Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic
Daniel Migault <mglt.ietf@gmail.com> Tue, 29 June 2021 18:17 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1EDB3A3CB6 for <ipsec@ietfa.amsl.com>; Tue, 29 Jun 2021 11:17:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TjNvWyVQvB_N for <ipsec@ietfa.amsl.com>; Tue, 29 Jun 2021 11:17:14 -0700 (PDT)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B9313A3CB9 for <ipsec@ietf.org>; Tue, 29 Jun 2021 11:17:14 -0700 (PDT)
Received: by mail-qv1-xf2a.google.com with SMTP id m15so11539928qvc.9 for <ipsec@ietf.org>; Tue, 29 Jun 2021 11:17:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VjE3oxhSEiTcFrB5FOfTy15vLsgiDMkkOZTGTPIILZg=; b=d6kcw2lwGfQV8OgpHp8fShPR0X+c1TgOoYzJfn9Sgpd+lXm+h9Kxlx6jbyPOyJ3PNm QiDpSLQXrxFrOtm27+7FjSOiAPdsGkhbc2BX/jhGQJL8H0q/DlLnTqMLX/fgKEsE+Oii i1RyZa4kBkdOkahYat0fLBZZt+naXw/CY2ViUUeBpsgrJN+Hj4pNkldvwJdE9SIOdfd7 ZBBrxNx2eLghynBbwKdtz1us8wsUyKFH3RZXYVuv3VgGP4ufja1tHjYL0Ld4+MfGvTAb A4A/0gR/OI+qp29KI6E8e34WdFy6afpCZzHmZCUJ9Tn0kLa0QutJESWZCTmWLjrPfOIQ Tmrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VjE3oxhSEiTcFrB5FOfTy15vLsgiDMkkOZTGTPIILZg=; b=eNfErI6jBHl1PdM2rigwBCrVtS0jC9e7domd9tIGPJfZYSBI0tdv2upJwkZ6RgV/bs kAwifIRUzpR83DQzRJ/BUjs0ZDMjFqKTMIA03jZJpmNDp6DASDZTSdL1LeIhrXMBjOOq GwoEDfR4tItDK2ztZFzr+wj9gX9PKaXHNnIIsirIZoSzz0JMfLUsS+Xx4dctCInFdghA LQUlBl8Qw69tKb7HalPElG4n7q7y9VPZvx6A28Ef9IkCFPBBkoriVXBG9YZTCQ6tI2ZG 2RH/d8DEQBh1P7GcsyS6gRb58/zZ/uUhvjmEsJyOZdV4AsBgbOlOxQYJR1TrbGdoPUL7 BAuw==
X-Gm-Message-State: AOAM532T4N8Cb1Z2vgvGkaX/HhIRBh0DLiD8IGSPqhQR1G91yPVTwPeU R6KMSdzer7py/7Czt8IeuUyYokQ7bfBl9hYdXJ8=
X-Google-Smtp-Source: ABdhPJyHe/LCkbP/wlfpi8yQvg3f0gyfpwDBgzP/dXnYZfNe+VltAWX3LPDb4OH4rBmkDjX2jj9g6upzLXuFPXeG5c4=
X-Received: by 2002:a05:6214:804:: with SMTP id df4mr31700233qvb.16.1624990632961; Tue, 29 Jun 2021 11:17:12 -0700 (PDT)
MIME-Version: 1.0
References: <315BBB8D-B55E-43C8-A988-ADC8780AD62E@gmail.com> <059201d76bf6$e29680c0$a7c38240$@gmail.com> <8ea212cf-ee37-ceed-f905-4fde94173c1d@lounge.org> <CADZyTk=Ge4XYCYStHi5Uerei53n_eyA=9CzLwZwvtVoO_i9spA@mail.gmail.com> <E0F5EAC8-9F0C-4619-8F9C-62B3BD923AB1@gmail.com>
In-Reply-To: <E0F5EAC8-9F0C-4619-8F9C-62B3BD923AB1@gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 29 Jun 2021 14:17:02 -0400
Message-ID: <CADZyTknzuALP1U6OZRLuc-8nmrRJhpkKzcGhTD4FBLenS06YqA@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Dan Harkins <dharkins@lounge.org>, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000070e95305c5eb9d5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/O4pD02jS5ujb0EEyZmvoKUSsa9A>
Subject: Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2021 18:17:19 -0000
I thought the purpose of the draft was to be able to say "look at this document it says you MUST switch to IKEv2 if you want to remain IPsec interoperable. I am suprised I do not see the MUST in question. I am fine whatever chair/co-authors are fine with. Yours, Daniel On Tue, Jun 29, 2021 at 2:00 PM Yoav Nir <ynir.ietf@gmail.com> wrote: > [no hats] > I don’t want to start (or resume) a religious holy war about uppercase > MUSTs, but they’re usually about protocol compliance. What people should > (not SHOULD) do with their systems is not subject to requirements language, > because the IETF does not engineer administrators. What? You are not > compliant with RFC xxxx if you didn’t upgrade your systems already? > > I could understand a statement that Product yyyy is not compliant with RFC > xxxx because it still offers IKEv1, but I don’t like non-compliant > administrators. Not that I’m advocating to add that statement to the draft. > I think it’s fine as it is: just offering advice that systems should be > upgraded. > > Yoav > > On 29 Jun 2021, at 17:21, Daniel Migault <mglt.ietf@gmail.com> wrote: > > I believe that the first sentence of section 3 says it all. ship it! > > I still have some minor comments, though these may have already been > discussed. There are no normative MUST to upgrade ( and in general very > little normative language). > Shouldn't we have for