Re: [Gen-art] [IPsec] Genart last call review of draft-ietf-ipsecme-split-dns-12
Christer Holmberg <christer.holmberg@ericsson.com> Sun, 19 August 2018 20:39 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9270C130DC7 for <gen-art@ietfa.amsl.com>; Sun, 19 Aug 2018 13:39:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id daOwEEdl3ZuC for <gen-art@ietfa.amsl.com>; Sun, 19 Aug 2018 13:39:52 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 051B1130EA4 for <gen-art@ietf.org>; Sun, 19 Aug 2018 13:39:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1534711187; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Hc93WPhMIP/tpjnFDhBw3F0ccFJZmBbf6cq1qnIKwCs=; b=XH9WRNc9VwR7vcTwcDUImlsQext3uHn3eY16pLu9KSfs75ZR20N9FRX4fpgFAuXI 28Anh6iW17Sldb6OJ0MLZIizD+3plxk1ld52Obrmq1tfcgmFvWo/Cpehvl2YQLDt HsukqPSwtiRg8u0Xs1oNH7yRXrfBKwI4IQml7lEZKQ0=;
X-AuditID: c1b4fb3a-7ebff7000000680b-4f-5b79d59378a1
Received: from ESESBMB501.ericsson.se (Unknown_Domain [153.88.183.114]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id F5.46.26635.395D97B5; Sun, 19 Aug 2018 22:39:47 +0200 (CEST)
Received: from ESESBMB503.ericsson.se (153.88.183.170) by ESESBMB501.ericsson.se (153.88.183.168) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Sun, 19 Aug 2018 22:39:47 +0200
Received: from ESESBMB503.ericsson.se ([153.88.183.186]) by ESESBMB503.ericsson.se ([153.88.183.186]) with mapi id 15.01.1466.003; Sun, 19 Aug 2018 22:39:47 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "tpauly@apple.com" <tpauly@apple.com>
CC: "gen-art@ietf.org" <gen-art@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: [IPsec] Genart last call review of draft-ietf-ipsecme-split-dns-12
Thread-Index: AQHUNjolgLrW6dFm9kmq3YLzoaV+xKTHiUzQ
Date: Sun, 19 Aug 2018 20:39:47 +0000
Message-ID: <c345ff86ec3d4bca9c88d85347a0789c@ericsson.com>
References: <153448715569.12184.4843735916628840351@ietfa.amsl.com> <220503CD-69AA-4015-A954-DF48D071D522@apple.com>
In-Reply-To: <220503CD-69AA-4015-A954-DF48D071D522@apple.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.153]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprMIsWRmVeSWpSXmKPExsUyM2J7ke7kq5XRBhdalS2O9jtbXH31mcXi 2cb5LBb7t7xgs5h44iCrA6vH1pM/2DyWLPnJFMAUxWWTkpqTWZZapG+XwJWx78xXxoJfWhXL etYxNjC+0exi5OSQEDCReH5tNmMXIxeHkMBRRon5y/+zgiSEBL4xSlw8VAKRWMYo8XnrVqAE BwebgIVE9z9tkBoRAU2JK7v3gzUzC5xilNjf/pYdpEZYIFDi1isdiJogibXNLUwQtpHEkW3n wWwWAVWJhbeesYDYvALWEsvazzOCtAoJlElMagoFCXMK2Ep83TIH7BxGATGJ76fWgLUyC4hL 3HoynwnifgGJJXvOM0PYohIvH/9jhbCVJPYeu84CMpIZ6Mz1u/QhWhUlpnQ/ZIfYKihxcuYT lgmMYrOQTJ2F0DELSccsJB0LGFlWMYoWpxYX56YbGemlFmUmFxfn5+nlpZZsYgRG1cEtv612 MB587niIUYCDUYmHd+G5ymgh1sSy4srcQ4wSHMxKIrytC4FCvCmJlVWpRfnxRaU5qcWHGKU5 WJTEeZ3SLKKEBNITS1KzU1MLUotgskwcnFINjNbcNjuWHFtpM1Vhl83b9wevrXny5J5q5LcU zuk/Ti88F3vMe6mLslv5mZj7h5VWdPdMPLvtV+pss51CXhd2uYk7Xn334KPWKfP33Ul8NYdu rCm/yrUnw3bS/Iw9p3bIHXj3VfyP2h52/hO3z8zY13e+cML1ffv/P9r0zkciK7CRw8905unO bee3KrEUZyQaajEXFScCAOqK4WGmAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/bEC4O8X_GxLYe7syWm9g0DF7VUs>
Subject: Re: [Gen-art] [IPsec] Genart last call review of draft-ietf-ipsecme-split-dns-12
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Aug 2018 20:39:54 -0000
