IETF Logo Mail Archive

Re: [Gen-art] Gen-art review of draft-ietf-btns-connection-latching-08.txt

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 26 February 2009 20:20 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E5E3E28C2CF for <gen-art@core3.amsl.com>; Thu, 26 Feb 2009 12:20:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.029
X-Spam-Level:
X-Spam-Status: No, score=-6.029 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uD9oOgW7m46b for <gen-art@core3.amsl.com>; Thu, 26 Feb 2009 12:20:15 -0800 (PST)
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by core3.amsl.com (Postfix) with ESMTP id 6388028C286 for <gen-art@ietf.org>; Thu, 26 Feb 2009 12:20:14 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n1QKKZaM015868 for <gen-art@ietf.org>; Thu, 26 Feb 2009 20:20:35 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n1QKKV2g027397 for <gen-art@ietf.org>; Thu, 26 Feb 2009 13:20:32 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n1QK42Qw009177; Thu, 26 Feb 2009 14:04:02 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n1QK3xo2009176; Thu, 26 Feb 2009 14:03:59 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 26 Feb 2009 14:03:59 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Elwyn Davies <elwynd@dial.pipex.com>
Message-ID: <20090226200359.GZ9992@Sun.COM>
References: <49A420C4.1090307@dial.pipex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <49A420C4.1090307@dial.pipex.com>
User-Agent: Mutt/1.5.7i
Cc: General Area Reviwing Team <gen-art@ietf.org>, draft-ietf-btns-connection-latching@tools.ietf.org, btnss-ads@tools.ietf.org, btns-chairs@tools.ietf.org
Subject: Re: [Gen-art] Gen-art review of draft-ietf-btns-connection-latching-08.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2009 20:20:20 -0000

On Tue, Feb 24, 2009 at 04:31:00PM +0000, Elwyn Davies wrote:
> I have been selected as the General Area Review Team (Gen-ART)
> reviewer for this draft (for background on Gen-ART, please see
> http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).

Thanks you for your review and comments.  Replies to the API issues are
below.  I'll reply to the other issues separately.

> Summary:
> Not ready.  I don't have any problems with the latching concept and how
> it is set out here.  I think the major concern is that the draft seems
> to be saying that it is addressing the application API needed to support
> the connection whereas it only addresses linkage between the ULP and
> IPsec within the protocol stack.  If I understand correctly it is
> effectively supporting the real application API defined in
> draft-ietf-btns-abstract-api, but this is only mentioned in the very
> last lines of the draft, and there is no apparent attempt to coordinate
> with that draft.  At the moment that draft is in a very rudimentary
> form, and I feel that it would be extremely premature to turn this draft
> into an RFC: of course the WG and the ADs may have different ideas, in 
> which case their views will prevail.

I've answered the concern about the API separately:

 - In a reply to Chris Newman:

|I tend to agree, but note that lack of abstract APIs and programming
|language bindings hasn't stopped TLS nor SASL.
|
|Also, IMO there's enough of a sketch of an abstract API in this draft
|now.
|...
|
|I don't think this I-D should wait for an API I-D.


 - In a reply to Cullen Jennings:

|Solaris already has connection latching today.  It requires no APIs to
|use because it does it by default.  There are APIs available, but they
|are not complete enough.
|
|Solaris does not comply entirely because it only latches IPsec policy
|and does not latch IKE IDs (but it could).

I.e., it's not necessary to have an API in order to benefit from
connection latching.

It's necessary to have an API in order to:

 - do channel binding to IPsec
 - use IPsec for authentication (i.e., use the IDs authenticated by IKE
   for application purposes)

I should add that there are references in the I-D to both, proposed and
actual connection latching APIs.  If the IESG or IETF agree we could
always turn the reference to [I-D.ietf-btns-abstract-api] into a
normative reference and then we could let this I-D block on that (but I
don't think this is necessary).

> In relation to coordination I think that it is necessary to examine
> more closely how the application and the ULP work together to control
> and integrate with the IPsec component - at the moment there are some
> rather vague statements that indicate that the application will get some
> notification even when the ULP is doing the active control of the
> connection.

That's an API issue.

> Major issues
> General: The abstract claims that the draft abstractly  defines how to
> interface ULPs *and applications* to IPsec.  Para 3 of s1 seems to imply
> that we should expect to see here defined an abstract interface that
> could be converted into a implementation that an *application* could use
> to control/monitor the usage of IPsec in creating 'channels'.  In

It was not my intention to imply that this I-D provides an abstract API
for applications, but it does actually outline what it looks like in
that there are plenty of requirements for what such an API must provide.

> actuality, the interfaces that are defined are linkages between the ULPs
> in the kernel and the IPsec implementation in the kernel.  It is not

Interfaces for applications are described, just not in as much detail as
the interfaces between the ULPs and IPsec key management.

There's a good reason for this: this I-D focuses on correctness of the
connection latching concept, and that requires a focus on the interfaces
between ULPs and IPsec.  The application APIs follow from the
requirements in the I-D, but the actual specification of application
APIs is left for a different document.

> clear how this would be extended to the application itself, although
> some of the definitions imply that the notifications will be propagated
> to the application and the latch creation functions pass security
> parameters to the latch machine.  The existing (basic) socket AP doesn't
> provide any help here. The implication is that the semantics of some of
> the socket interface will be extended, but I believe this draft misses
> its avowed aim of defining/improving the API for *applications* to make
> use of IPsec.  But then I read right to the end and find that maybe this
> isn't the aim after all, but just to support the main API  document in
> draft-ietf-btns-abstract-api.  It maybe that coordination with this
> draft (and more mention of it) is what is needed.

Solaris has a socket option interface to connection latching.  This
shows that a a socket-based connection-latching API is feasible.  See
the [IP_SEC_OPT.man] reference.

Nico
--

v2.23.0 | Report a Bug | By Email