IETF Logo Mail Archive

Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt

Tero Kivinen <kivinen@iki.fi> Tue, 03 November 2020 20:07 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC6303A1115; Tue, 3 Nov 2020 12:07:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.347
X-Spam-Level:
X-Spam-Status: No, score=-2.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.247, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Kc8JmWbwgLK; Tue, 3 Nov 2020 12:07:48 -0800 (PST)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 542063A0DEC; Tue, 3 Nov 2020 12:07:46 -0800 (PST)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id 62002205BB; Tue, 3 Nov 2020 22:07:43 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1604434063; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ZyBSGUJkYO/DxJ8kCNiY4JOCI+Aj5j6KROQd9EYQtSo=; b=MXfdR2VaHddR5IDMlsWUCUq+3wNTY1DQ3pvpu7qxHrqEUsP1Ig0qIeEZZIz2DncPLH2Moa 0HdN8Zu6Q36Ajp0es1aqf0r7DZl9+V5m9olHh1wIq5K3QnQ6ahiQNWdtd8n4a+9f6Th0xH Hzg8u/EcfuBvl+yZSI4SZ7XmeZ7YawQ=
Received: by fireball.acr.fi (Postfix, from userid 15204) id 09F8B25C0FFA; Tue, 3 Nov 2020 22:07:43 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24481.47246.986256.641311@fireball.acr.fi>
Date: Tue, 03 Nov 2020 22:07:42 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: tom petch <daedulus@btconnect.com>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, 'Roman Danyliw' <rdd@cert.org>, 'Fernando Pereniguez-Garcia' <fernando.pereniguez@cud.upct.es>, i2nsf@ietf.org, 'Gabriel Lopez' <gabilm@um.es>, ynir.ietf@gmail.com, ipsec@ietf.org, last-call@ietf.org, 'Rafa Marin-Lopez' <rafa@um.es>
In-Reply-To: <5FA14709.6080903@btconnect.com>
References: <160337357077.29083.9236626834026808055@ietfa.amsl.com> <EE5AB669-73BB-4517-A6F4-23B7807FB36E@um.es> <5F9815D1.9010303@btconnect.com> <DDE550B1-9A9E-4954-B6F9-C0A33ECE1275@um.es> <5F99B221.3040504@btconnect.com> <56155C91-BFE8-4BA9-A55C-46B12E59CD94@um.es> <5F9AEFD3.90903@btconnect.com> <059aaae84a354411ad1023afa2a837ba@cert.org> <5F9BF578.6000101@btconnect.com> <834a668ac559460a9f356bbb6c16b8fd@cert.org> <24476.38596.868667.906930@fireball.acr.fi> <5F9D62C0.5030908@btconnect.com> <000001d6af8e$43baa2d0$cb2fe870$@gmail.com> <5FA14709.6080903@btconnect.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 16 min
X-Total-Time: 16 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1604434063; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ZyBSGUJkYO/DxJ8kCNiY4JOCI+Aj5j6KROQd9EYQtSo=; b=f8wBgc/GqvvhcJ/HvkAqHzREB9IpipRFSJg0o48O12KqiyiBalFG+KTtlM2RJy0+7q7iX5 //+EeIvtc87MNbevtx409/mXuLpQQHTtvNCF5jfXweQ8NnrA+GSxAJInG0LArTqkoBzfMf 2biHtTudWO/woKqPzVLhm5WQjWrqU0c=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1604434063; a=rsa-sha256; cv=none; b=bR5eq7Vvhh71ieerrgTXH0UH4V0GUy5rtL1yjIqb0oLvwj3oaQfNWG8fH+9V35aB+byjdR FU880BB31lG7090ePDeKspelOMIMX2L2kCj/JYWsXCnSFutd3elBQE+FqB/5AaeleKNLIC OAOiyacWyAWwyvQrP3x/nLFg14JNgBI=
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/6YCZxBmTrXzuAP89d9_Xv3YfWUY>
Subject: Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 20:07:51 -0000

tom petch writes:
> The problem I see is where to direct readers of the i2nsf-sdn to for 
> more information, about which algorithms are recommended, or not, and, a 
> secondary consideration, whether they are AEAD or not, since the latter 
> affects the YANG module.  The I-D has lots of references to RFC7296 and 
> that RFC is very clear - for up-to-date information go to IANA.

