IETF Logo Mail Archive

Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 23 December 2022 16:49 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFEBBC1516E9 for <ipsec@ietfa.amsl.com>; Fri, 23 Dec 2022 08:49:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jwc4u02Xk-ka for <ipsec@ietfa.amsl.com>; Fri, 23 Dec 2022 08:49:13 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8CE1C14F749 for <ipsec@ietf.org>; Fri, 23 Dec 2022 08:49:13 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id EA0163898E; Fri, 23 Dec 2022 12:16:43 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Q5zAHN0uhqUj; Fri, 23 Dec 2022 12:16:43 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 5647B3898D; Fri, 23 Dec 2022 12:16:43 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1671815803; bh=1lN4jKsUF37SIB5z0UL3zJRf7GsiKwvIR08Rb3MUi44=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=Iiot3dYbv5Q0d0z97bUWbxuvaivPPPtEyQ9wGk/ExepFyxuzkkX1CepC1UyLykU3R KuJiEedNU2tFTEL719+3aGW+2CEzrj19Bo0qBMwRaXwRN3KIhjYjvuszebYkyFEoLB rms6tUjBFPQPmCyFrwym2zx3np8QxqLLvvc585PxJLN92+5t7xGQrwizboibkCEgDM 62ZAs0yEHIOlh2uZlF3WDolaLwylM3Gy6hXWaq1Z/YkyYuGPV/L7gpENZjqyILwLoz Nb3yl9ytFEV+D3uDChnKPIKbPdPes7PRqH7btLvUEMCsXb2y692T4WKT7n3qJRi9HH OLANgCuOBwZ2Q==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 0CCF88B8; Fri, 23 Dec 2022 11:49:11 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: ipsec@ietf.org, bew.stds@gmail.com
In-Reply-To: <268e01d916a2$1ad7bec0$50873c40$@gmail.com>
References: <11505.1671563270@localhost> <257b01d9151c$a16579f0$e4306dd0$@gmail.com> <9470.1671641738@localhost> <261c01d915e3$50ef2670$f2cd7350$@gmail.com> <14222.1671724652@localhost> <268e01d916a2$1ad7bec0$50873c40$@gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 23 Dec 2022 11:49:11 -0500
Message-ID: <27837.1671814151@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/HWyNHUl_fwLibAL_YN1BguOgQu0>
Subject: Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Dec 2022 16:49:18 -0000

Valery Smyslov <smyslov.ietf@gmail.com> wrote:
    >> > Thus, what do you want to see in the third column?  "Defined in RFC
    >> > 7296"/"Defined in this document"?
    >>
    >> You could say, "STD79", and "Section X" if you like.

    > I prefer "RFC7296", as it's better known than "STD79" :-)

Yet, it's incorrect.
It fails to include the updates, and it goes stale.
It also wastes all the effort we put into bringing it to Internet Standard.

    > The similarity between IKE_AUTH and GSA_AUTH is that both complete
    > authenticating peers and creating IKE SA. The difference is that
    > IKE_AUTH in addition creates unicast Child SA, so the set of payloads

It does?

    >> > Note, that RFC 7296 includes a concept of one-way IKEv2 messages
    >> (for > error notification in case no IKE SA exists).
    >>
    >> Fair enough, but those are inside the IKEv2 PARENT_SA, while GSA_REKEY
    >> is not.

    > GSA_REKEY is "inside" a multicast rekey SA (which is different from
    > initial GM<->GCKS IKE SA).

I think that this new SA needs to be introduced.
I think that there need to be some diagrams.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email