Re: [Hipsec] Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
Miika Komu <miika.komu@ericsson.com> Wed, 19 February 2020 20:43 UTC
Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 521D4120815; Wed, 19 Feb 2020 12:43:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e9pMl1COu8UF; Wed, 19 Feb 2020 12:43:31 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2043.outbound.protection.outlook.com [40.107.22.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 490AF120810; Wed, 19 Feb 2020 12:43:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bwfgQzf/sWt4RiIqA06FBHZDvG+oBPmoQtKbCvHNVWHMo3STLxsvMQ4PohZHzoyHWD7ZPvqFRZ/p+wIB+wVfbZiMh7XDydgG9CjToo+gXumYHo0xdevGWV3Uead42vU4tdcTlg5H/YGfrkOng7DiHN/yzagD/QG/ur2R2WwQI7LdcskMOREqmiO6AePfIxNnhSa3hYrPdfYiy7oqfxMG9RXf7GxcLwhV6C8q0OFeAUySxtCGefAtbKcbtP8+7yEoGrauxEZcWxDNMqdc+/8ev/ekR/AEBwRxIfJlD1U/fGmYcDMjm/pXs+nrfpE+qwPoz7GfrURmdZFhzGAKOvlmQg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=R03+X35WizL7gt1sKayOy/ru+JI2fzdiCqp2dKv4i1k=; b=cEdF+8fAVFNxomA+4PeE+K5WnbHqaBE4e0hufaB7/dGQ1mUwujwgGDZoI4uvEMqWilHcNc9E7hZP8fj7+UGMrcY7/qsLCbSHL5gdg4ZWHKi+GeHihu6wI95fWtyY1a7pDQGHiS6CSWkLJlPeHPTEBBjw3x0TqDgMJhWwm55xfMegdqkCI7y9HzHts6AN+/SDzo7Kp+i7awH/REk8ttwaPJcuymg53Z1uAy9uOUATqPKBE4XvV6ELfI8CXfhHnBINr0wAvDWL14MugpY+GshJn6jo00rc24GWp3dBZj4jwI4NM+dyQqoY7SSeWve+5JEVjhIQ7slr+Z6A5yHIgvrR8A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=R03+X35WizL7gt1sKayOy/ru+JI2fzdiCqp2dKv4i1k=; b=huJW2BHlDsiEK/DnHaaFd0SnmiEr4GtGb2ic1n9sj13Ksi95ZxU7WvBhAlWqJFgu4208Mz5Bm9EG1rrf9XmoyZI2P/Hwk4aA+We6JELN/5QRhljZebO3QJwwLPPZa6UUa7c3OnsC5S4aU3MCz7aPHlit4oJj+qjrzgC/DUtJq+0=
Received: from AM0PR07MB3876.eurprd07.prod.outlook.com (52.134.81.144) by AM0PR07MB6225.eurprd07.prod.outlook.com (10.186.174.79) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.6; Wed, 19 Feb 2020 20:43:29 +0000
Received: from AM0PR07MB3876.eurprd07.prod.outlook.com ([fe80::790c:4b51:77d2:7767]) by AM0PR07MB3876.eurprd07.prod.outlook.com ([fe80::790c:4b51:77d2:7767%5]) with mapi id 15.20.2750.016; Wed, 19 Feb 2020 20:43:29 +0000
From: Miika Komu <miika.komu@ericsson.com>
To: "ben@nostrum.com" <ben@nostrum.com>, "iesg@ietf.org" <iesg@ietf.org>
CC: "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hipsec@ietf.org" <hipsec@ietf.org>
Thread-Topic: Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
Thread-Index: AQHT6ANZz4Lx+ERWNkqYmGlFCSDyRqgm+nEA
Date: Wed, 19 Feb 2020 20:43:28 +0000
Message-ID: <3ac040a545036ed86f5db5bcfd9e50a7de41ac61.camel@ericsson.com>
References: <152591791834.10400.6957331555512925079.idtracker@ietfa.amsl.com>
In-Reply-To: <152591791834.10400.6957331555512925079.idtracker@ietfa.amsl.com>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.1
authentication-results: spf=none (sender IP is ) smtp.mailfrom=miika.komu@ericsson.com;
x-originating-ip: [88.148.205.35]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0a2844dc-f1e8-4c70-dd9b-08d7b57c6030
x-ms-traffictypediagnostic: AM0PR07MB6225:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <AM0PR07MB6225592C2A53AE37EB6AB97CFC100@AM0PR07MB6225.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0318501FAE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(136003)(39860400002)(396003)(366004)(189003)(199004)(2906002)(44832011)(71200400001)(4326008)(186003)(26005)(6506007)(81166006)(2616005)(8936002)(8676002)(81156014)(5660300002)(316002)(110136005)(86362001)(54906003)(966005)(478600001)(66476007)(66946007)(64756008)(6486002)(6512007)(36756003)(76116006)(66446008)(66556008)(91956017)(99106002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB6225; H:AM0PR07MB3876.