[IPsec] Re: Comments on draft-pwouters-ipsecme-delete-info

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 31 July 2024 06:16 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BE9FC151091 for <ipsec@ietfa.amsl.com>; Tue, 30 Jul 2024 23:16:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zY0_S875xu51 for <ipsec@ietfa.amsl.com>; Tue, 30 Jul 2024 23:16:43 -0700 (PDT)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94D6AC14F6B7 for <ipsec@ietf.org>; Tue, 30 Jul 2024 23:16:43 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id 2adb3069b0e04-52efd08e6d9so8102042e87.1 for <ipsec@ietf.org>; Tue, 30 Jul 2024 23:16:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722406601; x=1723011401; darn=ietf.org; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=HIvwxmg628hVIoHYEOVOgquASADDNhyC+4mtQzkTSYU=; b=i4lZnm4mJtvd3SqPJeD6/gFZIF2UfYNY2p4pJty+vg+Ht9hFMHDrGNebjvXBU/Z/6f OcDXDwFvjR8Hl2ejZVqSzVKR0X6HAxRuwD0qsMEDVqTZWx2trXjh60g2JuDAwlg3cNAq aBg1hgzJN1DEVnTvSk5vdswqYXBHKbkOJ7I3wgxemMPZQqqMKShir/0i5ewLcRGJTiXg TMkN7x40bgkoyJymlUB3svK+S7+UB4Ta/uUWwEPfD7X+vJdJfO8MuzWQvn45cZILYuJK Kk+oDMl3wihv6dC+CPbBLZxp/X6x1I6iKJL6JUyCU2Lh0d1uOljn8kNnKgF6M5PofZSa uWiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722406601; x=1723011401; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=HIvwxmg628hVIoHYEOVOgquASADDNhyC+4mtQzkTSYU=; b=CeBawbq0foA0QFuCMblV4YLAbvN56YQkWkutJieLxYXo0IRU8BpUnI1in3XvH3IWDY dhflHVVcF/x0nyUuGqw7W3gQlkVqlKa5REZavOaE9gqc+xrFAHP3heAKVPlg+wyhvGNT mN9NUuRa1upy7AMEXCvoEflKFfySSz1p/ngLeyvkk8ilq4AaDtN075lfy60orbkVbnvv e+vqbl1iJP7TcgGUgZmSFi8cWkEktzc4avdomQpc5JH3n0AkBCv5wEWZ4Fvu4g18BASB ha7280MUSW5mOSGHecCWo1QoWLuPBgtVIimqrgQFbEp4MrRKxHCwMIXupkqkSvHzG1Hl Qu0A==
X-Gm-Message-State: AOJu0Yzo8fN9i+k3CmaGFcsRvS+VW+hm3OWB8UkT5862wDZV0shRvY7m FBNXQEwCBkYFyFYLERMECSsJ9spYLFTuQ2WmyMlBp3xYcOuCmn8i
X-Google-Smtp-Source: AGHT+IGWsAm0Tlnjzfzz0IkbVEcHy43CXSVLqzIhz3Agsu02bjysBJ4saOLMe9zs9gHnYPAnAI+6Fw==
X-Received: by 2002:a05:6512:3da2:b0:52c:df3d:4e9d with SMTP id 2adb3069b0e04-5309b2b6e7amr10729485e87.37.1722406600668; Tue, 30 Jul 2024 23:16:40 -0700 (PDT)
Received: from BuildPC ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-52fd5bd12fbsm2126951e87.109.2024.07.30.23.16.39 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Jul 2024 23:16:40 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Christian Hopps' <chopps@chopps.org>
References: <020701dae1b9$b6741070$235c3150$@gmail.com> <m21q3cb5og.fsf@ja.int.chopps.org> <02a301dae287$ea759e10$bf60da30$@gmail.com> <m2ttg6adfh.fsf@ja.int.chopps.org>
In-Reply-To: <m2ttg6adfh.fsf@ja.int.chopps.org>
Date: Wed, 31 Jul 2024 09:16:39 +0300
Message-ID: <02f701dae311$34de1610$9e9a4230$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKTXxMcsL+OEoqUquj1O3JZgb5E3gHpVGO2AcJDj20CXFFkE7BvIbiw
Content-Language: ru
Message-ID-Hash: KQXKKIZOTMNA6PHT7OTIWE6XHGB24MAT
X-Message-ID-Hash: KQXKKIZOTMNA6PHT7OTIWE6XHGB24MAT
X-MailFrom: smyslov.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipsec.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ipsec@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [IPsec] Re: Comments on draft-pwouters-ipsecme-delete-info
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LyF3gkPTqFkI14yYePbibxaa1k4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Owner: <mailto:ipsec-owner@ietf.org>
List-Post: <mailto:ipsec@ietf.org>
List-Subscribe: <mailto:ipsec-join@ietf.org>
List-Unsubscribe: <mailto:ipsec-leave@ietf.org>

> >> humans are capable of reading text in a language w/o needing a tag to
> > identify it.
> >
> > I emphatically disagree. If I send you the following reason message,
> > will it help you?
> >
> > Сервер отключен для пусконаладочных работ на три часа
> 
> This example doesn't make sense to me, it seems contrived to make some point
> but it's not realistic.
> 
> People aren't contacting random IPsec servers that are mis-configured for their
> users. If the user wouldn't understand the above language then the operator
> wouldn't configure it.

There are a lot of VPN services in the wild that provide access
to the Internet worldwide from where it is restricted. Some of them use IKEv2/IPsec
and they don't care about the languages their users understand. For the users
it is a just a "random IPsec server".

Regards,
Valery.

> Thanks,
> Chris.
> 
> >
> > You will probably use Google translate and it will ask you what
> > language it is in?
> > Sometimes it can correctly guess the language (and the text above is
> > an easy example), but often not.
> > I also want to point out that some languages (e.g. Finnish) are very
> > difficult for machine translation.
> >
> > FWIW, using language tags is not my whim. If we leave human-readable
> > text in the protocol, then we MUST support multiple languages and MUST
> > be able to transfer language information to be compliant with BCP18
> > (RFC 2277, Section 4.2, Section 4.4).
> > I don't want to deal with all this issues, so I'd rather to not
> > include fields with human-readable text in IKEv2.
> >
> > Regards,
> > Valery.
> >
> >> I do think the encoding might need to be specified, since that is
> > something the
> >> computer may need to understand.
> >>
> >> Thanks,
> >> Chris.
> >>
> >>
> >>
> >> >
> >> >     In general, I think it is a bad idea to transmit text strings
> >> > to be read by users in a low level
> >> >     protocol which IKEv2 is. This is an UI issue, and it is the UI
> >> > that should properly display to the user in a user
> >> >     chosen language what is happening.
> >> >
> >> > 2. The list of reasons looks to me both incomplete and excessive at
> >> > the same time.
> >> >     For example, CONFIGURATION_CHILD_REMOVED and
> >> CONFIGURATION_IKE_REMOVED
> >> >     are not needed, since you either delete IKE SA or Child SA in a
> >> > single exchange, so it is
> >> >     always clear what configuration is removed and only one such
> >> > reason would suffice.
> >> >     SIMULTANEOUS_REKEY adds no new information,
> >> >     since you always understand this reason from local logs. On the
> >> > other hand,
> >> >     it is not specified what to indicate in the reason when ESP SA
> >> > is being deleted
> >> >     in response to deleting the tied ESP SA for the other direction.
> >> >
> >> >    In general, I think that indicating the reason the SA is deleted
> >> > doesn't help much the user much.
> >> >    In many cases it can be inferred from local logs. And if it
> >> > cannot, then you probably
> >> >    will to contact the other end in any case to get more detailed
> >> > information on the reason,
> >> >    in which case sending the reason on the wire has little value.
> >> >
> >> > 3. Perhaps the most useful field is Downtime. But thinking more
> >> > about
> > this,
> >> >    I believe that since this value is only a hint, you will
> >> > probably not trust it.
> >> >    For example, if you have to communicate to the peer ASAP and it
> > deletes
> >> >    SA indicating that downtime is 1 hour, you will not wait for all
> >> > this time,
> >> >    you will try to establish new SA every minute (it costs you
> >> > nothing,
> > but
> >> >    you have a chance to get it up earlier).
> >> >
> >> > Regards,
> >> > Valery.
> >> >
> >> > _______________________________________________
> >> > IPsec mailing list -- ipsec@ietf.org To unsubscribe send an email
> >> > to ipsec-leave@ietf.org