Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
Valery Smyslov <smyslov.ietf@gmail.com> Wed, 14 October 2020 06:26 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27CBD3A13A0; Tue, 13 Oct 2020 23:26:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9C0bws-Jqtw9; Tue, 13 Oct 2020 23:26:53 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E70FD3A0A60; Tue, 13 Oct 2020 23:26:52 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id a4so1900034lji.12; Tue, 13 Oct 2020 23:26:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=FlV/H2C/dsw1g9K0iFEddMb03n7NnWeR8lYj28AFeBA=; b=LPw4pa+li2u/nkd8GsoePLBTV7Yi2RhPm2Be5Op+8L26VhZVshA7uoeUKYZtnLI7UT xOvRkjyKA9XCYKBe26Rjwf/xTTHLUhtZn1soOB0P/acmlr9tvIfHlbr5cIoJEOzd7rH4 Cdxa/mX/D8gawSQuNjvvDtggIQ3eTRuTUnd9Nk3/tKc1O6lBNvabPTZ9mHesu3uM4yI9 99Pw0GOxTFhSObJQpQBEUmSAbkxSfY5yGi+H/WXpYX9ExKiYccKdUoox+ExvDTdP673P 0Rr+0WvxX7BqtVdkwTPooqVQHW2d/KtMNTMJRtIjrqCzykmRCdj0W0Qc0QoPMWoZ+57V +hgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=FlV/H2C/dsw1g9K0iFEddMb03n7NnWeR8lYj28AFeBA=; b=a9GQ3sXILszI/3vvLaNn+gV6igfEKRGG/cu0Z+bO0gePKelNyrPzVPP9gV1AzhWjiD SLdRkuAMidYjAxXOqbBqoDiZv/0NaBGlaMEcWvsySviUU+froAu9YI5XPxBBy6nLnRhQ IvS0g/+hEyt6N74uasgsldXGNENWfQol35z9xiLJkq0t5Y5ihgPHyhFOd6sD8kTn6VDG o268kW4O02UuNygRJqZ3MuDrZlActfkhIUBm2ZcmwEZABzdRhJ+XNeSyG2EIN8OmY3yB NLNZJvB6n2vIocpKt3J42BmmShGOiK0PW/9j6QkXn1Te/JOUTI59k0chQvTs8J4Wn+Ue S+MQ==
X-Gm-Message-State: AOAM5304KwbLhJt6j7qJZlTm4gB2OUzSlD0PJ4+TFyHHocXFFy7GIN3r fo0y5aWX+hLA7oXp6GeM1M3gFHaH0gM=
X-Google-Smtp-Source: ABdhPJyycypU6YgRQ9MIrAK162ZaZdI95spW40lNvPTKxiXBReAIh4NWWZnrh3gX6+g+IQdtAZ113Q==
X-Received: by 2002:a2e:92d5:: with SMTP id k21mr1159991ljh.258.1602656810975; Tue, 13 Oct 2020 23:26:50 -0700 (PDT)
Received: from buildpc ([93.188.44.203]) by smtp.gmail.com with ESMTPSA id o14sm754600lfc.29.2020.10.13.23.26.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Oct 2020 23:26:50 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Lou Berger' <lberger@labn.net>, 'Christian Hopps' <chopps@chopps.org>, ipsec@ietf.org
Cc: ipsecme-chairs@ietf.org
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <1b3001d6a16e$6e614030$4b23c090$@gmail.com> <2af84d55-539a-cc37-5952-731d4d86473b@labn.net>
In-Reply-To: <2af84d55-539a-cc37-5952-731d4d86473b@labn.net>
Date: Wed, 14 Oct 2020 09:26:43 +0300
Message-ID: <000c01d6a1f2$fd2ef940$f78cebc0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01D6A20C.227E7B30"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLBR9Dg1QdoZI0c6Vo/AaLkIdpDHgLCxSxRAjbXs18B6rBqnQEamLQSAoWVN8MCQOm3xwKebyejAclKvHwCPz51A6cl78UA
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AxvmmOWKohUVxvKAevSovXPRCCY>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 06:26:58 -0000
Hi Lou, Valery, > If IKE is used to negotiate using IP-TFS, then such switching MUST NOT take place. I read this added line as saying you can switch from tunnel to TFS, I think you mean that use of TFS is controlled via IKE. How about? If IKE is used to negotiate using IP-TFS, then use of TFS is controlled per Section 5.1. I think the text is still a bit ambiguous, since previous sentence uses a normative SHOULD to support switching from tunnel to IPTFS and the proposed text doesn’t forbid this behavior explicitly if IKE is used. I’d like to see more explicit language for IKE case. How about: If IKE is used to negotiate using IP-TFS, then use of TFS is controlled per Section 5.1, and thus the option of switching to IP-TFS receive-side operation on receipt of the first IP-TFS payload MUST NOT be used. Feel free to change the text keeping its sense... Regards, Valery. Lou On 10/13/2020 10:37 AM, Valery Smyslov wrote: Valery, How about this: OLD Receive-side operation of IP-TFS does not require any per-SA configuration on the receiver; as such, an IP-TFS implementation SHOULD support the option of switching to IP-TFS receive-side operation on receipt of the first IP-TFS payload. NEW Receive-side operation of IP-TFS does not require any per-SA configuration on the receiver; as such, for tunnels created without IKE, an IP-TFS implementation SHOULD support the option of switching to IP-TFS receive-side operation on receipt of the first IP-TFS payload for tunnels. I can live with MAY, but would prefer SHOULD. Does this work for you? Yes, with the following addition. Receive-side operation of IP-TFS does not require any per-SA configuration on the receiver; as such, for tunnels created without IKE, an IP-TFS implementation SHOULD support the option of switching to IP-TFS receive-side operation on receipt of the first IP-TFS payload for tunnels. If IKE is used to negotiate using IP-TFS, then such switching MUST NOT take place. With this addition I don’t mind having SHOULD for ike-less case. Regards, Valery. Lou On 10/13/2020 10:06 AM, Valery Smyslov wrote: I can live with MAY. OK, but it must be negotiable in any case if you plan to use it with IKE. Otherwise we'll get black holes. On 10/13/2020 9:16 AM, Valery Smyslov wrote: If you badly need this feature, then please make it MAY and negotiable, so that people can ignore it. SHOULD is too strong for it, leaving it non-negotiable is just unacceptable, IMHO. _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] I-D Action: draft-ietf-ipsecme-iptfs-02.t… internet-drafts
- [IPsec] Update and WGLC request [Re: I-D Action: … Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Valery Smyslov
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Michael Richardson
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Paul Wouters
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Tero Kivinen
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Christian Hopps
- Re: [IPsec] Update and WGLC request [Re: I-D Acti… Lou Berger