[dhcwg] light review of draft-ietf-dhc-sedhcpv6 and helpful suggestion

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 17 April 2017 20:43 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 5C886127977 for <dhcwg@ietfa.amsl.com>; Mon, 17 Apr 2017 13:43:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id UuL5VhIYbCzd for <dhcwg@ietfa.amsl.com>; Mon, 17 Apr 2017 13:43:43 -0700 (PDT)
Received: from mail-pg0-x22a.google.com (mail-pg0-x22a.google.com [IPv6:2607:f8b0:400e:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7585129454 for <dhcwg@ietf.org>; Mon, 17 Apr 2017 13:43:40 -0700 (PDT)
Received: by mail-pg0-x22a.google.com with SMTP id z127so13340699pgb.1 for <dhcwg@ietf.org>; Mon, 17 Apr 2017 13:43:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=iPX+VEQYgJ0GYOegI2iiFnvAdVWwAgeQRrYbXow4zaM=; b=OLOJdSWDA0HQsOIaafj6KOEKv2HezJQJ3c/p5TU3kveh1YTnxDukzpWycgCjTzVvqQ KDUDEqg+X3uLBTVMTDX8e4cSbgOyCIBX3rL0AM3DjBZd0OkZ01wZf/A0TrVXfAFQLbGY eDlpwCjF+GbBRwH1nXularHg0w4M8XiPMbp7vfrQpJCRH1FFhhOwJXUS8YzGBakG3k8d 4LhMA00IC1FPwXuKaBh94XaVGmeqIewoedq+xb4gtyndAC46LGSc3tIgAWH1Gu2EB3VE qdwZDUxSgVyKfhZhu6o4jzFTpm5ZB+3VPG20AisM1yaruozyCbdqMBdt2K/q5DOg0NF+ LP1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=iPX+VEQYgJ0GYOegI2iiFnvAdVWwAgeQRrYbXow4zaM=; b=jL7LDPOJYWwNETHsXnCLAPoS1jrI/plzr2/SZIuNw0bUSECVgrPzaQECD7X5JjeR5T JJmDA4Dsk5JTWI8OyllAwADCUswc7JO+IVGMgcR5aWdqw/TPico6vj9FgithrXEeO7NW q6xh+cvDrngocIebp0SEnFGCxeBBnIiwe3+l3/YOO/5Ua9tks+SnZIRWeSLUCiht0c0Y ey+WrHJyOKa5g2eCQQldu9UTq+td50s+FdetFjZqjfJ6lmeFralxgRbHY2sCh8NWIgDR zefOIQRwXk6mciFCO/W32BupsvVWoJ7p6dXqQREBHsUnFuFogvQNpb/imOQc22XqAmOD 5uDQ==
X-Gm-Message-State: AN3rC/6EJCA+cNPOk7TDAKRvkV6jeNRSAapU0g0ZA7Kjj4UqH18gueB2 ttChs2RRKFCEJT24rk/GctcHnJcT2A==
X-Received: by with SMTP id 1mr18420208ply.70.1492461820486; Mon, 17 Apr 2017 13:43:40 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 17 Apr 2017 13:43:00 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 17 Apr 2017 16:43:00 -0400
Message-ID: <CAHbuEH7ymFOtU7HBz3FgsrBQmwaxFwm8gU=b3xye1-T0SiOGxw@mail.gmail.com>
To: "<dhcwg@ietf.org>" <dhcwg@ietf.org>
Cc: Paul Wouters <paul@nohats.ca>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/JgtBdUjztrh4uFwl1oNFhtuC6Dw>
Subject: [dhcwg] light review of draft-ietf-dhc-sedhcpv6 and helpful suggestion
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 20:43:45 -0000

Dear authors,

I just skimmed the draft  triggered by another review and noticed the
deployment concerns in the WGLC summary sent to the list.  think I can
help here with the remaining issues on making it easier to deploy.

First, I'm really glad to see this work.  Thanks for all of your
efforts on it!  Second, I know this is late in the process, but I
think more text on opportunistic security for IPsec is worth
documenting to overcome implementation hurdles and address the coffee
shop use cases.  I didn't see a reference to:


and am thinking the authors/WG might not be aware of this work.
Additionally, it should be noted that there are several Linux
implementations for IPsec with NULL authentication (OS).  Paul
Woulters is a author on the mentioned RFC and did implement this with
IPsec for RedHat.

Michael Richardson is an author on the draft:

documenting the OS IPsec implementation for the Linux FreeS/WAN project.

I think it would be beneficial to see text that has OS as mandatory to
implement (MTI) and upgradeable to authenticated IPsec when practical.
Ideally, they would both be MTI, not mandatory to use (MTU) at least
for the authenticated since that is too hard.  But MTI on
opportunistic would be a great next step that could be deployed.  If
we were able to get DCHPv6 supporting this option in code with OS,
then people could turn it on.  As you point out in the draft,
enterprise and other managed scenarios could use an option with
authentication if implemented.  I think the MTI versus MTU could have
been more clear in this draft and the relay one that just went through
the IESG review.

The current OS text leaves me, the reader, thinking it won't be
implemented as it's not pointing to a practical implementable RFC.  I
am copying Michael and Paul (mentioned above) as one of them might be
willing to help with text.  I think this will greatly assist with the
deployability of session encryption.

Thank you!


Best regards,