IETF Logo Mail Archive

Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic

Daniel Migault <mglt.ietf@gmail.com> Tue, 29 June 2021 18:17 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1EDB3A3CB6 for <ipsec@ietfa.amsl.com>; Tue, 29 Jun 2021 11:17:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TjNvWyVQvB_N for <ipsec@ietfa.amsl.com>; Tue, 29 Jun 2021 11:17:14 -0700 (PDT)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B9313A3CB9 for <ipsec@ietf.org>; Tue, 29 Jun 2021 11:17:14 -0700 (PDT)
Received: by mail-qv1-xf2a.google.com with SMTP id m15so11539928qvc.9 for <ipsec@ietf.org>; Tue, 29 Jun 2021 11:17:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VjE3oxhSEiTcFrB5FOfTy15vLsgiDMkkOZTGTPIILZg=; b=d6kcw2lwGfQV8OgpHp8fShPR0X+c1TgOoYzJfn9Sgpd+lXm+h9Kxlx6jbyPOyJ3PNm QiDpSLQXrxFrOtm27+7FjSOiAPdsGkhbc2BX/jhGQJL8H0q/DlLnTqMLX/fgKEsE+Oii i1RyZa4kBkdOkahYat0fLBZZt+naXw/CY2ViUUeBpsgrJN+Hj4pNkldvwJdE9SIOdfd7 ZBBrxNx2eLghynBbwKdtz1us8wsUyKFH3RZXYVuv3VgGP4ufja1tHjYL0Ld4+MfGvTAb A4A/0gR/OI+qp29KI6E8e34WdFy6afpCZzHmZCUJ9Tn0kLa0QutJESWZCTmWLjrPfOIQ Tmrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VjE3oxhSEiTcFrB5FOfTy15vLsgiDMkkOZTGTPIILZg=; b=eNfErI6jBHl1PdM2rigwBCrVtS0jC9e7domd9tIGPJfZYSBI0tdv2upJwkZ6RgV/bs kAwifIRUzpR83DQzRJ/BUjs0ZDMjFqKTMIA03jZJpmNDp6DASDZTSdL1LeIhrXMBjOOq GwoEDfR4tItDK2ztZFzr+wj9gX9PKaXHNnIIsirIZoSzz0JMfLUsS+Xx4dctCInFdghA LQUlBl8Qw69tKb7HalPElG4n7q7y9VPZvx6A28Ef9IkCFPBBkoriVXBG9YZTCQ6tI2ZG 2RH/d8DEQBh1P7GcsyS6gRb58/zZ/uUhvjmEsJyOZdV4AsBgbOlOxQYJR1TrbGdoPUL7 BAuw==
X-Gm-Message-State: AOAM532T4N8Cb1Z2vgvGkaX/HhIRBh0DLiD8IGSPqhQR1G91yPVTwPeU R6KMSdzer7py/7Czt8IeuUyYokQ7bfBl9hYdXJ8=
X-Google-Smtp-Source: ABdhPJyHe/LCkbP/wlfpi8yQvg3f0gyfpwDBgzP/dXnYZfNe+VltAWX3LPDb4OH4rBmkDjX2jj9g6upzLXuFPXeG5c4=
X-Received: by 2002:a05:6214:804:: with SMTP id df4mr31700233qvb.16.1624990632961; Tue, 29 Jun 2021 11:17:12 -0700 (PDT)
MIME-Version: 1.0
References: <315BBB8D-B55E-43C8-A988-ADC8780AD62E@gmail.com> <059201d76bf6$e29680c0$a7c38240$@gmail.com> <8ea212cf-ee37-ceed-f905-4fde94173c1d@lounge.org> <CADZyTk=Ge4XYCYStHi5Uerei53n_eyA=9CzLwZwvtVoO_i9spA@mail.gmail.com> <E0F5EAC8-9F0C-4619-8F9C-62B3BD923AB1@gmail.com>
In-Reply-To: <E0F5EAC8-9F0C-4619-8F9C-62B3BD923AB1@gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 29 Jun 2021 14:17:02 -0400
Message-ID: <CADZyTknzuALP1U6OZRLuc-8nmrRJhpkKzcGhTD4FBLenS06YqA@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Dan Harkins <dharkins@lounge.org>, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000070e95305c5eb9d5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/O4pD02jS5ujb0EEyZmvoKUSsa9A>
Subject: Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2021 18:17:19 -0000

I thought the purpose of the draft was to be able to say "look at this
document it says you MUST switch to IKEv2 if you want to remain IPsec
interoperable. I am suprised I do not see the MUST in question. I am fine
whatever chair/co-authors are fine with.

