IETF Logo Mail Archive

Re: [Gen-art] Gen-Art Last Call Review: draft-burgin-ipsec-suiteb-profile-00

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 08 July 2011 18:44 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8968521F8C3E; Fri, 8 Jul 2011 11:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YrZ9l7EahlXA; Fri, 8 Jul 2011 11:44:09 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by ietfa.amsl.com (Postfix) with ESMTP id 53CA221F8C37; Fri, 8 Jul 2011 11:44:08 -0700 (PDT)
Received: from [188.28.19.130] (188.28.19.130.threembb.co.uk [188.28.19.130]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <ThdP8wB=gMBF@rufus.isode.com>; Fri, 8 Jul 2011 19:44:06 +0100
Message-ID: <4E174FCE.6090207@isode.com>
Date: Fri, 08 Jul 2011 19:43:26 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <4D9C8D2A.7080605@nostrum.com> <4DFBD34B.7000900@isode.com> <D22B261D1FA3CD48B0414DF484E43D32986F8C@celebration.infosec.tycho.ncsc.mil> <4E12223B.304@isode.com> <D21F5E32-CE3D-46F0-9302-5FBE177B759C@vpnc.org>
In-Reply-To: <D21F5E32-CE3D-46F0-9302-5FBE177B759C@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: iesg@ietf.org, gen-art@ietf.org, "Burgin, Kelley W." <kwburgi@tycho.ncsc.mil>, draft-burgin-ipsec-suiteb-profile.all@tools.ietf.org
Subject: Re: [Gen-art] Gen-Art Last Call Review: draft-burgin-ipsec-suiteb-profile-00
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 18:44:09 -0000

Hi Paul,

Paul Hoffman wrote:

>I'll jump in wearing my shepherd hat.
>
>On Jul 4, 2011, at 1:27 PM, Alexey Melnikov wrote:
>  
>
>>How are you planning to achieve interoperability if one endpoint can use a mechanism which the other end is not required to support?
>>    
>>
>
>The draft assures interoperability between peers that are both at a minimum level (minLOS) of security of 128 bits. It also assures interoperability between peers that are at a minLOS of 192 bits. It has a SHOULD-level wording that would assure interoperability for systems that have different minLOSs.
>
>There are policy reasons why a system might only handle one security level; however, for systems that don't have such policy restrictions, the draft says that they SHOULD handle the other level.
>
>This is a conscious decision on the part of the authors, one that has been discussed within the authors' organizations. In my mind, it is better that they are being honest about it instead of having requirements that we know will silently ignored by some policies.
>  
>
Ok, I withdraw my original comment on this text.

>>>  A responder configured in a system at a minimum level of security
>>>  of 128 bits SHOULD accept the first Suite B UI suite offered by the
>>>
>>>Is this a new requirement in this document, or is this repeating a general requirement stated in another document? If the latter, a reference is needed here, ideally accompanied by some text stating that the requirement comes from another document.
>>>
>>>Similar text later in the same section.
>>>
>>>  initiator that it can accommodate.  If none of the four suites are
>>>  offered, the responder MUST return a Notify payload with the error
>>>  "NO_PROPOSAL_CHOSEN".
>>>
>>>[kwb] These are new, so no reference is given.        
>>>
>>Why is this a SHOULD and not a MUST, i.e. what are the possible reasons for not selecting the first offered mechanism?    
>>
>
>A system at minLOS_128 might also be able to support 192-bit security and have a policy of preferring it; the initiator might offer them in the reverse order for some reason. This SHOULD allows the responder to achieve the higher security even if the initiator didn't prefer it.
>
After thinking a bit more about that: we had a similar debate in the 
SASL WG and decided that the responder has no reason to trust the order 
suggested by the initiator. Why is this SHOULD important at all? I would 
feel more comfortable if the whole sentence is deleted or restated not 
to use RFC 2119 keywords.

>>>  The administrative user interface, (UI), for a system that conforms
>>>  to this profile MUST allow the operator to specify a single suite.
>>>  If only one suite is specified in the administrative UI, the IKEv2
>>>  implementation MUST only offer algorithms for that one suite.
>>>
>>>This requirement is unusual, because IETF documents rarely have requirements on UIs. Can you please elaborate what is this trying to achieve?
>>>      
>>>
>
>RFC 4308, "Cryptographic Suites for IPsec", is unusual, and is an exception to that "rarely". A small but significant number of IPsec VPN vendors have followed it.
>  
>
Ok.

v2.23.0 | Report a Bug | By Email