Re: [IPsec] Martin Vigoureux's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)
Martin Vigoureux <martin.vigoureux@nokia.com> Thu, 09 January 2020 12:01 UTC
Return-Path: <martin.vigoureux@nokia.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 252CE120885; Thu, 9 Jan 2020 04:01:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pG8dPGSqMe3k; Thu, 9 Jan 2020 04:01:12 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2103.outbound.protection.outlook.com [40.107.22.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4ED4D120890; Thu, 9 Jan 2020 04:01:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=m4BgYANWgsjrb1EExBNu9o1kBMHh97kGSiUBPyCQNb6GBTgBJzPbojkNXMxgt74JEGDMQhNOHy6rY51F2r4F6DSmzQOhJH6WjFSsF95PIHyHspDbghHZnr0QBspqXVEEskDrRS9/efN0ODPo7wk/eB4LwHoTmJIm2F3PzoKqx2Wu8ltdCDSe0WPXt8x3u/1dSKhFKup2ydEuCfQkTSzcP6T/DOZDjf2ZaDO4GMCZoTvbigl0rcYtzkXUITKrcnT1evv9b80UGzGqqawqLZcmeml2YOIXMO3woL3/yQg/Qkt83g3u5Khjac/Lx1WYNWwm9L8p4MBPdHYcZZ7cHMe0ag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=go1jGdUlzx+OMXA+svltOarHLBSxPVqx+Ckwb6zps9U=; b=lDtwx4OarIrSASv6w03ZIOdl5Lj7KKI5N6stQpueyXeMAy1l0pPI1YWZI6IC6thPRbhHcdcbYCGLshl6oncKOjsxeJBZ7tCj81JLhw58k2aA4gT6adkPzMfC9OH3RKGAlkLPwOouZDPIVC7Wm9INbCbPA7Gd2tNOxvDwY3pUREvXbUB2Ba1GZRNcQWgaWORgZFxr3n8aAUdFSyKLzwYnh4XJdzZhdtGHoYP+mQtzMPfspbuoDbu6Oc112JLAEtI4h7DbKyiF0RZx1WfIKGMHuhYwqCQKCZtklpvf8J1rYtZ3EoFj+RbG2N4wMAZSq1DhlZqNomruH0+Q0VcJMY9L3w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=go1jGdUlzx+OMXA+svltOarHLBSxPVqx+Ckwb6zps9U=; b=QOufRyKde8mvOQaqifYBsxhjqSYR5EbIyAHBG8ghnxNQPF+mjVOk3Dte2vfGRYk9ua7nlaIMtyBUlT4C5dqp5JsynwqMk6tvJsTPt+idBy8KmGIPP+1B7mtZMPgaKba0byhmivY8nJ0U5mdgzensxlWNBooO609d/DZYUfYtFIM=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=martin.vigoureux@nokia.com;
Received: from DB7PR07MB4140.eurprd07.prod.outlook.com (52.134.96.142) by DB7PR07MB5627.eurprd07.prod.outlook.com (20.178.47.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.7; Thu, 9 Jan 2020 12:01:09 +0000
Received: from DB7PR07MB4140.eurprd07.prod.outlook.com ([fe80::b1d0:9cc:48cb:e49]) by DB7PR07MB4140.eurprd07.prod.outlook.com ([fe80::b1d0:9cc:48cb:e49%5]) with mapi id 15.20.2644.006; Thu, 9 Jan 2020 12:01:09 +0000
To: Valery Smyslov <svan@elvis.ru>, 'The IESG' <iesg@ietf.org>
Cc: draft-ietf-ipsecme-qr-ikev2@ietf.org, 'David Waltermire' <david.waltermire@nist.gov>, ipsecme-chairs@ietf.org, ipsec@ietf.org
References: <157852009927.22485.15123997628919595988.idtracker@ietfa.amsl.com> <08de01d5c6c3$6ba47500$42ed5f00$@elvis.ru>
From: Martin Vigoureux <martin.vigoureux@nokia.com>
Message-ID: <09c7f062-b7f0-84d4-97cf-bd268d655255@nokia.com>
Date: Thu, 09 Jan 2020 13:01:05 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
In-Reply-To: <08de01d5c6c3$6ba47500$42ed5f00$@elvis.ru>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
X-ClientProxiedBy: PR0P264CA0168.FRAP264.PROD.OUTLOOK.COM (2603:10a6:100:1b::36) To DB7PR07MB4140.eurprd07.prod.outlook.com (2603:10a6:5:1::14)
MIME-Version: 1.0
Received: from [172.30.2.230] (131.228.2.20) by PR0P264CA0168.FRAP264.PROD.OUTLOOK.COM (2603:10a6:100:1b::36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.9 via Frontend Transport; Thu, 9 Jan 2020 12:01:08 +0000
X-Originating-IP: [131.228.2.20]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 1126ac40-db6a-4000-8788-08d794fb9d27
X-MS-TrafficTypeDiagnostic: DB7PR07MB5627:
X-Microsoft-Antispam-PRVS: <DB7PR07MB56275624440F255FB89D39FF8C390@DB7PR07MB5627.eurprd07.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 02778BF158
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(366004)(199004)(189003)(52314003)(2906002)(81166006)(8676002)(36756003)(16526019)(31686004)(186003)(8936002)(26005)(4326008)(66574012)(5660300002)(52116002)(81156014)(498600001)(66946007)(6666004)(66556008)(66476007)(110136005)(6486002)(16576012)(966005)(956004)(44832011)(2616005)(86362001)(31696002); DIR:OUT; SFP:1102; SCL:1; SRVR:DB7PR07MB5627; H:DB7PR07MB4140.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
Received-SPF: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 1NgZgoa72oCK/LjTR/Fmee2T+P7sDsYaGjyixr1LakCzL4llqJHB1On/o4PACojZzBuE6Om/Y428WYeJBlREeYmQScyRjrtiKyqnwWnPc1vregQuf7jAPCvcMaj1i8A5nras7P91uREus4Rd/vy0v2+kTU1GScw3fAJeo5kQ4ZJ7wRIZuJkHk96GuWj7M8vl/D4FnRwMgBsI46mviYWmtqCXfJmFcO4WymGM7JXutssNV7KKoaBHVFhuD5loQMEYEEIKffZWFF/+P9O+eYwnUb49lP7lgLeE8NyGzS925a5NvkqLhY1NfuwJZMkv3MJgiUTMg80eCDXunKTlJ71mGUB9PXc2Wwrt42aJs9I0sRwpDUHNZSMNGXQM0K79hUHPEIhOkwFowVK9X7+XwdsCGrM3NHK4DFVx953orv+lw4bhQCLDQ+02M1QnSivAMRaAvqaHGPNGizEl+ersOAzYqx8Aa1DjsbYmIF5aTLJZR4vq3s/NYv34myt0pf6p/KR23gJQcQKL9dGuD2fhTJn2eX1Ctl02uQ7qg9EmAty6txBl3PxqDVyqo7IskmNshkM+
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1126ac40-db6a-4000-8788-08d794fb9d27
