IETF Logo Mail Archive

Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic

Dan Harkins <dharkins@lounge.org> Tue, 29 June 2021 19:25 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03E2B3A011D for <ipsec@ietfa.amsl.com>; Tue, 29 Jun 2021 12:25:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.237
X-Spam-Level:
X-Spam-Status: No, score=-2.237 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.338, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R7UtqmA-Ny0j for <ipsec@ietfa.amsl.com>; Tue, 29 Jun 2021 12:25:21 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 628E43A0113 for <ipsec@ietf.org>; Tue, 29 Jun 2021 12:25:21 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QVH04GI09Y8R9@wwwlocal.goatley.com> for ipsec@ietf.org; Tue, 29 Jun 2021 14:25:20 -0500 (CDT)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QVH004DK9X8H7@trixy.bergandi.net> for ipsec@ietf.org; Tue, 29 Jun 2021 12:24:45 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Tue, 29 Jun 2021 12:24:44 -0700
Date: Tue, 29 Jun 2021 12:25:19 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CADZyTknzuALP1U6OZRLuc-8nmrRJhpkKzcGhTD4FBLenS06YqA@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: IPsecME WG <ipsec@ietf.org>
Message-id: <73e6e489-bc1b-765b-5442-05220b463fd3@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_gRm57FIQrn2cqBqMRFzf2g)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <315BBB8D-B55E-43C8-A988-ADC8780AD62E@gmail.com> <059201d76bf6$e29680c0$a7c38240$@gmail.com> <8ea212cf-ee37-ceed-f905-4fde94173c1d@lounge.org> <CADZyTk=Ge4XYCYStHi5Uerei53n_eyA=9CzLwZwvtVoO_i9spA@mail.gmail.com> <E0F5EAC8-9F0C-4619-8F9C-62B3BD923AB1@gmail.com> <CADZyTknzuALP1U6OZRLuc-8nmrRJhpkKzcGhTD4FBLenS06YqA@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [210625] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AZgfNezjPxpb1y-F3UV8qjXRCus>
Subject: Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2021 19:25:26 -0000

   Hi Daniel,

   That seems to be part of the problem. The IETF isn't in the business 
of dictating
administrative behavior through normative language. Protocols comply. 
People can use
compliant protocols or not, and if they decide to use protocols which 
are non-compliant,
or if they use proprietary protocols, it doesn't make them somehow 
"non-compliant".

   This effort seems to have gained steam due to developers being told 
by their project
management co-workers to do things to their IKEv1 code which they did 
not think was
appropriate given the state of IKEv2. I can certainly relate to such 
difficult interactions.
That said, the give-and-take of engineering and project/product 
management is not really in
the IETF's bailiwick. If people want to take an RFC to the 
project/product management
team and say, "look, the IETF has spoken!" then good luck, but that is a 
misuse of the
imprimatur of the IETF and don't try and standardize _that_ behavior.

   We can move a standard to historic. We can decide not to do any more 
development on it.
We can't force people to do anything and we can't declare they are 
"non-compliant" if
they decide to use a protocol we don't approve of.

   It's interesting how SCEP has survived and actually thrived despite 
its restricted
use and it's well-known security problems when EST, an IETF standard, 
exists. People
strung the SCEP draft through multiple dozens of versions, dragging it 
out, it was made
historic as a sop to this effort yet people still want to use it. I 
don't understand but
a very large vendor of tablet and phone hardware/software (who 
ironically stole their OS
name from the company that developed SCEP) decided to use it in their 
BYOD offering
and so product/project management teams all say we must continue to use 
SCEP and update
our SCEP code in order to work with these products that we can't avoid 
due to their
massive market share. Sure, continued use of IKEv1 is a problem but it's 
a molehill
compared to the mountain of today's use of SCEP. Yet here we are.

   Dan.

