Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
Tero Kivinen <kivinen@iki.fi> Mon, 02 November 2020 18:34 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FC5D3A0A93; Mon, 2 Nov 2020 10:34:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.346
X-Spam-Level:
X-Spam-Status: No, score=-2.346 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0mtZeSGVevv; Mon, 2 Nov 2020 10:34:24 -0800 (PST)
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 229913A0A8D; Mon, 2 Nov 2020 10:34:22 -0800 (PST)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id 1363C20A2E; Mon, 2 Nov 2020 20:34:19 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1604342059; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1UPsgwmObMclOhlJEZrKI9LqYxqQXTbWOQJgQxrkPqU=; b=f6f+PNqmief9SIQ5NIcmn2rgVczHKilQdQLCieNpgDnRslp9PKMWvAEWxfWaIM8A+amFJk OFvHxyZyIe1HO1rI/VVun6/D9lDZ4ZNN6Pn8haLk8mnG8JNTxRe4cOgLVuPxC8pYLEpezV TEnVDUIvPi72wIGizwNEaDbgSs6tEt0=
Received: by fireball.acr.fi (Postfix, from userid 15204) id AEE0425C121D; Mon, 2 Nov 2020 20:34:18 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24480.20778.648771.190786@fireball.acr.fi>
Date: Mon, 02 Nov 2020 20:34:18 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: tom petch <daedulus@btconnect.com>
Cc: Roman Danyliw <rdd@cert.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <gabilm@um.es>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>, Fernando Pereniguez-Garcia <fernando.pereniguez@cud.upct.es>, "last-call@ietf.org" <last-call@ietf.org>, Rafa Marin-Lopez <rafa@um.es>
In-Reply-To: <5F9D62C0.5030908@btconnect.com>
References: <160337357077.29083.9236626834026808055@ietfa.amsl.com> <EE5AB669-73BB-4517-A6F4-23B7807FB36E@um.es> <5F9815D1.9010303@btconnect.com> <DDE550B1-9A9E-4954-B6F9-C0A33ECE1275@um.es> <5F99B221.3040504@btconnect.com> <56155C91-BFE8-4BA9-A55C-46B12E59CD94@um.es> <5F9AEFD3.90903@btconnect.com> <059aaae84a354411ad1023afa2a837ba@cert.org> <5F9BF578.6000101@btconnect.com> <834a668ac559460a9f356bbb6c16b8fd@cert.org> <24476.38596.868667.906930@fireball.acr.fi> <5F9D62C0.5030908@btconnect.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 43 min
X-Total-Time: 74 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1604342059; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1UPsgwmObMclOhlJEZrKI9LqYxqQXTbWOQJgQxrkPqU=; b=j5+qr5EnhfnWwxB/dGQJuRXsq5GiCdBBk9RWUwsjvIIxblXzoorKh9knHfUYf2638khWCS o0whCJD/wnrE4Q7BpaG9U64wDsWPHKTBwNTc/cbX2ejdK3V5NM2YQWIO+rbaSZecLZGqyZ TJM/5ptVno5tyUpEcMARCPFk0zGY+lU=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1604342059; a=rsa-sha256; cv=none; b=zG5PHcLtUc2cQiBDAJc23pYgQ+efsMKsAgGXHsjuP2gyj/D93eqcFpNUv1svY7+NEeAdTq 5u7YEUNrzEp7ZISwLr3ac/mfb/dmV+hNakcZJz/2juxYMeFbSy2v+fngPvtGjfL8+dtnQX tAdGj1bvA69v83gAuzZxr9O2I+BRnMY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/iIkKZ3heh0e9frxTjZhwOZdcr8g>
Subject: Re: [I2nsf] [IPsec] [Last-Call] New Version Notification for draft-ietf-i2nsf-sdn-ipsec-flow-protection-11.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2020 18:34:33 -0000
tom petch writes: > And RFC8247 specifies which algorithm are AEAD, the web page does not. Actually RFC8247 does not specify which algorithms are AEAD. It only specifies that information for those algorithms it lists. For example it does not mention ENCR_AES_CCM_16 at all, thus it does not list whether it is AEAD algorithm or not. > The YANG module behaves differently depending on whether or not the > algorithm is AEAD; YANG implementors need to know, having this > information on the web page would make it easier for YANG implementors. I can see some benefits for having the "AEAD?" column added to the IANA registry, as there are differences how things are processed depending whether the algorithm is AEAD or not. Currently the only way to find whether the algorithm is AEAD is to read the RFC describing the algorithm. Also as that information is static, meaning it will not change over time (compared to the recommendation levels which do change every time we make new version of Algorithm Implementation Requirements and Usage Guidance document), there is no problem for not having history available, or having conflicting information in different places (RFC vs IANA page). On the other other hand we would problably need three values for that column, one would be AEAD, another would non-AEAD and one would