Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs
Sean Turner <sean@sn3rd.com> Fri, 12 February 2021 14:30 UTC
Return-Path: <sean@sn3rd.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38C3B3A16EC for <ipsec@ietfa.amsl.com>; Fri, 12 Feb 2021 06:30:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHnhdbQMq_2c for <ipsec@ietfa.amsl.com>; Fri, 12 Feb 2021 06:30:50 -0800 (PST)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A547A3A16EA for <ipsec@ietf.org>; Fri, 12 Feb 2021 06:30:50 -0800 (PST)
Received: by mail-qt1-x82b.google.com with SMTP id c5so6819607qth.2 for <ipsec@ietf.org>; Fri, 12 Feb 2021 06:30:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=spBZX1iMr6jhKFejyj3uX4lt+5G/NEs9l9IrhEk+zME=; b=bfTWJkldZPd9HkDjp8lzvHeg2zK/bBAljHuDEg5xu6pF15/rNSeVXXWvrnJtL/l2g/ 2Rim+43g9JzHM5EArs+yhSvqavHyhjN4Myw2AXwd97Q9l50DMBAgRMUIlG8naYLXMOXB Nxuf+IDuiPFgG1uk/LbrKRCTi+m/Ifsi/1aek=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=spBZX1iMr6jhKFejyj3uX4lt+5G/NEs9l9IrhEk+zME=; b=A8oLhPuDRtotj+gYgJwCypl9HFDLoebv1SL1Y9ryO44aIwb7G6bydSwLEkdOFSAaNF DXLFfAKplqEOgg6n+wR7BjtrQ/2OGTEqRGKviKA6T4If1qHsphaPX7NXkwgdh4ZNervE 9i+nYDt7CtAw2VXRd+YNQBNj/FydqhR90StssD1Iv1UISdMdqOTw2Gb7nPQYRdbgCc+N kw0uS6OWNdE2lfy+Yilde6Bnpj4rjTxrq1Ie1Pj76US72S6kZCTqoxvCOUo3ZxuR3vjI M04Oe81OMTkGGcM7+T/0OfuNye4naLBuniODqJWajWXmoC9y1UVUBLbKWVFDcFeoHHFO ie4g==
X-Gm-Message-State: AOAM530DZcpeepM7sSAw7Qf4cLSn7nGX9D/Q/7qoSUE5weKJdoL+mjBj NdYa2h7mEjEnK1Vax8RQ9f60Qg==
X-Google-Smtp-Source: ABdhPJzBo2HAmQeEeE8Aa8qGu52ClBeJYwRlh0pXNZE2qWaNNQdZLu1iFFJaqMRS/pidZU4sVAIjew==
X-Received: by 2002:ac8:5854:: with SMTP id h20mr2634097qth.301.1613140249443; Fri, 12 Feb 2021 06:30:49 -0800 (PST)
Received: from [192.168.1.152] (pool-108-31-39-252.washdc.fios.verizon.net. [108.31.39.252]) by smtp.gmail.com with ESMTPSA id c127sm6382430qkd.87.2021.02.12.06.30.48 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Feb 2021 06:30:48 -0800 (PST)
From: Sean Turner <sean@sn3rd.com>
Message-Id: <E590345D-A79C-4FD7-A0C5-53D932016093@sn3rd.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_E4D51EF1-20E6-4F88-8A9F-DE9F0A749F71"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Fri, 12 Feb 2021 09:30:47 -0500
In-Reply-To: <2B7B497D-8759-4E48-85A3-190DC213A5C6@chopps.org>
Cc: ipsec@ietf.org
To: Christian Hopps <chopps@chopps.org>
References: <24590.9470.995873.674029@fireball.acr.fi> <569B8D50-F0B3-4EA1-8A1D-EFB9BD674578@sn3rd.com> <2B7B497D-8759-4E48-85A3-190DC213A5C6@chopps.org>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/E4r4nvlsLX4hoswmXYdyO_mzsUs>
Subject: Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 14:30:54 -0000
Chris, Thanks for wading through these. Incorporating these will certainly remove any issues I had. As far as the style suggestions goe, that’s fine the GENART, IESG, and RFC editor will also ask for their pound of flesh ;) Spt > On Feb 8, 2021, at 18:19, Christian Hopps <chopps@chopps.org> wrote: > > > >> On Feb 3, 2021, at 10:38 PM, Sean Turner <sean@sn3rd.com> wrote: >> >> Hi! I mostly just have nits, but there are a couple of questions interspersed below. > > Hi Sean, > > Thanks so much for this very thorough review! > > I have made the vast majority of the suggested changes with only a few style exceptions (and incorporated Paul's input in his follow-on email). > > I will post a new version soon with these changes (noted below) as well as addressing some from Valery as well. > >> s1, para 1: s/While one may directly obscure the data through the use of/While directly obscuring the data with > > Fixed > >> s1, para 1: s/it’s/its >> > > Fixed > >> s1, para 3: s/IP-TFS/IP-TFS (IP Traffic Flow Security) > > Fixed > >> >> s1, last para: s/IP-TFS provides for dealing with network congestion/IP-TFS addresses network congestion > > "Additionally, IP-TFS provides for operating fairly within congested networks" > >> s1: You mention full TFC. Is it partial TFC if you use a non-constant send-rate? if so that might be good to qualify in the 3rd paragraph with something like: > >> OLD: >> >> A non- >> constant send-rate is allowed, but the confidentiality properties of >> its use are outside the scope of this document. >> >> NEW: >> >> A non- >> constant send-rate is allowed to support partial TFC, but the >> confidentiality properties of its use are outside the scope of >> this document. > > There are other ideas being studied to achieve full TFC w/o use of constant send-rate (e.g., using some sort of randomizing), I'm fairly sure that this just