IETF Logo Mail Archive

Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt

Roman Danyliw <rdd@cert.org> Sat, 31 October 2020 01:12 UTC

Return-Path: <rdd@cert.org>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D77773A14A3; Fri, 30 Oct 2020 18:12:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x0yzAyzJfa_U; Fri, 30 Oct 2020 18:12:44 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3487F3A14A1; Fri, 30 Oct 2020 18:12:43 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09V1CYfR003916; Fri, 30 Oct 2020 21:12:34 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 09V1CYfR003916
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1604106755; bh=RFkuzr3HWVoGN8xSoMUI8oY29LQEwrQaNrkKm+N7uxA=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=Q2AxARZ+zbJ6UJyrQrQxVLlh6TILgsK/SS4lwAkbYNDjtPOyzguv/HLuVB+EuAJo3 QTiecJppMnuMyfrEuII2RASuxRc5PdQTO9OqZfp7+y2p1P0Ma7lT7X14SyQE2oc0ms GSXbQFcEKdOB7oneVB4zSYihGPtnesGajSV2ZVjs=
Received: from MURIEL.ad.sei.cmu.edu (muriel.ad.sei.cmu.edu [147.72.252.47]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09V1CUmr018108; Fri, 30 Oct 2020 21:12:31 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Fri, 30 Oct 2020 21:12:30 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.2106.002; Fri, 30 Oct 2020 21:12:30 -0400
From: Roman Danyliw <rdd@cert.org>
To: Tero Kivinen <kivinen@iki.fi>
CC: Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <gabilm@um.es>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>, "ipsec@ietf.org" <ipsec@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, Rafa Marin-Lopez <rafa@um.es>, tom petch <daedulus@btconnect.com>
Thread-Topic: [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
Thread-Index: AQHWreX0c88acJXFBk2yYgVjsJF2bKmvCuOA///cU0CAAVuUAP//zZ2AgADyqwD//+IF8A==
Date: Sat, 31 Oct 2020 01:12:29 +0000
Message-ID: <4cd0a090e912445280b33d2842714cb1@cert.org>
References: <160337357077.29083.9236626834026808055@ietfa.amsl.com> <EE5AB669-73BB-4517-A6F4-23B7807FB36E@um.es> <5F9815D1.9010303@btconnect.com> <DDE550B1-9A9E-4954-B6F9-C0A33ECE1275@um.es> <5F99B221.3040504@btconnect.com> <56155C91-BFE8-4BA9-A55C-46B12E59CD94@um.es> <5F9AEFD3.90903@btconnect.com> <059aaae84a354411ad1023afa2a837ba@cert.org> <5F9BF578.6000101@btconnect.com> <834a668ac559460a9f356bbb6c16b8fd@cert.org> <24476.38596.868667.906930@fireball.acr.fi>
In-Reply-To: <24476.38596.868667.906930@fireball.acr.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.126]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/W-aZWBUynxD25jEv4M7f7tpc0z4>
Subject: Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Oct 2020 01:12:47 -0000

Hi Tero!

> -----Original Message-----
> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Tero Kivinen
> Sent: Friday, October 30, 2020 6:42 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>;
> i2nsf@ietf.org; Gabriel Lopez <gabilm@um.es>; ynir.ietf@gmail.com;
> ipsec@ietf.org; last-call@ietf.org; Rafa Marin-Lopez <rafa@um.es>; tom petch
> <daedulus@btconnect.com>
> Subject: Re: [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-
> ipsec-flow-protection-11.txt
> 

> Roman Danyliw writes:
> > > >> It seems to me that the IANA entries for IKEv2 are incomplete.
> > > >> RFC8247 does a fine job of specifying algorithms and adding
> > > >> information such as status (MUST/SHOULD+), IoT, AEAD and so on,
> > > >> information which is not present on IANA.  The policy for, e.g.
> > > >> Transform Type 1, is expert review and entries have been added
> > > >> via draft-smyslov-esp-gont but the IANA entries lack this
> > > >> information and, looking at the I-D, I see no such information
> > > >> (nor is there any reason for it to be there).  Yet
> > > >> draft-ietf-i2nsf-sdn... needs this information as references in the YANG
> module show.
> 
> I am lost what information is missing from the IANA registry. 

Thanks for the analysis and feedback.

I think the deep threading may have confused who said what.  The above snip and all of the snips below are from Tom's assessment of the IANA registry situation (https://mailarchive.ietf.org/arch/msg/last-call/Cg66LRwtJjhJ5zNe8AEBWqKDll0/ and https://mailarchive.ietf.org/arch/msg/last-call/MMO9NsRif_x1WkGbJFlgKiLOGYQ/) 

My feedback in the earlier in the part of the thread (https://mailarchive.ietf.org/arch/msg/last-call/vSU21Yqbczthq9Uii0N0roHQI7c/) was that RFC8247 is cited by draft-ietf-i2nsf-sdn-ipsec-flow-protection to describe implementation requirements (as represented in the YANG module) and that no IANA changes should be needed.

