Re: [IPsec] Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
Valery Smyslov <svan@elvis.ru> Thu, 11 April 2024 13:23 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B518AC14F6FC; Thu, 11 Apr 2024 06:23:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDRf3YuKKEg5; Thu, 11 Apr 2024 06:23:49 -0700 (PDT)
Received: from dpmail.elvis.ru (dpmail.elvis.ru [93.188.44.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93998C14F691; Thu, 11 Apr 2024 06:23:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=iwu0pEOi1hikEaXvB1FQGwmxj+EKHqiUhi9DLZUaPco=; b=bkh60nEP8MbjwVygkumCdwAhNw 8zcq/fKmHzw+VjMnzPErxvIZcjGCKuf8oQokc2VasbU9LB6GNUEBdHm1MffgwKc3eOpdqwhqEZYja NkBHNoab98iK6mrf8HDV4r51LhwhBGgz0vh7a7Zw4L46sYk03ePJVqBO66HdIuUjVwjQ=;
Received: from kmail2.elvis.ru ([93.188.44.210]) by dpmail.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1ruuOq-0005wE-9a; Thu, 11 Apr 2024 16:23:32 +0300
Received: from mail.office.elvis.ru ([10.111.1.29]) by kmail2.elvis.ru with esmtp (Exim 4.94.2) (envelope-from <svan@elvis.ru>) id 1ruuOq-00Cwhg-2H; Thu, 11 Apr 2024 16:23:32 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 11 Apr 2024 16:23:31 +0300
Received: from BuildPC (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Thu, 11 Apr 2024 16:23:31 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Éric Vyncke' <evyncke@cisco.com>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-ikev2-auth-announce@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
References: <171282942898.60208.16082104712999966299@ietfa.amsl.com>
In-Reply-To: <171282942898.60208.16082104712999966299@ietfa.amsl.com>
Date: Thu, 11 Apr 2024 16:23:31 +0300
Message-ID: <039901da8c13$72cb6310$58622930$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKQ/B+n20FMeIdPXc9TaztnjeCv8K/2GBIw
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-Spam-Scanner: Rspamd work in kmail2.elvis.ru, WHITELIST
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2023/02/21 22:47:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2023/02/21 21:02:00 #20887462
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Scanner: Rspamd work in dpmail.elvis.ru, WHITELIST
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Brgl3jt-uWK8q80Cm73_3qQZrUY>
Subject: Re: [IPsec] Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 13:23:53 -0000
Hi Éric, thank you for your comments, please see inline. > Éric Vyncke has entered the following ballot position for > draft-ietf-ipsecme-ikev2-auth-announce-09: No Objection > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot- > positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-auth-announce/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > # Éric Vyncke, INT AD, comments fordraft-ietf-ipsecme-ikev2-auth-announce-09 > > Thank you for the work put into this document. > > Please find below some non-blocking COMMENT points (but replies would be > appreciated even if only for my own education), and some nits. > > Special thanks to Tero Kivinen for the shepherd's detailed write-up including > the WG consensus and the justification of the intended status. > > I hope that this review helps to improve the document, > > Regards, > > -éric > > # COMMENTS (non-blocking) > > ## Abstract > > As the I-D is about authentication methods, I wonder whether `with multiple > different credentials` is the right wording, should it rather be "different > authentication methods" ? (of course with some text repetition). I believe "different credentials" may include "different authentication methods"? There are may also be some subtleties. For example, consider the situation when user has 2 certificates: RSA and ECDSA. In this case he/she has different credentials, but from IKEv2 point of view, both use the same authentication method, "Digital Signature", with different signature algorithms. I make the following change: s/multiple different credentials/multiple credentials of different type Is this better? > ## Section 3.1 > > `Regardless of whether the notification is received,` may be I am mis-reading > this, but why would the responder send the notification if the initiator does > not care anyway ? The responder doesn't know if the initiator cares or not. There is no negotiation of this feature, each party just makes its mind whether to send and whether to process this notification (if it is ever supported). > ## Section 3.2 > > While the readers may guess some details, but let's be clear in a proposed > standard I-D: > > 1) `Notification Data field` does not appear in figure 4 > 2) role of C flag and its value > 3) value of Protocol ID > 4) saying that reserved field must be set to 0 by sender and ignored on the > receiver There is a reference to Section 3.10 of RFC 7296, which contains details of how a generic payload header should be filled in. The Protocol ID and SPI Size values are defined in this document (zero). What about 1), well, the "Notification Data" is the generic name of this field in the Notify Payload. Its content depends on the type of the notify message. I quickly scanned other RFCs which defined new notifications and they all renamed the "Notification Data" to some name specific to the type of notification. So, to avoid confusion, I changed the text as follows: s/The Notification Data field/ Notification data Hope this eliminates the possible confusion. > ## Section 3.2.1 > > Let's be crisp and specify that the length is in octets. Done. > Is there a registry for authentication method ? or should this specification be > updated for every new authentication method ? https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-12 I hope no, but I cannot predict how IKEv2 would be tweaked in the future :-) > # NITS (non-blocking / cosmetic) > > ## Section 1 > > The last sentence of the 2nd paragraph is rather long and I think that "that" > should be used in `the peer which supports wider range of`. Thank you, I've been always mixing when to use "which" or "that" :-) I changed s/which/that > ## Section 3.2.1 > > Missing closing parenthesis in the last paragraph. Fixed. Regards, Valery.
- [IPsec] Éric Vyncke's No Objection on draft-ietf-… Éric Vyncke via Datatracker
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)