IETF Logo Mail Archive

Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-ikev1-algo-to-historic-08: (with DISCUSS)

Warren Kumari <warren@kumari.net> Thu, 15 December 2022 14:32 UTC

Return-Path: <warren@kumari.net>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 882BDC14CE4F for <ipsec@ietfa.amsl.com>; Thu, 15 Dec 2022 06:32:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uSQfDV8XLCOX for <ipsec@ietfa.amsl.com>; Thu, 15 Dec 2022 06:32:17 -0800 (PST)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E80FC14CE40 for <ipsec@ietf.org>; Thu, 15 Dec 2022 06:32:17 -0800 (PST)
Received: by mail-qk1-x730.google.com with SMTP id a25so2695280qkl.12 for <ipsec@ietf.org>; Thu, 15 Dec 2022 06:32:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=W91QsV7llLuilkHRk/2J2OQTF6AZjLFiineTm4T4BiQ=; b=b7zMwaXR9BIAzuNhFhpVhlGZ5OYQRMS+yei1ydvO6qJ4pW3MP2XC/QoyqlTVOV9+c2 5YQU3eg8H8JyzD5Aw980emiIxpI4ZNvPE6YXwHKsy5vfNXuqnq3WkJlSgy2AGPayBJcQ CXjxK9t2Dyojfzegs/3QkRHMdldDRRkR+019JkAFSGaHTWuvuCzyv8jM2MsYYaKjfNz9 Cbel6LVrCa1ncXh2RP8pAa8ezaGEoL1GecmdsWz1sdR5u/QiXv24ZS5N+vG7qOr+UeBS /mS5fB/3iKgDky+NhWOUz5ygoQGJKvXqwlMkvtbDore5tGleId7pELXCgLUXnxFQ9cto 9eow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=W91QsV7llLuilkHRk/2J2OQTF6AZjLFiineTm4T4BiQ=; b=LXvYO899o713lsey0UGow2tiLhPd9oGxc2pLwPEPMvSETLGy+wEqcCTQB3V1IJFgB6 Ozjb7C7SCA3qirt500mKoNym7t7Ed7PL5xmnyll5gEwo9DKgHXatgqC+JfyjHLfS19i0 ybsf/p5nVQ1ZpJc6S3Y4YQCmKrlky7cOcSCG2yO7bc9/93uZM7Z6Xlv7QLF7IZf5n5HO s3fzbMjW9OjTs/hzR7Hu1BwBUHmBCpbixXJKNZtiJRe/IPXrCvNf4p/mHfqHrt3PeKXm DtrO1k36f0t4RMC88gE2WWZfNKSFWkBcQHRHF4IpBRD8YlhAges8wtUV8rys/iqazJNk 59pw==
X-Gm-Message-State: ANoB5pkDcgr2gO/HbvnscX5nxw0+rw/1Hyndqzpi0Rvln1msANGb3DxB PTYM+dTyjX7LSucgi7jDmfTOx6HUD9msHztNMbM//Q==
X-Google-Smtp-Source: AA0mqf7+E1kRRoZw0OXv4eJw29K+Wjeqaknw8UX89tQaiGwWI+63kQWLpvYLJdGTgWdylpfodl1hLYwtuV+7+DMFaqE=
X-Received: by 2002:a37:8c9:0:b0:6ff:1cd7:533d with SMTP id 192-20020a3708c9000000b006ff1cd7533dmr844896qki.113.1671114735841; Thu, 15 Dec 2022 06:32:15 -0800 (PST)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Thu, 15 Dec 2022 09:32:15 -0500
Mime-Version: 1.0
X-Superhuman-ID: lbp6jydp.084c3aa8-b3be-4530-867d-be7f9e789eb1
X-Superhuman-Draft-ID: draft00cd68f9bf2e3e8d
In-Reply-To: <CAHw9_i+5aaasAdWU-pu-geGX6StrR6vzHTHmzcVGCo8FYruaxQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
X-Mailer: Superhuman Desktop (2022-12-13T23:05:55Z)
References: <167094324735.45634.6215476133161483286@ietfa.amsl.com> <ca431827-6090-dba7-6280-20bed8ebf37d@nohats.ca> <CAHw9_i+5aaasAdWU-pu-geGX6StrR6vzHTHmzcVGCo8FYruaxQ@mail.gmail.com>
Date: Thu, 15 Dec 2022 09:32:15 -0500
Message-ID: <CAHw9_i+N=RG0bUjq9kUCTOj6eJRfpSyraF-+BVLTmwvgSHDHiA@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: The IESG <iesg@ietf.org>, draft-ietf-ipsecme-ikev1-algo-to-historic@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
Content-Type: multipart/alternative; boundary="000000000000358b9505efdeb803"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Nj0GpEzQgzGvVB57U-BaD1ix96s>
Subject: Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-ikev1-algo-to-historic-08: (with DISCUSS)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2022 14:32:21 -0000

