Re: [Hipsec] Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Fri, 21 February 2020 09:36 UTC
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Ben Campbell <ben@nostrum.com>, Miika Komu <miika.komu@ericsson.com>
CC: "hipsec@ietf.org" <hipsec@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>
Date: Fri, 21 Feb 2020 09:35:58 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/y1WXhml47BEigeKemS70pqtJl6s>
Thank you Ben,

As a side note, I have observed that the authors have addressed all your review comments in the -29 version. The current plan is to do a new ballot as the IESG has changed since the last one.

-éric

From: iesg <iesg-bounces@ietf.org> on behalf of Ben Campbell <ben@nostrum.com>
Date: Friday, 21 February 2020 at 00:19
To: Miika Komu <miika.komu@ericsson.com>
Cc: "hipsec@ietf.org" <hipsec@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>
Subject: Re: Ben Campbell's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)

Hi,

I am no longer an area director. I leave it to the current area directors to decide how to proceed with the updated version.

Thanks,

Ben.

> On Feb 19, 2020, at 2:43 PM, Miika Komu <miika.komu@ericsson.com> wrote:
>
> Hi Ben,
>
> thanks for your comments! My response below.
>
> On Wed, 2018-05-09 at 19:05 -0700, Ben Campbell wrote:
>> Ben Campbell has entered the following ballot position for
>> draft-ietf-hip-native-nat-traversal-28: Abstain
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> I support all points of Ekr's discuss and comment points. I think this
>> either needs to use ICE mostly as is (maybe with some minor profiling)
>> or it needs to be self-contained here. I understand the material in
>> appendix B, but the current mix seems untenable for implementors.
>> Therefore I am balloting "abstain". I will reconsider that position if
>> there is a substantial reorganization.
>
> the current document has been organized with implementors of RFC5770 in
> mind.
>
>> Substantive Comments:
>>
>> I share Alissa's question about why this is standard track when the
>> previous work has been experimental.
>
> HIP WG decided to move all of its experimental work to standards track.
>
>> §1, second paragraph: The citation for the version of ICE used by
>> "legacy ICE-HIP" should be RFC5245, not the bis version.
>
> thanks, corrected.
>
>> §2: There are a number of lower-case keywords. Please use the RFC 8174
>> boilerplate.
>
> boilerplate added. Please comment if some specific lower-case keyword is
> incorrect in your opinion.
>
>> §4.2:
>> - paragraph 5: Is everything in this paragraph from the ICE
>> specification? I suspect not, but it's hard to tease out what is from
>> ICE and what is new specification. It would be helpful to reference the
>> ICE bits by section number.
>
> it is either adapted from ICE (by e.g. changing "agent" to "host") or
> references the ICE spec (by sections). Based on the earlier reviews, the
> text has evolved now into the following:
>
>    The rules in section 5.1.1 in [RFC8445] for candidate gathering are
>    followed here. A number of host candidates (loopback, anycast and
>    others) should be excluded as described in section 5.1.1.1 of the ICE
>    specification [RFC8445]. Relayed candidates SHOULD be gathered in
>    order to guarantee successful NAT traversal, and implementations
>    SHOULD support this functionality even if it will not be used in
>    deployments in order to enable it by software configuration update if
>    needed at some point.
>
>    Similarly as explained in section 5.1.1.2 of the ICE specification
>    [RFC8445], if an IPv6-only host is in a network that utilizes NAT64
>    [RFC6146] and DNS64 [RFC6147] technologies, it may also gather IPv4
>    server-reflexive and/or relayed candidates from IPv4-only Control or
>    Data Relay Servers. IPv6-only hosts SHOULD also utilize IPv6 prefix
>    discovery [RFC7050] to discover the IPv6 prefix used by NAT64 (if
>    any) and generate server-reflexive candidates for each IPv6-only
>    interface, accordingly. The NAT64 server-reflexive candidates are
>    prioritized like IPv4 server-reflexive candidates.
>
>> - paragraph 6: I'm confused in that I thought the previous text said
>> that native ICE-HIP does not use STUN.
>
> you mean paragraph 7?
>
>    Gathering of candidates MAY also be performed by other means than
>    described in this section. For example, the candidates could be
>    gathered as specified in Section 4.2 of [RFC5770] if STUN servers are
>    available, or if the host has just a single interface and no STUN or
>    Data Relay Server are available.
>
> Nothing prevents an implementation from gathering candidates via STUN
> but the recommended way is HIP control Relay as the "MAY" indicates
> here.
>
>> §6: I am skeptical of the assertion that the security considerations
>> for Native ICE-HIP are no different than those for Legacy ICE-HIP.
>
> I have changed this now to a more precise statement:
>
>    Since the control plane protocol and Control Relay Server are
>    essentially the same (with some minor differences) in this document
>    as in Legacy ICE-HIP [RFC5770], the same security considerations (in
>    Section 6.1, Section 6.2, Section 6.3 and Section 6.4) are still
>    valid, but are repeated here for the sake of completeness. New
>    security considerations related to the new Data Relay Server are
>    discussed in Section 6.5, and considerations related to the new
>    connectivity check protocol are discussed in Section 6.6 and Section
>    6.7.
>
>> Editorial Comments:
>>
>> §1, 2nd paragraph:
>> - "responsible of NAT traversal": s/of/to
>> - "responsible of end-host": s/of/to
>
> I changed it to "for"; I assume that would do the trick as well.
>
>> §4.3: "This section describes the usage of a new non-critical parameter
>> type. ": Which is?
>
> It says now:
>
>    This section describes the usage of a non-critical parameter type
>    called NAT_TRAVERSAL_MODE with a new mode called ICE-HIP-UDP.
>
>> §4.6, first paragraph: 2nd sentence is hard to parse.
>
> I reworded this as follows:
>
>    The address of the Control Relay Server MUST NOT be used as a
>    destination for data plane traffic unless the server supports also
>    Data Relay Server functionality, and the Client has successfully
>    registered to use it.
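The candidate-gathering text Miika quotes above (RFC 8445 section 5.1.1 filtering, RFC 7050 NAT64 prefix discovery, and NAT64 server-reflexive candidates prioritized like IPv4 server-reflexive ones) is compact enough that an implementor may want to see the three steps as code. The block below is an added example written for this page; it is not code from the draft, from RFC 8445, from the thread participants, or from any HIP implementation. It assumes constructed inputs throughout: the host's local addresses, a DNS64-synthesized AAAA answer for ipv4only.arpa, the IPv4 address of an IPv4-only Control Relay Server, and the reflexive IPv4 address that relay would report (passed in as `observed_v4` because nothing is sent over the network). The port, the helper names and the `Candidate` structure are this example's own, not the draft's.

```python
"""Candidate gathering for an IPv6-only ICE-HIP host behind NAT64.

Added example, not code from the draft, RFC 8445 or the mailing-list thread.
Steps shown, following the draft text quoted in the thread:
  1. drop host addresses RFC 8445 section 5.1.1.1 excludes (loopback,
     link-local and similar);
  2. discover the NAT64 prefix as RFC 7050 does, by finding which RFC 6052
     prefix length embeds the well-known address 192.0.0.170 / 192.0.0.171
     in the AAAA answer for ipv4only.arpa;
  3. assign ICE priorities with the RFC 8445 section 5.1.2.1 formula, using
     the server-reflexive type preference for the NAT64-derived candidate.
All addresses and the AAAA answer are constructed; no DNS or sockets are used.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, IPv6Network, ip_address
from typing import List, Optional, Tuple

TYPE_PREF = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}   # RFC 8445 5.1.2.2
WELL_KNOWN = {"192.0.0.170", "192.0.0.171"}                        # RFC 7050
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def usable_host_address(addr: str) -> bool:
    """False for addresses a host SHOULD NOT offer as candidates (RFC 8445 5.1.1.1)."""
    ip = ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not (ip.version == 6 and ip.ipv4_mapped is not None)


def extract_ipv4(addr: str, plen: int) -> str:
    """IPv4 address embedded in an RFC 6052 address of prefix length plen.
    For plen < 96 the IPv4 bits straddle the reserved 'u' octet (byte 8)."""
    raw = IPv6Address(addr).packed
    if plen == 96:
        return str(IPv4Address(raw[12:16]))
    start = plen // 8
    head = 8 - start                           # IPv4 bytes before the 'u' octet
    return str(IPv4Address(raw[start:8] + raw[9:9 + 4 - head]))


def embed_ipv4(prefix: str, v4: str) -> str:
    """Inverse of extract_ipv4: the IPv6 address NAT64 maps to v4 under prefix."""
    net = IPv6Network(prefix)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("not an RFC 6052 prefix length: %d" % net.prefixlen)
    p = bytearray(net.network_address.packed)
    v = IPv4Address(v4).packed
    if net.prefixlen == 96:
        p[12:16] = v
    else:
        start = net.prefixlen // 8
        head = 8 - start
        p[start:8] = v[:head]
        p[8] = 0                               # 'u' octet must be zero
        p[9:9 + 4 - head] = v[head:]
    return str(IPv6Address(bytes(p)))


def nat64_prefix_from_aaaa(aaaa: str) -> Optional[str]:
    """RFC 7050 step: the NAT64 prefix is whichever RFC 6052 length recovers a
    well-known address from the synthesized AAAA. None means no DNS64 in path."""
    for plen in RFC6052_PREFIX_LENGTHS:
        if extract_ipv4(aaaa, plen) in WELL_KNOWN:
            return str(IPv6Network((IPv6Address(aaaa), plen), strict=False))
    return None


def ice_priority(typ: str, local_pref: int = 65535, component_id: int = 1) -> int:
    """RFC 8445 5.1.2.1: 2^24*type_pref + 2^8*local_pref + (256 - component_id)."""
    return (TYPE_PREF[typ] << 24) + (local_pref << 8) + (256 - component_id)


@dataclass(frozen=True)
class Candidate:              # example-local structure, not the draft's encoding
    typ: str
    address: str
    port: int
    priority: int


def gather_candidates(local_addrs: List[str], port: int, aaaa_answer: str,
                      relay_v4: str, observed_v4: Optional[str] = None
                      ) -> Tuple[List[Candidate], str]:
    """Host candidates from usable local addresses; if NAT64 is detected, the
    IPv4 server-reflexive candidate the IPv4-only relay observed (observed_v4
    stands in for the relay's reply). Also returns the address to reach the
    relay at: its IPv4 address, or its NAT64-synthesized IPv6 form."""
    cands = [Candidate("host", a, port, ice_priority("host"))
             for a in local_addrs if usable_host_address(a)]
    relay_dst = relay_v4
    prefix = nat64_prefix_from_aaaa(aaaa_answer)
    if prefix is not None:
        relay_dst = embed_ipv4(prefix, relay_v4)
        if observed_v4 is not None:            # same type preference as IPv4 srflx
            cands.append(Candidate("srflx", observed_v4, port, ice_priority("srflx")))
    return sorted(cands, key=lambda c: c.priority, reverse=True), relay_dst


if __name__ == "__main__":
    # Constructed: loopback, link-local and IPv4-mapped addresses are dropped,
    # the AAAA is 192.0.0.170 under 64:ff9b::/96, the relay is IPv4-only.
    cands, relay = gather_candidates(
        ["::1", "fe80::1", "::ffff:10.0.0.5", "2001:db8:1:2::10"], 10500,
        "64:ff9b::c000:aa", "198.51.100.7", observed_v4="203.0.113.44")
    print("reach the relay at", relay)
    for c in cands:
        print(c)
```

The prefix search tries the shorter RFC 6052 lengths first, so a /96 answer such as 64:ff9b::c000:aa is only matched at 96 after the shorter positions fail to yield a well-known address; in a real client the check should be made against both 192.0.0.170 and 192.0.0.171 answers, as RFC 7050 describes, before trusting the prefix.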