu 
Hi,

pe, 2019-10-04 kello 10:58 -0500, Adam Roach kirjoitti:
> Thanks for the reply! I think we're getting closer to an answer
> here, 
> but I'm still quite lost on one key aspect.
> 
> 
> On 10/4/19 7:15 AM, Miika Komu wrote:
> > In the legacy HIP NAT traversal (RFC5770), we have third protocol
> > (STUN) on the same port and it does not follow RFC7401 conventions
> > because it was not designed with IPsec in mind. As a result,*all*
> > packets need to be diverted to an userland daemon in order to
> > separate
> > the STUN packets from HIP/ESP.
> 
> 
> I can't figure out why this diversion is necessary. What prevents 
> characterization of packets in kernel space?

so let's split discussion of a new kernelspace component into
subproblems below. I believe the security aspects (2) could be real a
showstopper.

1. Standardization

I believe separate separate standardization effort (RFC2367?) would be
needed since this would impact all IPsec keying daemons, not just HIP
(since they share the kernel). I am not sure how to do it because
PF_KEY API is not really meant for delivering entire STUN packets to
userland daemons.

2. Security

Some security considerations are also needed to avoid messing ESP
traffic with bogus STUN packets. Probably this can be a big mess
because STUN packets don't have as strong security measures as
IKE/HIP/etc IPsec keying daemons.

Possibly STUN message security checks needs additional inspection via
userspace daemons, which makes a kernelspace solution moot.

3. Performance overhead

The kernelspace component would have to be some kind of hook in the ESP
modules (at least in the tunnel and beet modules) that detects incoming
STUN and deliver it to userspace daemons. It would still incur some
performance overhead since all ESP packets need extra inspection
(albeit incur less overhead than with userspace diversion).

4. Other IPsec keying daemons

A new ESP extension would require extra support in all existing IPsec
keying daemons since it's a new kernel module impacting all of them. It
doesn't make sense to define just a single hack for HIP.

5. Ship the kernelspace extension as a standard Linux kernel module

Have you ever implemented a Linux kernel module and tried to get it
accepted into Linux kernel? We actually tried to get HIP control plane
into Linux networking stack and failed miserably. Then we changed plans
and struggled a couple of years with the BEET IPsec module and finally
got it into Linux kernel. It was worth the trouble but personally I'd
rather not repeat this exercise again.

6. Ship the kernelspace extension as a separate kernel module

One option is to maintain a separate kernel module like with Virtual
Box or VMware has been doing earlier. So when you install HIP software,
you need to compile a kernel module. This is ok for developers, but I
don't think normal users want to do it. And it is painful to do it
everytime you have kernel updates, so you really want to have your
stuff in Linux distributions (of which there are quite a many...)

7. Repeat the exercise with Apple and Windows

No idea what it requires.

___
Hipsec mailing list
Hipsec@ietf.org
https://www.ietf.org/mailman/listinfo/hipsec

Re: [Hipsec] Adam Roach's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)

2019-10-04 Thread Adam Roach 
Thanks for the reply! I think we're getting closer to an answer here, 
but I'm still quite lost on one key aspect.



On 10/4/19 7:15 AM, Miika Komu wrote:

In the legacy HIP NAT traversal (RFC5770), we have third protocol
(STUN) on the same port and it does not follow RFC7401 conventions
because it was not designed with IPsec in mind. As a result,*all*
packets need to be diverted to an userland daemon in order to separate
the STUN packets from HIP/ESP.



I can't figure out why this diversion is necessary. What prevents 
characterization of packets in kernel space?


