Re: [IPsec] Orie Steele's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
Valery Smyslov <svan@elvis.ru> Tue, 09 April 2024 08:02 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAF64C14F61D; Tue, 9 Apr 2024 01:02:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4WN4KFCzeNHb; Tue, 9 Apr 2024 01:02:12 -0700 (PDT)
Received: from dpmail.elvis.ru (dpmail.elvis.ru [93.188.44.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A67A0C14F60D; Tue, 9 Apr 2024 01:01:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=dSK6iDllIoaRv8KbuEvtvB8hq4FPNvGVTHFc73Aa10A=; b=BoFfA/OtS9mDfnAkwCJaqXa4cX cXJxaR3W5u676ztcAS6TU054+id1tJpwSprXRL8La1iaQFNqT2vKJyo2bH53dxwqlnlvMkr1pl2Aj tgBI1q7xmxTkQpjgHQml2Ey2LFXHOYrbm2P6uoAipPgsC9AlsThHY3EsqIPRg4iy05Xg=;
Received: from kmail2.elvis.ru ([93.188.44.210]) by dpmail.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1ru6QB-0000sn-9S; Tue, 09 Apr 2024 11:01:37 +0300
Received: from mail.office.elvis.ru ([10.111.1.29]) by kmail2.elvis.ru with esmtp (Exim 4.94.2) (envelope-from <svan@elvis.ru>) id 1ru6QB-00CMuF-1l; Tue, 09 Apr 2024 11:01:35 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Tue, 9 Apr 2024 11:01:34 +0300
Received: from BuildPC (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Tue, 9 Apr 2024 11:01:34 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Orie Steele' <orie@transmute.industries>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-ikev2-auth-announce@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
References: <171260591564.47966.18234371575338162758@ietfa.amsl.com>
In-Reply-To: <171260591564.47966.18234371575338162758@ietfa.amsl.com>
Date: Tue, 09 Apr 2024 11:01:34 +0300
Message-ID: <025001da8a54$2425bd70$6c713850$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHZxPordIIMTW6RiFRsxq+24bg+JrFhCbYg
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-Spam-Scanner: Rspamd work in kmail2.elvis.ru, WHITELIST
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2023/02/21 22:47:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2023/02/21 21:02:00 #20887462
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Scanner: Rspamd work in dpmail.elvis.ru, WHITELIST
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/9GcAGHm203xinZpg2dE6wptmiWY>
Subject: Re: [IPsec] Orie Steele's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2024 08:02:22 -0000
Hi Orie, thank you for your comments, please see inline. > Orie Steele has entered the following ballot position for > draft-ietf-ipsecme-ikev2-auth-announce-09: No Objection > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot- > positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-auth-announce/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > # Orie Steele, ART AD, comments for draft-ietf-ipsecme-ikev2-auth-announce-09 > CC @OR13 > > https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf- > ipsecme-ikev2-auth-announce-09.txt&submitcheck=True > > ## Comments > > Thanks to Marc Blanchet for the ARTART review, and to Valery for addressing his > feedback. > > ``` > 175 then the responder MAY choose not to send actual list of the > 176 supported authentication methods in the IKE_SA_INIT exchange and > 177 instead ask the initiator to start the IKE_INTERMEDIATE exchange for > 178 the list to be sent in. > ``` > > Why not "SHOULD not send..."? Because we don't want to give one of the option more weight than the other. The responder is free to act either way, since the possible issues with IP fragmentation are sometimes subtle and additional considerations can be evaluated by the responder. With "SHOULD" the responder would have to almost always ask for IKE_INTERMEDIATE (since SHOULD is very close to MUST). > ``` > 189 the SUPPORTED_AUTH_METHODS notification. Otherwise, the initiator > 190 MAY start the IKE_INTERMEDIATE exchange just for this sole purpose by > 191 sending an empty IKE_INTERMEDIATE request. The initiator MAY also > 192 indicate its identity (and possibly the perceived responder's > 193 identity too) by including the IDi payload (possibly along with the > 194 IDr payload) into the IKE_INTERMEDIATE request. This information > 195 could help the responder to send back only those authentication > 196 methods, that are configured to be used for authentication of this > 197 particular initiator. If these payloads are sent, they MUST be > 198 identical to the IDi/IDr payloads sent later in the IKE_AUTH request. > ``` > > Why not SHOULD instead of MAY? For the same reason - to leave an initiator a freedom of choice. For example, the initiator can be not interested in receiving the responder's list of supported auth methods (e.g., the initiator itself may be able to authenticate itself with the only one method, thus no point to know that the responder supports more, thus no point to waste a round trip). The same for the second "MAY" - the initiator may be not willing to send its identity in the IKE_INTERMEDIATE exchange for the same reason (in case the IKE_INTERMEDIATE is started anyway for some other purposes). Using "SHOULD" here would have left the initiator with less freedom of choice. > ``` > 226 HDR, SAi1, KEi, Ni --> > 227 <-- HDR, SAr1, KEr, Nr, [CERTREQ,] > 228 [N(SUPPORTED_AUTH_METHODS)()] > > 230 HDR, SK {..., [IDi, [IDr,]]} --> > 231 <-- HDR, SK {..., [CERTREQ,] > 232 [N(SUPPORTED_AUTH_METHODS)(...)] } > ``` > > Is the "()" vs "(...)" significant, or meant to indicate the empty IKE_INTERMEDIATE > ? > What does "(...)" expand to? "()" means an empty SUPPORTED_AUTH_METHODS notification, while "(...)" means a non-empty one (containing some auth methods). > ``` > 347 Signature" (1), "DSS Digital Signature" (3), "ECDSA with SHA-256 on > 348 the P-256 curve" (9), "ECDSA with SHA-384 on the P-384 curve" (10) > 349 and "ECDSA with SHA-512 on the P-512 curve" (11). Note however, that > 350 these authentication methods are currently superseded by the "Digital > 351 Signature" (14) authentication method, which has a different > ``` > > I think you mean P-521 curve, also known as secp521r1. You are right, this is a typo. Fixed in my local copy, thank you. > ## Nits > > ``` > 531 This appendix shows some examples of announcing authentication > 532 methods. This appendix is purely informative; if it disagrees with > 533 the body of this document, the other text is considered correct. > ``` > > You will see errata filed either way... > I recommend omitting the second sentence. This is more or less standard text copied from other RFCs. See, for example, Appendix C in RFC 7296. Regards, Valery.
- [IPsec] Orie Steele's No Objection on draft-ietf-… Orie Steele via Datatracker
- Re: [IPsec] Orie Steele's No Objection on draft-i… Valery Smyslov