Re: [Hipsec] Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)

Miika Komu <> Wed, 19 February 2020 20:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 521D4120815; Wed, 19 Feb 2020 12:43:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e9pMl1COu8UF; Wed, 19 Feb 2020 12:43:31 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 490AF120810; Wed, 19 Feb 2020 12:43:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=bwfgQzf/sWt4RiIqA06FBHZDvG+oBPmoQtKbCvHNVWHMo3STLxsvMQ4PohZHzoyHWD7ZPvqFRZ/p+wIB+wVfbZiMh7XDydgG9CjToo+gXumYHo0xdevGWV3Uead42vU4tdcTlg5H/YGfrkOng7DiHN/yzagD/QG/ur2R2WwQI7LdcskMOREqmiO6AePfIxNnhSa3hYrPdfYiy7oqfxMG9RXf7GxcLwhV6C8q0OFeAUySxtCGefAtbKcbtP8+7yEoGrauxEZcWxDNMqdc+/8ev/ekR/AEBwRxIfJlD1U/fGmYcDMjm/pXs+nrfpE+qwPoz7GfrURmdZFhzGAKOvlmQg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=R03+X35WizL7gt1sKayOy/ru+JI2fzdiCqp2dKv4i1k=; b=cEdF+8fAVFNxomA+4PeE+K5WnbHqaBE4e0hufaB7/dGQ1mUwujwgGDZoI4uvEMqWilHcNc9E7hZP8fj7+UGMrcY7/qsLCbSHL5gdg4ZWHKi+GeHihu6wI95fWtyY1a7pDQGHiS6CSWkLJlPeHPTEBBjw3x0TqDgMJhWwm55xfMegdqkCI7y9HzHts6AN+/SDzo7Kp+i7awH/REk8ttwaPJcuymg53Z1uAy9uOUATqPKBE4XvV6ELfI8CXfhHnBINr0wAvDWL14MugpY+GshJn6jo00rc24GWp3dBZj4jwI4NM+dyQqoY7SSeWve+5JEVjhIQ7slr+Z6A5yHIgvrR8A==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=R03+X35WizL7gt1sKayOy/ru+JI2fzdiCqp2dKv4i1k=; b=huJW2BHlDsiEK/DnHaaFd0SnmiEr4GtGb2ic1n9sj13Ksi95ZxU7WvBhAlWqJFgu4208Mz5Bm9EG1rrf9XmoyZI2P/Hwk4aA+We6JELN/5QRhljZebO3QJwwLPPZa6UUa7c3OnsC5S4aU3MCz7aPHlit4oJj+qjrzgC/DUtJq+0=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.6; Wed, 19 Feb 2020 20:43:29 +0000
Received: from ([fe80::790c:4b51:77d2:7767]) by ([fe80::790c:4b51:77d2:7767%5]) with mapi id 15.20.2750.016; Wed, 19 Feb 2020 20:43:29 +0000
From: Miika Komu <>
To: "" <>, "" <>
CC: "" <>, "" <>, Gonzalo Camarillo <>, "" <>
Thread-Topic: Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
Thread-Index: AQHT6ANZz4Lx+ERWNkqYmGlFCSDyRqgm+nEA
Date: Wed, 19 Feb 2020 20:43:28 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: fi-FI, en-US
Content-Language: en-US
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.1
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0a2844dc-f1e8-4c70-dd9b-08d7b57c6030
x-ms-traffictypediagnostic: AM0PR07MB6225:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0318501FAE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(136003)(39860400002)(396003)(366004)(189003)(199004)(2906002)(44832011)(71200400001)(4326008)(186003)(26005)(6506007)(81166006)(2616005)(8936002)(8676002)(81156014)(5660300002)(316002)(110136005)(86362001)(54906003)(966005)(478600001)(66476007)(66946007)(64756008)(6486002)(6512007)(36756003)(76116006)(66446008)(66556008)(91956017)(99106002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB6225;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3t+R173JABHb35n33Z7dW4RgDIQwQPm2DU2kE5rlOH4pAm3IV7sArtE8OpNCDjpPEPe/j2sr52k7uoW//b3caxMdHUHg7flWO3kTIdtIzt0rqHpjm3UlUBBNIqIDVj2dh1WsxaBZPFP9+xp38R7IZ5sW/wSJWnuCnrznaK3Ju/usKSpSTdu7O0x/+9W0CHiePiK4OcdnCeGlYR6LzrnVevonaEXFsmbKxWdNmY3jys1ML6aEJsbZXCkhUJ8hpJVymufAPx8eW9z/kskS5Xffft0mVlNHiw1QKTR6HHO0VYPgh8roOVsuBJuBt5IaEmxMYyuLkRXbaEdNzJJIiye0ig0f5jHDt+5AagNckCTZY3Dx0Jbal8uklfYG5W1oOWlr/RvXAXa4oNHq1mN7zEiYXQN5oPyroUUuqDyBI62ISHAzAWJHrLoL/1gnPxwjB3UjRVO9xEMCjI62dp85ESxPWvK9Z5Ue9yKNb0pVEgfNx+fbADHflCyocbyYbXBjMnfbdGJus2bay2IsDLz28EUdoa7C7CDnokbUvtNZeUWdSWSSi/fwL18BeSYzsqAuSSWR
x-ms-exchange-antispam-messagedata: mctyv3xoZ1NjEkvW71REQ3iQMJks0zptP5GS28kdcser9/oO3V6NwMibYKrTTt2t5P/nayEoATCJcfx0suByn+gOvmxACqidOU23Dw03smapoutl9FSh/qHqOCqYHevX7hP2k424lqjinYMKXVfOyw==
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0a2844dc-f1e8-4c70-dd9b-08d7b57c6030
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Feb 2020 20:43:28.9682 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: KzcZAL2RZ6xoNST0IVH9UKVJtEe5a1K0MfSOiQ+nY4j1DDFyEbqxQqD91UO4AcMILSXdEashmUrKEI/+CHW9KA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6225
Archived-At: <>
Subject: Re: [Hipsec] Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Feb 2020 20:43:34 -0000