Hi Tommy, Please see inline. Minor issues: Q1: >> Section 3.1 contains some SHOULD-do statements, e.g.,: >> >> "the initiator SHOULD also include one or more INTERNAL_IP4_DNS and >> INTERNAL_IP6_DNS attributes in the CFG_REQUEST" >> >> "the initiator SHOULD also include one or more INTERNAL_DNS_DOMAIN attributes >> in the CFG_REQUEST." >> >> Is there a reason for not using MUST instead of SHOULD? > > In general, the CFG_REQUEST attributes are a bit loose—they're hints more than requirements. > > From section 3.15.1 of RFC7296: > > The CFG_REQUEST and CFG_REPLY pair allows an IKE endpoint to request > information from its peer. If an attribute in the CFG_REQUEST > Configuration payload is not zero-length, it is taken as a suggestion > for that attribute. The CFG_REPLY Configuration payload MAY return > that value, or a new one. It MAY also add new attributes and not > include some requested ones. Unrecognized or unsupported attributes > MUST be ignored in both requests and responses. > > So, the CFG_REPLY MUST have a DNS server to go along with the DNS domain, but I left the SHOULD in spirit > of the fact that the CFG_REQUEST is more of a suggestion. > > That being said, if others in the WG would like to see this be a MUST, I'm fine with that as well. I don't think we > should have the responder error out if it doesn't see both, however. Well, if it is only a suggestion, then I guess my question is why use something as strong as SHOULD :) SHOULD basically means MUST-unless-you-have-a-good-reason to. In general, is providing suggestions a SHOULD, or is it only for the attributes above? Anyway, if you want to have a SHOULD (or even a MUST) I won't object. But, when I see a SHOULD, I always ask about the background :) Q2: >> Section 3.2 says: >> >> "the initiator SHOULD behave as if Split DNS configurations are not supported >> by the server." >> >> Again, is there a reason for not using MUST? > > This one could be a MUST. The one exception I could see is if the initiator was statically configured with some split DNS domains to use as split domains > In case the responder didn't provide any in the CFG_REPLY, it should still use those and not send all DNS queries inside the tunnel. I wouldn't want this > MUST to disable the static configuration workarounds that implementations have done prior to allowing split DNS to be negotiated. Could you say: "the initiator MUST behave as if a Split DNS configurations are not supported, unless <insert text above the statically configuration case above>" Nits/editorial comments: Q3: >> Is there a need for the "Background" section? Since the text is related to what >> is described in the "Introduction", could the the text be moved there? > > The main new points that the Background section adds on top of the Introduction are: > - The prior art for split DNS in IKEv1 > - The fact that this is currently mainly seen in enterprise VPN deployments > > These points could indeed be moved to the introduction. I had felt they fit better as "background" since they're > not essential to the description of the protocol, but give context that is relevant now (and may be less so in the future). The first sections of both the Introduction and the Background sections talk about split DNS: "Split DNS is a common configuration for secure tunnels, such as Virtual Private Networks in which host machines private to an organization can only be resolved using internal DNS resolvers" "Split DNS is a common configuration for enterprise VPN deployments, in which one or more private DNS domains are only accessible and resolvable via an IPsec based VPN connection." So, isn't Split DNS already covered by the Introduction? What extra does the Background text bring? The second paragraph of the Background could be placed at the end of the Introduction, in my opinion. Regards, Christer
- [Gen-art] Genart last call review of draft-ietf-i… Christer Holmberg
- Re: [Gen-art] [IPsec] Genart last call review of … Tommy Pauly
- Re: [Gen-art] [IPsec] Genart last call review of … Christer Holmberg
- Re: [Gen-art] [IPsec] Genart last call review of … Tommy Pauly
- Re: [Gen-art] [IPsec] Genart last call review of … Alissa Cooper