reduces to a lower logical fixed send rate that utilizes burstiness. In any case since I am aware of there being research being done in this area I think leaving the text as is makes sense (i.e., I don't want to claim anything not fixed-rate must be partial TFC). > >> >> s1.1, para 1: Use updated terminology para from 8174 ("BCP 14” is missing): >> >> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL >> NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", >> "MAY", and "OPTIONAL" in this document are to be interpreted as >> described in BCP 14 [RFC2119] [RFC8174] when, and only when, they >> appear in all capitals, as shown here. > > Fixed. > >> >> s2, para 1: >> >> is the "(SA)" needed? ... tunnel (SA) ... >> s/it’s/its > > Fixed. > >> s2, 2nd para: I tripped over this para a couple of times. Does this get the same point across? >> >> OLD: >> >> The primary input to the tunnel algorithm is the requested bandwidth >> used by the tunnel. Two values are then required to provide for this >> bandwidth, the fixed size of the encapsulating packets, and rate at >> which to send them. >> >> NEW: >> >> The primary input to the tunnel algorithm is the requested >> bandwidth for the tunnel. Two values needed to determine >> the bandwidth are the fixed size of the encapsulating >> packets and the rate at which to send them. > > Changed to: > > The primary input to the tunnel algorithm is the requested bandwidth > to be used by the tunnel. Two values are then required to provide for > this bandwidth use, the fixed size of the encapsulating packets, and > rate at which to send them. > >> s2, 3rd para: s/or could be/or be > > Fixed > >> s2, 4th para: s/requested tunnel used bandwidth/ >> requested tunnel bandwidth > > Changed to: > > "requested bandwidth to be used" > > and "The packet send rate is the requested bandwidth to be used divided by the size of the encapsulating packet." > > >> s1, last para to make it match the rest of the sentence: s/The egress of the IP-TFS/The egress (receiving) side of the IP-TFS > > Fixed. > >> >> s2.1, 1st para: s/In order to maximize bandwidth IP-TFS/ >> In order to maximize bandwidth, IP-TFS > > Fixed > >> >> s2.1, 3rd para: Does this say the same thing: >> >> OLD: >> >> This is accomplished using a new Encapsulating Security Payload (ESP, >> [RFC4303]) type which is identified by the number AGGFRAG_PAYLOAD >> (Section 6.1). >> >> NEW: >> >> IP-TFS uses a new Encapsulating Security Payload (ESP, [RFC4303]) >> type identified by the number assigned to AGGFRAG_PAYLOAD >> (Section 6.1). > > I think I prefer the original text, if that's OK, as it is saying how it does the paragraph above vs. just making another statement (i.e., I think it ties the text together better). > >> s2.2: I had a really hard time parsing this sentence: >> >> The AGGFRAG_PAYLOAD payload content defined in this document is >> comprised of a 4 or 24 octet header followed by either a partial, a >> full or multiple partial or full data blocks. >> >> There are three options: partial, full or multiple partial, or full data? Maybe it’s just missing a comma: s/multiple partial or/multiple partial or, > > Changed to: > > The AGGFRAG_PAYLOAD payload content defined in this document is > comprised of a 4 or 24 octet header followed by either a partial > datablock, a full datablock, or multiple partial or full datablocks. > >> >> s2.2.1: Should we be specific about the IPv4 and IPv6 length’s field name: >> >> OLD: >> >> Likewise, the length of the data block is extracted from the >> encapsulated IPv4 or IPv6 packet's length field. >> >> NEW: >> >> Likewise, the length of the data block is extracted from the >> encapsulated IPv4’s Total Length or IPv6’s Payload Length fields. > > Fixed > >> >> s2.2: s/It’s/It is >> s2.2.3: s/to be able to reassemble/to reassemble >> s2.2.3: s/This possible interleaving/This interleaving >> s2.2.3: s/sender to always be able to send a/sender to always send a >> s2.2.3, 4th para: s/Finally, we note/Finally, note >> s2.2.3, 5th para: s/As the amount of reordering that may be present is hard to predict the window/As the amount of reordering that may be present is hard to predict, the window > > Fixed. > >> >> 2.2.3, 5th para: I am all about not littering I-Ds with 2119-language, but here it looks like you are burying the MUST in the parenthetical. BTW - I think the sentence stands on its own without the "i.e.” and it could safely be deleted. Would this rewording work: >> >> Gaps in the sequence