IETF Logo Mail Archive

Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt

tom petch <daedulus@btconnect.com> Tue, 03 November 2020 12:04 UTC

Return-Path: <daedulus@btconnect.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA9173A08F6; Tue, 3 Nov 2020 04:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.148
X-Spam-Level:
X-Spam-Status: No, score=-2.148 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.247, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id asLvhtCfmXj0; Tue, 3 Nov 2020 04:04:12 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2134.outbound.protection.outlook.com [40.107.20.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68B6E3A08E7; Tue, 3 Nov 2020 04:03:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=I/L09wXI6yjRHxbgcqJRZQh7aMLXHwRLTj7cTJllFK8tL62WCYp2CZ4oXN+Jl/gFq2axDeF0hKoEPg7cwOmvSXgiT12gVDlOzBoQBJYAign4sRgSaacXpbTky/YNPHQJU1Jp86/7CYzcPa5aXbpC8q1ugqdulKpxp8o/xxjU6FTwIdDu1W3qM2z4P3IICJe7r1TSNhTz/FD1cEYyUkp9UkgkKjlW2xbMOHROBsPStdQhV/IFtcz14IHQb8cp/xoP7qfPBIoz5psz5H2VQd46DCuh6IzdFRvii9aq3xf6/4aKVsLyQNtZQHxy/WJRDxtd4ZhcfSfPIIYMZXZIJtgCVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yU+243sWsVjlvTpyC+n/blcCohvYRQq/uL9Dv9Z5A7I=; b=Voba3GzPpG8UqYvFv7u0xTkyGQRmr/xf+h1zUl4Q17AjhBTf3cpSQx7Gw/Jk9OTraCl0xZ4MQd5J+TWssHSFeevbj8xP5i7IHocMlByg4QyQKSqzt76Q9yhivNx6GYCNinSD8zTohkbkq133fc0mCHI6uUVSzUH57MGJT/359eqStr6GNLIBRIlL8JZjUDCbYEdGkQQ4B+KH1v8lrQ77YLJk70R6ylMiMAs+XOoZQxHRDSUItYOAzkKwMcwL0/ub9mCyE3lLmuKeh0ZDDSvBUeEWoCgvT/R4Ek62lClK3WyPk/Wnz6OPoVXqbbB4jg6BljBCGs33asoDaKCBx6qa1g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yU+243sWsVjlvTpyC+n/blcCohvYRQq/uL9Dv9Z5A7I=; b=AtY84deyx96QcCEh40cNO92SXHUkUC85Il5vyEvdclYfa1R1Zit5Z9f8aummrCXx5R6MrDuK7HFVB3lIXM3ZD5fVBrgvE5WVTAHCSK8lM22P8NIOJQrFpV9PfGBkpIAlQZ2kzWbORRPFJXga9Ef7tWyxKKLVDqBITe7eVyJUC4U=
Authentication-Results: um.es; dkim=none (message not signed) header.d=none;um.es; dmarc=none action=none header.from=btconnect.com;
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8) by VI1PR07MB6335.eurprd07.prod.outlook.com (2603:10a6:800:136::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3541.10; Tue, 3 Nov 2020 12:03:23 +0000
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::6407:6ea2:f517:eeae]) by VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::6407:6ea2:f517:eeae%7]) with mapi id 15.20.3541.015; Tue, 3 Nov 2020 12:03:23 +0000
To: Valery Smyslov <smyslov.ietf@gmail.com>, 'Tero Kivinen' <kivinen@iki.fi>, 'Roman Danyliw' <rdd@cert.org>
References: <160337357077.29083.9236626834026808055@ietfa.amsl.com> <EE5AB669-73BB-4517-A6F4-23B7807FB36E@um.es> <5F9815D1.9010303@btconnect.com> <DDE550B1-9A9E-4954-B6F9-C0A33ECE1275@um.es> <5F99B221.3040504@btconnect.com> <56155C91-BFE8-4BA9-A55C-46B12E59CD94@um.es> <5F9AEFD3.90903@btconnect.com> <059aaae84a354411ad1023afa2a837ba@cert.org> <5F9BF578.6000101@btconnect.com> <834a668ac559460a9f356bbb6c16b8fd@cert.org> <24476.38596.868667.906930@fireball.acr.fi> <5F9D62C0.5030908@btconnect.com> <000001d6af8e$43baa2d0$cb2fe870$@gmail.com>
