Re: [IPsec] [Gen-art] Genart last call review of draft-ietf-ipsecme-split-dns-12
Alissa Cooper <alissa@cooperw.in> Mon, 19 November 2018 20:40 UTC
Return-Path: <alissa@cooperw.in>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73F46130E34; Mon, 19 Nov 2018 12:40:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=WWStcfLN; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=rC+RXcdg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X4H2JKCf87NC; Mon, 19 Nov 2018 12:40:26 -0800 (PST)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E10E130E65; Mon, 19 Nov 2018 12:40:26 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 950F8CD9; Mon, 19 Nov 2018 15:40:25 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute7.internal (MEProxy); Mon, 19 Nov 2018 15:40:25 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h= from:message-id:content-type:mime-version:subject:date :in-reply-to:cc:to:references; s=fm1; bh=bhgzd7XqXe5Z9Ph996jQnyH jYKdUr5IRc9U9cvgY7BA=; b=WWStcfLNVle1k4mPdHf2NxJa6SfvN4FwK+LV8QC sezv0heNM+/9/Gn2OrHfrbAegioIQ/alW3X7MWvN25hP8GqVQGF+ItBptzfbFNDE IrX47qT+S1Ed4J7pIlrNHYnrKe80LNXMrzPiKDjbgz9vl8fcYC2nOSx1Bl/efH8d xPSm8I/BcgrkCJQV2EcBsIVmqYhp5Wg30XpajNKshfy3mkERMM+BPVvTJuVTUZq/ 7130HkVa5KIBfQfdglFd0GPIQXa6Uzh13Z01zCs4hD3vTfjXGjH5MgonmCecHlvg toswlx6gETrQvAPlM472swQZJwHEj0Wwk8+y6ugr1xuTJuA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=bhgzd7 XqXe5Z9Ph996jQnyHjYKdUr5IRc9U9cvgY7BA=; b=rC+RXcdgntrPArmkTw640H 5OAWMuIsTDQm2R479BOrKIgCdiSCnekol2yDrgYm0axemKkKC1GdhQnzzNlkwyAw KBS54HsQ7HvluFUTa6UcnW4BbGjx38Nx2CkDXLh9OaU4K12XussVWR+Ix9NTn4/p +qd1otPI7y7ok0JI9ShNHYuQkJFJ0ZVjEn15PiwFHqTxkxuuhdaKroc/9+KgbaFO TtHI8UApnv2WX5augQ6sduewNYtkGFjQ0hucNDepT9YXI/7A/DoldeALcfI8GZYx yleJGZA5i7kINVgdsGMEvRxNLz8vagMsknhB/mwRjeBSG1oKbnD89w5PSzYwtd8Q ==
X-ME-Sender: <xms:uB_zW_Iqk7_dEkYU6E5Wmow3jTfBOJoOJibC83dZXaxDaFDHwi0dQA>
X-ME-Proxy: <xmx:uB_zW_ddyv_UugxCA3yhimbRZg_WJoqsG2C87IQMBVAw-Av4POQUHw> <xmx:uB_zW1bikr9CkAL05v5CI7tuTVERHhVzHxB0xWTPimNLGibDo46q5g> <xmx:uB_zW6XrBeyUtWKtZgC2OluJcvTOf40Vhos7bW42Y140CX7Tj8Yxtg> <xmx:uB_zW_gQHgzrRYQ_O-_FsaruVZ0gy6M0yE60ORq4E_2OwdUE0XSQ7A> <xmx:uB_zWwX1Q37lwOQSzzVC77FkIUy3yA3d6sAmq4vo2v_fqS8NS1sBMw> <xmx:uR_zW-QaUGKxWLRrdqBBzwz22If8No5jiQYDPA3pqd15-TAQco6RdQ>
Received: from rtp-alcoop-nitro5.cisco.com (unknown [173.38.117.73]) by mail.messagingengine.com (Postfix) with ESMTPA id B1BCCE4307; Mon, 19 Nov 2018 15:40:23 -0500 (EST)
From: Alissa Cooper <alissa@cooperw.in>
Message-Id: <8F85E7FC-DEEA-404E-A0B2-A376ADEECD32@cooperw.in>
Content-Type: multipart/alternative; boundary="Apple-Mail=_857818F6-0CA2-4007-8E62-820B13DA5DAF"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 19 Nov 2018 15:40:21 -0500
In-Reply-To: <FA979F31-FD60-482F-A4F2-91B4A5A05854@apple.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>
To: Tommy Pauly <tpauly@apple.com>, Christer Holmberg <christer.holmberg@ericsson.com>
References: <153448715569.12184.4843735916628840351@ietfa.amsl.com> <220503CD-69AA-4015-A954-DF48D071D522@apple.com> <c345ff86ec3d4bca9c88d85347a0789c@ericsson.com> <FA979F31-FD60-482F-A4F2-91B4A5A05854@apple.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/-Z0BtqpSZyz5OIOF2lw25KNZGVQ>
Subject: Re: [IPsec] [Gen-art] Genart last call review of draft-ietf-ipsecme-split-dns-12
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2018 20:40:36 -0000
Christer, thank you for your review. Tommy, thank you for addressing Christer’s comments. I entered a No Objection ballot. Alissa > On Oct 22, 2018, at 4:26 PM, Tommy Pauly <tpauly@apple.com> wrote: > > Hi Christer, > > Thanks again for the review. I've addressed all three comments below in an update to the draft: > > https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-13 <https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-13> > https://tools.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-13.txt <https://tools.