Re: [IPsec] [***SPAM***] RE: SvcParams encoding (was RE: AUTH48: RFC-to-be 9464 <draft-ietf-ipsecme-add-ike-14> for your review)
Valery Smyslov <svan@elvis.ru> Thu, 05 October 2023 10:04 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6C17C13AE34; Thu, 5 Oct 2023 03:04:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IUR9U_6HTXYi; Thu, 5 Oct 2023 03:04:37 -0700 (PDT)
Received: from dpmail.elvis.ru (dpmail.elvis.ru [93.188.44.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B7E0C1522D3; Thu, 5 Oct 2023 03:04:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=LiEyKCv9rgiyRz8rAVODsqjpJYUPeVHgGCE5+n/iYeI=; b=ZZ+BMs8Ahe6RaIkSzWmMyW6191 GW6OlIG9uIOBtqooTfZHAVkZ7tgNjPHTxQSOwTiatlDh8ZaGE37yvk1Gk82zXqP6Lq7eo0lRzJqyi QD6HmOCM0+JGP/EyydotJ4o7GFKYc2gJ1HJQ0bY4KDysFAei3qqIUE2NEH8Qm6d9LdBI=;
Received: from kmail2.elvis.ru ([93.188.44.210]) by dpmail.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1qoLDY-0001nF-A1; Thu, 05 Oct 2023 13:04:29 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail2.elvis.ru with esmtp (Exim 4.94.2) (envelope-from <svan@elvis.ru>) id 1qoLDY-009Hwl-1T; Thu, 05 Oct 2023 13:04:28 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 5 Oct 2023 13:04:37 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Thu, 5 Oct 2023 13:04:37 +0300
From: Valery Smyslov <svan@elvis.ru>
To: mohamed.boucadair@orange.com, 'Tommy Pauly' <tpauly@apple.com>, 'Paul Wouters' <paul@nohats.ca>
CC: ipsec@ietf.org, ipsecme-ads@ietf.org, ipsecme-chairs@ietf.org, 'Dan Wing' <dan@danwing.org>, 'Tirumaleswar Reddy' <kondtir@gmail.com>
References: <DU2PR02MB10160F7F0279206469CD4ECA488CBA@DU2PR02MB10160.eurprd02.prod.outlook.com> <0D2A2345-E0A5-4514-866C-8A1DD4246490@nohats.ca> <AE450E26-D598-4D60-810E-09B3C15CF818@apple.com> <DU2PR02MB101603F956299CF918CD64C0688CAA@DU2PR02MB10160.eurprd02.prod.outlook.com>
In-Reply-To: <DU2PR02MB101603F956299CF918CD64C0688CAA@DU2PR02MB10160.eurprd02.prod.outlook.com>
Date: Thu, 05 Oct 2023 13:04:30 +0300
Message-ID: <0a9701d9f773$54f2d380$fed87a80$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHZK7vwvogNuYCtdSI9bTOjTcBNAgJNVlrvApyfqzoCKgJP7rAD7kCA
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-Spam-Scanner: Rspamd work in kmail2.elvis.ru, WHITELIST
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2023/02/21 22:47:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2023/02/21 21:02:00 #20887462
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Scanner: Rspamd work in dpmail.elvis.ru, WHITELIST
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/D76Rr33174J5cKaspTdiZuNOgUQ>
Subject: Re: [IPsec] [***SPAM***] RE: SvcParams encoding (was RE: AUTH48: RFC-to-be 9464 <draft-ietf-ipsecme-add-ike-14> for your review)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Oct 2023 10:04:42 -0000
Hi Med, Tommy, all, > Hi Tommy, all, > > One comment on this part: > > > the binary format for the parameters, and it doesn’t require the IKE > > implementation to do any parsing, etc. on that. > > Actually, it should because we have some restriction on params in DNR/IKE. Blindly passing the > information to DNS libraries may induce some issues, e.g., when IP hints are present but !=IP addresses. In addition, RFC 8598 specifies that Domain Name is in DNS presentation format. So, if encrypted DNS is used with Split DNS, then I suspect the parsing will be needed (am I missing something?). Regards, Valery. > For this reason and also to provide guidance for future params that might (not) be suitable for DNR/IKE, > do you see a value in tagging these in the IANA SVCB registry? See more at: > https://boucadair.github.io/dnr-svcb-registry/draft-wb-add-svcb-registry-update.html (not published > yet). > > For server configuration files (including small ones in CPEs) based on human-readable parameters, the > DHCP/IKE libraries will do the conversion for sending them using the wire format. Making use of new > svcparams won’t be automatic as we might ideally hope but some effort will be needed to convince > vendors that new svcparams are useful for DNR/IKE beyond what is included in the DNR/IKE RFCs. The > proposed update would help in that maintenance front. > > Cheers, > Med > > > -----Message d'origine----- > > De : Tommy Pauly <tpauly@apple.com> > > Envoyé : jeudi 5 octobre 2023 04:44 > > À : Paul Wouters <paul@nohats.ca> > > Cc : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; > > ipsec@ietf.org; Valery Smyslov <svan@elvis.ru>; ipsecme-ads@ietf.org; > > ipsecme-chairs@ietf.org; Dan Wing <dan@danwing.org>; Tirumaleswar > > Reddy <kondtir@gmail.com> > > Objet : Re: [IPsec] SvcParams encoding (was RE: AUTH48: RFC-to-be 9464 > > <draft-ietf-ipsecme-add-ike-14> for your review) > > > > As with DNR, I definitely think we should be using the wire format > > here (for communicating on the wire). The IKE option here would carry > > the binary format for the parameters, and it doesn’t require the IKE > > implementation to do any parsing, etc on that. > > > > Since it looks like there’s good consensus on the DNR side in the ADD > > WG, I think the most important thing to do is ensure the same format > > is used for IKE as is used elsewhere. For DDR, DNR, and this IKE > > extension, they should all use the same format, whether the > > information is in a DNS packet, a DHCP packet, or an IKE packet. > > > > Thanks, > > Tommy > > > > > On Oct 4, 2023, at 5:28 AM, Paul Wouters <paul@nohats.ca> wrote: > > > > > > As I said over the other side, I prefer presentation format. Here > > that is even more true than over at the dhcp server because ike > > daemons (server AND client) tend to not implement dns wire format. > > > > > > Presentation format would be to reject this change. > > > > > > But whichever is picked, if I am in the rough, do make it the same > > format for both drafts. > > > > > > Paul > > > > > > Sent using a virtual keyboard on a phone > > > > > >> On Oct 4, 2023, at 06:33, mohamed.boucadair@orange.com wrote: > > >> > > >> Hi all, = > > >> > > >> > > >> This document is already in AUTH48-DONE but still not published yet > > >> because= of a normative dependency (see more about the cluster at > > >> > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww > > >> .rfc- > > %2F&data=05%7C01%7Cmohamed.boucadair%40orange.com%7C9255f776e6cc > > >> > > 4c03710d08dbc54d09a2%7C90c7a20af34b40bfbc48b9253b6f5d20%7C0%7C0%7C638 > > >> > > 320706888240742%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV > > >> > > 2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=j1S53uWVH > > >> CJoqPS%2BIWoKaFJRUjaz1zC1k2h1FKLEAoQ%3D&reserved=0= > > >> editor.org/auth48/C461). > > >> > > >> A late issue was raised about the encoding of the service > > parameters > > >> (repre= sentation format vs wire format). A summary can be found > > at: > > >> https://mailar= > > chive.ietf.org/arch/msg/add/qU_TaosKNhojs3h3ojUb0B_bpXg/. > > >> > > >> In order to be consistent with the consensus in ADD, I suggest we > > >> update RF= C-to-be 9464 as follows: = > > >> > > >> > > >> OLD: > > >> Service Parameters (SvcParams) (variable) - Specifies a set of > > >> service parameters that are encoded following the rules in > > >> Section 2.1 of [RFC9460]. = > > >> > > >> > > >> NEW: > > >> Service Parameters (SvcParams) (variable) - Specifies a set of > > >> service parameters that are encoded following the same rules > > >> for encoding SvcParams using the wire format specified > > >> in Section 2.2 of [RFC9460]. = > > >> > > >> > > >> The text may seem verbose but the intent is to avoid ambiguity and > > be > > >> expli= cit about which part of Section 2.2 of [RFC9460]. > > >> > > >> Unless we hear an objection by the end of the week, we will request > > >> the RFC= Editor to make this change. = > > >> > > >> > > >> Cheers, > > >> Med > > >> > ______________________________________________________________________________________ > ______________________ > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne > doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez > le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles > d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged information that may be > protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete this message and its > attachments. > As emails may be altered, Orange is not liable for messages that have been modified, changed or > falsified. > Thank you.
- [IPsec] SvcParams encoding (was RE: AUTH48: RFC-t… mohamed.boucadair
- Re: [IPsec] SvcParams encoding (was RE: AUTH48: R… Paul Wouters
- Re: [IPsec] SvcParams encoding (was RE: AUTH48: R… Tommy Pauly
- Re: [IPsec] SvcParams encoding (was RE: AUTH48: R… mohamed.boucadair
- Re: [IPsec] [***SPAM***] RE: SvcParams encoding (… Valery Smyslov
- Re: [IPsec] SvcParams encoding (was RE: AUTH48: R… Ben Schwartz
- Re: [IPsec] SvcParams encoding (was RE: AUTH48: R… mohamed.boucadair
- Re: [IPsec] SvcParams encoding (was RE: AUTH48: R… Ben Schwartz
- Re: [IPsec] SvcParams encoding (was RE: AUTH48: R… mohamed.boucadair
- Re: [IPsec] SvcParams encoding (was RE: AUTH48: R… Paul Wouters