Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes
<mohamed.boucadair@orange.com> Fri, 03 May 2019 06:57 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B828B120044 for <ipsec@ietfa.amsl.com>; Thu, 2 May 2019 23:57:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uabCptRHw49a for <ipsec@ietfa.amsl.com>; Thu, 2 May 2019 23:57:55 -0700 (PDT)
Received: from orange.com (mta241.mail.business.static.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D19F12006B for <ipsec@ietf.org>; Thu, 2 May 2019 23:57:55 -0700 (PDT)
Received: from opfedar05.francetelecom.fr (unknown [xx.xx.xx.7]) by opfedar24.francetelecom.fr (ESMTP service) with ESMTP id 44wNHj3tQCz5wlt; Fri, 3 May 2019 08:57:53 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.26]) by opfedar05.francetelecom.fr (ESMTP service) with ESMTP id 44wNHj2z6zz2xCJ; Fri, 3 May 2019 08:57:53 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM31.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0439.000; Fri, 3 May 2019 08:57:53 +0200
From: mohamed.boucadair@orange.com
To: Paul Wouters <paul@nohats.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes
Thread-Index: AQHU/qYb3HfUY8UNAEyhkEccw2niI6ZUOIFAgABdCwCAACGpIIADUrcAgADu0QA=
Date: Fri, 03 May 2019 06:57:52 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA6A854@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <23734.7331.402882.289451@fireball.acr.fi> <01b201d4f4f1$e617eb90$b247c2b0$@gmail.com> <636D1D4B-3E3F-47F1-B64C-A266BF871010@nohats.ca> <787AE7BB302AE849A7480A190F8B93302EA67B69@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <alpine.LRH.2.21.1904300938050.17071@bofh.nohats.ca> <787AE7BB302AE849A7480A190F8B93302EA67EB7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <alpine.LRH.2.21.1905021420360.1269@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1905021420360.1269@bofh.nohats.ca>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3iS-FnifCLKsznGgMXIZdYvOA6U>
Subject: Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 06:57:58 -0000
Hi Paul, Please see inline. Cheers, Med > -----Message d'origine----- > De : Paul Wouters [mailto:paul@nohats.ca] > Envoyé : jeudi 2 mai 2019 20:25 > À : BOUCADAIR Mohamed TGI/OLN > Cc : ipsec@ietf.org > Objet : Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes > > On Tue, 30 Apr 2019, mohamed.boucadair@orange.com wrote: > > >> Why would the initiator that is allowed by policy to do both v4 and v6 > >> not ask for both at once? > > > > [Med] I do fully agree that requesting both when supported would be > straightforward, but I'm afraid that some implementations may not follow that > behavior. > > Do we currently have a large scale implementation issue, or are you > predicting that this may happen in the future. While I am okay with > doing it if it fixes a large deployment issue, I'm not okay with it > to pre-emptively support expected implementation issues. > > > Such implementations may do that: > > * for arbitrary reasons given that existing specs do not forbid such > separate requests. > > So what is the problem with bad implementations doing bad things? [Med] This may double the load on the responder. Sending systematically a second request while a responder will discard it because it does support only one AF is suboptimal (think about IPv6-only voice over WLAN for example). Why > would this notify tell them to do things differently next time? [Med] The notification message will provide an information to the initiator whether it is useful or not to send a request for the other AF. > > > * or, in some contexts such cellular devices, mimic a similar behavior for > requesting separate PDP contexts instead of a dual-stack one. > > Is this actually happening at scale, or is this just a feared bad way > things will get implemented? > > >> I don't see the "use of separate requests" as a real use case. Can you > >> explain how this would actually happen in a real world? > > > > [Med] See the cases above. There is also the case of a responder that wants > (for policy reasons) requests to be made as separate IKE SAs. For this case, > requests will need to be done separately. > > If the "policy reason" is there, why would a notify change their > behaviour? If they are already sending a v4 and a separate v6 > request, what value does the notify add? [Med] I'm not sure to understand your comment. The policy is at the responder side. The responder will honor one AF per request. Returning the supported AFs to the initiator will trigger a separate request from the initiator to get the other AF (if needed). > > Paul
- [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Tero Kivinen
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Valery Smyslov
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes mohamed.boucadair
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes mohamed.boucadair
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Paul Wouters
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Valery Smyslov
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes mohamed.boucadair
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Paul Wouters
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Paul Wouters
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes mohamed.boucadair
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Paul Wouters
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Paul Wouters
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes mohamed.boucadair
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Valery Smyslov
- Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes Paul Wouters