Re: [IPsec] Question about ipsecme-tcp-encaps

2017-05-18 Thread Michael Richardson
Paul Wouters wrote: >> It seems that a reasonable implementation might spawn off many >> TCP-IKE-ESP daemons (perhaps even via TCP-load balancer proxy) to demux >> and decapsulate the traffic, turning it into real ESP and real IKE >> packets, >> and send it to

Re: [IPsec] Question about ipsecme-tcp-encaps

2017-05-18 Thread Michael Richardson
Tero Kivinen wrote: > Actually no. Unknown SPI is something that can happen in normal case > too, as there are some race conditions which might cause the one end > to install the Child SA before the other end has installed it, thus > this might cause message with

Re: [IPsec] Question about ipsecme-tcp-encaps

2017-05-18 Thread Tero Kivinen
Yoav Nir writes: > But since Tommy’s happy with tearing down the connection after one invalid > SPI, that solves the problem nicely. I do not think we want to do that. There are valid cases where we might get unknown SPIs, so tearing the connection down after one of those is not a good solution. > By

Re: [IPsec] Question about ipsecme-tcp-encaps

2017-05-18 Thread Tero Kivinen
Tommy Pauly writes: > However: > a) That’s in a paragraph that starts “If a TCP connection is being > used to resume a previous IKE session…”; does it apply only in that case? > > No, the MUST close applies for all connections, regardless of resumption. We > could add a paragraph

Re: [IPsec] Question about ipsecme-tcp-encaps

2017-05-17 Thread Yoav Nir
> On 17 May 2017, at 22:12, Scott Fluhrer (sfluhrer) wrote: > > > > > My TCP may be rusty, but I think Alice’s legitimate packet has the sequence > number to indicate it is retransmitting the byte that Bob already has. I > don’t know if that means that the new data

Re: [IPsec] Question about ipsecme-tcp-encaps

2017-05-17 Thread Scott Fluhrer (sfluhrer)
From: tpa...@apple.com [mailto:tpa...@apple.com] Sent: Wednesday, May 17, 2017 3:44 PM To: Scott Fluhrer (sfluhrer) Cc: Yoav Nir; IPsecme WG (ipsec@ietf.org) Subject: Re: [IPsec] Question about ipsecme-tcp-encaps On May 17, 2017, at 12:12 PM, Scott Fluhrer (sfluhrer) <sfluh...@cisco.

Re: [IPsec] Question about ipsecme-tcp-encaps

2017-05-17 Thread Tommy Pauly
psec@ietf.org <mailto:ipsec@ietf.org>) > Subject: Re: [IPsec] Question about ipsecme-tcp-encaps > > > On 17 May 2017, at 20:39, Scott Fluhrer (sfluhrer) <sfluh...@cisco.com > <mailto:sfluh...@cisco.com>> wrote: > > I’ve been looking over the draft, and I

Re: [IPsec] Question about ipsecme-tcp-encaps

2017-05-17 Thread Scott Fluhrer (sfluhrer)
From: Yoav Nir [mailto:ynir.i...@gmail.com] Sent: Wednesday, May 17, 2017 2:54 PM To: Scott Fluhrer (sfluhrer) Cc: IPsecme WG (ipsec@ietf.org) Subject: Re: [IPsec] Question about ipsecme-tcp-encaps On 17 May 2017, at 20:39, Scott Fluhrer (sfluhrer) <sfluh...@cisco.com<mailto:sfluh...@cis

Re: [IPsec] Question about ipsecme-tcp-encaps

2017-05-17 Thread Yoav Nir
> On 17 May 2017, at 20:39, Scott Fluhrer (sfluhrer) wrote: > > I’ve been looking over the draft, and I think I see a potential DoS attack > that does not appear to be addressed. I’m writing this to see if there is > something I missed (and if there isn’t, start

[IPsec] Question about ipsecme-tcp-encaps

2017-05-17 Thread Scott Fluhrer (sfluhrer)
I've been looking over the draft, and I think I see a potential DoS attack that does not appear to be addressed. I'm writing this to see if there is something I missed (and if there isn't, start discussion on how we might patch things up). This is the scenario I'm looking at: Alice and Bob