Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-ipsecme-add-ike-14> for your review
rfc-editor@rfc-editor.org Sat, 09 September 2023 02:59 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 860C2C15108F; Fri, 8 Sep 2023 19:59:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.467
X-Spam-Level:
X-Spam-Status: No, score=-4.467 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_SOFTFAIL=0.732, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HC81iaUSz9SJ; Fri, 8 Sep 2023 19:59:51 -0700 (PDT)
Received: from rfcpa.amsl.com (unknown [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F25BC15106A; Fri, 8 Sep 2023 19:59:51 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id E9D64E5EA7; Fri, 8 Sep 2023 19:59:50 -0700 (PDT)
To: mohamed.boucadair@orange.com, kondtir@gmail.com, dwing-ietf@fuggles.com, svan@elvis.ru
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, ipsecme-ads@ietf.org, ipsecme-chairs@ietf.org, kivinen@iki.fi, rdd@cert.org, auth48archive@rfc-editor.org
Content-type: text/plain; charset="UTF-8"
Message-Id: <20230909025950.E9D64E5EA7@rfcpa.amsl.com>
Date: Fri, 08 Sep 2023 19:59:50 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/Ni8Pk5Zfr0WRbWlcW7WliyXvtgo>
Subject: Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-ipsecme-add-ike-14> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Sep 2023 02:59:55 -0000
Authors, While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. 1) <!-- [rfced] Section 2: We had trouble following this paragraph; "but could be located outside of it" followed by "the latter option becomes plausible" is a bit confusing. If the suggested text doesn't adequately clarify things, would you like to provide alternative text that does? Original: For many years, typical designs have often considered that the DNS resolver was usually located inside the protected domain, but could be located outside of it. With encrypted DNS, the latter option becomes plausible. Note that existing VPN client implementations might not expect that the discovered DNS resolver IP addresses to be outside of the covered IP address ranges of the VPN tunnel. Suggested: For many years, typical designs have often assumed that the DNS resolver was usually located inside the protected domain, but they don't consider implementations where the DNS resolver could be located outside of it. With encrypted DNS, managing the latter scenario becomes plausible. Note that existing VPN client implementations might not expect the discovered DNS resolver IP addresses to be outside of the covered IP address ranges of the VPN tunnel. --> 2) <!-- [rfced] Section 3.1: Please clarify the meaning of "to configure ... to an initiator". Original: The ENCDNS_IP* IKEv2 Configuration Payload Attribute Types, ENCDNS_IP4 and ENCDNS_IP6, are used to configure encrypted DNS resolvers to an initiator. --> 3) <!-- [rfced] Please review each artwork element. Should any of them be tagged as sourcecode? If the current list of preferred values for "type" (https://www.rfc-editor.org/materials/sourcecode-types.txt) does not contain an applicable type, please let us know. Also, it is acceptable to leave the "type" attribute not set. --> 4) <!-- [rfced] Figure 1: We corrected the field-name mismatch per "IP Address(es) (variable) - Includes one or more IP addresses" as listed in the descriptions below. Please let us know any objections. Original: ~ IP Addresses ~ Currently: ~ IP Address(es) ~ --> 5) <!-- [rfced] Section 3.1: The use of "attribute" versus "attributes" was confusing here. We updated the figure title and the next sentence as follows. If this is incorrect, please provide a clear figure title and following text. Original: Figure 1: Attributes Format The description of the fields of the attribute shown in Figure 1 is as follows: Currently: Figure 1: Format of ENCDNS_IP4 and ENCDNS_IP6 Attribute Types The descriptions of the fields shown in Figure 1 are as follows: --> 6) <!-- [rfced] Sections 3.1 and 3.2: Should these three instances of "Configuration Attribute Type" be "Configuration Payload Attribute Type"? Original: * Attribute Type (15 bits) - Identifier for Configuration Attribute Type. This is set to TBA1 for ENCDNS_IP4 or TBA2 for ENCDNS_IP6, as registered in Section 8. ... * Attribute Type (15 bits) - Identifier for Configuration Attribute Type; is set to TBA3 value listed in Section 8. ... * Attribute Type (15 bits) - Identifier for Configuration Attribute Type; is set to TBA3 value listed in Section 8. --> 7) <!