IETF Logo Mail Archive

Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike

Paul Wouters <paul@nohats.ca> Wed, 10 November 2021 22:23 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1546B3A1409; Wed, 10 Nov 2021 14:23:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7c7KKMvm9Q25; Wed, 10 Nov 2021 14:23:42 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 288773A142E; Wed, 10 Nov 2021 14:23:41 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4HqKBL0Sgtz406; Wed, 10 Nov 2021 23:23:38 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1636583018; bh=sdfaN4rsoXP77bevjslxLIZlQ7yAFfizaGEKCiYlRtE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=MB2M63jIlBH3r5bGWtv3KAjNUD18QQE+4AKIsuRhEarwhWj+uhGfWNuAj0Mgm5LAb H17IAfM+5pCykL+PC8KqEq2fbiRlZm19Y3gYNPS/2WHzRpghQ3yg9eAeQNU75WdDSV qr1IwS+PRxsFZfesLcU0TcsOjf23wkBHLlWVTBN8=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id BNCxH8114YTD; Wed, 10 Nov 2021 23:23:37 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 10 Nov 2021 23:23:36 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id D64B81337FF; Wed, 10 Nov 2021 17:23:35 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id CD0C81337FE; Wed, 10 Nov 2021 17:23:35 -0500 (EST)
Date: Wed, 10 Nov 2021 17:23:35 -0500
From: Paul Wouters <paul@nohats.ca>
To: mohamed.boucadair@orange.com
cc: Paul Wouters <paul.wouters@aiven.io>, "ipsec@ietf.org" <ipsec@ietf.org>, "draft-btw-add-ipsecme-ike@ietf.org" <draft-btw-add-ipsecme-ike@ietf.org>, Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <19332_1636529432_618B7518_19332_252_1_787AE7BB302AE849A7480A190F8B93303544E768@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Message-ID: <67dbbdea-5110-90d0-4f6d-df6147a2cf38@nohats.ca>
References: <24969.12660.103330.619294@fireball.acr.fi> <ccdfdc-634-5989-839b-3cbd17e86d99@nohats.ca> <3996_1636386534_618946E6_3996_297_6_787AE7BB302AE849A7480A190F8B93303544BD42@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <88f8206a-6c2-5816-ada3-e8666ec05e38@nohats.ca> <23906_1636459418_618A639A_23906_93_6_787AE7BB302AE849A7480A190F8B93303544C625@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <ee27dc52-b8a4-c926-ec0-d8479b3a285@nohats.ca> <19332_1636529432_618B7518_19332_252_1_787AE7BB302AE849A7480A190F8B93303544E768@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3xgbu-ebTPBY3UkXM2KLRzUZlrA>
Subject: Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 22:23:47 -0000

On Wed, 10 Nov 2021, mohamed.boucadair@orange.com wrote:

>>>> So the client sends FOO(x) and the server respones with FOO(y)
>>>>
>>>> x can be empty (eg the client has no previous notion or preference
>>>> for FOO. Or if it has one, it can suggest it. The server takes that
>>>> value only as a preference of the client, but the server is the one
>>>> making the ultimate decsion if it returns "x" or "y".
>>>>
>>>> So your draft should not say the initiator MUST send a zero size
>>>> request for FOO.
>>>
>>> [Med] We are not saying that in the draft.
>>
>> Section 3.1 states:
>>
>> o  Length (2 octets, unsigned integer) - Length of the data in
>>        octets.  In particular, this field is set to:
>>
>>        *  0 if the Configuration payload has types CFG_REQUEST or
>>           CFG_ACK.
>>
>>
>> So it says for a CFG_REQUEST the length is 0.
>
> [Med] This is the length of the ENCDNS_IP* attribute. This is used in requests to indicate that the client is requesting this attribute.

https://datatracker.ietf.org/doc/html/rfc7296#section-3.15.1

    The CFG_REQUEST and CFG_REPLY pair allows an IKE endpoint to request
    information from its peer.  If an attribute in the CFG_REQUEST
    Configuration payload is not zero-length, it is taken as a suggestion
    for that attribute.  The CFG_REPLY Configuration payload MAY return
    that value, or a new one.  It MAY also add new attributes and not
    include some requested ones.  Unrecognized or unsupported attributes
    MUST be ignored in both requests and responses.

I see no reason why ENCDNS_IP* should do this differently from all the
other CFG attributes, especially INTERNAL_IP*_DNS.


>> But note that I rather that the responder just responds to the received
>> CFG requests with CFG replies it supports and has data for. So if the
>> client asks for INTERNAL_IP4_DNS and ENCDNS_IP4, the responder should
>> return both with values. I also think that in case the encrypted DNS
>> fails, it would be good for the IKEv2 client to have the INTERNAL_IP4_DNS
>> as fallback option. Say if the TLS fails for some reason (incompatible
>> algorithms, expired TLS certificate, DoH server down, etc)
>
> [Med] The current version allows somehow for this as the behavior is policy-based. However, I understand that you prefer to systematically return both and leave the client decide. I can live with this as well.

The policy can be enforced by not returning INTERNAL_IP*_DNS payloads in
the CFG_REPLY. Although if the client did not ask for ENCDNS_IP* and the
server does not return INTERNAL_IP*_DNS, the client would not be able
to get functional DNS.

I still believe the CFG mechanism is to exchange network topology
information, and not network policy. But you can (ab)use it for that
if you want. The protocol allows it without requiring the change
that you suggest that the sender MUST use 0 length. And this requirement
would force your policy onto everyone else who would be happy to let
the client suggest something (eg 8.8.8.8 or 9.9.9.9) and have the
responder maybe accept those as trustworthy.

In short, if this document just defines standard CFG REQUEST/REPLY for
ENCDNS_IP* with no additional restrictions, everyone's use case is
supported AND you don't have to Update: RFC 7296 because no existing
behaviour is changed.

Paul

v2.23.0 | Report a Bug | By Email