IETF Logo Mail Archive

Re: [IPsec] a new IKEv2 labeled security draft is published

Jarrett Lu <jarrett.lu@oracle.com> Mon, 02 August 2010 16:08 UTC

Return-Path: <jarrett.lu@oracle.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 15C713A697B for <ipsec@core3.amsl.com>; Mon, 2 Aug 2010 09:08:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8nv4-s7a-rpv for <ipsec@core3.amsl.com>; Mon, 2 Aug 2010 09:08:58 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id F09703A67E6 for <ipsec@ietf.org>; Mon, 2 Aug 2010 09:08:57 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id o72G9NhJ029464 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 2 Aug 2010 16:09:24 GMT
Received: from acsmt355.oracle.com (acsmt355.oracle.com [141.146.40.155]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o72DNipA012555; Mon, 2 Aug 2010 16:09:18 GMT
Received: from abhmt001.oracle.com by acsmt354.oracle.com with ESMTP id 477066641280765351; Mon, 02 Aug 2010 09:09:11 -0700
Received: from [192.168.2.101] (/71.202.69.40) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 02 Aug 2010 09:09:10 -0700
Message-ID: <4C56EDBD.6010401@oracle.com>
Date: Mon, 02 Aug 2010 09:09:33 -0700
From: Jarrett Lu <jarrett.lu@oracle.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090323)
MIME-Version: 1.0
To: Paul Moore <paul.moore@hp.com>
References: <4C4FDC80.5020603@oracle.com> <1280522982.4029.24.camel@flek.lan> <1280751488.2673.77.camel@moss-terrapins.epoch.ncsc.mil> <1280756168.3998.8.camel@flek.lan> <1280756248.2673.92.camel@moss-terrapins.epoch.ncsc.mil> <1280758344.3998.23.camel@flek.lan> <1280759549.2673.102.camel@moss-terrapins.epoch.ncsc.mil> <1280762656.3998.29.camel@flek.lan>
In-Reply-To: <1280762656.3998.29.camel@flek.lan>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Source-IP: acsmt355.oracle.com [141.146.40.155]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090205.4C56EDB2.0170:SCFMA4539814,ss=1,fgs=0
Cc: ipsec@ietf.org, "David P. Quigley" <dpquigl@tycho.nsa.gov>
Subject: Re: [IPsec] a new IKEv2 labeled security draft is published
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2010 16:08:59 -0000

Paul Moore wrote:
> On Mon, 2010-08-02 at 10:32 -0400, David P. Quigley wrote:
>   
>> On Mon, 2010-08-02 at 10:12 -0400, Paul Moore wrote:
>>     
>>> I would encourage you to publish the LFS draft as soon as possible so
>>> that we can take a look at both specifications together since the IKE
>>> draft does have some reliance on the LFS draft.
>>>       
>> That's a good idea. I just published the document. You can find it at
>> the link below[1]. I also posted an email about it to the SAAG so
>> hopefully there will be some review from there as well.
>>
>> [1]http://www.ietf.org/id/draft-quigley-label-format-registry-00.txt
>>     
>
> Thank you.
>
>   
>>> While leaving large chunks of the protocol out of the specification
>>> definitely makes it easier to draft (and review for that matter), it
>>> makes me very nervous when people start implementing the specification
>>> later down the line as the assumptions you make when developing
>>> implementation "A" might not work well with the assumptions I make with
>>> developing implementation "B".  For something as critical as a security
>>> label protocol, this could have very serious repercussions for users.
>>>
>>> Granted, it is probably foolish (and perhaps not very desirable either)
>>> to ask for a specification that completely removes all ambiguity, but I
>>> think the IKE security label draft as currently written is far too vague
>>> to be useful.  Look at the CALIPSO RFC or even the other IPsec/IKE RFCs
>>> to see the level of specification detail that, in my opinion, should be
>>> present in an IETF RFC. 
>>>       
>> We are accepting text for the document so if there is something you
>> believe that should be in it such as handling unauthorized labels feel
>> free to write up some text and send it our way.
>>     
>
> Perhaps it would be better for you to document how you would assume the
> implementation to work with a level of detail similar to the other IKE
> and CALIPSO RFCs and then we can have another attempt at review?  I'm
> saying this not to be difficult, but rather because I feel that
> providing the amount of additional text that I feel is needed would be
> roughly the same as writing a draft in the first place.  To be honest, I
> look at this draft as an abstract for labeled IKE specification, not a
> draft specification itself.
>   

I suppose we can add more details / text on label validations and error
handling to avoid implementation ambiguities as much as possible. Our
intent is to add the label negotiation as a simple extension to IKEv2. It
really should be a short document.

Thanks.

Jarrett

v2.23.0 | Report a Bug | By Email