From hipsec-bounces@ietf.org  Sat Mar  1 06:55:03 2008
Date: Thu, 28 Feb 2008 12:10:34 -0800
Message-ID: <24CCCC428EFEA2469BF046DB3C7A8D22019E07F0@namail5.corp.adobe.com>
From: "Henry Sinnreich" <hsinnrei@adobe.com>
To: "P2PSIP WG" <p2psip@ietf.org>, <mmusic@ietf.org>, <hipsec@ietf.org>
Cc: Philip Matthews <philip_matthews@magma.ca>
Subject: [Hipsec] draft-matthews-p2psip-id-loc-01

Folks,

Just in case you may have missed it, this I-D is a must read since it
takes us step by step through how to use a HIP-like approach for NAT
traversal for P2P SIP and most other application protocols.

An ID/Locator Architecture for P2PSIP

http://www.ietf.org/internet-drafts/draft-matthews-p2psip-id-loc-01.txt

The only nit I could find is the missing references to two I-Ds:

1. Basic HIP Extensions for Traversal of Network Address Translators and
Firewalls

http://ietf.org/internet-drafts/draft-ietf-hip-nat-traversal-03

2. The HIP Bone I-D gives an excellent overview

http://www.ietf.org/internet-drafts/draft-camarillo-hip-bone-01.txt

I hope this work will be adequately reflected in the emerging P2PSIP
standard and have taken the liberty to include the mmusic and hipsec
people who may also be interested.

Thanks, Henry


--===============0610822015==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Hipsec mailing list
Hipsec@ietf.org
https://www.ietf.org/mailman/listinfo/hipsec



From hipsec-bounces@ietf.org  Mon Mar  3 00:55:19 2008
Message-Id: <72F47449-7E76-4311-9C12-63C2359E2478@nomadiclab.com>
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Date: Mon, 3 Mar 2008 10:54:42 +0200
To: Philip Matthews <philip_matthews@magma.ca>
Cc: HIP Group <hipsec@ietf.org>
Subject: Re: [Hipsec] Demultiplexing STUN from ESP

Personally, I would prefer the latter alternative of requiring the
SPI selection algorithm to make sure that at least one of the 0, 1,
30, and 31 bits is one.  The SPI selection algorithm already now has
some complexity in it, that is, making sure that none of the reserved
SPIs (0, 1-255) are chosen.

--Pekka

On 29 Feb 2008, at 15:20, Philip Matthews wrote:

> Folks:
>
> A few of us on the NAT Traversal for HIP design team have been
> discussing how to demux a STUN connectivity check packet from an ESP
> packet containing application data. Due to the way NATs work, the
> STUN connectivity check packets have to be sent using the same
> addresses and ports as the ESP packets. Thus a way to distinguish
> these two kinds of packets at the receiver is needed.
>
> The current mechanism is described in section 5.2 of draft-ietf-hip-
> nat-traversal-03 and draft-ietf-behave-rfc3489bis. Under the current
> proposal, an incoming packet is a STUN packet if it has _all three_
> of the properties listed in the STUN specification:
> 1) Bits 0, 1, 30, and 31 of the first 32-bit longword are zero;
> 2) The second 32-bit longword contains the so-called "magic cookie"
> value of 0x2112A442; AND
> 3) The STUN message contains a Fingerprint TLV with the correct value.
> The first two tests are clearly quick and easy to do, but the third
> test requires more work because the packet must be parsed to locate
> the Fingerprint TLV and then the value of the TLV must be checked.
>
> The design team has been discussing whether we might move to a
> simpler test. In this simpler test, HIP endpoints would be required
> to select SPI values in the range 0x80000000 to 0xFFFFFFFF. This
> would ensure that the first bit of the ESP header is a 1. Since a
> STUN packet must have a 0 in this position, a simple test would be
> sufficient to demultiplex the two packet types.
>
> The only drawback that we can see from this simpler test is that the
> effective range of an SPI is cut in half. It is not clear to us
> whether this range reduction is important from a security standpoint
> or not.
>
> We would like to get the WG's feedback on this proposed simpler test.
> Is this reduction in the SPI range acceptable?
>
> Comments?
>
> - Philip
>
> PS. An alternative, slightly more complex test is to ensure that the
> SPI chosen sets at least one of bits 0,1,30,31 to one, since a STUN
> packet sets all four of these bits to zero. This alternative test
> allows the new SPI range to be 94% of the current range, at the cost
> of a more complex algorithm for choosing an SPI (to keep it random).
>
>
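The demultiplexing rules discussed above, as an added Python example that is not part of the original posts or of any HIP or STUN implementation: the three-property STUN check from the draft (FINGERPRINT computed as in RFC 5389), the one-word test, and the SPI selection rule Pekka prefers, which skips the reserved SPIs 0-255 and sets at least one of bits 0, 1, 30, 31. The STUN and ESP packets are constructed samples; bit numbering follows the thread (bit 0 is the most significant bit of the first word).

```python
import secrets, struct, zlib

STUN_MAGIC_COOKIE = 0x2112A442
FINGERPRINT_ATTR, FINGERPRINT_XOR = 0x8028, 0x5354554E  # RFC 5389 FINGERPRINT
STUN_ZERO_MASK = 0xC0000003  # bits 0, 1, 30 and 31 of the first word (bit 0 = MSB)

def stun_fingerprint_ok(pkt: bytes) -> bool:
    """Test 3: walk the attributes and verify the FINGERPRINT TLV (RFC 5389)."""
    if len(pkt) < 20 or 20 + struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    off = 20
    while off + 4 <= len(pkt):
        a_type, a_len = struct.unpack("!HH", pkt[off:off + 4])
        if a_type == FINGERPRINT_ATTR:  # must be the last attribute, 4-byte value
            if a_len != 4 or off + 8 != len(pkt):
                return False
            want = zlib.crc32(pkt[:off]) ^ FINGERPRINT_XOR  # CRC over everything before it
            return struct.unpack("!I", pkt[off + 4:off + 8])[0] == want
        off += 4 + ((a_len + 3) & ~3)  # attribute values are padded to 4 bytes
    return False

def is_stun_full(pkt: bytes) -> bool:
    """Current draft-03 rule: all three STUN properties must hold."""
    if len(pkt) < 8:
        return False
    word0, cookie = struct.unpack("!II", pkt[:8])
    return ((word0 & STUN_ZERO_MASK) == 0 and cookie == STUN_MAGIC_COOKIE
            and stun_fingerprint_ok(pkt))

def is_stun_simple(pkt: bytes) -> bool:
    """One-word rule; sufficient only once both peers pick SPIs with choose_spi()."""
    return len(pkt) >= 4 and (struct.unpack("!I", pkt[:4])[0] & STUN_ZERO_MASK) == 0

def choose_spi() -> int:
    """Random SPI outside the reserved 0-255 with at least one of bits 0, 1, 30, 31
    set, so an ESP header can never pass the first-word test (keeps 15/16 of the range)."""
    while True:
        spi = secrets.randbits(32)
        if spi > 255 and spi & STUN_ZERO_MASK:
            return spi

def stun_binding_request(txid: bytes) -> bytes:
    """Constructed sample: Binding Request (0x0001) carrying only a FINGERPRINT."""
    hdr = struct.pack("!HHI12s", 0x0001, 8, STUN_MAGIC_COOKIE, txid)  # length counts FINGERPRINT
    return hdr + struct.pack("!HHI", FINGERPRINT_ATTR, 4, zlib.crc32(hdr) ^ FINGERPRINT_XOR)

def esp_packet(spi: int, seq: int, payload: bytes = b"") -> bytes:
    """Constructed sample: ESP header (SPI, sequence number) followed by payload."""
    return struct.pack("!II", spi, seq) + payload
```

An ESP packet whose unrestricted SPI happens to clear the four bits and whose sequence number equals the magic cookie passes the first two tests, which is exactly the case the fingerprint test or the SPI restriction has to cover.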