example: > Systems running IKEv1 should be upgraded and reconfigured to run IKEv2. > > moved to : > > Systems running IKEv1 MUST be upgraded and reconfigured to run IKEv2. > > > There are overall very little number of SHOULD/MUST but maybe that is an > editorial choice. > > Yours, > Daniel > > > > > > Yours, > Daniel > > On Mon, Jun 28, 2021 at 7:17 PM Dan Harkins <dharkins@lounge.org> wrote: > >> >> Hi, >> >> On 6/28/21 1:23 AM, Valery Smyslov wrote: >> > Hi, >> > >> > I think document is mostly ready. Few observations: >> > >> > - FWIW I think that Dan's efforts to make draft's language less >> speculative and more concrete >> > are valid and should be reflected in the document. >> > >> > - Is it OK that the intended status is Standards Track? Shouldn't it be >> BCP? >> > >> > - The draft states that it updates RFC 7296, 8221, 8247. What in >> particular is being updated? >> > I believe the recent IESG directives require a short explanation of >> what is being updated >> > to be present in Abstract. In any case, it should be clearly >> indicated in the body of the document. >> > Have I missed it? >> > >> > - Section3: I think that phrase "IKEv2 is a more secure protocol than >> IKEv1 in every aspect." is a bit too vague. >> >> You know, that was bugging me too. "in every aspect" is laying it on >> a bit thick. IKEv1 >> has a security proof. The much maligned PSK mode authenticates the key >> as well as the >> exchange which is better than what IKEv2 does (and why IKEv1 did not >> need an update to do >> PQC). So saying it's less secure "in every aspect" just isn't true. But >> I couldn't figure >> out a better way to say it.... >> >> > I believe it's better to list security aspects where we believe >> IKEv2 is superior: >> > >> > * IKEv2 supports modern cryptographic primitives, including AEAD >> ciphers >> > * IKEv2 provides real defense against DoS (cookies, core spec) and >> DDoS (puzzles, RFC 8019) attacks >> > * support for post-quantum crypto in IKEv2 is being developed >> (draft-ietf-ipsecme-ikev2-multiple-ke) >> > * IKEv2 supports various authentication methods via integration with >> EAP (core spec) >> > * an extension that allows build PAKE methods in IKEv2 exists (RFC >> 6467) >> > * did I forget something? >> >> But this is great! I agree that such a brief summary of the superior >> features >> would be better than a factually challenged "in every aspect" statement. >> >> regards, >> >> Dan. >> >> -- >> "The object of life is not to be on the side of the majority, but to >> escape finding oneself in the ranks of the insane." -- Marcus Aurelius >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec >> > > > -- > Daniel Migault > Ericsson > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > > > -- Daniel Migault Ericsson
- [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to… Yoav Nir
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Yoav Nir
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Dan Harkins
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Michael Richardson
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Yoav Nir
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Dan Harkins
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Paul Wouters
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Dan Harkins
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Valery Smyslov
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Paul Wouters
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Dan Harkins
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Daniel Migault
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Yoav Nir
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Daniel Migault
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Paul Wouters
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Dan Harkins
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Benjamin Kaduk
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Paul Wouters
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-alg… Michael Richardson