On 6/29/21 11:17 AM, Daniel Migault wrote:
> I thought the purpose of the draft was to be able to say "look at this 
> document it says you MUST switch to IKEv2 if you want to remain IPsec 
> interoperable. I am suprised I do not see the MUST in question. I am 
> fine whatever chair/co-authors are fine with.
>
> Yours,
> Daniel
>
> On Tue, Jun 29, 2021 at 2:00 PM Yoav Nir <ynir.ietf@gmail.com 
> <mailto:ynir.ietf@gmail.com>> wrote:
>
>     [no hats]
>     I don’t want to start (or resume) a religious holy war about
>     uppercase MUSTs, but they’re usually about protocol compliance.
>     What people should (not SHOULD) do with their systems is not
>     subject to requirements language, because the IETF does not
>     engineer administrators. What? You are not compliant with RFC xxxx
>     if you didn’t upgrade your systems already?
>
>     I could understand a statement that Product yyyy is not compliant
>     with RFC xxxx because it still offers IKEv1, but I don’t like
>     non-compliant administrators. Not that I’m advocating to add that
>     statement to the draft. I think it’s fine as it is: just offering
>     advice that systems should be upgraded.
>
>     Yoav
>
>>     On 29 Jun 2021, at 17:21, Daniel Migault <mglt.ietf@gmail.com
>>     <mailto:mglt.ietf@gmail.com>> wrote:
>>
>>     I believe that the first sentence of section 3 says it all. ship it!
>>
>>     I still have some minor comments, though these may have already
>>     been discussed. There are no normative MUST to upgrade ( and in
>>     general very little normative language).
>>     Shouldn't we have for example:
>>     Systems running IKEv1 should be upgraded and reconfigured to run
>>     IKEv2.
>>
>>     moved to :
>>     Systems running IKEv1 MUST be upgraded and reconfigured to run IKEv2.
>>
>>     There are overall very little number of SHOULD/MUST but maybe
>>     that is an editorial choice.
>>
>>     Yours,
>>     Daniel
>>
>>
>>
>>     Yours,
>>     Daniel
>>
>>     On Mon, Jun 28, 2021 at 7:17 PM Dan Harkins <dharkins@lounge.org
>>     <mailto:dharkins@lounge.org>> wrote:
>>
>>
>>            Hi,
>>
>>         On 6/28/21 1:23 AM, Valery Smyslov wrote:
>>         > Hi,
>>         >
>>         > I think document is mostly ready. Few observations:
>>         >
>>         > - FWIW I think that Dan's efforts to make draft's language
>>         less speculative and more concrete
>>         >     are valid and should be reflected in the document.
>>         >
>>         > - Is it OK that the intended status is Standards Track?
>>         Shouldn't it be BCP?
>>         >
>>         > - The draft states that it updates RFC 7296, 8221, 8247.
>>         What in particular is being updated?
>>         >     I believe the recent IESG directives require a short
>>         explanation of what is being updated
>>         >     to be present in Abstract. In any case, it should be
>>         clearly indicated in the body of the document.
>>         >     Have I missed it?
>>         >
>>         > - Section3: I think that phrase "IKEv2 is a more secure
>>         protocol than IKEv1 in every aspect." is a bit too vague.
>>
>>            You know, that was bugging me too. "in every aspect" is
>>         laying it on
>>         a bit thick. IKEv1
>>         has a security proof. The much maligned PSK mode
>>         authenticates the key
>>         as well as the
>>         exchange which is better than what IKEv2 does (and why IKEv1
>>         did not
>>         need an update to do
>>         PQC). So saying it's less secure "in every aspect" just isn't
>>         true. But
>>         I couldn't figure
>>         out a better way to say it....
>>
>>         >    I believe it's better to list security aspects where we
>>         believe IKEv2 is superior:
>>         >
>>         >    * IKEv2 supports modern cryptographic primitives,
>>         including AEAD ciphers
>>         >    * IKEv2 provides real defense against DoS (cookies, core
>>         spec) and DDoS (puzzles, RFC 8019) attacks
>>         >    * support for post-quantum crypto in IKEv2 is being
>>         developed (draft-ietf-ipsecme-ikev2-multiple-ke)
>>         >    * IKEv2 supports various authentication methods via
>>         integration with EAP (core spec)
>>         >    * an extension that allows build PAKE methods in IKEv2
>>         exists (RFC 6467)
>>         >    * did I forget something?
>>
>>            But this is great! I agree that such a brief summary of
>>         the superior
>>         features
>>         would be better than a factually challenged "in every aspect"
>>         statement.
>>
>>            regards,
>>
>>            Dan.
>>
>>         -- 
>>         "The object of life is not to be on the side of the majority,
>>         but to
>>         escape finding oneself in the ranks of the insane." -- Marcus
>>         Aurelius
>>
>>         _______________________________________________
>>         IPsec mailing list
>>         IPsec@ietf.org <mailto:IPsec@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/ipsec
>>         <https://www.ietf.org/mailman/listinfo/ipsec>
>>
>>
>>
>>     -- 
>>     Daniel Migault
>>     Ericsson
>>     _______________________________________________
>>     IPsec mailing list
>>     IPsec@ietf.org <mailto:IPsec@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/ipsec
>>     <https://www.ietf.org/mailman/listinfo/ipsec>
>
>
>
> -- 
> Daniel Migault
> Ericsson

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email