Re: [IPsec] [saag] IETF 114 IPsecME report

Paul Wouters <paul@nohats.ca> Tue, 31 January 2023 16:22 UTC

Date: Tue, 31 Jan 2023 11:22:37 -0500
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: 'Tero Kivinen' <kivinen@iki.fi>, 'Paul Wouters' <paul.wouters@aiven.io>, ipsec@ietf.org, 'Yoav Nir' <ynir.ietf@gmail.com>, 'Roman Danyliw' <rdd@cert.org>
In-Reply-To: <016f01d9357c$a86ec9b0$f94c5d10$@gmail.com>
Message-ID: <1fdb5082-fd42-08b6-64ce-c3c0d51b96e2@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/G3sEVsInjQPZaIzU8VqAi93q9LE>

On Tue, 31 Jan 2023, Valery Smyslov wrote:

>> The WG thought this would be a worse solution.
>
> This could be solved by adding only two new TS types,
> TS_IPV4_ADDR_RANGE_WITH_CONSTRAINTS and TS_IPV6_ADDR_RANGE_WITH_CONSTRAINTS,
> with a format that allows adding new constraints to the Traffic Selector.

Cute, but we have received an early code point in Jan 2021. This has been
implemented and deployed in libreswan v4.2 released February 2021. So
I don't think we can or want to change this anymore.

We went through 3 redesigns before we ended up on this one. I'm fine
with clarifying text, but we can't redesign it again this late in the
publication process.

Paul