[IPsec] Comments for draft-ietf-ipsecme-labeled-ipsec-04
Valery Smyslov <smyslov.ietf@gmail.com> Wed, 20 January 2021 13:09 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D0713A1200 for <ipsec@ietfa.amsl.com>; Wed, 20 Jan 2021 05:09:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DQGS8rFwYRqL for <ipsec@ietfa.amsl.com>; Wed, 20 Jan 2021 05:09:50 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FC2D3A1201 for <ipsec@ietf.org>; Wed, 20 Jan 2021 05:09:50 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id x23so25955848lji.7 for <ipsec@ietf.org>; Wed, 20 Jan 2021 05:09:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=jFiEWWvwldOzF/DIhT+y1E+aFvxuNmDTJnUq2XGzPSM=; b=N0T9SpDsqJNTkULlwj5ibuiuV6rJuhJ9buAuF8yBwZaWpTxT+7Bmg48Wl+ZNHdZ20o KBC1QQSCMW49fPl7QDpFF2fFqz8v3O184s4TBaGD4Mf1wY44VnPFyhWP9l40HptE/aiG Vg73yuIICgsxDAmiK0C61qWu188tYZgO1/MvdmxcEYJgxWgwR+3jXCbjVDzkoEUdE3xa 9TReKtkLLFOyV6iEllAIN6+1N6HaZozCLc8DEv6n4bDuo59Rp41/rPgQDdWRUIqjJb+t QjF/wx8Tzy8EhwMH8k3A1qoJwKI/rWX2StD5eeVHsejCS7E31kt8MHYDJyKomc59klZU 1Mmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=jFiEWWvwldOzF/DIhT+y1E+aFvxuNmDTJnUq2XGzPSM=; b=bc6AcpTYH/N7+ZEUpom2+dCcPOd4chUmSadgODTTvCEuYsOgj1foChJTi02PovqbVS vwlPAAkzIUevQXA1Ydy+OtiZxpmY2sw1HhMeM3AA6+Ci16s9mvVt/RYSabQwtxtODoMh dqS81jhAokpJWf+F7XVFk4DKq+/TKGkJI0QIDzMNcNJkwV7DRuqy885TFlzcwc14+Y1J gvsDzG0N9b7hYnwENJ9UOJdI5tsurVBnpZu79mx3aUExbsXM6WgPftuc/hjsigwr7Rm7 RmCN77t4oUm7Te4yVn++Lh7Vha9kJpsCYo3sJ3GxRT8hF3LUc3meSbk5UUd2nDlGildy 227w==
X-Gm-Message-State: AOAM532IRqfNaEgEFyp+vjZs+e/Cq/j2qQO/Dp4JfZUP1hjkyA/1ILMb KlUmzTIfovaPqhGCMx9QWGdOngghAB4=
X-Google-Smtp-Source: ABdhPJwANRdKDrtBVkA0lXA5oG0wzcYWxM22XcHZRC9lbdWe94ZgLgHhS3s3e/icY5Oy6v6zDsr4yg==
X-Received: by 2002:a2e:9b1a:: with SMTP id u26mr4406717lji.187.1611148187581; Wed, 20 Jan 2021 05:09:47 -0800 (PST)
Received: from buildpc ([93.188.44.203]) by smtp.gmail.com with ESMTPSA id 70sm195069lfb.165.2021.01.20.05.09.45 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Jan 2021 05:09:45 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: IPsecME WG <ipsec@ietf.org>
Cc: Paul Wouters <paul@nohats.ca>, Sahana Prasad <sahana.prasad07@gmail.com>
Date: Wed, 20 Jan 2021 16:09:49 +0300
Message-ID: <03e801d6ef2d$88820f00$99862d00$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdbvLX9B4gzHloX0Qk2ypVqkmsDHEw==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/J1aqv0QkJZnb-ysRm_NVJrNP1_k>
Subject: [IPsec] Comments for draft-ietf-ipsecme-labeled-ipsec-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2021 13:09:55 -0000
Hi, after reading draft-ietf-ipsecme-labeled-ipsec-04 I have a couple of comments. First, it's not clear for me why zero length TS_SECLABLE is prohibited. The draft currently says A zero length Security Label MUST NOT be used. If a received TS payload contains a TS_TYPE of TS_SECLABEL with a zero length Security Label, that specific Traffic Selector MUST be ignored. I wonder what's rational behind this restriction. From my point of view zero length TS_SECLABLE can be used to express that using Security Labels is optional. I.e. initiator can include zero length TS_SECLABEL Traffic Selector along with other TS_SECLABEL Traffic Selectors to indicate that responder is free to not use security labels for the SA. Currently draft suggests the initiator to perform several attempts to establish IPsec SA with and without TS_SECLABEL Traffic Selectors in such situation, which is more complicated and less efficient. Am I missing something? Another my concern is that draft allows security labels to differ in TSi and TSr without giving any possible semantic interpretation for this. This looks weird. I think that at least some possible interpretation of such situation must be given, e.g. TS_SECLABEL in TSi is used for traffic from initiator to responder and TS_SECLABEL in TSr is used for the return traffic. In this case it is clear that they can differ in some situations. And the last (but not the least). It seems to me that Section 3 (which aims to update Section 2.9 of RFC 7296) oversimplifies the negotiation process. In particular, the sentence A responder MUST create its TS response by selecting one of each TS_TYPE present in the offered TS by the initiator. is inaccurate in my opinion, since it implies (as I read it) that responder can pick exactly one traffic selector of each TS_TYPE and can only return it unmodified. If fact, with regard to TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE, all the proposed traffic selectors are semantically combined and represent the set of traffic the initiator believes is appropriate for the SA. The responder then can select several traffic selectors from the proposed list and even modify some or all of them provided that the resulted set of traffic they represent is a subset of set of traffic proposed by the initiator. This logic is lost in the draft and since the draft intends to update RFC 7296 in this regard, readers may decide that this logic is no more actual. In this Section 3 must be rewritten to describe the changes more accurately. Regards, Valery.
- [IPsec] Comments for draft-ietf-ipsecme-labeled-i… Valery Smyslov
- Re: [IPsec] Comments for draft-ietf-ipsecme-label… Paul Wouters
- Re: [IPsec] Comments for draft-ietf-ipsecme-label… Valery Smyslov
- Re: [IPsec] Comments for draft-ietf-ipsecme-label… Paul Wouters
- Re: [IPsec] Comments for draft-ietf-ipsecme-label… Valery Smyslov