Cc: 'Fernando Pereniguez-Garcia' <fernando.pereniguez@cud.upct.es>, i2nsf@ietf.org, 'Gabriel Lopez' <gabilm@um.es>, ynir.ietf@gmail.com, ipsec@ietf.org, last-call@ietf.org, 'Rafa Marin-Lopez' <rafa@um.es>
From: tom petch <daedulus@btconnect.com>
Message-ID: <5FA14709.6080903@btconnect.com>
Date: Tue, 03 Nov 2020 12:03:21 +0000
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
In-Reply-To: <000001d6af8e$43baa2d0$cb2fe870$@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [86.146.121.140]
X-ClientProxiedBy: LNXP265CA0033.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5c::21) To VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.1.65] (86.146.121.140) by LNXP265CA0033.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5c::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.3499.18 via Frontend Transport; Tue, 3 Nov 2020 12:03:22 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: bc1d44c2-b899-4930-bf52-08d87ff076d3
X-MS-TrafficTypeDiagnostic: VI1PR07MB6335:
X-Microsoft-Antispam-PRVS: <VI1PR07MB63357D0580D1A34B3F30568FC6110@VI1PR07MB6335.eurprd07.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 5xu97lQzWoS/Lvpn0dhgq3P8OG92IJOtO6x4evJjnSwruypJhpKR8D/ND7bfC+z8qMBTFE40pTX24LWIVFCV4d/tcRGgcOrh0N8b4ENGi93L1whymRbEacEVx/KkCIBNr1bqOTEzXmz3W3fV5sZhHpKewpRffavujxH3fvTgj24VREqPEmjy0TDqV95kfnMx/HDFiIn/nXPIqaMFY1IYafod8Dv3G012to7geS5ympb+Ig0qsfCAATwGRyveNJ0HlzMVmYAK/IV+W//4hGL76rmmzG4LO1YYYc6lx2z3DEfRuJ6dNgrzVvx4Krs9kQq2WXCjmsSFKvtpCo0QvpvWmA==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB6704.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(54906003)(110136005)(33656002)(83380400001)(53546011)(66946007)(8936002)(16576012)(186003)(8676002)(66476007)(66556008)(15650500001)(4326008)(26005)(16526019)(498600001)(7416002)(956004)(87266011)(86362001)(2906002)(36756003)(6486002)(52116002)(2616005)(5660300002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData: ZpcijTR1a/0EMbQNlBKxYSq9MkT+oKMnxf18hKxTKG1TtFFr8N65rTDq9743/o+o4U1GRBbRKXHukOYA2NN+XpPWI6Nuz0XymxdnkHCeWw6yqy8aui7rCSFEAoHdFZttgEalQqf+ckD6lmL9Op2S90nJ1UGpxbMB6s9V1JFXh65euXpJ/aK5W/6nUDFsP6XZPYb8xbE0d2saQRyMry163yaIQFVVfZeROpWuUjSfy8PU31VOCTsXhvJCntHzNQFvD81sJR6nvs5A78A+xggupU1w4SeexwahlzohteDlFXfeMnOfb7ax0307Yb1ILNL9H0/UxxKQpKbl5r8+eALMUFIfwHhiAgQMYfZa2MkOGuI/lrCTSkbEz4KNcFV1Hc9JQIvYFB7RD6twR6fDMcSbpk4xSHbUextz6KVA1YidpxOGUpQxVa6ozW3q977EIrBqNgrdFmfdEEiCSZx4KYKhhJ5+mBrkYao6S60AXpULbFAuahFMhXEOCPRvatDOPLen3+JkI913jdXetE0lG6ywxoNfdh7GRyiB6PFEXsO1nlTPtRt8PV3gAN9BBBGoEsVDZhH9KixP3YT6DCx8kHPMPHoxppkOgfxOSCNmbY1TfdtdZKqLZfgfQ9GrxgQ/0QIoq9OQ0MLfT9Bg+PC0+ae4bA==
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bc1d44c2-b899-4930-bf52-08d87ff076d3
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB6704.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Nov 2020 12:03:23.7194 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 8ZxRiuOLRqOE+ompzBu4FoUvuKMEjUep/kp5L3+1wG+biSpzHJqsh9PDFpeoNSu1J4k+ug5pXG+sBEHUHytnmg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB6335
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/Sdv3OF4cCIqmLdO7c62O7TaMaYc>
Subject: Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 12:04:14 -0000

