Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

Tommy Pauly <tpauly@apple.com> Fri, 12 May 2017 22:29 UTC

From: Tommy Pauly <tpauly@apple.com>
Date: Fri, 12 May 2017 15:25:09 -0700
Cc: Eric Rescorla <ekr@rtfm.com>, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, IESG <iesg@ietf.org>, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, Tero Kivinen <kivinen@iki.fi>, IPsecME WG <ipsec@ietf.org>, Mark Nottingham <mnot@mnot.net>
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/7KJuOpOUAm8kML2mXjqsG1SlfLE>


> On May 8, 2017, at 5:49 AM, Mirja Kuehlewind (IETF) <ietf@kuehlewind.net> wrote:
> 
> Do the proposed text changes from Tommy still refer to 443 anywhere (lost track a bit, but I guess the appendix still does, right)?
> 
> Again I think we should talk about using 443 if that’s what’s done in reality. However, my understanding is that real-life implementations use TCP/TLS, which I think could be discussed in the body rather than the appendix.

The current state will not refer to 443 in the body, but specify TCP 4500, with the option to have both peers mutually agree on another port to use if necessary. The working group had felt that bringing TLS over 443 directly into the body would be inappropriate for the standard. We mention in the discussion of previous solutions that there are "SSL VPNs", which covers the current reality of how the problem is solved.

> 
> And I would like to see a recommendation that HTTPS and TCPIKE should not be multiplexed the same time on the same port. My understanding from Tero’s feedback was that this is usually not done today and probably not necessary in future.

Yes, I think it makes sense to add to the text around the configuration that it is recommended to not run any other service on the same port as TCP Encapsulated IPsec.

Thanks,
Tommy

> 
> Mirja
> 
> 
>> Am 05.05.2017 um 23:13 schrieb Eric Rescorla <ekr@rtfm.com>:
>> 
>> It seems like most of the issues are resolved here, except for that of muxing
>> IKE and non-IKE protocols on the same port (especially 443). My understanding
>> is that (although we may not like it) it's nevertheless a common practice, and
>> yet we can't levy the requirement that no other protocol start with IKETCP<whatever>,
>> so it seems like what we need is a warning note and potentially a request to reserve
>> this string for some set of common protocols (HTTP,...?).
>> 
>> Mirja, would that work for you?
>> 
>> -Ekr
>> 
>> 
>> On Wed, May 3, 2017 at 6:11 AM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> wrote:
>> 
>>> On May 3, 2017 05:54, "Mirja Kühlewind" <ietf@kuehlewind.net> wrote:
>>> 
>>>> I didn't propose to obsolete RFC3947 in this document. I guess you can also file an error for this if you don't want to take any further actions. However, for updating the IANA registry, I would say the right action is to do this simply by IESG approval for UDP then.
>>> 
>>> Fwiw, that would work for me.
>>> 
>>> Spencer
>>> 
>>>> Mirja
>>>> 
>>>> On 03.05.2017 11:12, Tero Kivinen wrote:
>>>>> Mirja Kuehlewind (IETF) writes:
>>>>>> my thinking was that the main problem is that 3947 was not obsoleted
>>>>>> and I’m assuming we need a document to fix that.
>>>>> 
>>>>> This is partly an issue, but it is not an issue we need to solve here, as
>>>>> this document is not something that should obsolete 3947.
>>>>> 
>>>>> Also 3947 only defines an extension for IKEv1 (RFC2409) and that is
>>>>> already obsoleted, so effectively RFC3947 is already obsoleted, as
>>>>> there is no way to implement 3947 without implementing an obsoleted
>>>>> protocol...
>>>>> 
>>>>> This issue is not important enough to require an RFC now.
>>>>> 
>>>>>> In this case that document could/should also fix the IANA entry for
>>>>>> the UDP port. However, I’m actually not sure what the right
>>>>>> processing would be to fix this forgotten obsolete… maybe other ADs
>>>>>> know better…?
>>>>> 
>>>>> For now I would just leave it as it is, but fix the references in the
>>>>> IANA registry so that document will not be referenced, especially as
>>>>> the original IANA reference was not to the correct RFC in the first
>>>>> place.
>>>>> 
>>>>>> Otherwise if you don’t want to do this, I don’t think it’s a good
>>>>>> idea to merge kind of unrelated fixes into this spec. We can also
>>>>>> fix that by using the IESG approval process (see RFC5226). I think
>>>>>> that’s the better option!
>>>>> 
>>>>> That is true, but as this document already modifies the TCP/4500
>>>>> reference, fixing the UDP/4500 reference at the same time is not
>>>>> a completely unrelated fix.
>>>>> 
>>>>> Obsoleting RFC3947 would be an unrelated fix.
>> 
>> 
>
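The port-sharing problem raised by Ekr and Tommy above, as an added illustration that is not code from the draft, from Apple, or from anyone in this thread: a listener that shares one TCP port has to classify each new stream from its first bytes, and only the "IKETCP" stream prefix identifies TCP-encapsulated IKE. The framing details (the 6-byte ASCII prefix, a 16-bit length that counts itself, and the 4-byte non-ESP marker before IKE messages) are assumed here from the published RFC 8229, not from this message; the sample streams are constructed.

```python
import struct

# Framing per RFC 8229 (assumed here; this thread only names the "IKETCP" prefix).
STREAM_PREFIX = b"IKETCP"             # sent once, at the start of every stream
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE messages, as on UDP/4500
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_stream(head: bytes) -> str:
    """Classify a new TCP stream from its first bytes on a shared port.

    Returns 'iketcp', 'tls', 'http' or 'unknown'. Anything unrecognised is
    'unknown' so the caller can close it instead of guessing a protocol.
    """
    if head.startswith(STREAM_PREFIX):
        return "iketcp"
    # TLS: Handshake record (0x16) with a 3.x record-layer version byte
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04:
        return "tls"
    if head.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def parse_iketcp_messages(stream: bytes):
    """Split a TCP-encapsulated IKE/ESP stream into (kind, payload) tuples.

    Each message follows a big-endian 16-bit length that includes the length
    field itself; a payload starting with four zero bytes is IKE, else ESP.
    Raises ValueError on a missing prefix, truncation or a bad length.
    """
    if not stream.startswith(STREAM_PREFIX):
        raise ValueError("missing IKETCP stream prefix")
    off, out = len(STREAM_PREFIX), []
    while off < len(stream):
        if off + 2 > len(stream):
            raise ValueError("truncated length field")
        (length,) = struct.unpack("!H", stream[off:off + 2])
        if length < 2 or off + length > len(stream):
            raise ValueError("bad message length %d" % length)
        body = stream[off + 2:off + length]
        out.append(("ike", body[4:]) if body.startswith(NON_ESP_MARKER) else ("esp", body))
        off += length
    return out


# Constructed samples (not captured traffic): one IKE and one ESP message.
SAMPLE_IKE_STREAM = (STREAM_PREFIX
                     + struct.pack("!H", 2 + 4 + 5) + NON_ESP_MARKER + b"IKEv2"
                     + struct.pack("!H", 2 + 6) + b"\x01\x02\x03\x04\x05\x06")
SAMPLE_TLS_HEAD = b"\x16\x03\x01\x00\xc4\x01"   # TLS ClientHello record start
SAMPLE_HTTP_HEAD = b"GET / HTTP/1.1\r\n"
```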