Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
Tero Kivinen <kivinen@iki.fi> Tue, 03 November 2020 20:07 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC6303A1115; Tue, 3 Nov 2020 12:07:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.347
X-Spam-Level:
X-Spam-Status: No, score=-2.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.247, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Kc8JmWbwgLK; Tue, 3 Nov 2020 12:07:48 -0800 (PST)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 542063A0DEC; Tue, 3 Nov 2020 12:07:46 -0800 (PST)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id 62002205BB; Tue, 3 Nov 2020 22:07:43 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1604434063; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ZyBSGUJkYO/DxJ8kCNiY4JOCI+Aj5j6KROQd9EYQtSo=; b=MXfdR2VaHddR5IDMlsWUCUq+3wNTY1DQ3pvpu7qxHrqEUsP1Ig0qIeEZZIz2DncPLH2Moa 0HdN8Zu6Q36Ajp0es1aqf0r7DZl9+V5m9olHh1wIq5K3QnQ6ahiQNWdtd8n4a+9f6Th0xH Hzg8u/EcfuBvl+yZSI4SZ7XmeZ7YawQ=
Received: by fireball.acr.fi (Postfix, from userid 15204) id 09F8B25C0FFA; Tue, 3 Nov 2020 22:07:43 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24481.47246.986256.641311@fireball.acr.fi>
Date: Tue, 03 Nov 2020 22:07:42 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: tom petch <daedulus@btconnect.com>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, 'Roman Danyliw' <rdd@cert.org>, 'Fernando Pereniguez-Garcia' <fernando.pereniguez@cud.upct.es>, i2nsf@ietf.org, 'Gabriel Lopez' <gabilm@um.es>, ynir.ietf@gmail.com, ipsec@ietf.org, last-call@ietf.org, 'Rafa Marin-Lopez' <rafa@um.es>
In-Reply-To: <5FA14709.6080903@btconnect.com>
References: <160337357077.29083.9236626834026808055@ietfa.amsl.com> <EE5AB669-73BB-4517-A6F4-23B7807FB36E@um.es> <5F9815D1.9010303@btconnect.com> <DDE550B1-9A9E-4954-B6F9-C0A33ECE1275@um.es> <5F99B221.3040504@btconnect.com> <56155C91-BFE8-4BA9-A55C-46B12E59CD94@um.es> <5F9AEFD3.90903@btconnect.com> <059aaae84a354411ad1023afa2a837ba@cert.org> <5F9BF578.6000101@btconnect.com> <834a668ac559460a9f356bbb6c16b8fd@cert.org> <24476.38596.868667.906930@fireball.acr.fi> <5F9D62C0.5030908@btconnect.com> <000001d6af8e$43baa2d0$cb2fe870$@gmail.com> <5FA14709.6080903@btconnect.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 16 min
X-Total-Time: 16 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1604434063; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ZyBSGUJkYO/DxJ8kCNiY4JOCI+Aj5j6KROQd9EYQtSo=; b=f8wBgc/GqvvhcJ/HvkAqHzREB9IpipRFSJg0o48O12KqiyiBalFG+KTtlM2RJy0+7q7iX5 //+EeIvtc87MNbevtx409/mXuLpQQHTtvNCF5jfXweQ8NnrA+GSxAJInG0LArTqkoBzfMf 2biHtTudWO/woKqPzVLhm5WQjWrqU0c=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1604434063; a=rsa-sha256; cv=none; b=bR5eq7Vvhh71ieerrgTXH0UH4V0GUy5rtL1yjIqb0oLvwj3oaQfNWG8fH+9V35aB+byjdR FU880BB31lG7090ePDeKspelOMIMX2L2kCj/JYWsXCnSFutd3elBQE+FqB/5AaeleKNLIC OAOiyacWyAWwyvQrP3x/nLFg14JNgBI=
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/6YCZxBmTrXzuAP89d9_Xv3YfWUY>
Subject: Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 20:07:51 -0000
tom petch writes: > The problem I see is where to direct readers of the i2nsf-sdn to for > more information, about which algorithms are recommended, or not, and, a > secondary consideration, whether they are AEAD or not, since the latter > affects the YANG module. The I-D has lots of references to RFC7296 and > that RFC is very clear - for up-to-date information go to IANA. Not exactly. RFC7296 says: ---------------------------------------------------------------------- .... Readers should refer to [IKEV2IANA] for the latest values. ---------------------------------------------------------------------- meaning it says that the tables in RFC7296 might not be complete, as there are more values allocated by IANA than what is in there, and to get complete list of values in each table, you need to go to the IANA registry. Then in section "3.3.4. Mandatory Transform IDs" it says: ---------------------------------------------------------------------- The specification of suites that MUST and SHOULD be supported for interoperability has been removed from this document because they are likely to change more rapidly than this document evolves. At the time of publication of this document, [RFC4307] specifies these suites, but note that it might be updated in the future, and other RFCs might specify different sets of suites. ---------------------------------------------------------------------- Which points us to RFC4307 which was obsoleted by the RFC 8247 which is the latest