In a follow-on messages (https://mailarchive.ietf.org/arch/msg/last-call/7eC7LH9_EWHxkA22YbST6Ghc4tc/) which added ipsec@ietf, I was noting that IPSecme is the WG with expertise and scope  that is best positioned to discuss management of the IKE registries

Regards,
Roman

> The registry do
> include numbers from draft-smyslov-esp-gost document. The
> RFC8247 says:
> ----------------------------------------------------------------------
> 1.3.  Updating Algorithm Requirement Levels ...
>     .... As a result, any algorithm listed at the IKEv2
>    IANA registry not mentioned in this document MAY be implemented.
> ----------------------------------------------------------------------
> I.e., all algorithms not listed there are MAY to implement.
> 
> But I do not see any reason why the yang module should provide any other
> than pointer to the IANA registry, and the IANA registry already has pointer to
> the RFC8247 to indicate the requirement levels for algorithms.
> 
> > > >> It seems to me that this is a similar situation to that which the
> > > >> TLS WG found itself in and which led to a revision of the TLS
> > > >> IANA entries to provide what was needed via additional columns.
> 
> There was some requests to modify the IANA registry while we were publishing
> RFC 8247 and the WG decided against it, and instead decided to provide
> pointer to the RFC 8211 and RFC 8247 in the notes section.
> 
> The reason for that is that duplicating information always causes problems, and
> because there is no (public) history of the IANA registries, there is no way of
> finding out when and why specific change to the registry was done unless there
> happens to be RFC that actually did that change.
> 
> I myself as an IANA expert of those registries do think it is better that working
> group will do RFC that will update the levels, and that will leave audit trail and
> public working group mailing list discussion about the changes.
> 
> > > >> I think that the IANA pages for IKEv2 need revising so that that
> > > >> additional information that RFC8247 provides is required as
> > > >> additional columns in the IANA entries at least for Type 1, Type
> > > >> 2, Type 3, Type 4 and Authentication Method.
> 
> I fail to see why does that information need to be in the IANA registry? This is
> YANG model for IPsec, it should just refer to the IANA registry about the
> mapping from algorithms to numbers and other way around, but whether the
> algorithm is recommended or not, does not belong to the YANG model, as that
> is not something that can be modified by configuration or be part of running
> state.
> 
> This document seems to have wierd text in it:
> 
>       typedef encryption-algorithm-type {
>         type uint16;
>         description
>           "The encryption algorithm is specified with a 16-bit
>           number extracted from IANA Registry. The acceptable
>           values MUST follow the requirement levels for
>           encryption algorithms for ESP and IKEv2.";
> 
> I do not see what the last sentence of the text is trying to say? Does it mean
> that this yang model cannot be shown of running configuration where someone
> is using one the algorithms not considered safe anymore?
> In ietf we usually just try to say what implementors are implementing, we do
> not that often limit what adminstrators can configure. If the implementation
> happens to implement one of those weak ciphers for example for talking to one
> obsoleted old hardware that only supports them, then I do not see why this
> yang model should forbid showing running status of such configuration.
> 
> I think this document should just say that the algorithm numbers are from the
> IANA registry, and nothing more. There might be informal reference to the RFC
> 8221, and RFC 8247 but even that should not be needed, as anybody
> implementing IKEv2 or ESP will already follow those and only implement the
> algorithms from there that they seem proper. In some cases that selection
> might include algorithms which are on SHOULD NOT or even MUST NOT, if the
> backward compatibility to obsolete hardware is more important than
> conformance.
> 
> > > This I-D, as you quote, points to RFC8247 for guidance and that is
> > > fine. But security moves on and new algorithms will be needed and
> > > this I-D also points to the IANA registry, which is Expert Review,
> > > where new entries have been added already; and for those the IANA
> > > Registry gives no guidance and the I-D that IANA references for the
> > > new entries - written by the Expert Reviewer! - also gives no
> > > guidance. Over time we are likely to accrue algorithms with no
> > > guidance unless and until an RFC8247-bis appears or we require IANA
> > > to have columns for guidance. Currently the new algorithms are GOST
> > > and so perhaps of limited interest but on the TLS list I am always
> > > seeing new algorithms appear and there the new IANA entry is
> > > required to give guidance. My sense is that IKEv2 is a bit slower to
> > > take up new ones but, as with RFC8247, it does eventually.
> 
> The original cryptographic algorithm impelemtation requirements for ESP and
> AH was published as RFC4305 in 2007. It was replaced with
> RFC7321 in 2014, and that was replaced with RFC8221 in 2017. For IKEv2 we
> skipped the 2014 update, as that was not needed. We do have plans to keep
> that draft up to date, and update it when there is need for that, most likely in
> next 5 years or so, provided that implementation status of some of new
> algorithms progresses favorably.
> 
> > > I think that users need those extra columns that RFC8247 provides on
> > > the IANA website so that when new algorithms are added by Expert
> > > Review, then that guidance must be added as well. This is what the
> > > TLS WG came round to and I think that IKEv2 needs to do the same.
> 
> I as an Expert does not want to decide whether the individual request to add
> new 3rot13 cipher to the IANA registry should be MUST NOT, SHOULD NOT,
> MAY or what. If the field is in the IANA registry then whoever requests to add
> information to there can request whatever value they want for that field too.
> Of course as an IANA expert I can reject that by saying that 3rot13 is not MUST,
> but it is MUST NOT algorithm, and then we can have discussion about that.
> 
> I rather have that discussion in the working group when we are updating the
> requirements document next time. And as I said IANA registries do not have
> any (public) history, or any way of finding out why they got changed and who
> did the change. There has happened some changes in the registry where I as an
> IANA Expert was not aware of at all...
> 
> And if I need to find out when ENCR_MAGMA_MGM_KTREE was added or
> when some of those earlier algorithms was renamed, I need to go to my private
> mail archives.
> --
> kivinen@iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email