Re: [IPsec] Martin Vigoureux's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)
Valery Smyslov <svan@elvis.ru> Thu, 09 January 2020 08:04 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03CE812002E; Thu, 9 Jan 2020 00:04:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4vyK-DXQzOAm; Thu, 9 Jan 2020 00:04:29 -0800 (PST)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B1EB120013; Thu, 9 Jan 2020 00:04:29 -0800 (PST)
Received: from kmail2.elvis.ru ([93.188.44.210]) by akmail.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1ipSnq-0000R2-Gw; Thu, 09 Jan 2020 11:04:26 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail2.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1ipSnq-0000XB-4u; Thu, 09 Jan 2020 11:04:26 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 9 Jan 2020 11:04:25 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Thu, 9 Jan 2020 11:04:25 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Martin Vigoureux' <martin.vigoureux@nokia.com>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-qr-ikev2@ietf.org, 'David Waltermire' <david.waltermire@nist.gov>, ipsecme-chairs@ietf.org, ipsec@ietf.org
References: <157852009927.22485.15123997628919595988.idtracker@ietfa.amsl.com>
In-Reply-To: <157852009927.22485.15123997628919595988.idtracker@ietfa.amsl.com>
Date: Thu, 09 Jan 2020 11:04:30 +0300
Message-ID: <08de01d5c6c3$6ba47500$42ed5f00$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLead1yXvl74INi5I0QBk6sINiU7qXQpXdw
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-Spam-Scanner: Rspamd work in kmail2.elvis.ru, WHITELIST
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2020/01/09 06:53:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2020/01/09 05:07:00 #14996825
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Scanner: Rspamd work in akmail.elvis.ru, WHITELIST
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Gpnb59M5y5gI8WEkJGSrFLeJAyI>
Subject: Re: [IPsec] Martin Vigoureux's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2020 08:04:32 -0000
Hi Martin, > Martin Vigoureux has entered the following ballot position for > draft-ietf-ipsecme-qr-ikev2-10: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Hi, > > It seems to me there are places where 2119/8174 keywords would make sense. > Few examples, with suggestions: > If the initiator is configured to use a post-quantum preshared key > with the responder (whether or not the use of the PPK is mandatory), > then it will include a notification USE_PPK in the IKE_SA_INIT > request message as follows: > >>MUST include Isn't it just a protocol description and not a requirement? Anyway, I have no problem with using RFC2119 language here, but a few years ago I was told by one of ADs that I improperly used RFC2119 language when I wrote a very similar sentence: "if initiator is configured with foo it MAY include a bar notification in its request"; I was told then that plain English must be used in this case :-) > If the initiator needs to resend this initial message with a cookie > (because the responder response included a COOKIE notification), then > the resend would include the USE_PPK notification if the original > message did. > >>MUST (or SHOULD?) include I don't think it is needed here. Section 2.6 of RFC7296 has already a requirement, that ...the initiator MUST then retry the IKE_SA_INIT request, and include the COOKIE notification containing the received data as the first payload, and all other payloads unchanged. So we don't impose new requirement, we just remind readers that USE_PPK will also be included in the resend message. > by the way, if it is a resend of the message described in the paragraph above, > then "if the original message did" seems superfluous. It is a resend, but the resending message is a bit different from the original, since it includes the cookie received from the responder. See section 2.6 of RFC7296 for details. > Otherwise the responder replies with the IKE_SA_INIT message including a > USE_PPK notification in the response: > >>MUST reply > > initiator and the responder. The responder can use the PPK_ID to > look up the corresponding PPK value. Not all implementations are > able to configure arbitrary octet strings; to improve the > potential interoperability, it is recommended that, in the > PPK_ID_FIXED case, both the PPK and the PPK_ID strings be limited > to the base64 character set, namely the 64 characters 0-9, A-Z, > a-z, + and /. > >>RECOMMENDED The "recommended" here is intentionally made non-normative, otherwise the requirement is too strong (there are a number of use cases, where the requirement for PPK to be base64 limited makes a little sense, like hardware tokens etc.). So it's just a general recommendation. > values 3-127 are reserved for IANA; > Maybe it's just because I'm not used to that wording, but why "reserved for > IANA" ? The table seems to qualify them as unassigned. Is there a difference? I've been thinking that "reserved for IANA" means that these values are currently unassigned, but IANA will use them for future assignments... Thank you, Valery.
- [IPsec] Martin Vigoureux's No Objection on draft-… Martin Vigoureux via Datatracker
- Re: [IPsec] Martin Vigoureux's No Objection on dr… Valery Smyslov
- Re: [IPsec] Martin Vigoureux's No Objection on dr… Martin Vigoureux