Re: [Gen-art] [IPsec] Genart last call review of draft-ietf-ipsecme-split-dns-12
Tommy Pauly <tpauly@apple.com> Mon, 22 October 2018 20:26 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3985130DD7; Mon, 22 Oct 2018 13:26:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.47
X-Spam-Level:
X-Spam-Status: No, score=-2.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vSHsggY9_pSV; Mon, 22 Oct 2018 13:26:47 -0700 (PDT)
Received: from nwk-aaemail-lapp01.apple.com (nwk-aaemail-lapp01.apple.com [17.151.62.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E4F5130E5A; Mon, 22 Oct 2018 13:26:44 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp01.apple.com [127.0.0.1]) by nwk-aaemail-lapp01.apple.com (8.16.0.22/8.16.0.22) with SMTP id w9MKLvMN020871; Mon, 22 Oct 2018 13:26:41 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-type : sender : from : message-id : subject : date : in-reply-to : cc : to : references; s=20180706; bh=/y+LpnBgp2m6I27czdsC0hmWG5XONHc1QcqIm7i4oI0=; b=WtA9d4AKVm+tqsy0NTRBaUfcQxnx67Uy0FssaLWiBulxOQKYD76ZDHdc3ap0568fQVPD RyhEEbHnEUj+iEDCi81Yty804Zx2rqIZU/Mt023WpBXgFu7LoDZHRYKPJP5MmVJdZsce cAOcomZr86Pfw3xNfQDy0PPMJy38SqY1Wdc3gxr0GqtJLiDA7rBzDF3HMGZNEcJYJCpp q7ZAJq9alw36oYQPILoI68cZL79GqSWfcgbG8jKYj6y4IDu9uue88bnLAEbQyLmvW7LS TGHtkLh0s6SL3uSoTenrddnPykOiKSVQMfCulVdI4J6WErc8laupIFt3fHGRQ+97msPk ug==
Received: from ma1-mtap-s03.corp.apple.com (ma1-mtap-s03.corp.apple.com [17.40.76.7]) by nwk-aaemail-lapp01.apple.com with ESMTP id 2n83a43u9u-5 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 22 Oct 2018 13:26:41 -0700
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_AIk2C9sUBqsG6G+zQUleIQ)"
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by ma1-mtap-s03.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PH000AIUOSETRH0@ma1-mtap-s03.corp.apple.com>; Mon, 22 Oct 2018 13:26:39 -0700 (PDT)
Received: from process_viserion-daemon.nwk-mmpp-sz09.apple.com by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PH000C00OHJ1E00@nwk-mmpp-sz09.apple.com>; Mon, 22 Oct 2018 13:26:39 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 1ea6b3df8a455fbf46f6c02bb174fde4
X-Va-E-CD: c2b8930c6ab4a651d1441d92483deb69
X-Va-R-CD: 941d76882d4051faa38891808138997d
X-Va-CD: 0
X-Va-ID: 7308b217-d9f9-4b61-ba48-b82689b1651d
X-V-A:
X-V-T-CD: 4872e25be6e630dbcadfff6081c6c948
X-V-E-CD: c2b8930c6ab4a651d1441d92483deb69
X-V-R-CD: 941d76882d4051faa38891808138997d
X-V-CD: 0
X-V-ID: e4434b18-5ebc-43be-bd7d-6b768baf64ce
Received: from process_milters-daemon.nwk-mmpp-sz09.apple.com by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PH000700O86QM00@nwk-mmpp-sz09.apple.com>; Mon, 22 Oct 2018 13:26:38 -0700 (PDT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-10-22_11:,, signatures=0
X-Proofpoint-Scanner-Instance: nwk-grpmailp-qapp14.corp.apple.com-10000_instance1
Received: from [17.234.8.234] (unknown [17.234.8.234]) by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PH000EV2OSDND50@nwk-mmpp-sz09.apple.com>; Mon, 22 Oct 2018 13:26:37 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <FA979F31-FD60-482F-A4F2-91B4A5A05854@apple.com>
Date: Mon, 22 Oct 2018 13:26:36 -0700
In-reply-to: <c345ff86ec3d4bca9c88d85347a0789c@ericsson.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
To: Christer Holmberg <christer.holmberg@ericsson.com>
References: <153448715569.12184.4843735916628840351@ietfa.amsl.com> <220503CD-69AA-4015-A954-DF48D071D522@apple.com> <c345ff86ec3d4bca9c88d85347a0789c@ericsson.com>
X-Mailer: Apple Mail (2.3445.100.36)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-10-22_11:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/75GE1s_41AlqqX8lwIqpOFN-_3c>
Subject: Re: [Gen-art] [IPsec] Genart last call review of draft-ietf-ipsecme-split-dns-12
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2018 20:26:58 -0000