be MAC-only. The ENCR_NULL_AUTH_AES_GMAC, ENCR_KUZNYECHIK_MGM_MAC_KTREE and ENCR_MAGMA_MGM_MAC_KTREE are not really an AEAD algorithms as they do not encrypt anything but just put everything in the AAD of AEAD structure. > As I said to Roman, the TLS WG found that they needed to add extra > columns to their web pages of algorithms. Different columns (e.g. DTLS > not AEAD) but I think that the situation is otherwise identical so I am > anticipating that in a year or two you will see what I mean:-). In TLS do have bit more entries in its registry, mostly because they combine everything to one suite, meaning instead of adding separate algorithms, they usually add multiple combinations of algorithms as different suites, and when there started to be hundreds of those, maintaining that list got bit annoying and especially to know which one of them are something that implementations should implement. I think our a la carte method is better as it limits the the number of algorithms we are going to have, although the number of combinations that can be negotiated is much higher... > I take your point about duplicating data - no relational databases here! > - but the answer is to specify which is authoritative and for me that > should be the IANA pages as it is for many assignments in the context of > YANG and before that SMI going back decades. I would always consider the published RFC as more authorative than IANA pages, as IANA pages are updated by writing RFCs, and there have been mistakes and there will be mistakes when extracting that data from RFCs to IANA registry. RFCs (or other published standard documents) do have some kind of process to verify that the information is approved by the SDO, meaning lots of people do check them. IANA registries are then extracted by hand by people from those documents and only checked by handful of people before published. Usually IANA do want us to make an RFC to modify the registry, like we did add RFC8247 where we renamed 6 old algorithms so that the naming is more consistent (rename AES-GCM with a 8 octet ICV to ENCR_AES_GCM_8 etc). But not always. For example RFC4309 asks IANA to add "AES CCM with an {8,12,16}-octet ICV" and what I think IANA did was to add ENCR_AES-CCM_8 (underline, dash, underline), ENCR-AES-CCM_12 (dash, dash, underline), ENCR-AES-CCM_16 (dash, dash, underline) to registry, without consulting anybody, and which we then noticed 4 years later [1]. I think we managed to fix that dash -> underline error, by just going to the IANA desk in IETF and they did the change immediately, but for the more substanial changes they wanted us to make an RFC that did those changes. Thats why the RFC8247 has those quite unrelated renaming things in it... [1] https://mailarchive.ietf.org/arch/msg/ipsec/VmlenjxLKjWhldztreN5p9I3yP0/ -- kivinen@iki.fi
- [I2nsf] Fwd: New Version Notification for draft-i… Rafa Marin-Lopez
- Re: [I2nsf] [Last-Call] Fwd: New Version Notifica… tom petch
- Re: [I2nsf] Fwd: [Last-Call] New Version Notifica… Rafa Marin-Lopez
- Re: [I2nsf] Fwd: [Last-Call] New Version Notifica… tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Rafa Marin-Lopez
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Roman Danyliw
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Rafa Marin-Lopez
- Re: [I2nsf] [Last-Call] New Version Notification … Roman Danyliw
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Tero Kivinen
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Roman Danyliw
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… tom petch
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Valery Smyslov
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Yoav Nir
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Paul Wouters
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Tero Kivinen
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… tom petch
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Tero Kivinen
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Rafa Marin-Lopez
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… Valery Smyslov
- Re: [I2nsf] [Last-Call] New Version Notification … tom petch
- Re: [I2nsf] [IPsec] [Last-Call] New Version Notif… tom petch
- Re: [I2nsf] [Last-Call] New Version Notification … Benjamin Kaduk
- Re: [I2nsf] [Last-Call] New Version Notification … Rafa Marin-Lopez