version of that document. So RFC7296 is quite clear that you go in different places to find the list of numbers (IANA) and to find which algorithms are mandatory to implement. > The RFC that update RFC7296 do not appear to update that advice. RFC 8247 was actually marked as Updating 7296, so anybody reading 7296 will find that version too, even without going through RFC4307. > And the i2nsf I-D also contains references to IANA often alongside a > reference to an RFC. You seem to be saying that IANA is only a good > reference if it points to an RFC that says so which may not match > the expectations of users (particularly those who are familiar with > the approach of the TLS WG). If they are pointed to IANA they may > well expect IANA to be the best source of information but you seem > to be saying that the WG decided not to support that, rather > expecting people to read the RFC. If IANA said 'use this to find the > RFC but do not otherwise trust this information' that would be fine, > well in a manner of speaking:-) The IANA contains the tables that maps the numbers used in the IKEv2 to the names and references where they are specified. As others have pointed out, some of those algorithms are not recommended all the time, but only for specific use cases and or for specific key lengths, like ENCR_AES_CBC, where RFC8247 has text like this: ENCR_AES_CBC is raised from SHOULD+ for 128-bit keys and MAY for 256-bit keys in [RFC4307] to MUST. 192-bit keys remain at the MAY level. ENCR_AES_CBC is the only shared mandatory-to-implement algorithm with RFC 4307 and as a result, it is necessary for interoperability with IKEv2 implementation compatible with RFC 4307. or ENCR_AES_CCM_8: ENCR_AES_CCM_8 was not considered in RFC 4307. This document considers it as SHOULD be implemented in order to be able to interact with IoT devices. As this case is not a general use case for non-IoT VPNs, its status is expected to remain as SHOULD. The 8-octet size of the ICV is expected to be sufficient for most use cases of IKEv2, as far less packets are exchanged in those cases, and IoT devices want to make packets as small as possible. The SHOULD level is for 128-bit keys, 256-bit keys remains at MAY level. To explain this kind of things in the IANA registry would get quite a lot of more columns.... > So, question. What references should draft i2nsf-sdn point readers to > for up-to-date information on algorithms (assuming that they do not > track the IETF WG that updates information on IKEv2 ie like me)? It should use IANA registry for the mapping between numbers, algorithms and references; and then for algoritm implementation requirements and usage guidance it should point to RFC8247 for IKEv2, and to RFC8221 for ESP. > Currently that is both a reference to the IANA registry and to an RFC; > is that your best advice? Yes. > Were I an author of this I-D, as opposed to a reader thereof, then based > on what you say I would remove references to the IANA website or at > least qualify them with some statement that they need to check the RFC > for current information! You always need to check the RFC of the current information if you are planning to implement any of the algorithms. -- kivinen@iki.fi
- [I2nsf] Fwd: New Version Notification for draft-i… Rafa Marin-Lopez
- Re: [I2nsf] [Last-Call] Fwd: New Version Notifica… tom petch
- Re: [I2nsf] Fwd: [Last-Call] New Version Notifica… Rafa Marin-Lopez
- Re: [I2nsf] Fwd: [Last-Call] New Version Notifica… tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Rafa Marin-Lopez
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Roman Danyliw
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Rafa Marin-Lopez
- Re: [I2nsf] [Last-Call] New Version Notification … Roman Danyliw
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Tero Kivinen
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Roman Danyliw
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… tom petch
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Valery Smyslov
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Yoav Nir
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Paul Wouters
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Tero Kivinen
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… tom petch
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Tero Kivinen
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Valery Smyslov
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Benjamin Kaduk
- Re: [I2nsf] [Last-Call] New Version Notification … Rafa Marin-Lopez