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3t+R173JABHb35n33Z7dW4RgDIQwQPm2DU2kE5rlOH4pAm3IV7sArtE8OpNCDjpPEPe/j2sr52k7uoW//b3caxMdHUHg7flWO3kTIdtIzt0rqHpjm3UlUBBNIqIDVj2dh1WsxaBZPFP9+xp38R7IZ5sW/wSJWnuCnrznaK3Ju/usKSpSTdu7O0x/+9W0CHiePiK4OcdnCeGlYR6LzrnVevonaEXFsmbKxWdNmY3jys1ML6aEJsbZXCkhUJ8hpJVymufAPx8eW9z/kskS5Xffft0mVlNHiw1QKTR6HHO0VYPgh8roOVsuBJuBt5IaEmxMYyuLkRXbaEdNzJJIiye0ig0f5jHDt+5AagNckCTZY3Dx0Jbal8uklfYG5W1oOWlr/RvXAXa4oNHq1mN7zEiYXQN5oPyroUUuqDyBI62ISHAzAWJHrLoL/1gnPxwjB3UjRVO9xEMCjI62dp85ESxPWvK9Z5Ue9yKNb0pVEgfNx+fbADHflCyocbyYbXBjMnfbdGJus2bay2IsDLz28EUdoa7C7CDnokbUvtNZeUWdSWSSi/fwL18BeSYzsqAuSSWR
x-ms-exchange-antispam-messagedata: mctyv3xoZ1NjEkvW71REQ3iQMJks0zptP5GS28kdcser9/oO3V6NwMibYKrTTt2t5P/nayEoATCJcfx0suByn+gOvmxACqidOU23Dw03smapoutl9FSh/qHqOCqYHevX7hP2k424lqjinYMKXVfOyw==
Content-Type: text/plain; charset="utf-8"
Content-ID: <E07592EA49E90A488FD48B96616278A2@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0a2844dc-f1e8-4c70-dd9b-08d7b57c6030
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Feb 2020 20:43:28.9682 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: KzcZAL2RZ6xoNST0IVH9UKVJtEe5a1K0MfSOiQ+nY4j1DDFyEbqxQqD91UO4AcMILSXdEashmUrKEI/+CHW9KA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6225
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/lzHNedEK48WiXXCD8vprGClckKg>
Subject: Re: [Hipsec] Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2020 20:43:34 -0000
Hi Ben, thanks for your comments! My response below. ke, 2018-05-09 kello 19:05 -0700, Ben Campbell kirjoitti: > Ben Campbell has entered the following ballot position for > draft-ietf-hip-native-nat-traversal-28: Abstain > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut > this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/ > > > > ------------------------------------------------------------------- > --- > COMMENT: > ------------------------------------------------------------------- > --- > > I support all points of Ekr's discuss and comment points. I think > this either > needs to use ICE mostly as is (maybe with some minor profiling) or it > needs to > be self-contained here. I understand the material in appendix B, but > the > current mix seems untenable for implementors. Therefore I am > balloting > "abstain". I will reconsider that position if there is a substantial > reorganization. the current document has been organized for implementors of RFC5770 in mind. > Substantive Comments: > > I share Alissa's question about why this is standard track when the > previous > work has been experimental. HIP WG decided to move all of its experimental work to standards track. > §1, second paragraph: The citation for the version of ICE used by > "legacy > ICE-HIP" should be RFC5245, not the bis version. thanks, corrected. > §2: There are a number of lower-case keywords. Please use the RFC > 8174 > boilerplate. boilerplate added. Please comment some specific lower-case keyword is incorrect in your opinion. > §4.2: > - paragraph 5: Is everything in this paragraph from the ICE > specification? I > suspect not, but it's hard to tease out what is from ICE and what is > new > specification. It would be helpful to reference the ICE bits by > section number. it is either adapted from ICE (by e.g. changing "agent" to "host" or referencing the ICE spec (by