numbers will not work for this document, >> therefore ESP sequence number stream MUST increase monotonically >> by 1 for each subsequent packet. > > Fixed > >> >> s2.2.3, penultimate para: s/b/c/because > > Fixed > >> s2.2.3, last para: Should the I-D state what happens if the implementation does send initial fragments of an inner packet using one SA and subsequent fragments in a different SA. I.e., motivate the SHOULD NOT. >> >> s2.2.3, last para: implementation here refers to sender right so maybe: senders SHOULD NOT > > Simplified to "senders MUST NOT"... :) > >> s2.2.3.1: Implementations here refers to senders so maybe: >> s/An implementation/Senders >> s/Implementation implementing/Senders implementing ;) > > Fixed > >> s2.2.4: s/In order to support/To support > > Fixed > >> s2.2.5, 1st para: >> s/(by design!)/(by design) ;) >> s/although an implementation/although a sender >> s/An implementation SHOULD/A sender SHOULD > > Fixed > >> s2.2.5, 2nd para: >> s/an implementation/a sender >> s/([RFC3168])/[RFC3168] > > Fixed > >> s2.2.6, 1st para: s/([RFC0791])/[RFC0791] > > Fixed, and update other single refs to not use parens. > >> s2.2.6, 2nd para: 2119 the should?: s/should be/SHOULD be. Is there a reason you would want to handle the errors differently? If not then would the following also be true (i.e., replace "should be" with "are": >> >> Any errors (e.g., ICMP errors arriving back at the tunnel ingress due >> to tunnel traffic) are handled the same as with non IP-TFS >> IPsec tunnels. > > Fixed > >> s2.2.7, 1st para: s/am implementation/a sender > > Fixed > >> >> s2.2.7, 2nd para: s/([RFC4301])/[RFC4301] > > Fixed > >> s2.3: Does this work? >> >> OLD: >> >> It is not the intention of this specification to allow >> for mixed use of an AGGFRAG_PAYLOAD enabled SA. >> >> NEW: >> >> This document does not specify mixed use of an >> AGGFRAG_PAYLOAD enabled SA. > > Fixed > >> s2.4.1, 1st para: s/In the non-congestion controlled mode IP_TFS /In the non-congestion controlled mode, IP-TFS > > Fixed > >> s2.4.1, 2nd para: >> Should the should be SHOULD? >> s/In this case packet/In this case, packet >> There is a reference to a user. Is it really a user? > > I think it's a should (non-normative), as this is guidance on the right way to deploy IPTFS, but not how to implement it. > >> s2.4.2, 2nd para: >> s/the ingress sends/the ingress side sends >> Maybe just swap this around? >> >> OLD: >> >> An example of an implementation of the [RFC5348] algorithm which >> matches the requirements of IP-TFS (i.e., designed for fixed-size >> packet and send rate varied based on congestion) is documented in >> [RFC4342]. >> >> NEW: >> >> [RFC4342] provides an example of the [RFC5348] algorithm which >> matches the requirements of IP-TFS (i.e., designed for fixed-size >> packet and send rate varied based on congestion. > > Fixed. > >> s2.4.2, 3rd para: s/In particular these/In particular, these > > Fixed > >> s2.4.2, 4th para: >> Should the must be MUST? >> s/The lack of receiving this information/Not receiving this information > > Yes, and fixed. > >> s2.4.2, 4th and 5th paras: s/it’s/its > > Fixed > >> s2.4.2, 6th para: Does this work? >> >> OLD: >> >> When an implementation is choosing a congestion control algorithm (or >> a selection of algorithms) one should remember that IP-TFS is not >> providing for reliable delivery of IP traffic, and so per packet ACKs >> are not required and are not provided. >> >> NEW: >> >> When choosing a congestion control algorithm (or >> a selection of algorithms) note that IP-TFS is not >> providing for reliable delivery of IP traffic, and so per packet ACKs >> are not required and are not provided. > > Fixed > >> s2.4.2, last para: s/It’s/It is > > Fixed > >> s3, 1st para: >> s/and also be able to approximate/and also to approximate >> s/([RFC5348])/[RFC5348] >> s/In order to obtain these values the/ >> In order to obtain these values, the >> s/Thus in order, to support/Thus, to > > Fixed > >> s/is used to convey/conveys > > This is a style one I think that I'd like to leave be, I think it better highlights that one needs to send these empty payloads in this case. > >> s3, 1st and 3rd para: s/it’s/its > > Fixed. > >> >> s3, 3rd para: Nits complained about this so I am assuming it’s MUST NOT here - s/MUST not/MUST NOT > > Fixed > >> >> s3.1, 1st para: s/egress endpoint/egress (receiving) side > > Fixed > >> s3.1, last para: s/For this reason ECN/For this reason, ECN/ > Fixed > >> s4: s/should be able to