Re: [IPsec] Mahesh Jethanandani's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
Valery Smyslov <svan@elvis.ru> Thu, 11 April 2024 08:30 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7900BC14F5F7; Thu, 11 Apr 2024 01:30:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G4aUKD2ckP06; Thu, 11 Apr 2024 01:30:51 -0700 (PDT)
Received: from dpmail.elvis.ru (dpmail.elvis.ru [93.188.44.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C331C14F5EF; Thu, 11 Apr 2024 01:30:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Vr56NOmcXLSjM3mWT1G1qbqGtGHaRCkZiYHu+4VrnVw=; b=tYlP7y1atUksutubDAJ4xHaraV 7DEzjZs6u2UJm1CZTk5hwStgKnS2s0jFapV7WmoI3BXRSc0BiSr0iqbLNgeEZ5R3QjeyIGYM0K1K6 xm6Ufi19YVpH9JBL5D97+SlRUU7IpTRC+krU0u3rfyNENhzK095KsJmdV5UR25YModp0=;
Received: from kmail2.elvis.ru ([93.188.44.210]) by dpmail.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1ruppW-0003hP-C3; Thu, 11 Apr 2024 11:30:46 +0300
Received: from mail.office.elvis.ru ([10.111.1.29]) by kmail2.elvis.ru with esmtp (Exim 4.94.2) (envelope-from <svan@elvis.ru>) id 1ruppW-00Cswh-4G; Thu, 11 Apr 2024 11:30:46 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 11 Apr 2024 11:30:45 +0300
Received: from BuildPC (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Thu, 11 Apr 2024 11:30:45 +0300
From: Valery Smyslov <svan@elvis.ru>
To: gunter@vandevelde.cc, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-ikev2-auth-announce@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
References: <171279487047.60184.16698739447210749606@ietfa.amsl.com> <034d01da8be5$c3bd0f90$4b372eb0$@elvis.ru>
In-Reply-To: <034d01da8be5$c3bd0f90$4b372eb0$@elvis.ru>
Date: Thu, 11 Apr 2024 11:30:45 +0300
Message-ID: <035301da8bea$8cb19f70$a614de50$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIQ7pSdzu1h3LlhmMTBFeqLn2NSHQGwvvUnsOhoyEA=
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-Spam-Scanner: Rspamd work in kmail2.elvis.ru, WHITELIST
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2023/02/21 22:47:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2023/02/21 21:02:00 #20887462
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Scanner: Rspamd work in dpmail.elvis.ru, WHITELIST
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/6jTIPjhdJElUuA0iDsLERWNmBMc>
Subject: Re: [IPsec] Mahesh Jethanandani's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 08:30:55 -0000
Hi, for some reason I didn't receive a message with comments from Gunter, but I noticed his comments at the ballot page (it seems that the e-mail wasn't requested to be sent, as indicated in the datatracker). I'm not sure if the message will be sent later and I want to respond to these comments, so I take the opportunity to reply to the Mahesh's e-mail once again and comment on Gunter's comments :-) First, thanks for these comments, I copy-pasted them from the datatracker. Plese, see inline. > Document reviewed: draft-ietf-ipsecme-ikev2-auth-announce-09.txt > > Many thanks for this write-up. I see no issues from my side to progress this document. > During my review cycle i noted some observations that you may consider if you find beneficial > > typos: > s/overriden/overridden/ Fixed, thanks. > [idnits] entries when runing idnits captured by shepherd review > > Review comments: > 14 supported authentication methods to their peers while establishing > 15 IKEv2 Security Association (SA). This mechanism improves > > This draft is written for IKEv2, however would the proposed technology be used potentially by newer IKE flavors? > (as networking generalist i am unclear about dynamics of IKE evolutions). If the IKEv2 is 'always' implicit > implied, then does it add value to mention IKEv2 here again? (i am ok with it either way, only questioning the extra characters in the abstract) I agree that using both 'IKE' and 'IKEv2' adds some confusion for readers, but this is a long habit in IPsec. To the point - this draft is written for IKEv2 (we don't know what IKEv3 would look like), so it is always implicitly implied. Sometimes it is also stated explicitly. > 84 selecting authentication credentials. The problem may arise when > 85 there are several credentials of different types configured on one > 86 peer, while only some of them are supported on the other peer. > > Not sure that saying "The problem" is accurate? there is added complexity or credential > inconsistency, but by itself that is not a problem. > > What about this rewrite suggestion to nail this down: > > "SA establishment failure between peers may arise when there are several credentials of different types > configured on one peer, while only some of them are supported on the other peer." I used this text, thank you. > 116 When establishing IKE SA each party may send a list of authentication > 117 methods it supports and is configured to use to its peer. For this > > Here is mentioning of IKE and not IKEv2. was this intentional. Is there a benefit in being consistent in terminology wrt IKE vs IKEv2? As I said, there is a habit to mix 'IKE' and 'IKEv2' in IPsec world. > 121 the party sending it. The sending party may additionally specify > 122 that some of the authentication methods are only for use with the > 123 particular trust anchors. Upon receiving this information the peer > > what does 'the' in the above phrase "**the** particular trust anchors" refer towards? > (i am not so familiar with IKE so much, so am trying to understand how SUPPORTED_AUTH_METHODS is correlated, and trust anchors was not mentioned before. > (i do assume its well known terminology though) List of trust anchors are sent in the CERTREQ payload. This extension allows to link each of the announced digital signature auth method with the particular trust anchor (meaning that *this* algorithm should be used with *this* CA). > 132 message. This notification contains a list of authentication methods > 133 supported by the responder, ordered by their preference. > > how is this correlating towards the trust anchor mentioned in above comment? The order of preference is not correlated with the trust anchors. The correlation is described above. > 287 announcements for these methods. Implementations MUST ignore > 288 announcements which semantics they don't understand. > > s/which/with/ Changed to s/which/whose as Mahesh proposed. > 390 4. Interaction with IKE Extensions concerning Authentication > > is there a reason why IKE is mentioned instead of IKEv2 ? Changed to 'IKEv2'. Regards, Valery.
- [IPsec] Mahesh Jethanandani's No Objection on dra… Mahesh Jethanandani via Datatracker
- Re: [IPsec] Mahesh Jethanandani's No Objection on… Valery Smyslov
- Re: [IPsec] Mahesh Jethanandani's No Objection on… Valery Smyslov
- Re: [IPsec] Mahesh Jethanandani's No Objection on… Gunter van de Velde (Nokia)
- Re: [IPsec] Mahesh Jethanandani's No Objection on… Mahesh Jethanandani
- Re: [IPsec] Mahesh Jethanandani's No Objection on… Valery Smyslov
- Re: [IPsec] Mahesh Jethanandani's No Objection on… Mahesh Jethanandani