Re: [IPsec] AD review of draft-ietf-ipsecme-rfc4307bis
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 06 January 2017 20:51 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18C891295D1 for <ipsec@ietfa.amsl.com>; Fri, 6 Jan 2017 12:51:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jBFoCTPvXNbT for <ipsec@ietfa.amsl.com>; Fri, 6 Jan 2017 12:51:11 -0800 (PST)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 657E11295CC for <ipsec@ietf.org>; Fri, 6 Jan 2017 12:51:11 -0800 (PST)
Received: by mail-qk0-x236.google.com with SMTP id s140so63858775qke.0 for <ipsec@ietf.org>; Fri, 06 Jan 2017 12:51:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=69lhbWsh9aoRKc0vszYty6wu5qtXTSRikOv/RgUkhBk=; b=iAG5yeMzkjYzcy2NkYiOxr6nh+yfBtG+tKgdR7IU1XgvwZdZuYwYY2qrVJAoK0TBC8 QH7R/kd41CuqLEXsYIJjVynHtTQ3E+q1MDoM982whDjvDg5lZ8vlYTSCVa4AQlLdvwmL n6ySPlxMKvBYW376WmGskQpaRdb7ULWcuZbk6cUoV2B1l0cLEJ5U6fv+Zvfuhmi+mHyn bLaGF3J1isaLmQCVgIRs4mfFWw4GzG0icf1qt4aGzrvAdkzRR9uiM9MYj/2dhlQEsCCU jr9C7dMDLnQujkFkzZgLp/N4YDcLPE/XsqULegDxGH0Kv+oItlx5J8ad/MJgfT4V0lFG FogA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=69lhbWsh9aoRKc0vszYty6wu5qtXTSRikOv/RgUkhBk=; b=t/F4nBmpBm308TL0JzwIguFA4Ob3s/Il4tGpboWgK9peD0PkUU3Xq71hgv/xiNctf5 yxkobNFMrAV1Jm28f9cZD7XbsfK8FA6Ud5ILj/EEXVey9W6K8sLKSMgLPEHj8uZb+Gfo 3G1BeCxlpKKs4obh74cjLEVh8Qf6r3JrKAquWbKbWG9ujjiVxW/+oif/ieJ256xr2QyB 22en4h7B5r903VK+/3O4FGWoZYY/e2BrAgo2ZnIEeGjGcknF/No2OQA8ryX4lrPrF43n V7UMYezR3kuz4GXZn5528iUP0IMgz6CFASFh/YK81ENhX07aQuXatRwRp5ojuC9jphm/ 8h+Q==
X-Gm-Message-State: AIkVDXL7Fd0+urdVGzSPzMlPAXYFnSJ04y9JNQubhgA0wqKZkHRiKMXRT+BqphsnBWChTcPGYNZC+oY874JVKw==
X-Received: by 10.55.215.202 with SMTP id t71mr14831397qkt.114.1483735870593; Fri, 06 Jan 2017 12:51:10 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.161.101 with HTTP; Fri, 6 Jan 2017 12:51:10 -0800 (PST)
In-Reply-To: <CAHbuEH4MgqDpWR_yc21Z8-HNU1Pvy8Hyz0NvW9qntwtxFuZmmw@mail.gmail.com>
References: <CAHbuEH4pqTK-kc65FVh98X-t+YsVe+9=J7_PjB8hESsY+5=-PQ@mail.gmail.com> <alpine.LRH.2.20.1612121254150.14930@bofh.nohats.ca> <CAHbuEH4MgqDpWR_yc21Z8-HNU1Pvy8Hyz0NvW9qntwtxFuZmmw@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 06 Jan 2017 15:51:10 -0500
Message-ID: <CAHbuEH7RROEheNbAJ9RpE+V8TiP1DYa92CbXEMQcas7wDUoYKg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: multipart/alternative; boundary="001a1149971e81e6040545732d77"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/5kdUn2JOzs5F6rMH9-z8ZBz5QpY>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-rfc4307bis
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 20:51:13 -0000
Hello, I never got an answer as to whether or not I should wait on the last call, so I pushed it through. No comments came in during the holiday period. Should last call be extended? Or does the WG feel the reason was because the document is ready? If the latter then I'll get it ready for an IESG telechat. I'd prefer to put it on 2/2/2017 as there are already a fair number of documents on the telechat in 2 weeks. Thanks, Kathleen On Fri, Dec 16, 2016 at 3:44 PM, Kathleen Moriarty < kathleen.moriarty.ietf@gmail.com> wrote: > Hi Paul, > > Thanks for your response and sorry for my delayed response. > > On Mon, Dec 12, 2016 at 1:10 PM, Paul Wouters <paul@nohats.ca> wrote: > >> On Fri, 9 Dec 2016, Kathleen Moriarty wrote: >> >> Hello, >>> Thanks for your work on draft-ietf-ipsecme-rfc4307bis. I reviewed the >>> draft and just have a few questions, the first is a nit. >>> >>> >>> Nit: >>> In the second paragraph of 1.3, you can drop the last two words of this >>> sentence as they are redundant: >>> >>> This document does not give any recommendations for the use of >>> algorithms, it only gives implementation recommendations for >>> implementations. >>> >> >> Will do if we do a new draft version, or else will remind RFC editor of >> it. > > > Great. > >> >> >> In section 3.2 & 3.3, why isn't there a bigger jump down to SHOULD or >>> SHOULD- for: >>> >>> PRF_HMAC_SHA1 | MUST- | >>> >>> | AUTH_HMAC_SHA1_96 | MUST- The justifications seems like a bigger >>> jump would be appropriate. >>> >> >> In 4307 itself, we only had one MUST and that was SHA1. The SHOULD+ >> candidate was AES_XCBC but it was been overtaken in reality by SHA2. >> And AESPRF/AES_MAC is not as widely implemented (example: not >> available in NSS) so even those implementors who picked the MUST >> and SHOULD algorithm only have SHA1 and AESPRF/AES_MAC. If a 4307bis >> implementation only implements the MUST algorithms, it would not interop >> with a 4307 implementation that implemented all the MUST and SHOULDs, >> if we made SHA1 a SHOULD- or less. >> >> I think the available options we have are MUST- or SHOULD-. I think >> MAY or SHOULD NOT would lead to interoperability issues. I think the >> MUST- is still the best choice. >> >> Note also that all SHA1 use here is still safe (HMAC and PRF are >> different from plain SHA1) >> >> Note though that I would like to keep the status for Type 2 and Type 3 >> the same, because all sane implementations will use the same INTEG and >> PRF algorithms for a given IKE session, so these two are tightly >> coupled. > > > Yeah, I knew it was fine, but the justification provided was enough to > drop it further, so I wanted to poke at that a bit as it'll take the next > update to drop it further. If that's what the WG agreed to, that's fine. > I'll push this through to IETF last call unless the WG wants me to wait > until after the holidays. > > Thank you, > Kathleen > >> >> >> Paul >> > > > > -- > > Best regards, > Kathleen > -- Best regards, Kathleen
- [IPsec] AD review of draft-ietf-ipsecme-rfc4307bis Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc43… Paul Wouters
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc43… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc43… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc43… Paul Wouters
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc43… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc43… Waltermire, David A. (Fed)
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc43… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc43… Waltermire, David A. (Fed)