IETF Logo Mail Archive

Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt

Tero Kivinen <kivinen@iki.fi> Mon, 02 November 2020 18:34 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FC5D3A0A93; Mon, 2 Nov 2020 10:34:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.346
X-Spam-Level:
X-Spam-Status: No, score=-2.346 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0mtZeSGVevv; Mon, 2 Nov 2020 10:34:24 -0800 (PST)
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 229913A0A8D; Mon, 2 Nov 2020 10:34:22 -0800 (PST)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id 1363C20A2E; Mon, 2 Nov 2020 20:34:19 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1604342059; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1UPsgwmObMclOhlJEZrKI9LqYxqQXTbWOQJgQxrkPqU=; b=f6f+PNqmief9SIQ5NIcmn2rgVczHKilQdQLCieNpgDnRslp9PKMWvAEWxfWaIM8A+amFJk OFvHxyZyIe1HO1rI/VVun6/D9lDZ4ZNN6Pn8haLk8mnG8JNTxRe4cOgLVuPxC8pYLEpezV TEnVDUIvPi72wIGizwNEaDbgSs6tEt0=
Received: by fireball.acr.fi (Postfix, from userid 15204) id AEE0425C121D; Mon, 2 Nov 2020 20:34:18 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24480.20778.648771.190786@fireball.acr.fi>
Date: Mon, 02 Nov 2020 20:34:18 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: tom petch <daedulus@btconnect.com>
Cc: Roman Danyliw <rdd@cert.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <gabilm@um.es>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>, Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>, "last-call@ietf.org" <last-call@ietf.org>, Rafa Marin-Lopez <rafa@um.es>
In-Reply-To: <5F9D62C0.5030908@btconnect.com>
References: <160337357077.29083.9236626834026808055@ietfa.amsl.com> <EE5AB669-73BB-4517-A6F4-23B7807FB36E@um.es> <5F9815D1.9010303@btconnect.com> <DDE550B1-9A9E-4954-B6F9-C0A33ECE1275@um.es> <5F99B221.3040504@btconnect.com> <56155C91-BFE8-4BA9-A55C-46B12E59CD94@um.es> <5F9AEFD3.90903@btconnect.com> <059aaae84a354411ad1023afa2a837ba@cert.org> <5F9BF578.6000101@btconnect.com> <834a668ac559460a9f356bbb6c16b8fd@cert.org> <24476.38596.868667.906930@fireball.acr.fi> <5F9D62C0.5030908@btconnect.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 43 min
X-Total-Time: 74 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1604342059; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1UPsgwmObMclOhlJEZrKI9LqYxqQXTbWOQJgQxrkPqU=; b=j5+qr5EnhfnWwxB/dGQJuRXsq5GiCdBBk9RWUwsjvIIxblXzoorKh9knHfUYf2638khWCS o0whCJD/wnrE4Q7BpaG9U64wDsWPHKTBwNTc/cbX2ejdK3V5NM2YQWIO+rbaSZecLZGqyZ TJM/5ptVno5tyUpEcMARCPFk0zGY+lU=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1604342059; a=rsa-sha256; cv=none; b=zG5PHcLtUc2cQiBDAJc23pYgQ+efsMKsAgGXHsjuP2gyj/D93eqcFpNUv1svY7+NEeAdTq 5u7YEUNrzEp7ZISwLr3ac/mfb/dmV+hNakcZJz/2juxYMeFbSy2v+fngPvtGjfL8+dtnQX tAdGj1bvA69v83gAuzZxr9O2I+BRnMY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/iIkKZ3heh0e9frxTjZhwOZdcr8g>
Subject: Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2020 18:34:33 -0000

tom petch writes:
> And RFC8247 specifies which algorithm are AEAD, the web page does not. 

Actually RFC8247 does not specify which algorithms are AEAD. It only
specifies that information for those algorithms it lists. For example
it does not mention ENCR_AES_CCM_16 at all, thus it does not list
whether it is AEAD algorithm or not.

> The YANG module behaves differently depending on whether or not the 
> algorithm is AEAD; YANG implementors need to know, having this 
> information on the web page would make it easier for YANG implementors.

I can see some benefits for having the "AEAD?" column added to the
IANA registry, as there are differences how things are processed
depending whether the algorithm is AEAD or not. Currently the only way
to find whether the algorithm is AEAD is to read the RFC describing
the algorithm.

Also as that information is static, meaning it will not change over
time (compared to the recommendation levels which do change every time
we make new version of Algorithm Implementation Requirements and Usage
Guidance document), there is no problem for not having history
available, or having conflicting information in different places
(RFC vs IANA page).

On the other other hand we would problably need three values for that
column, one would be AEAD, another would non-AEAD and one would be
MAC-only.

The ENCR_NULL_AUTH_AES_GMAC, ENCR_KUZNYECHIK_MGM_MAC_KTREE and
ENCR_MAGMA_MGM_MAC_KTREE are not really an AEAD algorithms as they do
not encrypt anything but just put everything in the AAD of AEAD
structure. 

> As I said to Roman, the TLS WG found that they needed to add extra 
> columns to their web pages of algorithms.  Different columns (e.g. DTLS 
> not AEAD) but I think that the situation is otherwise identical so I am 
> anticipating that in a year or two you will see what I mean:-).  In 

TLS do have bit more entries in its registry, mostly because they
combine everything to one suite, meaning instead of adding separate
algorithms, they usually add multiple combinations of algorithms as
different suites, and when there started to be hundreds of those,
maintaining that list got bit annoying and especially to know which
one of them are something that implementations should implement.

I think our a la carte method is better as it limits the the number of
algorithms we are going to have, although the number of combinations
that can be negotiated is much higher...

> I take your point about duplicating data - no relational databases here! 
> - but the answer is to specify which is authoritative and for me that 
> should be the IANA pages as it is for many assignments in the context of 
> YANG and before that SMI going back decades.

I would always consider the published RFC as more authorative than
IANA pages, as IANA pages are updated by writing RFCs, and there have
been mistakes and there will be mistakes when extracting that data
from RFCs to IANA registry.

RFCs (or other published standard documents) do have some kind of
process to verify that the information is approved by the SDO, meaning
lots of people do check them. IANA registries are then extracted by
hand by people from those documents and only checked by handful of
people before published.

Usually IANA do want us to make an RFC to modify the registry, like we
did add RFC8247 where we renamed 6 old algorithms so that the naming
is more consistent (rename AES-GCM with a 8 octet ICV to
ENCR_AES_GCM_8 etc).

But not always. For example RFC4309 asks IANA to add "AES CCM with an
{8,12,16}-octet ICV" and what I think IANA did was to add
ENCR_AES-CCM_8 (underline, dash, underline), ENCR-AES-CCM_12 (dash,
dash, underline), ENCR-AES-CCM_16 (dash, dash, underline) to registry,
without consulting anybody, and which we then noticed 4 years later
[1].

I think we managed to fix that dash -> underline error, by just going
to the IANA desk in IETF and they did the change immediately, but for
the more substanial changes they wanted us to make an RFC that did
those changes. Thats why the RFC8247 has those quite unrelated
renaming things in it...

[1] https://mailarchive.ietf.org/arch/msg/ipsec/VmlenjxLKjWhldztreN5p9I3yP0/
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email