-- [rfced] Section 3.1: It looks odd to have 'Length of the ADN' but no quotes around Length of SvcParams. May we update as suggested? Original: - (4 + 'Length of the ADN' + N * 4 + Length of SvcParams) for ... - (4 + 'Length of the ADN' + N * 16 + Length of SvcParams) for Suggested: * (4 + 'Length of the ADN' + N * 4 + 'Length of SvcParams') for ... * (4 + 'Length of the ADN' + N * 16 + 'Length of SvcParams') for --> 8) <!-- [rfced] Figure 2: We found it confusing that the description for the "Certificate Digest" field only appears after Figure 4. Will readers readily find the field description, or should some clarifying text be added? Original: Some of the fields shown in Figure 2 can be omitted as further detailed below. Possibly: Some of the fields shown in Figure 2 can be omitted, as further detailed below. Descriptions for the "Authentication Domain Name" and "Certificate Digest" fields are provided below Figure 4. --> 9) <!-- [rfced] Section 4: Per Section 6.2 of RFC 8310 ("Section 8 discusses these mechanisms ..."), should "the mechanism" be "the mechanisms" here, or should one mechanism in particular from Section 8 of RFC 8310 be cited here? Original: The DNS client establishes an encrypted DNS session (e.g., DoT, DoH, DoQ) with the address(es) conveyed in ENCDNS_IP* and uses the mechanism discussed in Section 8 of [RFC8310] to authenticate the DNS resolver certificate using the authentication domain name conveyed in ENCDNS_IP*. --> 10) <!-- [rfced] Section 4: Please confirm that "PKIX-EE(1) with selector SPKI(1)" is correct. We could only find "DANE-EE(3) and selector SPKI(1)" and "DANE-EE(3) with selector SPKI(1)" in RFC 7671. Original: This approach is similar to certificate usage PKIX-EE(1) with selector SPKI(1) defined in [RFC7671] but without PKIX validation. --> 11) <!-- [rfced] Section 4: The first sentence in the "Note:" paragraph did not parse. We updated it as noted below. Please let us know any objections. Also, please review whether the "Note:" paragraph should be in the <aside> element. It is defined as "a container for content that is semantically less important or tangential to the content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside). Original: Note: [RFC8598] requires INTERNAL_IP6_DNS (or INTERNAL_IP4_DNS) attribute to be mandatory present when INTERNAL_DNS_DOMAIN is included. This specification relaxes that constraint in the presence of ENCDNS_IP* attributes. That is, if ENCDNS_IP* attributes are supplied, it is allowed for responders to include INTERNAL_DNS_DOMAIN even in the absence of INTERNAL_IP6_DNS (or INTERNAL_IP4_DNS) attributes. Currently: Note: [RFC8598] requires that the INTERNAL_IP6_DNS (or INTERNAL_IP4_DNS) attribute be present when INTERNAL_DNS_DOMAIN is included. This specification relaxes that constraint in the presence of ENCDNS_IP* attributes. That is, if ENCDNS_IP* attributes are supplied, responders are allowed to include INTERNAL_DNS_DOMAIN even in the absence of INTERNAL_IP6_DNS (or INTERNAL_IP4_DNS) attributes. --> 12) <!-- [rfced] Section 5: We do not see SHA2-256 mentioned in RFC 6234. Will this citation be clear to readers? Original: Implementations MUST support SHA2-256 [RFC6234]. --> 13) <!-- [rfced] Section 6: Please clarify the meaning of "does not alter the trust on" in this sentence. Are some words missing? Original: This document adheres to the security considerations defined in [RFC7296]. In particular, this document does not alter the trust on the DNS configuration provided by a responder. --> 14) <!-- [rfced] Section 6: We had trouble parsing this sentence. Please clarify "returned ENCDNS_IP* resolvers configuration" and to what "it" refers (the responder or the initiator?). Original: If the IKEv2 responder has used NULL Authentication method [RFC7619] to authenticate itself, the initiator MUST NOT use returned ENCDNS_IP* resolvers configuration unless it is pre-configured, e.g., in the operating system or the application. --> 15) <!