/a

___
Hipsec mailing list
Hipsec@ietf.org
https://www.ietf.org/mailman/listinfo/hipsec

Re: [Hipsec] Adam Roach's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)

2019-10-04 Thread Miika Komu 
Hi Adam,

ke, 2018-05-09 kello 22:43 -0700, Adam Roach kirjoitti:
> Adam Roach has entered the following ballot position for
> draft-ietf-hip-native-nat-traversal-28: Abstain
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut
> this
> introductory paragraph, however.)
> 
> 
> Please refer to 
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/
> 
> 
> 
> ---
> ---
> COMMENT:
> ---
> ---
> 
> I share Ben's concerns about the disjointedness of this document's
> specification, and am likewise abstaining. My reasons for abstaining
> are
> deeper than Ben's, however.
> 
> I recognize that the effort put into this document is substantial,
> and that
> the recommendations I make are unlikely to be taken at this point in
> time,
> but I believe that the HIP ecosystem would be far better served by an
> "RFC
> 5570 bis" approach rather than a modified form of ICE recast using
> HIP
> messages. Among other reasons: several companies already offer
> geographically-distributed hosted TURN solutions, largely due to the
> relative
> popularity of WebRTC. HIP will have to reach a similar level of
> popularity
> before HIP-specific relay nodes are similarly commercially
> available.  Using
> ICE as-is would allow HIP to use those services that are available
> today.

nothing prevents from using TURN relays with the native NAT traversal
mode as only the host using TURN relay needs to implement TURN.

> As a further concern, I worry that this pattern may end up replicated
> in other
> protocols. For example, although ICE was initially developed with
> RTP/RTCP in
> mind, it was not implemented as a series of extensions to RTP or
> RTCP;
> instead, it is its own protocol, intended to be re-used in other
> contexts. I
> would not like to see, e.g., ICE-like extensions to the QUIC protocol
> to enable
> its use in peer-to-peer situations; I would certainly hope that such
> an effort
> would use ICE as currently defined.

I think the justification is only related to IPsec keying daemons,
please see below.

> Given that the headline rationale offered in this document is that
> "Implementing a full ICE/STUN/TURN protocol stack as specified in
> Legacy
> ICE-HIP results in a considerable amount of effort and code which
> could be
> avoided by re-using and extending HIP messages and state machines for
> the same
> purpose," this document puts forth an implication that all protocols
> could
> benefit from similar not-quite-ICE-but-almost-ICE extensions. I
> believe
> this implication is harmful. I also believe this analysis overlooks
> the
> availability of multiple existing, open-source, already-debugged, and
> "compatible with commercial use" ICE implementations.

the protocol that we specify in the document implements only a subset
of ICE and there I belive it should be relatively straighforward to
interop it.

ICE has not been designed with IPsec in mind (see my comments below),
so something else is needed.

> It is not clear that the four additional reasons offered in Appendix
> B are
> sufficient to justify the design. Taken in turn:
> 
> >  For example, ICE is meant for application-layer protocols, whereas
> > HIP
> >  operates at layer 3.5 between transport and network layers.
> 
> This doesn't have practical effect: ICE is designed to work with
> generic UDP
> packet flows, subject only to the ability to demultiplex STUN from
> such
> packets.
> 
> >  This is particularly problematic because the implementations
> > employ IPsec
> >  ESP as their data plane: demultiplexing of incoming ESP, HIP and
> > TURN
> >  messages required capturing of all UDP packets destined to port
> > 10500 to
> >  the userspace, thus causing additional software complexity and an
> >  unnecessary latency/throughput bottleneck for the dataplane
> > performance.
> 
> This doesn't seem like a foregone consequence. If you're using user-
> space HIP
> implementations, this user-space diversion is already necessary. If
> you're
> using kernel-space HIP implementations, it seems a modest step to add
> minimal
> STUN demultiplexing to the kernel implementation that is already
> performing
> ESP/HIP demultiplexing.  It's possible that I'm misunderstanding some
> subtle
> aspect of the way these protocols interact with each other, but isn't
> this
> described performance impact simply the result of specific
> implementation
> design decisions rather than inherent to the design of RFC 5570's
> mechanism?

the userspace diversion is completely unnecessary in the native NAT
traversal draft. HIP control packets have a special