Hi Christer, Thanks again for the review. I've addressed all three comments below in an update to the draft: https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-13 <https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-13> https://tools.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-13.txt Thanks, Tommy > On Aug 19, 2018, at 1:39 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote: > > Hi Tommy, > > Please see inline. > > > Minor issues: > > Q1: > >>> Section 3.1 contains some SHOULD-do statements, e.g.,: >>> >>> "the initiator SHOULD also include one or more INTERNAL_IP4_DNS and >>> INTERNAL_IP6_DNS attributes in the CFG_REQUEST" >>> >>> "the initiator SHOULD also include one or more INTERNAL_DNS_DOMAIN attributes >>> in the CFG_REQUEST." >>> >>> Is there a reason for not using MUST instead of SHOULD? >> >> In general, the CFG_REQUEST attributes are a bit loose—they're hints more than requirements. >> >> From section 3.15.1 of RFC7296: >> >> The CFG_REQUEST and CFG_REPLY pair allows an IKE endpoint to request >> information from its peer. If an attribute in the CFG_REQUEST >> Configuration payload is not zero-length, it is taken as a suggestion >> for that attribute. The CFG_REPLY Configuration payload MAY return >> that value, or a new one. It MAY also add new attributes and not >> include some requested ones. Unrecognized or unsupported attributes >> MUST be ignored in both requests and responses. >> >> So, the CFG_REPLY MUST have a DNS server to go along with the DNS domain, but I left the SHOULD in spirit >> of the fact that the CFG_REQUEST is more of a suggestion. >> >> That being said, if others in the WG would like to see this be a MUST, I'm fine with that as well. I don't think we >> should have the responder error out if it doesn't see both, however. > > Well, if it is only a suggestion, then I guess my question is why use something as strong as SHOULD :) SHOULD basically means MUST-unless-you-have-a-good-reason to. > > In general, is providing suggestions a SHOULD, or is it only for the attributes above? > > Anyway, if you want to have a SHOULD (or even a MUST) I won't object. But, when I see a SHOULD, I always ask about the background :) > > > Q2: > >>> Section 3.2 says: >>> >>> "the initiator SHOULD behave as if Split DNS configurations are not supported >>> by the server." >>> >>> Again, is there a reason for not using MUST? >> >> This one could be a MUST. The one exception I could see is if the initiator was statically configured with some split DNS domains to use as split domains >> In case the responder didn't provide any in the CFG_REPLY, it should still use those and not send all DNS queries inside the tunnel. I wouldn't want this >> MUST to disable the static configuration workarounds that implementations have done prior to allowing split DNS to be negotiated. > > Could you say: > > "the initiator MUST behave as if a Split DNS configurations are not supported, unless <insert text above the statically configuration case above>" > > > > Nits/editorial comments: > > Q3: > >>> Is there a need for the "Background" section? Since the text is related to what >>> is described in the "Introduction", could the the text be moved there? >> >> The main new points that the Background section adds on top of the Introduction are: >> - The prior art for split DNS in IKEv1 >> - The fact that this is currently mainly seen in enterprise VPN deployments >> >> These points could indeed be moved to the introduction. I had felt they fit better as "background" since they're >> not essential to the description of the protocol, but give context that is relevant now (and may be less so in the future). > > The first sections of both the Introduction and the Background sections talk about split DNS: > > "Split DNS is a common configuration for secure tunnels, such as > Virtual Private Networks in which host machines private to an > organization can only be resolved using internal DNS resolvers" > > "Split DNS is a common configuration for enterprise VPN deployments, > in which one or more private DNS domains are only accessible and > resolvable via an IPsec based VPN connection." > > So, isn't Split DNS already covered by the Introduction? What extra does the Background text bring? > > The second paragraph of the Background could be placed at the end of the Introduction, in my opinion. > > Regards, > > Christer > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org <mailto:IPsec@ietf.org> > https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>
- [Gen-art] Genart last call review of draft-ietf-i… Christer Holmberg
- Re: [Gen-art] [IPsec] Genart last call review of … Tommy Pauly
- Re: [Gen-art] [IPsec] Genart last call review of … Christer Holmberg
- Re: [Gen-art] [IPsec] Genart last call review of … Tommy Pauly
- Re: [Gen-art] [IPsec] Genart last call review of … Alissa Cooper