Not exactly. RFC7296 says:
----------------------------------------------------------------------
	.... Readers should refer to [IKEV2IANA] for the latest
   values.
----------------------------------------------------------------------
meaning it says that the tables in RFC7296 might not be complete, as
there are more values allocated by IANA than what is in there, and to
get complete list of values in each table, you need to go to the IANA
registry.

Then in section "3.3.4. Mandatory Transform IDs" it says:

----------------------------------------------------------------------
   The specification of suites that MUST and SHOULD be supported for
   interoperability has been removed from this document because they are
   likely to change more rapidly than this document evolves.  At the
   time of publication of this document, [RFC4307] specifies these
   suites, but note that it might be updated in the future, and other
   RFCs might specify different sets of suites.
----------------------------------------------------------------------

Which points us to RFC4307 which was obsoleted by the RFC 8247 which
is the latest version of that document.

So RFC7296 is quite clear that you go in different places to find the
list of numbers (IANA) and to find which algorithms are mandatory to
implement.

> The RFC that update RFC7296 do not appear to update that advice.

RFC 8247 was actually marked as Updating 7296, so anybody reading 7296
will find that version too, even without going through RFC4307. 

> And the i2nsf I-D also contains references to IANA often alongside a
> reference to an RFC. You seem to be saying that IANA is only a good
> reference if it points to an RFC that says so which may not match
> the expectations of users (particularly those who are familiar with
> the approach of the TLS WG). If they are pointed to IANA they may
> well expect IANA to be the best source of information but you seem
> to be saying that the WG decided not to support that, rather
> expecting people to read the RFC. If IANA said 'use this to find the
> RFC but do not otherwise trust this information' that would be fine,
> well in a manner of speaking:-)

The IANA contains the tables that maps the numbers used in the IKEv2
to the names and references where they are specified. As others have
pointed out, some of those algorithms are not recommended all the
time, but only for specific use cases and or for specific key lengths,
like ENCR_AES_CBC, where RFC8247 has text like this:

   ENCR_AES_CBC is raised from SHOULD+ for 128-bit keys and MAY for
   256-bit keys in [RFC4307] to MUST. 192-bit keys remain at the MAY
   level.  ENCR_AES_CBC is the only shared mandatory-to-implement
   algorithm with RFC 4307 and as a result, it is necessary for
   interoperability with IKEv2 implementation compatible with RFC 4307.

or ENCR_AES_CCM_8:

   ENCR_AES_CCM_8 was not considered in RFC 4307.  This document
   considers it as SHOULD be implemented in order to be able to interact
   with IoT devices.  As this case is not a general use case for non-IoT
   VPNs, its status is expected to remain as SHOULD.  The 8-octet size
   of the ICV is expected to be sufficient for most use cases of IKEv2,
   as far less packets are exchanged in those cases, and IoT devices
   want to make packets as small as possible.  The SHOULD level is for
   128-bit keys, 256-bit keys remains at MAY level.

To explain this kind of things in the IANA registry would get quite a
lot of more columns....

> So, question.  What references should draft i2nsf-sdn point readers to 
> for up-to-date information on algorithms (assuming that they do not 
> track the IETF WG that updates information on IKEv2 ie like me)?

It should use IANA registry for the mapping between numbers,
algorithms and references; and then for algoritm implementation
requirements and usage guidance it should point to RFC8247 for IKEv2,
and to RFC8221 for ESP.

> Currently that is both a reference to the IANA registry and to an RFC; 
> is that your best advice?

Yes.

> Were I an author of this I-D, as opposed to a reader thereof, then based 
> on what you say I would remove references to the IANA website or at 
> least qualify them with some statement that they need to check the RFC 
> for current information!

You always need to check the RFC of the current information if you are
planning to implement any of the algorithms. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email