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Jan 2020 12:01:09.1979 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: WJ9IXB7vUS7dPL7LN8XbzTSwdgtkDq5MFtdWQdixsA8LUcltn7+gqt/t6xHavcykXZIknz8kfmT0mrmNmQoJ5CzobLSlYPrvbtiYzHUyu6g=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR07MB5627
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/CjHIkI522m8UntwIBjgQX5A6qk8>
Subject: Re: [IPsec] Martin Vigoureux's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2020 12:01:15 -0000
Hello Valery, thank you for your feedback. Please see in-inline. Le 2020-01-09 à 9:04, Valery Smyslov a écrit : > Hi Martin, > >> Martin Vigoureux has entered the following ballot position for >> draft-ietf-ipsecme-qr-ikev2-10: No Objection >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/ >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> Hi, >> >> It seems to me there are places where 2119/8174 keywords would make sense. >> Few examples, with suggestions: >> If the initiator is configured to use a post-quantum preshared key >> with the responder (whether or not the use of the PPK is mandatory), >> then it will include a notification USE_PPK in the IKE_SA_INIT >> request message as follows: >>>> MUST include > > Isn't it just a protocol description and not a requirement? it is, but for a implementation to behave like that I tend to think that having a requirement in the first place would make sense. > > Anyway, I have no problem with using RFC2119 language here, > but a few years ago I was told by one of ADs that > I improperly used RFC2119 language when I wrote > a very similar sentence: "if initiator is configured with foo > it MAY include a bar notification in its request"; > I was told then that plain English must be used in this case :-) ADs can have different points of view :-) Yet, I'm not seeking to change to the doc, so if you feel this is fine like that (and I agree that at least it's not wrong) then don't change anything. > >> If the initiator needs to resend this initial message with a cookie >> (because the responder response included a COOKIE notification), then >> the resend would include the USE_PPK notification if the original >> message did. >>>> MUST (or SHOULD?) include > > I don't think it is needed here. Section 2.6 of RFC7296 has already > a requirement, that > > ...the initiator MUST then retry the > IKE_SA_INIT request, and include the COOKIE notification containing > the received data as the first payload, and all other payloads > unchanged. my bad. I did a quick read of that section and obviously missed the last part of that sentence ... > > So we don't impose new requirement, we just remind readers that > USE_PPK will also be included in the resend message. > >> by the way, if it is a resend of the message described in the paragraph above, >> then "if the original message did" seems superfluous. > > It is a resend, but the resending message is a bit different from the original, > since it includes the cookie received from the responder. > See section 2.6 of RFC7296 for details. > >> Otherwise the responder replies with the IKE_SA_INIT message including a >> USE_PPK notification in the response: >>>> MUST reply >> >> initiator and the responder. The responder can use the PPK_ID to >> look up the corresponding PPK value. Not all implementations are >> able to configure arbitrary octet strings; to improve the >> potential interoperability, it is recommended that, in the >> PPK_ID_FIXED case, both the PPK and the PPK_ID strings be limited >> to the base64 character set, namely the 64 characters 0-9, A-Z, >> a-z, + and /. >>>> RECOMMENDED > > The "recommended" here is intentionally made non-normative, > otherwise the requirement is too strong (there are a number > of use cases, where the requirement for PPK to be base64 limited makes a little sense, > like hardware tokens etc.). So it's just a general recommendation. ok, understood. > >> values 3-127 are reserved for IANA; >> Maybe it's just because I'm not used to that wording, but why "reserved for >> IANA" ? The table seems to qualify them as unassigned. > > Is there a difference? I've been thinking that "reserved for IANA" means > that these values are currently unassigned, but IANA will use them for future assignments... As said, this is the first time I see this written this way, so I raised the question. If it is well understood that this means "unassigned" then fine. What is ultimately important is what is written in the table/registry. > > Thank you, > Valery. > > > regards, martin
- [IPsec] Martin Vigoureux's No Objection on draft-… Martin Vigoureux via Datatracker
- Re: [IPsec] Martin Vigoureux's No Objection on dr… Valery Smyslov
- Re: [IPsec] Martin Vigoureux's No Objection on dr… Martin Vigoureux