Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
Paul Wouters <paul.wouters@aiven.io> Mon, 08 November 2021 18:06 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 078373A0C94 for <ipsec@ietfa.amsl.com>; Mon, 8 Nov 2021 10:06:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F1iDWwFVufNm for <ipsec@ietfa.amsl.com>; Mon, 8 Nov 2021 10:06:10 -0800 (PST)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FFD13A0C82 for <ipsec@ietf.org>; Mon, 8 Nov 2021 10:06:10 -0800 (PST)
Received: by mail-ed1-x52b.google.com with SMTP id r12so65778308edt.6 for <ipsec@ietf.org>; Mon, 08 Nov 2021 10:06:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=95V29qAXtEnh/v46sYoFqDdKl95V+YZUfRkH+ZJzrOU=; b=c0/4vHtheL4V6XTyvh83u+n1SW3fyTi63Ya7TsZMo3jYCpGsp7nMcEk1XmIx4Ok8Bs O16wlel56HQBuuAmuRlmkuxJBfmUQ1L/XqgeIxnXxHH+5BdXQIjJBJaGqnm6NW65FiJW 8QpG4Dk+GT1Z0/HrsUcpjViRTUIEYbGYIMXj4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=95V29qAXtEnh/v46sYoFqDdKl95V+YZUfRkH+ZJzrOU=; b=BZrIgS3Y3Bo6sZ7jBJq1OZ2++GZr2Ux5GhNTR23wG3DQbGOq22A54mNk6ksM2OZOBN Rj/ZRJ9U6NrAbFOawKt9GGRhKcU02PIxXsL3C3ytaT6/DzThfTOuBCUkH/DhW5J/Dell rVzjSIOJVEorZbIyDvSUl1gPFCCjfPyhEAMUdlSGG6GnAByWw9x4FosbQsDlLhVWeIPR xgO6Hthy0S9/mBspVDEVssFiY3FoAnGRasB1Pc8XdDPzFTjOPxjivjYIaVWPc54DZH7I kfzE3rZC7A09LvUUnSdcxQuqLmFiNOD4+wWpqjRQ/i8t0WSpxv7qG5vgeVONTPxwe7Yn 9DQA==
X-Gm-Message-State: AOAM530ZVSA9eU0O1rDqe+P8sj+yIWivVV1W1qrdffd19JLT5PjrU7zP IlnXZkLzdFIHO1GapXp4u1PJSw==
X-Google-Smtp-Source: ABdhPJwjOqT30izdy5xmIe1fZsTV8zGZQk1HsxDOND+yuooXRnDMcaV2nSfTmlFMEy5Cs3SOsdrY1w==
X-Received: by 2002:aa7:d2cc:: with SMTP id k12mr1232651edr.227.1636394767479; Mon, 08 Nov 2021 10:06:07 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id e12sm8442751ejs.86.2021.11.08.10.06.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Nov 2021 10:06:07 -0800 (PST)
Date: Mon, 08 Nov 2021 13:06:03 -0500
From: Paul Wouters <paul.wouters@aiven.io>
To: mohamed.boucadair@orange.com
cc: Tero Kivinen <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <3996_1636386534_618946E6_3996_297_6_787AE7BB302AE849A7480A190F8B93303544BD42@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Message-ID: <88f8206a-6c2-5816-ada3-e8666ec05e38@nohats.ca>
References: <24969.12660.103330.619294@fireball.acr.fi> <ccdfdc-634-5989-839b-3cbd17e86d99@nohats.ca> <3996_1636386534_618946E6_3996_297_6_787AE7BB302AE849A7480A190F8B93303544BD42@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/QCjtpS5f7ov7fTgD-hl4RVXpw2o>
Subject: Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 18:06:15 -0000
On Mon, 8 Nov 2021, mohamed.boucadair@orange.com wrote: >> Note the text of the draft claims it updates RFC 8598 but doesn't do so >> via an Updates: statement. > > [Med] We considered to have an "update" header because we were concerned with some MUSTs in 8598. We finally didn't include the update header because of a comment we received from you prior to publishing the first version of the draft. FWIW, here is the exchange we had at that time: > > ****** > Med: I have a question for you: now that we don't depend anymore on INTERNAL_IP*_DNS and given that a client can be supplied with 8598 attributes and that 8598 says the following: > > == > If an INTERNAL_DNS_DOMAIN attribute is > included in the CFG_REPLY, the responder MUST also include one or > both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the > CFG_REPLY. > > .. > > the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a > single list of Split DNS domains that applies to the entire list of > INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. > > == > > Should we add an update to our daft to indicate that first "MUST" does not apply and that the domains are associated with **ANY** supplied server? > > Paul: You cannot update that RFC for that kind of processing. The above really says that it makes no sense to have "internal domains" without providing "internal DNS servers". > **** Note that what I said there was that you should not update the _mechanism_ of how CFG requests/responds are done. You should use the existing mechanism with a new value, but use the same negotation mechanism. So the client sends FOO(x) and the server respones with FOO(y) x can be empty (eg the client has no previous notion or preference for FOO. Or if it has one, it can suggest it. The server takes that value only as a preference of the client, but the server is the one making the ultimate decsion if it returns "x" or "y". So your draft should not say the initiator MUST send a zero size request for FOO. That is changing the mechanism. What I was saying in my last email was that making a protocol update where a server receiving a INTERNAL_IP4_DNS may choose not to return any INTERNAL_IP4_DNS is an update to the protocol that would require the Updates: clause to warn implementers to read this document too, as it updates older RFC text. > Also, I think the relaxing of the requirement >> is actually wrong, as it might cause lack of interop between newer servers >> and older clients not being able to negotiate working DNS if the new >> servers no longer serve INTERNAL_IP*_DNS CFG payloads. > > [Med] Older clients can always ask for INTERNAL_IP6_DNS or INTERNAL_IP4_DNS. We will update the note to make this clearer. They can indeed. So I think you should just stick with the CFG request/response semantics and not talk about omitting INTERNAL_IP*_DNS replies if the client asks for those via CFG. This way, the ENC_DNS* payloads are simply defined as new CFG options, and clients and servers will do the right thing when encountering them. And it requires no Updates: clause because it does not modify the behaviour with respect to INTERNAL_IP*_DNS. You might want to say a client SHOULD prefer ENC_DNS* servers over INTERNAL_IP*_DNS servers. >> I am also not clear on the real use of negotiating hash algorithms for the >> digest receiving of the ADD server "identity?", as the document states the >> authentication happens as per Section 8 of [RFC8310] which lists WebPKI or >> DANE authentication against the name and these methods do not use this >> digest. I also do not understand the use of the digest. For >> authentication, is it not needed as the entire IKEv2 exchange is >> authenticated. > > [Med] We added the digest to address one of the comments raised in a previous ipsecme meetings: allow to not rely on PKI for validating the encrypted DNS server certificate but convey the end-entity certificate in IKEv2 itself. Ah, I see. I would probably use some different terminology then, and extend the text talking aboyt "as per Section 8 of [RFC8310]" to clarify that. I'll see about producing some text for you. Paul
- [IPsec] WG Adoption call for draft-btw-add-ipsecm… Tero Kivinen
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Paul Wouters
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Paul Wouters
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Paul Wouters
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… tirumal reddy
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Paul Wouters
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Michael Richardson
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Valery Smyslov
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Tommy Pauly
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- [IPsec] WG Adoption call for draft-btw-add-ipsecm… Tero Kivinen
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair