IETF Logo Mail Archive

Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

Tommy Pauly <tpauly@apple.com> Wed, 31 May 2017 18:37 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBCB5129AB3 for <ipsec@ietfa.amsl.com>; Wed, 31 May 2017 11:37:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xQdtooESGe1k for <ipsec@ietfa.amsl.com>; Wed, 31 May 2017 11:37:52 -0700 (PDT)
Received: from mail-in24.apple.com (mail-out24.apple.com [17.171.2.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 854D1129AAD for <ipsec@ietf.org>; Wed, 31 May 2017 11:37:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1496255867; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=zZXO35hIu6h16NwoXFIajJOwdsPrHlGsQrHiuKjCXYw=; b=QC6mjifHT4DFPQIvcg3GEjIxJhkrcpH5DInLuFmrrTpI02lmSWdlnXIO+TCk4hLp QGJU06sBsnuuWSeFBt7gVj2eYhtBW18jIJ7bEVa4T1/boz9AjnD13KeO0EhO0pmx thmMbeGg0gHLX2nOUCeYwaKOggcZCymmcPtTMWzXAqRerycCopgGEBsD23JnlFDk 5bhG6sDbf4x6Hd0ZA3a1k8pd/HebpJBHMklo4bD4IPot02gyT6pVM4Sc/U3IE/jd oOsokTSXNlbiNYk36PlLG7jotrG/kpMzYEv+OoKRAKpOBxxJXhlSan3CYuUVKz/e slJ2curH0tI6/iYdU4xMAw==;
Received: from relay3.apple.com (relay3.apple.com [17.128.113.83]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in24.apple.com (Apple Secure Mail Relay) with SMTP id 5A.2E.17842.A7D0F295; Wed, 31 May 2017 11:37:47 -0700 (PDT)
X-AuditID: 11ab0218-4df929a0000045b2-9a-592f0d7a21ac
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by relay3.apple.com (Apple SCV relay) with SMTP id F0.66.15148.A7D0F295; Wed, 31 May 2017 11:37:46 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_/JGGw0B+ynts9aqbjOaWsQ)"
Received: from [17.153.35.59] (unknown [17.153.35.59]) by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0OQT004OOYEW6E30@nwk-mmpp-sz11.apple.com>; Wed, 31 May 2017 11:37:46 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <34C32236-D200-421F-AF6E-F953DA79A869@apple.com>
Date: Wed, 31 May 2017 11:37:27 -0700
In-reply-to: <A078B858-687C-42E2-A1A2-8123949DC317@apple.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, IESG <iesg@ietf.org>, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-tcp-encaps@ietf.org, Tero Kivinen <kivinen@iki.fi>, IPsecME WG <ipsec@ietf.org>, Mark Nottingham <mnot@mnot.net>
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
References: <149312449263.5884.11168631631187069210.idtracker@ietfa.amsl.com> <1CD2BB99-CDA2-472A-9833-741FB14CAE4A@apple.com> <752dde8c-0592-288e-6920-53a211834740@kuehlewind.net> <CABcZeBMj9UpzD+CpvOMKOkUsYNSL-UQCwuYt__5XCXtH=zyesA@mail.gmail.com> <22fac532-f30b-03e3-0757-aed213e5a346@kuehlewind.net> <22785.64570.259658.376130@fireball.acr.fi> <277aa94d-5aa1-7a28-94c7-81da0966c172@kuehlewind.net> <41594727-9667