be specified/should be specified > > Fixed > >> s4.1: s/For non-congestion controlled mode the/For non-congestion controlled mode, the > > Fixed > >> s4.1: Does this work: >> >> OLD: >> >> For congestion controlled mode one can configure the >> bandwidth or have no configuration and let congestion >> control discover the maximum bandwidth available. >> >> NEW: >> >> For congestion controlled mode, the bandwidth can be >> configured or the congestion controller discovers >> the maximum bandwidth available. > > Changed to: > > "For congestion controlled mode, the bandwidth can be configured or the congestion control algorithm discovers and uses the maximum bandwidth available." > >> >> s5.1, 2nd para: s/is used to enable use of/enables the > > Fixed > >> s5.1, 3rd para: >> s/To request using the/To request use of the >> s/then response/then the response > > Fixed > >> s5.1, penultimate para: Should the should not be SHOULD NOT? > > Fixed > >> s6.1: s/8 bit/8-bit >> s6.1: s/specification/document > > Fixed > >> s6.1.1: s/"DataBlocks” data/“DataBlocks" ? > > I'm going to leave this as the ``"DataBlocks" data'' as it is referring to that area of the packet data. DataBlocks may be spread across multiple packets or there may be multiple DataBlocks in a single packet. > >> s6.1.1: s/16 bit/16-bit >> s6.1.2: s/7 bit/7-bit >> s6.1.2: s/1 bit/1-bit >> s6.1.2 x3: s/32 bit/32-bit >> s6.1.2: s/22 bit/22-bit >> s6.1.2 x2: s/21 bit/21-bit >> s6.1.3: s/4 bit/4-bit >> s6.1.3.1/s6.1.3.2/s6.1.3.3: s/4 bit/4-bit >> s6.1.3.1/s6.1.3.2: s/16 bit/16-bit >> s6.1.3.3: s/extends/Extends > > Fixed > >> s6.1.4: s/As discussed in Section 5.1 a/As discussed in Section 5.1, a > > Fixed > >> s6.1.4, D bullet (make it match C): s/Don't Fragment bit, if/Don't Fragment bit. If > > Fixed > >> s7: I may have missed this in earlier discussions but why is the registration policy Standards Action? I thought that most of the registries were trending more towards Expert Review. > > No particular reason other than it was the conservative choice. :) > >> s8, 1st para: s/Traffic Flow Confidentiality/TFC > > Fixed > >> s8: >> >> You warned in s1 about using a non-constant send-rate, but shouldn’t that be echoed here? > > As mentioned previously it's not necessarily less secure to use a non-constant send rate (research being done by others here), we are only claiming use of constant send rate is more secure. > >> Likewise maybe repeat the ECN covert channel statement. > > Repeated. > >> >> s9.2: r/[draft-iab-wire-image]/[RFC8546] > > Fixed. > >> Appendix B: YMMV here but since this is an Appendix and you’re repeating the current practice s/SHOULD/should > > Fixed. > > Thanks again for the very thorough review! > > Thanks, > Chris. > >> >> Cheers, >> spt >> >>> On Jan 24, 2021, at 20:55, Tero Kivinen <kivinen@iki.fi> wrote: >>> >>> This is the start of 3 week WGLC on the document, ending 2021-02-15. >>> Please submit your comments to the list, also send a note if you have >>> reviewed the document, so we can see how many people are interested in >>> getting this out. >>> -- >>> kivinen@iki.fi >>> >>> _______________________________________________ >>> IPsec mailing list >>> IPsec@ietf.org >>> https://www.ietf.org/mailman/listinfo/ipsec >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] WGLC for draft-ietf-ipsecme-iptfs Tero Kivinen
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Don Fedyk
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Sean Turner
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Paul Wouters
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Valery Smyslov
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Lou Berger
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Valery Smyslov
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Valery Smyslov
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Tero Kivinen
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Sean Turner
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Tero Kivinen
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Michael Richardson
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Michael Richardson
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Michael Richardson
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Michael Richardson
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Michael Richardson
- Re: [IPsec] WGLC for draft-ietf-ipsecme-iptfs Christian Hopps
- [IPsec] WGLC Summary [Re: WGLC for draft-ietf-ips… Christian Hopps