Yours,
Daniel

On Tue, Jun 29, 2021 at 2:00 PM Yoav Nir <ynir.ietf@gmail.com> wrote:

> [no hats]
> I don’t want to start (or resume) a religious holy war about uppercase
> MUSTs, but they’re usually about protocol compliance. What people should
> (not SHOULD) do with their systems is not subject to requirements language,
> because the IETF does not engineer administrators. What? You are not
> compliant with RFC xxxx if you didn’t upgrade your systems already?
>
> I could understand a statement that Product yyyy is not compliant with RFC
> xxxx because it still offers IKEv1, but I don’t like non-compliant
> administrators. Not that I’m advocating to add that statement to the draft.
> I think it’s fine as it is: just offering advice that systems should be
> upgraded.
>
> Yoav
>
> On 29 Jun 2021, at 17:21, Daniel Migault <mglt.ietf@gmail.com> wrote:
>
> I believe that the first sentence of section 3 says it all. ship it!
>
> I still have some minor comments, though these may have already been
> discussed. There are no normative MUST to upgrade ( and in general very
> little normative language).
> Shouldn't we have for example:
> Systems running IKEv1 should be upgraded and reconfigured to run IKEv2.
>
> moved to :
>
> Systems running IKEv1 MUST be upgraded and reconfigured to run IKEv2.
>
>
> There are overall very little number of SHOULD/MUST but maybe that is an
> editorial choice.
>
> Yours,
> Daniel
>
>
>
>
>
> Yours,
> Daniel
>
> On Mon, Jun 28, 2021 at 7:17 PM Dan Harkins <dharkins@lounge.org> wrote:
>
>>
>>    Hi,
>>
>> On 6/28/21 1:23 AM, Valery Smyslov wrote:
>> > Hi,
>> >
>> > I think document is mostly ready. Few observations:
>> >
>> > - FWIW I think that Dan's efforts to make draft's language less
>> speculative and more concrete
>> >     are valid and should be reflected in the document.
>> >
>> > - Is it OK that the intended status is Standards Track? Shouldn't it be
>> BCP?
>> >
>> > - The draft states that it updates RFC 7296, 8221, 8247. What in
>> particular is being updated?
>> >     I believe the recent IESG directives require a short explanation of
>> what is being updated
>> >     to be present in Abstract. In any case, it should be clearly
>> indicated in the body of the document.
>> >     Have I missed it?
>> >
>> > - Section3: I think that phrase "IKEv2 is a more secure protocol than
>> IKEv1 in every aspect." is a bit too vague.
>>
>>    You know, that was bugging me too. "in every aspect" is laying it on
>> a bit thick. IKEv1
>> has a security proof. The much maligned PSK mode authenticates the key
>> as well as the
>> exchange which is better than what IKEv2 does (and why IKEv1 did not
>> need an update to do
>> PQC). So saying it's less secure "in every aspect" just isn't true. But
>> I couldn't figure
>> out a better way to say it....
>>
>> >    I believe it's better to list security aspects where we believe
>> IKEv2 is superior:
>> >
>> >    * IKEv2 supports modern cryptographic primitives, including AEAD
>> ciphers
>> >    * IKEv2 provides real defense against DoS (cookies, core spec) and
>> DDoS (puzzles, RFC 8019) attacks
>> >    * support for post-quantum crypto in IKEv2 is being developed
>> (draft-ietf-ipsecme-ikev2-multiple-ke)
>> >    * IKEv2 supports various authentication methods via integration with
>> EAP (core spec)
>> >    * an extension that allows build PAKE methods in IKEv2 exists (RFC
>> 6467)
>> >    * did I forget something?
>>
>>    But this is great! I agree that such a brief summary of the superior
>> features
>> would be better than a factually challenged "in every aspect" statement.
>>
>>    regards,
>>
>>    Dan.
>>
>> --
>> "The object of life is not to be on the side of the majority, but to
>> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
>>
>
>
> --
> Daniel Migault
> Ericsson
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
>

-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email