Re: [IPsec] Mahesh Jethanandani's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)

"Gunter van de Velde (Nokia)" <gunter.van_de_velde@nokia.com> Thu, 11 April 2024 08:38 UTC

From: "Gunter van de Velde (Nokia)" <gunter.van_de_velde@nokia.com>
To: Valery Smyslov <svan@elvis.ru>, "gunter@vandevelde.cc" <gunter@vandevelde.cc>, 'The IESG' <iesg@ietf.org>
CC: "draft-ietf-ipsecme-ikev2-auth-announce@ietf.org" <draft-ietf-ipsecme-ikev2-auth-announce@ietf.org>, "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "kivinen@iki.fi" <kivinen@iki.fi>
Date: Thu, 11 Apr 2024 08:38:46 +0000
Message-ID: <AS1PR07MB85896FF2698393BD43F16918E0052@AS1PR07MB8589.eurprd07.prod.outlook.com>
References: <171279487047.60184.16698739447210749606@ietfa.amsl.com> <034d01da8be5$c3bd0f90$4b372eb0$@elvis.ru> <035301da8bea$8cb19f70$a614de50$@elvis.ru>
In-Reply-To: <035301da8bea$8cb19f70$a614de50$@elvis.ru>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LYpQOvpMo70INdtDv_JL64jy7wo>

Thank you Valery for your kind consideration of the review comments.

You were correct that indeed I did not hit the 'send update' radio button because my comments were
non-blocking and I intended to reduce generic email noise. Unfortunately I did not realize that not
sending the email voids the easy opportunity for draft authors to reply to the comments. My apologies for the inconvenience.

G/

-----Original Message-----
From: iesg <iesg-bounces@ietf.org> On Behalf Of Valery Smyslov
Sent: Thursday, April 11, 2024 10:31 AM
To: gunter@vandevelde.cc; 'The IESG' <iesg@ietf.org>
Cc: draft-ietf-ipsecme-ikev2-auth-announce@ietf.org; ipsecme-chairs@ietf.org; ipsec@ietf.org; kivinen@iki.fi
Subject: RE: Mahesh Jethanandani's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)

Hi,

For some reason I didn't receive a message with comments from Gunter, but I noticed his comments on the ballot page (it seems that the e-mail wasn't requested to be sent, as indicated in the datatracker).

I'm not sure if the message will be sent later and I want to respond to these comments, so I take the opportunity to reply to Mahesh's e-mail once again and comment on Gunter's comments :-)

First, thanks for these comments, I copy-pasted them from the datatracker. Please, see inline.

> Document reviewed: draft-ietf-ipsecme-ikev2-auth-announce-09.txt
>
> Many thanks for this write-up. I see no issues from my side to progress this document.
> During my review cycle I noted some observations that you may consider
> if you find them beneficial.
>
> typos:
> s/overriden/overridden/

Fixed, thanks.

> [idnits] entries when running idnits captured by shepherd review
>
> Review comments:
> 14       supported authentication methods to their peers while establishing
> 15       IKEv2 Security Association (SA).  This mechanism improves
>
> This draft is written for IKEv2, however would the proposed technology potentially be used by newer IKE flavors?
> (As a networking generalist I am unclear about the dynamics of IKE
> evolution.) If IKEv2 is 'always' implicitly implied, then does it
> add value to mention IKEv2 here again? (I am OK with it either way,
> only questioning the extra characters in the abstract.)

I agree that using both 'IKE' and 'IKEv2' adds some confusion for readers, but this is a long habit in IPsec.
To the point - this draft is written for IKEv2 (we don't know what IKEv3 would look like), so it is always implicitly implied. Sometimes it is also stated explicitly.

> 84       selecting authentication credentials.  The problem may arise when
> 85       there are several credentials of different types configured on one
> 86       peer, while only some of them are supported on the other peer.
>
> Not sure that saying "The problem" is accurate. There is added
> complexity or credential inconsistency, but by itself that is not a problem.
>
> What about this rewrite suggestion to nail this down:
>
> "SA establishment failure between peers may arise when there are 
> several credentials of different types configured on one peer, while only some of them are supported on the other peer."

I used this text, thank you.

> 116      When establishing IKE SA each party may send a list of authentication
> 117      methods it supports and is configured to use to its peer.  For this
>
> Here IKE is mentioned and not IKEv2. Was this intentional? Is there a benefit in being consistent in terminology wrt IKE vs IKEv2?

As I said, there is a habit to mix 'IKE' and 'IKEv2' in IPsec world.

> 121      the party sending it.  The sending party may additionally specify
> 122      that some of the authentication methods are only for use with the
> 123      particular trust anchors.  Upon receiving this information the peer
>
> What does 'the' in the phrase above, "**the** particular trust anchors", refer to?
> (I am not so familiar with IKE, so I am trying to understand how SUPPORTED_AUTH_METHODS is correlated, and trust anchors were not mentioned before.
> I do assume it is well-known terminology, though.)

The list of trust anchors is sent in the CERTREQ payload.
This extension allows linking each of the announced digital signature auth methods with the particular trust anchor (meaning that *this* algorithm should be used with *this* CA).

> 132      message.  This notification contains a list of authentication methods
> 133      supported by the responder, ordered by their preference.
>
> How does this correlate to the trust anchor mentioned in the above comment?

The order of preference is not correlated with the trust anchors.
The correlation is described above.

> 287      announcements for these methods.  Implementations MUST ignore
> 288      announcements which semantics they don't understand.
>
> s/which/with/

Changed to s/which/whose as Mahesh proposed.

> 390   4.  Interaction with IKE Extensions concerning Authentication
>
> Is there a reason why IKE is mentioned instead of IKEv2?

Changed to 'IKEv2'.

Regards,
Valery.
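As an added illustration, not code from the draft or from its authors, here is a small Python model of what Valery describes above: announcements are listed in the sender's preference order, a digital-signature announcement may be tied to one trust anchor from the CERTREQ list, and announcements whose semantics are unknown are ignored. The link-by-list-position, the method names and the first-match selection rule are assumptions of this model, not the draft's wire format.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed CERTREQ list: trust anchors the responder accepts. Announcements
# refer to them by list position (an assumption of this model, not the draft).
CERTREQ_CAS = ["CN=Corp Root CA", "CN=Partner Root CA"]
KNOWN_METHODS = {"DIGITAL_SIGNATURE", "SHARED_KEY"}  # methods this peer understands

@dataclass(frozen=True)
class Announcement:
    method: str
    trust_anchor: Optional[int] = None  # hypothetical link into CERTREQ_CAS

@dataclass(frozen=True)
class Credential:
    method: str
    issuer: Optional[str] = None  # issuing CA of a certificate credential

def parse_announcements(raw):
    # Keep the sender's preference order; drop announcements whose method is
    # unknown, since the draft requires those to be ignored.
    return [a for a in raw if a.method in KNOWN_METHODS]

def usable(ann, cred, cas):
    # Method must match; if the announcement is tied to a trust anchor, the
    # credential must have been issued by that CA.
    if ann.method != cred.method:
        return False
    if ann.trust_anchor is None:
        return True
    return 0 <= ann.trust_anchor < len(cas) and cas[ann.trust_anchor] == cred.issuer

def select_credential(announced, creds, cas=CERTREQ_CAS):
    # Assumed policy: first announcement (in the peer's preference order) that
    # some local credential satisfies. Returns (announcement, credential) or None.
    for ann in parse_announcements(announced):
        for cred in creds:
            if usable(ann, cred, cas):
                return ann, cred
    return None

# Constructed sample: responder prefers signatures under the Partner CA, then
# under the Corp CA, then a shared key; the first entry is an unknown method.
SAMPLE_ANNOUNCED = [
    Announcement("FUTURE_METHOD"),
    Announcement("DIGITAL_SIGNATURE", trust_anchor=1),
    Announcement("DIGITAL_SIGNATURE", trust_anchor=0),
    Announcement("SHARED_KEY"),
]
SAMPLE_CREDS = [Credential("DIGITAL_SIGNATURE", issuer="CN=Corp Root CA"), Credential("SHARED_KEY")]
```

With the sample data the initiator skips the unknown method and the Partner-CA announcement (it has no such certificate) and settles on a Corp-CA signature, which the responder prefers over a shared key.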