-42BD-ABB1-4583A3B00EA2@apple.com> <CAKKJt-fb1vx=SzpJ_9gvtJ+SEH08nyBRGqb7F36PGw0EyJ6zmA@mail.gmail.com> <853700CB-D5DD-4BC7-A1F5-5AB61330E70D@apple.com> <22792.20148.255067.132946@fireball.acr.fi> <82B5E72F-C518-420B-B941-E4CE4DD1BF87@kuehlewind.net> <22792.31378.769444.232365@fireball.acr.fi> <78A72CF3-E011-4E8D-9F66-63C7918A8236@kuehlewind.net> <22793.40707.624092.66793@fireball.acr.fi> <c0fad3b5-54b1-a347-0ea1-bec24dab0e36@kuehlewind.net> <CAKKJt-ceDuYKWGBFb6RKc8K_AcB55doOXMf11Ke807f6kc+UFA@mail.gmail.com> <CABcZeBPz0BN5643j9QHQx-5LfxXLbTGj2XmUrOfkU7PsHpcZcg@mail.gmail.com> <F1859DB7-AB24-49DA-A5B1-AAE74201368A@kuehlewind.net> <A078B858-687C-42E2-A1A2-8123949DC317@apple.com>
X-Mailer: Apple Mail (2.3430.2)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuplkeLIzCtJLcpLzFFi42IRbCgM1q3m1Y802PpU0uL9nzOMFiten2O3 mPFnIrPFi+sfmS32b3nBZjFzzgcWi6Pnn7NZrP/0mNFi2ZQ9zA6cHjtn3WX3WLLkJ5PH4a8L WTxaPi5k9di4+Durx+THbcwBbFFcNimpOZllqUX6dglcGWt+72cqeBtX0dvxirGB8Zx/FyMn h4SAicSsSW0sXYxcHEICa5gk/myayQqTuLpwJTtE4hCjxKHp8xhBErwCghI/Jt9jAbGZBcIk Lt15zQpR1M8kcfTIaeYuRg4OYQEJic17EkFq2ARUJI5/28AM0WsjsezjGnYQW1ggVeL1/V1s IDaLgKrExN+dYDM5BWwldsx7wAwyk1lgKpPEm0lLmEASIgLGEocnf4da9oVD4vTfRiaIU+Ul tj29zgaSkBCYzi6x9vFL5gmMQrOQXDsLybWzgA5kFlCXmDIlFyKsLfHk3QVWCFtNYuHvRUzI 4gsY2VYxCucmZuboZuYZmeglFhTkpOol5+duYgTF32omiR2MX14bHmIU4GBU4uEVuKgXKcSa WFZcmXuIUZqDRUmc9/o93UghgfTEktTs1NSC1KL4otKc1OJDjEwcnFINjPm7N0Wo+Wa8WPXZ KiYwe4f7+3TN44tjnkbrLYrtCVj5ZcZjrfNiWZk3dK9O+1ngkv3pyockTtu/7+Jt/n5MtU1h tMh6/8ViveaP3N9CS45aOTu6egR/4M4WWXttcfC06QrZz3e9/fBhUrP5gv/ZUmfXHmuf/0Lj ga+PnG4P07Ps7UemHvv1564SS3FGoqEWc1FxIgAghctOoAIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrGIsWRmVeSWpSXmKPExsUi2FA8W7eKVz/S4P5WSYv3f84wWqx4fY7d YsaficwWL65/ZLbYv+UFm8XMOR9YLI6ef85msf7TY0aLZVP2MDtweuycdZfdY8mSn0weh78u ZPFo+biQ1WPj4u+sHpMftzEHsEVx2aSk5mSWpRbp2yVwZaz5vZ+p4G1cRW/HK8YGxnP+XYyc HBICJhJXF65k72Lk4hASOMQocWj6PEaQBK+AoMSPyfdYQGxmgTCJS3des0IU9TNJHD1ymrmL kYNDWEBCYvOeRJAaNgEViePfNjBD9NpILPu4hh3EFhZIlXh9fxcbiM0ioCox8Xcn2ExOAVuJ HfMeMIPMZBaYyiTxZtISJpCEiICxxOHJ36GWfeGQOP23kQniVHmJbU+vs01g5J+F5MBZSA6c BXQTs4C6xJQpuRBhbYkn7y6wQthqEgt/L2JCFl/AyLaKUaAoNSex0lgvsaAgJ1UvOT93EyM4 WgqDdzD+WWZ1iFGAg1GJh1fgol6kEGtiWXFlLjCUOJiVRHi7mPUjhXhTEiurUovy44tKc1KL DzFOZAR6cyKzlGhyPjCW80riDU1MDEyMjc2Mjc1NzGkprCTOy8oJdJFAemJJanZqakFqEcxR TBycUg2M7DsT9nr2xrzh8290jLzZcfB15C/G9Wcdb8+/1n7n/nO7qwaCm9x5D5T9K2ELuJi8 7PmUEh+bL6U2Am9tlu67qDQhaEFxwBmezexfclsStx4PPb7hb/1zBtEatynFRpdX/PubHTlX a+HKrLlRBnNL9i+Uin76dNK5m5FHFiufvDZlQ7N/pluEixJLcUaioRZzUXEiAEgPd2QJAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/EZuy8u-l1quWiZc8oo8PeBqVl2A>
Subject: Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 May 2017 18:37:54 -0000

