Re: [Gen-art] [IPsec] Genart last call review of draft-ietf-ipsecme-split-dns-12
Tommy Pauly <tpauly@apple.com> Fri, 17 August 2018 14:54 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9434D130F52; Fri, 17 Aug 2018 07:54:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rkSRIvPAnAtA; Fri, 17 Aug 2018 07:54:10 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp01.apple.com (ma1-aaemail-dr-lapp01.apple.com [17.171.2.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BBB0130F80; Fri, 17 Aug 2018 07:54:07 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp01.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp01.apple.com (8.16.0.22/8.16.0.22) with SMTP id w7HEksl8016720; Fri, 17 Aug 2018 07:54:04 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-type : sender : from : message-id : subject : date : in-reply-to : cc : to : references; s=20180706; bh=YC0fRsqbDQ+8VZXnD/nt1QmOiOvpoKILuFq3YaoeNRw=; b=qrSL9Hq5PkUk3AIemmpNFp3cmpXHV0MWo822Vv6Rk06agDFawZwnh7kXojCIHPEx3Ln1 rEJUf3r7O1uKzW96XhvOb4BK3I6ro4bYmb3SqUZaCCLjxY9DzffF7P2j0RsceDN9Fsq/ kS1IfOcvbBm9oDQxb6Ym7TRZ7SshoJXFWWLXFxx3i9JPVo0g9/DnH/RCaI49HgypTM/M JyIPrS8QV0QB+2apTMsP6JUrVVtDv5A1FBOlt6meqFQOoaVUHT50vOyX2YbvSfA4iYio JvoOjPKFiq5NaLzpYhlvFI56nBuzCxf46o2tnh+h/1VHcGeruXKDT6ceoAnmWZIges5Q VQ==
Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) by ma1-aaemail-dr-lapp01.apple.com with ESMTP id 2ksxf82h8a-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 17 Aug 2018 07:54:04 -0700
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_P9lfeRUkhqf3Xiq3901Ogw)"
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PDM002QI1E3ZW80@ma1-mtap-s02.corp.apple.com>; Fri, 17 Aug 2018 07:54:04 -0700 (PDT)
Received: from process_viserion-daemon.nwk-mmpp-sz11.apple.com by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PDM00H001CJN500@nwk-mmpp-sz11.apple.com>; Fri, 17 Aug 2018 07:54:03 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 4872e25be6e630dbcadfff6081c6c948
X-Va-E-CD: c2b8930c6ab4a651d1441d92483deb69
X-Va-R-CD: 941d76882d4051faa38891808138997d
X-Va-CD: 0
X-Va-ID: 972acdd2-4297-4db6-b71e-2e64e0c67adf
X-V-A:
X-V-T-CD: 4872e25be6e630dbcadfff6081c6c948
X-V-E-CD: c2b8930c6ab4a651d1441d92483deb69
X-V-R-CD: 941d76882d4051faa38891808138997d
X-V-CD: 0
X-V-ID: 88df2550-80d8-48f9-a4dd-a3972e34af4a
Received: from process_milters-daemon.nwk-mmpp-sz11.apple.com by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PDM00C0010BIP00@nwk-mmpp-sz11.apple.com>; Fri, 17 Aug 2018 07:54:00 -0700 (PDT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-08-17_04:,, signatures=0
X-Proofpoint-Scanner-Instance: nwk-grpmailp-qapp18.corp.apple.com-10000_instance1
Received: from [17.234.86.115] (unknown [17.234.86.115]) by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PDM001HI1D0QQ60@nwk-mmpp-sz11.apple.com>; Fri, 17 Aug 2018 07:53:26 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <220503CD-69AA-4015-A954-DF48D071D522@apple.com>
Date: Fri, 17 Aug 2018 07:53:23 -0700
In-reply-to: <153448715569.12184.4843735916628840351@ietfa.amsl.com>
Cc: gen-art@ietf.org, ipsec@ietf.org, draft-ietf-ipsecme-split-dns.all@ietf.org, ietf@ietf.org
To: Christer Holmberg <christer.holmberg@ericsson.com>
References: <153448715569.12184.4843735916628840351@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.100.36)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-17_04:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/CiKT3RDRjSEtOjdI5iAgoHUMmTw>
Subject: Re: [Gen-art] [IPsec] Genart last call review of draft-ietf-ipsecme-split-dns-12
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2018 14:54:21 -0000
Hi Christer, Thanks for the review! Some responses inline. Best, Tommy > On Aug 16, 2018, at 11:25 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote: > > Reviewer: Christer Holmberg > Review result: Ready with Nits > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please treat these comments just > like any other last call comments. > > For more information, please see the FAQ at > > <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. > > Document: draft-ietf-ipsecme-split-dns-12 > Reviewer: Christer Holmberg > Review Date: 2018-08-16 > IETF LC End Date: 2018-08-24 > IESG Telechat date: Not scheduled for a telechat > > Summary: The document is well written, and almost ready for publication. I have > a couple of questions that I would like the authors to address. > > Major issues: N/A > > Minor issues: > > Q1: > > Section 3.1 contains some SHOULD-do statements, e.g.,: > > "the initiator SHOULD also include one or more INTERNAL_IP4_DNS and > INTERNAL_IP6_DNS attributes in the CFG_REQUEST" > > "the initiator SHOULD also include one or more INTERNAL_DNS_DOMAIN attributes > in the CFG_REQUEST." > > Is there a reason for not using MUST instead of SHOULD? In general, the CFG_REQUEST attributes are a bit loose—they're hints more than requirements. From section 3.15.1 of RFC7296: The CFG_REQUEST and CFG_REPLY pair allows an IKE endpoint to request information from its peer. If an attribute in the CFG_REQUEST Configuration payload is not zero-length, it is taken as a suggestion for that attribute. The CFG_REPLY Configuration payload MAY return that value, or a new one. It MAY also add new attributes and not include some requested ones. Unrecognized or unsupported attributes MUST be ignored in both requests and responses. So, the CFG_REPLY MUST have a DNS server to go along with the DNS domain, but I left the SHOULD in spirit of the fact that the CFG_REQUEST is more of a suggestion. That being said, if others in the WG would like to see this be a MUST, I'm fine with that as well. I don't think we should have the responder error out if it doesn't see both, however. > > Q2: > > Section 3.2 says: > > "the initiator SHOULD behave as if Split DNS configurations are not supported > by the server." > > Again, is there a reason for not using MUST? This one could be a MUST. The one exception I could see is if the initiator was statically configured with some split DNS domains to use as split domains In case the responder didn't provide any in the CFG_REPLY, it should still use those and not send all DNS queries inside the tunnel. I wouldn't want this MUST to disable the static configuration workarounds that implementations have done prior to allowing split DNS to be negotiated. > > Nits/editorial comments: > > Q3: > > Is there a need for the "Background" section? Since the text is related to what > is described in the "Introduction", could the the text be moved there? The main new points that the Background section adds on top of the Introduction are: - The prior art for split DNS in IKEv1 - The fact that this is currently mainly seen in enterprise VPN deployments These points could indeed be moved to the introduction. I had felt they fit better as "background" since they're not essential to the description of the protocol, but give context that is relevant now (and may be less so in the future). > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [Gen-art] Genart last call review of draft-ietf-i… Christer Holmberg
- Re: [Gen-art] [IPsec] Genart last call review of … Tommy Pauly
- Re: [Gen-art] [IPsec] Genart last call review of … Christer Holmberg
- Re: [Gen-art] [IPsec] Genart last call review of … Tommy Pauly
- Re: [Gen-art] [IPsec] Genart last call review of … Alissa Cooper