[IPsec] TSVDIR-ish review of draft-amjads-ipsecme-ikev2-data-channel-00

Joe Touch <touch@isi.edu> Tue, 22 October 2013 00:26 UTC

To: Martin Stiemerling <martin.stiemerling@neclab.eu>, ipsec@ietf.org, draft-amjads-ipsecme-ikev2-data-channel@tools.ietf.org, "tsv-ads@tools.ietf.org" <tsv-ads@tools.ietf.org>, tsvwg <tsvwg@ietf.org>
References: <51FA6A6C.8090803@gmail.com> <523CB65D.1090904@neclab.eu> <523CB9CB.7060507@isi.edu> <5265C19B.30108@isi.edu>
In-Reply-To: <5265C19B.30108@isi.edu>

Hi, all,

I've reviewed the following doc for TSVDIR:
      draft-amjads-ipsecme-ikev2-data-channel-00

Although this is not intended as a complete TSVDIR review, I have
checked for the typical issues.

Joe

-------------------------------------------------------------------

draft-amjads-ipsecme-ikev2-data-channel-00

This doc makes the case that IKEv2 can provide a secure data channel for
arbitrary communication, rather than being used (as designed) to
configure IPsec channels for that purpose.

This mechanism lacks congestion control, and so needs to be used only 
where its load is known to be a small fraction of capacity. In specific, 
IKE's window mechanism allows for increasing the window size but not 
decreasing it, as is needed to react to network congestion.

The acknowledged data transfer mode uses IKE's window mechanism, which 
is presumably set to a small value, and may result in very low 
throughput. Attempts to increase this window size to overcome this 
limitation can easily increase burstiness and network loss.

This mechanism includes its own fragmentation mechanism based on a 
pre-configured MTU, where it should use an adaptive size based on
PLMTUD (RFC4821). The mechanism described replicates that of IP, and so 
introduces no new issues. Fragment reassembly appears to rely on the IKE 
sequence number, and the relationship between the two should be more 
clear, especially on the reuse of the IKE sequence number and how that 
affects reassembly timeout.

---
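The reassembly-timeout point raised in the review above, as an added illustration that is not part of the original message or of the draft: the draft's fragment layout is not shown here, so the fields, the small message-ID space and the arrival trace are all assumed. It models a receiver that reassembles fragments keyed by the IKE message ID and shows what happens when the ID is reused before the old reassembly state has been expired.

```python
from dataclasses import dataclass, field


@dataclass
class Fragment:
    """One fragment of an IKE-style message; field layout is assumed, not the draft's."""
    msg_id: int      # message ID (sequence number) this fragment belongs to
    frag_num: int    # 1-based fragment index
    total: int       # number of fragments in the whole message
    payload: bytes


@dataclass
class Reassembler:
    timeout: float                               # reassembly timeout, seconds
    pending: dict = field(default_factory=dict)  # msg_id -> (t_first, {frag_num: payload}, total)

    def expire(self, now):
        """Drop reassembly state older than the timeout (simulated clock)."""
        stale = [m for m, (t0, _, _) in self.pending.items() if now - t0 > self.timeout]
        for m in stale:
            del self.pending[m]

    def receive(self, frag, now):
        """Feed one fragment; return the reassembled payload when complete, else None."""
        self.expire(now)
        _, parts, total = self.pending.setdefault(frag.msg_id, (now, {}, frag.total))
        parts[frag.frag_num] = frag.payload
        if len(parts) < total:
            return None
        del self.pending[frag.msg_id]
        return b"".join(parts[i] for i in range(1, total + 1))


def scenario(timeout):
    """Constructed trace: message ID 7 carries an old message whose second fragment is
    lost, then is reused 5 s later for a new message whose fragments arrive out of order.
    Returns the payloads the receiver delivers; a correct run delivers only b"NEW-new"."""
    r = Reassembler(timeout=timeout)
    delivered = []
    trace = [
        (Fragment(7, 1, 2, b"OLD-"), 0.0),  # old message, fragment 1 (fragment 2 never arrives)
        (Fragment(7, 2, 2, b"new"), 5.0),   # ID 7 reused: new message, fragment 2 arrives first
        (Fragment(7, 1, 2, b"NEW-"), 5.1),  # new message, fragment 1
    ]
    for frag, now in trace:
        out = r.receive(frag, now)
        if out is not None:
            delivered.append(out)
    return delivered
```

With a reassembly timeout longer than the ID reuse interval the receiver stitches the stale old fragment into the new message (`b"OLD-new"`); with a timeout shorter than the reuse interval the old state is gone and the new message is delivered intact.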