Hello,

I've posted a new version of the draft that incorporates the changes discussed in this thread. Please review!

https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-tcp-encaps-10 <https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-tcp-encaps-10>

Thanks,
Tommy


> On May 12, 2017, at 3:25 PM, Tommy Pauly <tpauly@apple.com> wrote:
> 
> 
> 
>> On May 8, 2017, at 5:49 AM, Mirja Kuehlewind (IETF) <ietf@kuehlewind.net> wrote:
>> 
>> Does the proposed text changes from Tommy still refer to 443 anywhere (lost track a bit but I guess the appendix still does right)?
>> 
>> Again I think we should talk about using 443 if that’s what’s done in reality. However my understanding is that real-life implementation use TCP/TLS which I think could be discussed in the body rather than the appendix.
> 
> The current state will not refer to 443 in the body, but specify TCP 4500, with the option to have both peers mutually agree on another port to use if necessary. The working group had felt that bringing TLS over 443 directly into the body would be inappropriate for the standard. We mention in the discussion of previous solutions that there are "SSL VPNs", which covers the current reality of how the problem is solved.
> 
>> 
>> And I would like to see a recommendation that HTTPS and TCPIKE should not be multiplexed the same time on the same port. My understanding from Tero’s feedback was that this is usually not done today and probably not necessary in future.
> 
> Yes, I think it makes sense to add to the text around the configuration that it is recommended to not run any other service on the same port as TCP Encapsulated IPsec.
> 
> Thanks,
> Tommy
> 
>> 
>> Mirja
>> 
>> 
>>> Am 05.05.2017 um 23:13 schrieb Eric Rescorla <ekr@rtfm.com>:
>>> 
>>> It seems like most of the issues are resolved here, except for that of muxing
>>> IKE and non-IKE protocols on the same port (especially 443). My understanding
>>> is that (although we may not like it) it's nevertheless a common practice, and
>>> yet we can't levy the requirement that no other protocol start with IKETCP<whatever>,
>>> so it seems like what we need is a warning note and potentially a request to reserve
>>> this string for some set of common protocols (HTTP,...?).
>>> 
>>> Mirja, would that work for you?
>>> 
>>> -Ekr
>>> 
>>> 
>>> On Wed, May 3, 2017 at 6:11 AM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> wrote:
>>> 
>>> 
>>> On May 3, 2017 05:54, "Mirja Kühlewind" <ietf@kuehlewind.net> wrote:
>>> I didn't propose to obsolete RFC3947 in this document. I guess you can also file an error for this if you don't want to take any further actions. However, for updating the IANA registry, I would say the right action is to do this simply by IESG approval for UDP then.
>>> 
>>> Fwiw, that would work for me.
>>> 
>>> Spencer
>>> 
>>> 
>>> 
>>> Mirja
>>> 
>>> 
>>> 
>>> On 03.05.2017 11:12, Tero Kivinen wrote:
>>> Mirja Kuehlewind (IETF) writes:
>>> my thinking was that the main problem is that 3947 was not obsoleted
>>> and I’m assuming we need a document to fix that.
>>> 
>>> This is partly issue, but it is not issue we need to solve here, as
>>> this document is not something that should obsolete 3947.
>>> 
>>> Also 3947 only defines extension for the IKEv1 (RFC2409) and that is
>>> already obsoleted, so effectively RFC3947 is already obsoleted, as
>>> there is no way to implement 3947 without implementing obsoleted
>>> protocol...
>>> 
>>> This issue is not not important enough to require RFC now.
>>> 
>>> In this case that document could/should also fix the IANA entry for
>>> the UDP port. However, I’m actually not sure what the right
>>> processing would be to fix this forgotten obsolete… maybe other ADs
>>> know better…?
>>> 
>>> For now I would just leave it as it is, but fix the references in the
>>> IANA registry so that document will not be referenced, especially as
>>> the original IANA reference was not to the correct RFC in the first
>>> place.
>>> 
>>> Otherwise if you don’t want to do this, I don’t think it’s a good
>>> idea to merge kind of unrelated fixes into this spec. We can also
>>> fix that by using the IESG approval process (see RFC5226). I think
>>> that’s the better option!
>>> 
>>> That is true, but as this document already modifies the TCP/4500
>>> reference, fixing the UDP/4500 reference at the same time is not
>>> completely unrelated fix.
>>> 
>>> Obsoleting RFC3947 would be unrelated fix.
>>> 
>>> 
>>> 
>> 
>

v2.23.0 | Report a Bug | By Email