IETF Logo Mail Archive

[IPsec] Alissa Cooper's No Objection on charter-ietf-ipsecme-11-01: (with COMMENT)

Tero Kivinen <kivinen@iki.fi> Fri, 13 July 2018 02:22 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6DC2130F88; Thu, 12 Jul 2018 19:22:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MJz4q3jRM37g; Thu, 12 Jul 2018 19:22:01 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3411130EAC; Thu, 12 Jul 2018 19:22:00 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6D2LqeL003664 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 13 Jul 2018 05:21:52 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6D2LpHF002421; Fri, 13 Jul 2018 05:21:51 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23368.3263.416115.132129@fireball.acr.fi>
Date: Fri, 13 Jul 2018 05:21:51 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Alissa Cooper <alissa@cooperw.in>
Cc: The IESG <iesg@ietf.org>, ipsecme-chairs@tools.ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org
In-Reply-To: <152831367012.6362.4051379754783235897.idtracker@ietfa.amsl.com>
References: <152831367012.6362.4051379754783235897.idtracker@ietfa.amsl.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 31 min
X-Total-Time: 33 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8ZL1WMgciPisSy8827h7oSb4lzA>
Subject: [IPsec] Alissa Cooper's No Objection on charter-ietf-ipsecme-11-01: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 02:22:05 -0000

I seem to have missed this email somehow. 

Alissa Cooper writes:
> Alissa Cooper has entered the following ballot position for
> charter-ietf-ipsecme-11-01: No Objection
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Substantive comments:
> 
> (1) I don't see the value in having an expiration date in a WG charter because
> it's not enforced in practice. 

This has been the way we have been working in the IPsecME WG for long
time (I think it was since from the beginning). Most people in the
IETF seem to work better if they do have deadline that they need to
meet.

> The previous version of this charter said the WG would close if the
> charter wasn't updated by Dec 2017, but the WG continued to exist
> without the charter being updated. This charter seems tightly scoped
> enough to just get the work done according to the milestone dates or
> close sooner if people lose interest.

We did start charter discussion in the November 2017 meeting [1], and
did have the charter proposal ready early 2018 (February 2016 [2]).
Then we added two more hanging items to it and forwarded it to the ADs
on March 19... So from our point of view we were 3 months late...

[1] https://datatracker.ietf.org/doc/agenda-100-ipsecme/
[2] https://www.ietf.org/mail-archive/web/ipsec/current/msg11820.html

If you feel this is something that we cannot have in charter, we can
remove it, but we rather keep it there to make sure we keep charter up
to date, and update it every few years. 

> (2) I think it might be worth a few words to state the reason why the goal was
> for the new IKEv2 mode to have the same quantum resistant properties as existed
> in IKEv1, rather than better/fuller quantum resistance.

If you are refering to this item:

	IKEv1 using shared secret authentication was partially
	resistant to quantum computers. IKEv2 removed this feature to
	make the protocol more usable. The working group will add a
	mode to IKEv2 or otherwise modify IKEv2 to have similar
	quantum resistant properties than IKEv1 had.

Then that is part of the already accepted agenda and the work there is
already done, and should be ready to go out very soon (most likely
after Montreal IETF).

There is another item later in the charter:

	Postquantum Cryptography brings new key exchange methods. Most
	of these methods that are known to date have much larger
	public keys then conventional Diffie-Hellman public keys.
	Direct using these methods in IKEv2 might lead to a number of
	problems due to the increased size of initial IKEv2 messages.
	The working group will analyze the possible problems and
	develop a solution, that will make adding Postquantum key
	exchange methods more easy. The solution will allow post
	quantum key exchange to be performed in parallel with (or
	instead of) the existing Diffie-Hellman key exchange.

Which goes further protecting against protection against quantum
computers, and also explaines what are the issues with it (i.e., why
this items is much bigger than the first item). 

> Nits:
> 
> Based on the number of grammar and wording errors I found in this charter, I
> would strongly suggest doing a clean-up pass to make sure all of the text reads
> properly. Here is what I found:
> 
> (1)
> s/to have similar quantum resistant properties than IKEv1 had/to have similar
> quantum resistant properties that IKEv1 had/

Agree.

> (2)
> s/in form of counter/in the form of a counter/

Agree.

> (3)
> I can't parse this sentence:
> 
> "A growing number of use cases for constrained network - but not
> limited to - have shown interest in reducing ESP (resp. IKEv2)
> overhead by compressing ESP (resp IKEv2) fields."

Unfortunately I have no problem parsing the sentence, so I do not know
what should be done to fix it. For me it is clear. I.e., there are
constrained networks, which want to reduce ESP overhead and because of
that want to compress ESP fields. Same for IKEv2. And those needs are
not only limited to constrained networks, also other use cases needs
them.

If you think the text is unclear I would need to have proposal for
better text.

> (4)
> OLD
> Currently IKE peers have no explicit way
> to indicate each other which signature format(s) the support, that
> leads to ineroperability problems.
> 
> NEW
> Currently IKE peers have no explicit way
> to indicate to each other which signature format(s) they support. That
> leads to ineroperability problems.

Agreed.

> (5) The milestones need to be updated. Some of the dates and draft names are
> wrong.

I would have assumed the datatracker would have known how to follow
replaced drafts automatically, but that does not seem to happen. This
means that the draft-mglt-ipsecme-implicit-iv needs to be replaced
with draft-ietf-ipsecme-implicit-iv, and draft-pauly-ipsecme-split-dns
with draft-ietf-ipsecme-split-dns.

Note, all of these draft names are from the old charter, and they have
not been updated when the drafts were replaced year ago. All of the
dates which are in past are for old chatered drafts, and one of them
is already sent to the AD 3 months ago (i.e., before the April
deadline), and another two should be ready go out to AD after
Montreal.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email