IETF Logo Mail Archive

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 14 October 2020 06:26 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27CBD3A13A0; Tue, 13 Oct 2020 23:26:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9C0bws-Jqtw9; Tue, 13 Oct 2020 23:26:53 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E70FD3A0A60; Tue, 13 Oct 2020 23:26:52 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id a4so1900034lji.12; Tue, 13 Oct 2020 23:26:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=FlV/H2C/dsw1g9K0iFEddMb03n7NnWeR8lYj28AFeBA=; b=LPw4pa+li2u/nkd8GsoePLBTV7Yi2RhPm2Be5Op+8L26VhZVshA7uoeUKYZtnLI7UT xOvRkjyKA9XCYKBe26Rjwf/xTTHLUhtZn1soOB0P/acmlr9tvIfHlbr5cIoJEOzd7rH4 Cdxa/mX/D8gawSQuNjvvDtggIQ3eTRuTUnd9Nk3/tKc1O6lBNvabPTZ9mHesu3uM4yI9 99Pw0GOxTFhSObJQpQBEUmSAbkxSfY5yGi+H/WXpYX9ExKiYccKdUoox+ExvDTdP673P 0Rr+0WvxX7BqtVdkwTPooqVQHW2d/KtMNTMJRtIjrqCzykmRCdj0W0Qc0QoPMWoZ+57V +hgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=FlV/H2C/dsw1g9K0iFEddMb03n7NnWeR8lYj28AFeBA=; b=a9GQ3sXILszI/3vvLaNn+gV6igfEKRGG/cu0Z+bO0gePKelNyrPzVPP9gV1AzhWjiD SLdRkuAMidYjAxXOqbBqoDiZv/0NaBGlaMEcWvsySviUU+froAu9YI5XPxBBy6nLnRhQ IvS0g/+hEyt6N74uasgsldXGNENWfQol35z9xiLJkq0t5Y5ihgPHyhFOd6sD8kTn6VDG o268kW4O02UuNygRJqZ3MuDrZlActfkhIUBm2ZcmwEZABzdRhJ+XNeSyG2EIN8OmY3yB NLNZJvB6n2vIocpKt3J42BmmShGOiK0PW/9j6QkXn1Te/JOUTI59k0chQvTs8J4Wn+Ue S+MQ==
X-Gm-Message-State: AOAM5304KwbLhJt6j7qJZlTm4gB2OUzSlD0PJ4+TFyHHocXFFy7GIN3r fo0y5aWX+hLA7oXp6GeM1M3gFHaH0gM=
X-Google-Smtp-Source: ABdhPJyycypU6YgRQ9MIrAK162ZaZdI95spW40lNvPTKxiXBReAIh4NWWZnrh3gX6+g+IQdtAZ113Q==
X-Received: by 2002:a2e:92d5:: with SMTP id k21mr1159991ljh.258.1602656810975; Tue, 13 Oct 2020 23:26:50 -0700 (PDT)
Received: from buildpc ([93.188.44.203]) by smtp.gmail.com with ESMTPSA id o14sm754600lfc.29.2020.10.13.23.26.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Oct 2020 23:26:50 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Lou Berger' <lberger@labn.net>, 'Christian Hopps' <chopps@chopps.org>, ipsec@ietf.org
Cc: ipsecme-chairs@ietf.org
References: <160148315262.3746.2680691950315422865@ietfa.amsl.com> <27659521-C1B0-4F0E-A6CC-C6F4B8938FFE@chopps.org> <1ab401d6a131$ae279f30$0a76dd90$@gmail.com> <ab981da9-9735-b6a9-851d-736330748ce6@labn.net> <1b0b01d6a163$15ddcce0$419966a0$@gmail.com> <47f569bf-de43-3aa4-ad4f-5149b82b35f6@labn.net> <1b2401d6a16a$12110940$36331bc0$@gmail.com> <86bb0855-927d-defb-374c-d6f6be13eb50@labn.net> <1b3001d6a16e$6e614030$4b23c090$@gmail.com> <2af84d55-539a-cc37-5952-731d4d86473b@labn.net>
In-Reply-To: <2af84d55-539a-cc37-5952-731d4d86473b@labn.net>
Date: Wed, 14 Oct 2020 09:26:43 +0300
Message-ID: <000c01d6a1f2$fd2ef940$f78cebc0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01D6A20C.227E7B30"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLBR9Dg1QdoZI0c6Vo/AaLkIdpDHgLCxSxRAjbXs18B6rBqnQEamLQSAoWVN8MCQOm3xwKebyejAclKvHwCPz51A6cl78UA
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AxvmmOWKohUVxvKAevSovXPRCCY>
Subject: Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 06:26:58 -0000

Hi Lou,

Valery, 

>    If IKE is used to negotiate using IP-TFS, then such switching MUST NOT take place.

I read this added line as saying you can switch from tunnel to TFS, I think you mean that use of TFS is controlled via IKE.  How about?

   If IKE is used to negotiate using IP-TFS, then use of
   TFS is controlled per Section 5.1.
 
              I think the text is still a bit ambiguous,  since previous sentence uses a normative SHOULD
              to support switching from tunnel to IPTFS and the proposed text doesn’t forbid this
              behavior explicitly if IKE is used. I’d like to see more explicit language for IKE case.
              How about:
 
   If IKE is used to negotiate using IP-TFS, then use of
   TFS is controlled per Section 5.1, and thus the option of switching
   to IP-TFS receive-side operation on receipt of the first IP-TFS payload
   MUST NOT be used.
 
              Feel free to change the text keeping its sense...
 
              Regards,
              Valery.

Lou

On 10/13/2020 10:37 AM, Valery Smyslov wrote:

Valery,

How about this:

OLD
   Receive-side operation of IP-TFS does not require any per-SA
   configuration on the receiver; as such, an IP-TFS implementation
   SHOULD support the option of switching to IP-TFS receive-side
   operation on receipt of the first IP-TFS payload.

NEW
   Receive-side operation of IP-TFS does not require any per-SA
   configuration on the receiver; as such, for tunnels created 
   without IKE, an IP-TFS implementation
   SHOULD support the option of switching to IP-TFS receive-side
   operation on receipt of the first IP-TFS payload for tunnels.

I can live with MAY, but would prefer SHOULD.

 

 
Does this work for you?
 
              Yes, with the following addition.
 
   Receive-side operation of IP-TFS does not require any per-SA
   configuration on the receiver; as such, for tunnels created 
   without IKE, an IP-TFS implementation
   SHOULD support the option of switching to IP-TFS receive-side
   operation on receipt of the first IP-TFS payload for tunnels.
   If IKE is used to negotiate using IP-TFS, then such switching
   MUST NOT take place.
 
              With this addition I don’t mind having SHOULD for ike-less case.
 
              Regards,
              Valery.
 

 

 

             
Lou
 

On 10/13/2020 10:06 AM, Valery Smyslov wrote:

I can live with MAY.

 
OK, but it must be negotiable in any case if you plan to use it with IKE.
Otherwise we'll get black holes.
 

On 10/13/2020 9:16 AM, Valery Smyslov wrote:

If you badly need this feature, then please make it MAY and negotiable,
so that people can ignore it. SHOULD is too strong for it,
leaving it non-negotiable is just unacceptable, IMHO.

 
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
 





_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email