-- [rfced] Regarding the references to IANA subregistries, we note that [IANA-IKE-HASH] is normative, whereas [IANA-IKE-CFG] is informative. Would you like these both to be one or the other? For background: "Normative references specify documents that must be read to understand or implement the technology in the new RFC, or whose technology must be present for the technology in the new RFC to work. An informative reference is not normative; rather, it only provides additional information." from https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/) [IANA-IKE-HASH] IANA, "IKEv2 Hash Algorithms", <https://www.iana.org/assignments/ikev2-parameters/>. [IANA-IKE-CFG] IANA, "IKEv2 Configuration Payload Attribute Types", <https://www.iana.org/assignments/ikev2-parameters/>. --> 16) <!-- [rfced] Appendix A.1: Please clarify the meaning of "There is no ambiguity to" in this sentence. Original: There is no ambiguity to identify the encrypted resolver associated with the supplied digest. Possibly: Identifying the encrypted resolver associated with the supplied digest is therefore unambiguous. --> 17) <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide at <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>, and let us know if any changes are needed. Note that our script did not flag any words in particular, but this should still be reviewed as a best practice. --> 18) <!-- [rfced] Please let us know if any changes are needed for the following: a) The following terms were used inconsistently in this document. We chose to use the latter forms. Please let us know any objections. configuration payload attribute (in text; 1 instance) / Configuration Payload Attribute (in text; 3 instances) Num addresses / Num Addresses (field name) b) The following terms/expressions appear to be used inconsistently in this document. Please let us know which form is preferred. hash algorithm identifiers / 'Hash Algorithm Identifiers' / Hash Algorithm Identifiers For example: included hash algorithm identifiers included 'Hash Algorithm Identifiers' the Hash Algorithm Identifier the hash algorithm identifiers set to zero / set to 0 / set to '0' the ENCDNS_IP* Configuration Payload Attribute / the ENCDNS_IP* Configuration Payload Attribute(s) / the ENCDNS_IP* Configuration Payload Attributes c) Please note that, per elsewhere in this document and per the rest of this cluster of documents (https://www.rfc-editor.org/cluster_info.php?cid=C461), we changed the single-quoted field names to double-quoted. Please let us know any concerns. --> Thank you. RFC Editor/lb/ar On Sep 8, 2023, rfc-editor@rfc-editor.org wrote: *****IMPORTANT***** Updated 2023/09/08 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP – https://trustee.ietf.org/license-info/). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * rfc-editor@rfc-editor.org (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * auth48archive@rfc-editor.org, which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, auth48archive@rfc-editor.org will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file — OR — An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9464.xml https://www.rfc-editor.org/authors/rfc9464.html https://www.rfc-editor.org/authors/rfc9464.pdf https://www.rfc-editor.org/authors/rfc9464.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9464-diff.html https://www.rfc-editor.org/authors/rfc9464-rfcdiff.html (side by side) Diff of the XML: https://www.rfc-editor.org/authors/rfc9464-xmldiff1.html This diff file compares an altered original and the RFC (in order to make the changes in moved text viewable): https://www.rfc-editor.org/authors/rfc9464-alt-diff.html Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9464 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC9464 (draft-ietf-ipsecme-add-ike-14) Title : Internet Key Exchange Protocol Version 2 (IKEv2) Configuration for Encrypted DNS Author(s) : M. Boucadair, T. Reddy.K, D. Wing, V. Smyslov WG Chair(s) : Yoav Nir, Tero Kivinen Area Director(s) : Roman Danyliw, Paul Wouters
- [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-ipsec… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Valery Smyslov
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… tirumal reddy
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Valery Smyslov
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Dan Wing
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Roman Danyliw
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9464 <draft-ietf-i… Lynne Bartholomew