IETF Logo Mail Archive

Re: [anonsec] Connection Latching draft review (draft-ietf-btns-connection-latching-04.txt)

Nicolas Williams <Nicolas.Williams@sun.com> Tue, 08 January 2008 23:33 UTC

Return-path: <anonsec-bounces@postel.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JCNxF-0000iX-H2 for btns-archive-waDah9Oh@lists.ietf.org; Tue, 08 Jan 2008 18:33:57 -0500
Received: from boreas.isi.edu ([128.9.160.161]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JCNxE-0003F4-Vw for btns-archive-waDah9Oh@lists.ietf.org; Tue, 08 Jan 2008 18:33:57 -0500
Received: from boreas.isi.edu (localhost [127.0.0.1]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id m08NRx76027870; Tue, 8 Jan 2008 15:28:00 -0800 (PST)
Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id m08MqFDj006821 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for <anonsec@postel.org>; Tue, 8 Jan 2008 14:52:16 -0800 (PST)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id m08MqDQ6023746 for <anonsec@postel.org>; Tue, 8 Jan 2008 22:52:15 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id m08MqCSR028477 for <anonsec@postel.org>; Tue, 8 Jan 2008 15:52:13 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m08Mq8EK000488; Tue, 8 Jan 2008 16:52:08 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m08Mq8W8000487; Tue, 8 Jan 2008 16:52:08 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Tue, 08 Jan 2008 16:52:08 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Black_David@emc.com
Message-ID: <20080108225208.GW22538@Sun.COM>
Mail-Followup-To: Black_David@emc.com, anonsec@postel.org, tsv-dir@ietf.org
References: <8CC6CEAB44F131478D3A7B429ECACD91085EA3@CORPUSMX20A.corp.emc.com> <20080108211846.GT22538@Sun.COM> <8CC6CEAB44F131478D3A7B429ECACD91085EB3@CORPUSMX20A.corp.emc.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <8CC6CEAB44F131478D3A7B429ECACD91085EB3@CORPUSMX20A.corp.emc.com>
User-Agent: Mutt/1.5.7i
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: nicolas.williams@sun.com
Cc: anonsec@postel.org, tsv-dir@ietf.org
Subject: Re: [anonsec] Connection Latching draft review (draft-ietf-btns-connection-latching-04.txt)
X-BeenThere: anonsec@postel.org
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: "Discussions of anonymous Internet security." <anonsec.postel.org>
List-Unsubscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=unsubscribe>
List-Archive: <http://mailman.postel.org/pipermail/anonsec>
List-Post: <mailto:anonsec@postel.org>
List-Help: <mailto:anonsec-request@postel.org?subject=help>
List-Subscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: anonsec-bounces@postel.org
Errors-To: anonsec-bounces@postel.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36

On Tue, Jan 08, 2008 at 05:31:39PM -0500, Black_David@emc.com wrote:
> > > The introduction considerably undersells the architectural
> > > impact of this draft.  [...]
> > 
> > I agree, ...
> > 
> > ... but connection latching is one of a multi-prong approach to
> closing
> > that gap.  The other main prong is IPsec APIs.  A third, optional
> prong,
> > is channel binding.
> 
> Describing this overall multi-prong structure and connection
> latching's role in it would be a "good thing" to do in the
> introduction and should position the connection latching draft
> correctly.

OK, I will do so.

> > > -- NATs
> > > 
> > > p.5 says:
> > 
> > Well, does it hurt to have this?  I suppose this could be a MAY, if
> > implementors object (or it could be downgraded to MAY or removed
> > altogether when in the progression to Standard).
> > 
> > I don't feel too strongly about it, but I also don't feel too strongly
> > about discouraging the use of NATs (face it: NATs are here to stay, at
> > least in the IPv4 world).
> 
> This isn't about discouraging use of NATs; I completely agree
> that NATs are a fact of life for IPv4.  This is about avoiding
> encouragement of NAT-specific code in protocols and applications
> that don't need it (i.e., work just fine with IPsec NAT traversal).

I think this text doesn't do that at all.  Why would application
developers bother to ask about NAT-related information when they already
know that their app works with IPsec NAT traversal?

> Think of the goal as "damage containment" - it does hurt to
> encourage unnecessary attempts to deal with NATs.  It may be ok
> to have the interface if the interface adds value to what apps
> already have to do to cope with NATs, but there should be a
> rationale for the added value.

But also, and more to the point, as long as we accept the existence of
NATs we might as well accept the existence of protocols which need help
to traverse them, and then we should accept some of the responsibility for
helping them.

I'd reverse your question and ask how making this information available
to the application developer encourages the development of new
applications that need help in order to traverse NATs.

> > > -- Key Manager/Key Management
> 
> [... snip ...]
> 
> > >              This is the infamous "dangling SAs" issue
> > > applied to connection latch state.
> > 
> > What is this infamous issue?
> 
> Does a CHILD_SA survive termination of the IKE_SA used to create
> the CHILD_SA?

Right, that problem is irrelevant to connection latching as specified.
That said, that problem is relevant to the construction of IPsec channel
bindings.  But that's a topic for a different I-D.

Thanks,

Nico
-- 
_______________________________________________

v2.23.0 | Report a Bug | By Email