Hi Ben,

thanks for your comments! My response below.

ke, 2018-05-09 kello 19:05 -0700, Ben Campbell kirjoitti:
> Ben Campbell has entered the following ballot position for
> draft-ietf-hip-native-nat-traversal-28: Abstain
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut
> this
> introductory paragraph, however.)
> Please refer to 
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> -------------------------------------------------------------------
> ---
> -------------------------------------------------------------------
> ---
> I support all points of Ekr's discuss and comment points. I think
> this either
> needs to use ICE mostly as is (maybe with some minor profiling) or it
> needs to
> be self-contained here. I understand the material in appendix B, but
> the
> current mix seems untenable for implementors. Therefore I am
> balloting
> "abstain".  I will reconsider that position if there is a substantial
> reorganization.

the current document has been organized for implementors of RFC5770 in

> Substantive Comments:
> I share Alissa's question about why this is standard track when the
> previous
> work has been experimental.

HIP WG decided to move all of its experimental work to standards track.

> §1, second paragraph: The citation for the version of ICE used by
> "legacy
> ICE-HIP" should be RFC5245, not the bis version.

thanks, corrected.

> §2: There are a number of lower-case keywords. Please use the RFC
> 8174
> boilerplate.

boilerplate added. Please comment some specific lower-case keyword is
incorrect in your opinion.

> §4.2:
> - paragraph 5: Is everything in this paragraph from the ICE
> specification? I
> suspect not, but it's hard to tease out what is from ICE and what is
> new
> specification. It would be helpful to reference the ICE bits by
> section number.

it is either adapted from ICE (by e.g. changing "agent" to "host" or
referencing the ICE spec (by sections). Based on the earlier reviews,
the text has evolved now into the following:

  The rules in section 5.1.1 in [RFC8445] for candidate gathering
are   followed here.  A number of host candidates (loopback, anycast
and   others) should be excluded as described in section of the
ICE   specification [RFC8445].  Relayed candidates SHOULD be gathered
in   order to guarantee successful NAT traversal, and
implementations   SHOULD support this functionality even if it will not
be used in   deployments in order to enable it by software
configuration update if   needed at some point.  Similarly as explained
in section of   the ICE specification [RFC8445], if an IPv6-
only host is in a network   that utilizes NAT64 [RFC6146] and DNS64
[RFC6147] technologies, it   may also gather IPv4 server- reflexive
and/or relayed candidates from   IPv4-only Control or Data Relay
Servers.  IPv6-only hosts SHOULD also   utilize IPv6 prefix discovery
[RFC7050] to discover the IPv6 prefix   used by NAT64 (if any) and
generate server-reflexive candidates for   each IPv6-only interface,
accordingly.  The NAT64 server-reflexive   candidates are prioritized
like IPv4 server-reflexive candidates.

> - paragraph 6: I'm confused in that I thought the previous text said
> that
> native ICE-HIP does not use STUN.

you mean paragraph 7?

   Gathering of candidates MAY also be performed by other means than
   described in this section.  For example, the candidates could be
   gathered as specified in Section 4.2 of [RFC5770] if STUN servers 
   are available, or if the host has just a single interface and no
   STUN or Data Relay Server are available.

Nothing prevents an implementation from gathering candidates via STUN
but the recommended way is HIP control Relay as the "MAY" indicates

> §6: I am skeptical of the assertion that the security considerations
> for Native
> ICE-HIP are no different than those for Legacy ICE-HIP.

I have changed this now to a more precise statement:

   Since the control plane protocol and Control Relay Server are
   essentially the same (with some minor differences) in this document
   as in Legacy ICE-HIP [RFC5770], the same security considerations (in
   Section 6.1, Section 6.2, Section 6.3 and Section 6.4,) are still
   valid, but are repeated here for the sake of completeness.  New
   security considerations related to the new Data Relay Server are
   discussed in Section 6.5, and considerations related to the new
   connectivity check protocol are discussed in Section 6.6 and
   Section 6.7 .

> Editorial Comments:
> §1, 2nd paragraph:
> - "responsible of NAT traversal": s/of/to
> - "responsible of end-host": s/of/to

I changed to "for", I assume that would do the trick as well

> §4.3: "This section describes the usage of a new non-critical
> parameter type.
> ": Which is?

It says now:

  This section describes the usage of a non-critical parameter type
   called NAT_TRAVERSAL_MODE with a new mode called ICE-HIP-UDP. 

> §4.6, first paragraph: 2nd sentence is hard to parse.

I reworded this as follows:

The address of the Control Relay Server MUST NOT be used as a
destination for data plane traffic unless the server supports also Data
Relay Server functionality, and the Client has successfully registered
to use it.