On Tue, Dec 13, 2022 at 12:51 PM, Warren Kumari <warren@kumari.net> wrote:

> On Tue, Dec 13, 2022 at 10:36 AM, Paul Wouters <paul@nohats.ca> wrote:
>
>> On Tue, 13 Dec 2022, Warren Kumari via Datatracker wrote:
>>
>> [speaking with author hat on]
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>>
>>
>> Be ye not afraid -- see
>> https://www.ietf.org/about/groups/iesg/statements/
>> handling-ballot-positions/ on handling ballots, especially DISCUSS
>> ballots...
>>
>>
>>
>> Can the IETF actually deprecate / make a protocol historic? (as stated in
>> "Internet Key Exchange version 1 (IKEv1) has been deprecated" and "IKEv1
>> has been moved to Historic status.")
>>
>>
>> I agree that **making the documents that describe these** be historic is
>> the right thing to do, and also that the IETF can strongly recommend that
>> people don't use/deploy/whatever IKEv1, but I don't really know if we (or
>> anyone) have the power to deprecate a protocol. We are not the protocol
>> police, and we cannot instruct people to e.g deploy protocol foo, so I
>> don't know if we can deprecate a protocol either -- but I suspect that this
>> might be because I don't actually know what "IKEv1 has been deprecated"
>> actually *means*.
>>
>> Again, I'm not trying to block what this document is attempting to *do*,
>> but rather make it clear what it is actually doing.
>>
>> What it means is that the IETF has stopped maintaining it. It will not
>> allow any new registrations into the related IANA registries and no new
>> work will be started on this protocol version.
>>
>
>
> Perhaps you could add something to the document saying that (or, even
> better, drop in a reference to an RFC that says that)? From Rob's ballot:
> "I do wonder exactly how well understood "deprecated" is in the wider
> community." - it's not just "in the wider community", because it wasn't
> clear to me *exactly* what it meant.
>


Just following up before the telechat - if we agree to add a clarification
I can clear.

W



>
>> It does not make any recommendations to users or administrators on
>> whether they should stop running it and migrate, although it is a pretty
>> strong hint that this protocol is dying and it would be wise to move away
>> from it.
>>
>> It also means that other documents that want to depend on IKE, have to
>> ensure it works (and references) IKEv2, not IKEv1.
>>
>> The IETF does not tell you which protocols to use or not use. However,
>> other organizations that do, often base their requirements on IETF
>> recommendations. This is where the IETF and others (eg NIST, PCI-DSS) play
>> a careful balancing act. The IETF tries to nudge people in the right
>> direction. But it is indeed not the protocol police.
>>
>
> Yes, we have the BCP series, which "endorses" technical information and
> "define and ratify the community's best current thinking on a statement of
> principle or on what is believed to be the best way to perform some
> operations." That isn't the IETF telling someone what to do, but it is
> basically standing up, pointing, and saying "This thing over here! We think
> that this is a good thing to do!".
>
> Note that the document itself does not deprecate anything.
>>
>
> Well, now I'm confused:
> "This document deprecates those unmentioned algorithms that are no longer
> advised but for which there are no known attacks resulting in their earlier
> deprecation."
> and
> "5.  Deprecating obsolete algorithms
>
> This document deprecates the following algorithms: [...]"
>
> It cannot. Only the IESG can change a document static to historic.
>>
>
>
> I'm unclear if you are arguing that a document doesn't do anything until
> the IESG formally approves it", which feels like a very semantic point. We
> very commonly say that draft-ietf-foo-bar does X (e.g change registry
> policy), even if technically we mean "draft-ietf-foo-bar does X, but only
> after it has completed IETF LC and then IESG Eval and had all of the
> DISCUSSES addressed and then approved"
>
> Perhaps when you said "the document itself does not deprecate anything"
> you were meaning "does not make other documents historic, that is handled
> by the status-change document - https://datatracker.ietf.org/doc/
> status-change-ikev1-to-historic/  " ?
>
> See your other work item on the telechat where this is requested.
>>
>
> Yes. That is partly what drove me to this discussion — in that case, the
> document had originally said: "The document marks as historic…" and Pete
> Resnick (correctly) pointed out that document don't mark things as
> historic, and suggested the new text "The document deprecates the use of
> [..]"
>
> W
>
>>
>> Only after that request passes the IESG, can this document move further
>> and say that
>> "it has happened".
>>
>>
>> Paul
>>
>

v2.23.0 | Report a Bug | By Email