On 31/10/2020 14:01, Valery Smyslov wrote:
> Hi Tom,
>
> we discussed with the chairs the usefulness of adding "Recommended/Not
> recommended" column
> (as TLS WG did) into the IKEv2 algorithm registries back in 2018 in Bangkok
> and I was one who
> of those who initially suggested this. However, Tero made a very good point
> that
> IANA doesn't have any public history. So, in the ipsecme WG another approach
> was taken - we have RFCs that say which algorithms are recommended/not
> recommended
> for ESP and for IKEv2 and these RFCs are updated periodically.
>
>> Thanks for getting back to me.  What is missing from the IANA registry
>> is the guidance as to the status of the algorithm, how highly it is
>> recommended or not.  This I-D tells people to go to RFC8247 and the IANA
>> Registry for advice; RFC8247 gives that advice; the IANA web page does
> not.
>
> As Tero said, the IANA web page references current RFCs (8221 & 8247 at the
> moment)
> that list recommended algorithms. Just one more level of indirection. All
> algorithms that are not listed
> in these RFC are treated as "not recommended" by default, including newly
> added algorithms.
>
>> And RFC8247 specifies which algorithm are AEAD, the web page does not.
>> The YANG module behaves differently depending on whether or not the
>> algorithm is AEAD; YANG implementors need to know, having this
>> information on the web page would make it easier for YANG implementors.
>
> Is is a problem to open corresponding RFC or I-D? Or do you want to say that
>
> YANG implementers don't need any other information about algorithms
> except whether it's AEAD and whether it's recommended?

Valery

The problem I see is where to direct readers of the i2nsf-sdn to for 
more information, about which algorithms are recommended, or not, and, a 
secondary consideration, whether they are AEAD or not, since the latter 
affects the YANG module.  The I-D has lots of references to RFC7296 and 
that RFC is very clear - for up-to-date information go to IANA.  The RFC 
that update RFC7296 do not appear to update that advice.  And the i2nsf 
I-D also contains references to IANA often alongside a reference to an 
RFC.  You seem to be saying that IANA is only a good reference if it 
points to an RFC that says so which may not match the expectations of 
users (particularly those who are familiar with the approach of the TLS 
WG).  If they are pointed to IANA they may well expect IANA to be the 
best source of information but you seem to be saying that the WG decided 
not to support that, rather expecting people to read the RFC.  If IANA 
said 'use this to find the RFC but do not otherwise trust this 
information' that would be fine, well in a manner of speaking:-)

So, question.  What references should draft i2nsf-sdn point readers to 
for up-to-date information on algorithms (assuming that they do not 
track the IETF WG that updates information on IKEv2 ie like me)? 
Currently that is both a reference to the IANA registry and to an RFC; 
is that your best advice?

Were I an author of this I-D, as opposed to a reader thereof, then based 
on what you say I would remove references to the IANA website or at 
least qualify them with some statement that they need to check the RFC 
for current information!

What would you advise?

Tom Petch

>
> Regards,
> Valery Smyslov.
>
>> And RFC8247 specifies IoT, which I do not think is yet a consideration
> here.
>>
>> As I said, we are currently ok but as new algorithms get added, by
>> Expert Review, then that information is needed and may not be available
>> as there is no requirement for the Expert Reviewer to make it available.
>>
>> As I said to Roman, the TLS WG found that they needed to add extra
>> columns to their web pages of algorithms.  Different columns (e.g. DTLS
>> not AEAD) but I think that the situation is otherwise identical so I am
>> anticipating that in a year or two you will see what I mean:-).  In
>> passing, the TLS WG determine by consensus what the status is for a new
>> algorithm but the Expert Reviewer makes it available via the web site
>> whether or not it is in an RFC.
>>
>> I take your point about duplicating data - no relational databases here!
>> - but the answer is to specify which is authoritative and for me that
>> should be the IANA pages as it is for many assignments in the context of
>> YANG and before that SMI going back decades.
>>
>> Tom Petch
>>

v2.23.0 | Report a Bug | By Email