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-13.txt> > > Thanks, > Tommy > >> On Aug 19, 2018, at 1:39 PM, Christer Holmberg <christer.holmberg@ericsson.com <mailto:christer.holmberg@ericsson.com>> wrote: >> >> Hi Tommy, >> >> Please see inline. >> >> >> Minor issues: >> >> Q1: >> >>>> Section 3.1 contains some SHOULD-do statements, e.g.,: >>>> >>>> "the initiator SHOULD also include one or more INTERNAL_IP4_DNS and >>>> INTERNAL_IP6_DNS attributes in the CFG_REQUEST" >>>> >>>> "the initiator SHOULD also include one or more INTERNAL_DNS_DOMAIN attributes >>>> in the CFG_REQUEST." >>>> >>>> Is there a reason for not using MUST instead of SHOULD? >>> >>> In general, the CFG_REQUEST attributes are a bit loose—they're hints more than requirements. >>> >>> From section 3.15.1 of RFC7296: >>> >>> The CFG_REQUEST and CFG_REPLY pair allows an IKE endpoint to request >>> information from its peer. If an attribute in the CFG_REQUEST >>> Configuration payload is not zero-length, it is taken as a suggestion >>> for that attribute. The CFG_REPLY Configuration payload MAY return >>> that value, or a new one. It MAY also add new attributes and not >>> include some requested ones. Unrecognized or unsupported attributes >>> MUST be ignored in both requests and responses. >>> >>> So, the CFG_REPLY MUST have a DNS server to go along with the DNS domain, but I left the SHOULD in spirit >>> of the fact that the CFG_REQUEST is more of a suggestion. >>> >>> That being said, if others in the WG would like to see this be a MUST, I'm fine with that as well. I don't think we >>> should have the responder error out if it doesn't see both, however. >> >> Well, if it is only a suggestion, then I guess my question is why use something as strong as SHOULD :) SHOULD basically means MUST-unless-you-have-a-good-reason to. >> >> In general, is providing suggestions a SHOULD, or is it only for the attributes above? >> >> Anyway, if you want to have a SHOULD (or even a MUST) I won't object. But, when I see a SHOULD, I always ask about the background :) >> >> >> Q2: >> >>>> Section 3.2 says: >>>> >>>> "the initiator SHOULD behave as if Split DNS configurations are not supported >>>> by the server." >>>> >>>> Again, is there a reason for not using MUST? >>> >>> This one could be a MUST. The one exception I could see is if the initiator was statically configured with some split DNS domains to use as split domains >>> In case the responder didn't provide any in the CFG_REPLY, it should still use those and not send all DNS queries inside the tunnel. I wouldn't want this >>> MUST to disable the static configuration workarounds that implementations have done prior to allowing split DNS to be negotiated. >> >> Could you say: >> >> "the initiator MUST behave as if a Split DNS configurations are not supported, unless <insert text above the statically configuration case above>" >> >> >> >> Nits/editorial comments: >> >> Q3: >> >>>> Is there a need for the "Background" section? Since the text is related to what >>>> is described in the "Introduction", could the the text be moved there? >>> >>> The main new points that the Background section adds on top of the Introduction are: >>> - The prior art for split DNS in IKEv1 >>> - The fact that this is currently mainly seen in enterprise VPN deployments >>> >>> These points could indeed be moved to the introduction. I had felt they fit better as "background" since they're >>> not essential to the description of the protocol, but give context that is relevant now (and may be less so in the future). >> >> The first sections of both the Introduction and the Background sections talk about split DNS: >> >> "Split DNS is a common configuration for secure tunnels, such as >> Virtual Private Networks in which host machines private to an >> organization can only be resolved using internal DNS resolvers" >> >> "Split DNS is a common configuration for enterprise VPN deployments, >> in which one or more private DNS domains are only accessible and >> resolvable via an IPsec based VPN connection." >> >> So, isn't Split DNS already covered by the Introduction? What extra does the Background text bring? >> >> The second paragraph of the Background could be placed at the end of the Introduction, in my opinion. >> >> Regards, >> >> Christer >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org <mailto:IPsec@ietf.org> >> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec> > _______________________________________________ > Gen-art mailing list > Gen-art@ietf.org > https://www.ietf.org/mailman/listinfo/gen-art
- [IPsec] Genart last call review of draft-ietf-ips… Christer Holmberg
- Re: [IPsec] Genart last call review of draft-ietf… Tommy Pauly
- Re: [IPsec] Genart last call review of draft-ietf… Christer Holmberg
- Re: [IPsec] Genart last call review of draft-ietf… Tommy Pauly
- Re: [IPsec] [Gen-art] Genart last call review of … Alissa Cooper