IETF Logo Mail Archive

Re: [Hipsec] Alissa Cooper's No Objection on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)

Miika Komu <miika.komu@ericsson.com> Tue, 18 February 2020 17:56 UTC

Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5FD612004C; Tue, 18 Feb 2020 09:56:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m0Jdqg8U1PkO; Tue, 18 Feb 2020 09:56:07 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130047.outbound.protection.outlook.com [40.107.13.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2724D120018; Tue, 18 Feb 2020 09:56:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=A9daB2NThbWFV8Oemx+E/XdX9QZwqD+OlDtPGZh4dnMzZVZKy4w3Nrw9tum4zRGqqQw7dnu+Dd0h3J2VKN4DDcC3ZlBECFwgN/Vp2o++LwFygBVydoGT53Uno8/1CWoC+HmtfHNn28aaMQrjcTUFqsdMwQJmsbixn81hdKdag9T5MXc5bRFHwoeFRr11E9jgtS7I/4qW90EiTPoPWMWu6Vh/35RufFMaEzwLKXcDmC2z6WotXSCB6za2D+2Yw9EigXs7BMBbCJyYxtzAJLGEELh2OU0ELBQ8zQSsNOqwHQdusNPANF+4F+g1AuLTpITELcdqEpvQJQwc5u8BGPLAjg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xM8s0Tts5piMPxPI4RvF/53On9dWu61i/UTMcvgmHiM=; b=IJTcE432sc7Y/UPwFhmtH/lMkLAKbX/S0EO38Us6dai6bomect1xP1gBC2Q1MhWmeYaoSS7aPex++jgW8jFFFwu2wmsRY1Xltz+daROsfkbZoZB7n8x9wutakaym5tkXFKyJkcR668V1mlGQDUIRoodfDf5MJZ01DFEpOf8rdPfaRzmkdbnEnFg9iBi5DjQVr4mWJsbyymw6z7VaOr5JEufyUbcL16LBVrV3kmtT4TeI9+l5vIQ+LUJAJeJklE8nj1YY2I7tLy6EO8O/8W79bYzVvRDY+dKaxE8gWXc6uj4U0bRLXzHLuN2GSGk+lyAQb32GHfPAcWRwpcQwvExF2w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xM8s0Tts5piMPxPI4RvF/53On9dWu61i/UTMcvgmHiM=; b=Uel/irG+R7vbuTsZiRPtFNNqKoRtH5gKBqZWJHs+GKYaxS6KZgaGGG0nvSWJo9uSdcXMOYcFdeLyB9JvwXG5tUYxrh54KiJI76D9dTcR+NDh1Zc6IqjBhbqoaSu71wDbfNBukaTKjv74Fb33Fg3YD8kpsc2bl6yF8ycH2edKQmk=
Received: from AM0PR07MB3876.eurprd07.prod.outlook.com (52.134.81.144) by AM0PR07MB5586.eurprd07.prod.outlook.com (20.178.18.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.14; Tue, 18 Feb 2020 17:56:04 +0000
Received: from AM0PR07MB3876.eurprd07.prod.outlook.com ([fe80::790c:4b51:77d2:7767]) by AM0PR07MB3876.eurprd07.prod.outlook.com ([fe80::790c:4b51:77d2:7767%5]) with mapi id 15.20.2750.016; Tue, 18 Feb 2020 17:56:04 +0000
From: Miika Komu <miika.komu@ericsson.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "alissa@cooperw.in" <alissa@cooperw.in>
CC: "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hipsec@ietf.org" <hipsec@ietf.org>
Thread-Topic: Alissa Cooper's No Objection on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
Thread-Index: AQHT56vrUK+Q+hsEyUGGmRJi8BluPaglOgSA
Date: Tue, 18 Feb 2020 17:56:04 +0000
Message-ID: <aa4efbf76abf87146cc899cb4c77333e25e9e598.camel@ericsson.com>
References: <152588036744.3925.12181216798778417370.idtracker@ietfa.amsl.com>
In-Reply-To: <152588036744.3925.12181216798778417370.idtracker@ietfa.amsl.com>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.1
authentication-results: spf=none (sender IP is ) smtp.mailfrom=miika.komu@ericsson.com;
x-originating-ip: [88.148.205.35]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 14be7199-d50b-4432-b0d4-08d7b49bd2f9
x-ms-traffictypediagnostic: AM0PR07MB5586:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <AM0PR07MB55864FA436F077EFCD15C1C8FC110@AM0PR07MB5586.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 031763BCAF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(396003)(366004)(136003)(346002)(39860400002)(189003)(199004)(5660300002)(81156014)(81166006)(8676002)(26005)(478600001)(36756003)(8936002)(6486002)(86362001)(186003)(966005)(44832011)(316002)(2616005)(66946007)(66476007)(66556008)(66446008)(4326008)(64756008)(110136005)(6506007)(54906003)(71200400001)(76116006)(91956017)(6512007)(2906002)(99106002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB5586; H:AM0PR07MB3876.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Bsts0Ft1TZh8l6SfzN72CIvmxoDYTpwDsFq8E0InwnLFroB304Mf0Ud9WyROEykv30NeajMWqalmtKShZd1KA9vMpdHWrTLysRObVYwrihAhAE/QbdkOlARywwm65laA/QjquK7cIVkyJD08fsS7HCSWRQfsCgEZsuEh9umPsDq3ixWoYxLQ2Zx5AKLQULiihDLakfpN3bKHOpQVQYIirbGt8/OGhJSHJEhXivqZAXDlGkPzNEwk/WLsYmDGvebpaxiK3gS21xtsnmpf6SRdGsv1OmWsg+dqJza/Uw/ID/x38AQ7AsS0W2Rlxi6H3WNgJTjiQSCNvrC4gFYpcl8taaoITtJaSoPRDxLT362CzLhTK2zuGfCinMC/B7GkJMgOFbgF+ix85riZkuwW7M6ANbkrJQUsnK0HQqcou8TxHtpuyIfygh0FS6joTDC49W9IoxH/O2hiRFMdeG6sgMtJZqPeBSucFb742Iuo4GdrTujfdVwE666u4denqi8sB+zbWwWXhMEjj5RCcc2HKwQhRfRYiH7eS4szSFVDba//MarH26aQ9pJZ9lAZP64T7UnM
x-ms-exchange-antispam-messagedata: 44lId1e4gaD9FCbM5xtUcd5+otw5NkinHHPtZu6H9KNez5OcH5pgwYZg1rdX0hD4qyXu9luYcsUcTTIRJPvT7EzJQxCHfvLrcshUcU9wKCqmSddUfeXUyzYLcOtYYd/YCqEJOZM4D+fmi0jK1Pj9nA==
Content-Type: text/plain; charset="utf-8"
Content-ID: <F532EB3E53D0C844A348429DB09EAC06@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 14be7199-d50b-4432-b0d4-08d7b49bd2f9
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Feb 2020 17:56:04.7055 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dXoAcXp0BXFPUI5lZ72PiNbI/eNl544wQX2x6p7y5sSOVgow4zkF3zVilk6LsobE+vV4hsKzaBGnQVxBc4iOSw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB5586
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/FbfOVqRm-aBOKc05xS8P-Qp9kRY>
Subject: Re: [Hipsec] Alissa Cooper's No Objection on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2020 17:56:10 -0000