sections). Based on the earlier reviews, the text has evolved now into the following: The rules in section 5.1.1 in [RFC8445] for candidate gathering are followed here. A number of host candidates (loopback, anycast and others) should be excluded as described in section 5.1.1.1 of the ICE specification [RFC8445]. Relayed candidates SHOULD be gathered in order to guarantee successful NAT traversal, and implementations SHOULD support this functionality even if it will not be used in deployments in order to enable it by software configuration update if needed at some point. Similarly as explained in section 5.1.1.2 of the ICE specification [RFC8445], if an IPv6- only host is in a network that utilizes NAT64 [RFC6146] and DNS64 [RFC6147] technologies, it may also gather IPv4 server- reflexive and/or relayed candidates from IPv4-only Control or Data Relay Servers. IPv6-only hosts SHOULD also utilize IPv6 prefix discovery [RFC7050] to discover the IPv6 prefix used by NAT64 (if any) and generate server-reflexive candidates for each IPv6-only interface, accordingly. The NAT64 server-reflexive candidates are prioritized like IPv4 server-reflexive candidates. > - paragraph 6: I'm confused in that I thought the previous text said > that > native ICE-HIP does not use STUN. you mean paragraph 7? Gathering of candidates MAY also be performed by other means than described in this section. For example, the candidates could be gathered as specified in Section 4.2 of [RFC5770] if STUN servers are available, or if the host has just a single interface and no STUN or Data Relay Server are available. Nothing prevents an implementation from gathering candidates via STUN but the recommended way is HIP control Relay as the "MAY" indicates here. > §6: I am skeptical of the assertion that the security considerations > for Native > ICE-HIP are no different than those for Legacy ICE-HIP. I have changed this now to a more precise statement: Since the control plane protocol and Control Relay Server are essentially the same (with some minor differences) in this document as in Legacy ICE-HIP [RFC5770], the same security considerations (in Section 6.1, Section 6.2, Section 6.3 and Section 6.4,) are still valid, but are repeated here for the sake of completeness. New security considerations related to the new Data Relay Server are discussed in Section 6.5, and considerations related to the new connectivity check protocol are discussed in Section 6.6 and Section 6.7 . > Editorial Comments: > > §1, 2nd paragraph: > - "responsible of NAT traversal": s/of/to > - "responsible of end-host": s/of/to I changed to "for", I assume that would do the trick as well > §4.3: "This section describes the usage of a new non-critical > parameter type. > ": Which is? It says now: This section describes the usage of a non-critical parameter type called NAT_TRAVERSAL_MODE with a new mode called ICE-HIP-UDP. > §4.6, first paragraph: 2nd sentence is hard to parse. I reworded this as follows: The address of the Control Relay Server MUST NOT be used as a destination for data plane traffic unless the server supports also Data Relay Server functionality, and the Client has successfully registered to use it.
- [Hipsec] Ben Campbell's Abstain on draft-ietf-hip… Ben Campbell
- Re: [Hipsec] Ben Campbell's Abstain on draft-ietf… Miika Komu
- Re: [Hipsec] Ben Campbell's Abstain on draft-ietf… Ben Campbell
- Re: [Hipsec] Ben Campbell's Abstain on draft-ietf… Eric Vyncke (evyncke)