Hi Alissa,

thanks for the comments. Let me know if you have further concerns, my
corrections are listed below.

ke, 2018-05-09 kello 08:39 -0700, Alissa Cooper kirjoitti:
> Alissa Cooper has entered the following ballot position for
> draft-ietf-hip-native-nat-traversal-28: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut
> this
> introductory paragraph, however.)
> 
> 
> Please refer to 
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/
> 
> 
> 
> -------------------------------------------------------------------
> ---
> COMMENT:
> -------------------------------------------------------------------
> ---
> 
> I admit to not having much familiarity with HIP, so apologies if some
> of these
> questions seem off-base.
> 
> Why is this document on the standards track when RFC 5770 was
> experimental?
> 
> Section 6.1 says:
> 
> "The locators are in plain text format in favor of inspection at HIP-
>    aware middleboxes in the future.  The current document does not
>    specify encrypted versions of LOCATOR_SETs, even though it could
> be
>    beneficial for privacy reasons to avoid disclosing them to
>    middleboxes."
> 
> This seems to cut in the opposite direction of some of the other work
> we have
> going on in the IETF, where the justification for maintaining header
> information in the clear is for backwards-compatability with existing
> middleboxes, not to facilitate some to-be-developed middlebox
> behavior. Why is
> this justified for HIP?

Eric Rescolarla commented about this first, so this text will be
removed in the next version. The new text actually mandates encrypted
locators:

With ICE-HIP-UDP mode, the LOCATOR_SET parameter MUST be encapsulated
within an ENCRYPTED parameter (denoted here with ENC) according to the
procedures in sections 5.2.18 and 6.5 in [RFC7401].

Unlike in ICE, the addresses are not XOR-ed in Native ICE-HIP protocol
but rather encrypted to avoid middlebox tampering.

> Section 6.1 also says "an end-host may exclude certain host addresses
> from its
> LOCATOR_SET parameter," but I don't think this is totally clear in
> Section 4.5
> where it talks about "all the HIP candidates." I also wonder if it
> would be
> possible to provide some guidance about the circumstances under which
> an
> initiator might choose to exclude certain addresses, e.g. if there is
> a common
> deployment scenario where it's clear that certain candidates are
> meant to
> remain private.

It is actually better to expose all IP addresses because the host may
not necessarily have adequate knowledge of the (possibly cascading) NAT
topologies and whether the other peer is in "intra" or "extra" network
and so on. Still, I think we should not mandate exposing all network
interfaces in cases where the host knows the topology and there are
some privacy concerns. So to better reflect your comment, I changed the
text as follows:

For these two local policy reasons, an end-host MAY exclude certain
host addresses from its LOCATOR_SET parameter, but this requires
further experimentation.

> Nits:
> 
> = Section 1 =
> 
> " As one solution, the HIP experiment report [RFC6538] mentions that
>    Teredo based NAT traversal for HIP and related ESP traffic (with
>    double tunneling overhead)."
> 
> This is a sentence fragment.

I have removed "that" so it should make more sense now:

   To overcome this problem, different methods, commonly referred to as
   NAT traversal techniques, have been developed.

   As one solution, the HIP experiment report [RFC6538] mentions
   Teredo-based NAT traversal for HIP and related ESP traffic (with
   double tunneling overhead). 

> = Section 2 =
> 
> The paragraph about RFC2119 should also reference RFC8174.

I changed the wording as follows:

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in 
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.

v2.23.0 | Report a Bug | By Email