IETF Logo Mail Archive

Re: [IPsec] Éric Vyncke's Yes on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)

Valery Smyslov <svan@elvis.ru> Tue, 09 August 2022 13:59 UTC

Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50D4BC13CCD4; Tue, 9 Aug 2022 06:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wjHXpDixD8ez; Tue, 9 Aug 2022 06:59:14 -0700 (PDT)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09B85C13CCD2; Tue, 9 Aug 2022 06:59:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=TFqRF2itJUuQByyzGpkgcuxHycTMt0liybseMlD3XBg=; b=bkayMaGqHu8Oh0J8Y2iUaTqjcc J/5v2P5tPn7RhBHD5qFrySl/iJVQESgZJYliGLCgTs/Bt7p6mgp1Kv8HuAS3zzTjpisnxkgnr+Iro 7UgWwu9nWXqxddcZiPtdAVALq//neGzOzBoYeMd6DEbiaHKo1Yis3rV9Dvx3DxS/1y/Y=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1oLPlA-0004MJ-NS; Tue, 09 Aug 2022 16:59:04 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1oLPlA-0000Bs-Fm; Tue, 09 Aug 2022 16:59:04 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Tue, 9 Aug 2022 16:59:04 +0300
Received: from svannotebook (10.100.100.6) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Tue, 9 Aug 2022 16:59:03 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Éric Vyncke' <evyncke@cisco.com>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-rfc8229bis@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi, brian@innovationslab.net
References: <166004817697.29912.10227463273197951736@ietfa.amsl.com>
In-Reply-To: <166004817697.29912.10227463273197951736@ietfa.amsl.com>
Date: Tue, 09 Aug 2022 16:59:04 +0300
Message-ID: <060301d8abf8$2fdfe0f0$8f9fa2d0$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQMpYBIk82HaYTdipU6jSCXKvreKxqsFGFiA
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/08/09 11:49:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/08/09 10:46:00 #20084579
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/QST23Nt9tAjcOiA_L4UyV4TlXI8>
Subject: Re: [IPsec] Éric Vyncke's Yes on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 13:59:19 -0000

Hi Éric,

thank you for your comments. Please see inline.

> Éric Vyncke has entered the following ballot position for
> draft-ietf-ipsecme-rfc8229bis-07: Yes
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-
> ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-rfc8229bis/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> # Éric Vyncke, INT AD, comments for draft-ietf-ipsecme-rfc8229bis-07
> CC @evyncke
> 
> Thank you for the work put into this document. There must be several use
> cases
> for it.
> 
> Please find below some non-blocking COMMENT points (but replies would be
> appreciated even if only for my own education).
> 
> Special thanks to Tero Kivinen for the shepherd's detailed write-up including
> the WG consensus, but it lacks the justification of the intended status.
> 
> Thanks as well to Brian Haberman for his INT directorate review, his review has
> a 'ready' status.
> 
> I hope that this review helps to improve the document,
> 
> Regards,
> 
> -éric
> 
> ## COMMENTS
> 
> ### UDP blocked even with QUIC
> 
> As there are more and more traffic relying on QUIC (a wild guess of mine...),
> is it still the case that middle boxes are blocking UDP ? Just out of
> curiosity... feel free to ignore.

Well, I don't have statistics for the current situation and tend to agree that wide adoption
of QUIC may improve the situation. But I think blocking UDP still happens.
Note also that some proposed extensions to IKEv2 rely on TCP transport
to be able to reliably transfer very large public keys of PQ algorithms
(draft-tjhai-ikev2-beyond-64k-limit).

> ### Section 1
> 
> ```
> Devices on these
>    networks that need to use IPsec (to access private enterprise
>    networks, to route Voice over IP calls to carrier networks, or
>    because of security policies) are unable to establish IPsec SAs.
> ```
> 
> The above appears like an exhaustive list while it is not. Suggest to add ",
> etc.".

OK.

> ### Section 1
> 
> `Some peers default to using UDP encapsulation` is "peer" so well-defined in
> the IPsec world ? 'some' is also rather vague, perhaps cite one implementation
> ? or use "some peers may default to" ?

"Peer" widely used in IPsec. But I seem to see your point. How about if we 

s/peers/implementations

?

> ### Section 2
> 
> Should "Implementations of this specification" be used in `Implementations
> MUST
> support TCP encapsulation on TCP port 4500, which is reserved for IPsec NAT
> traversal.` ?

This was already caught by Erik. Currently changed to:

Compliant implementations MUST support TCP encapsulation on TCP port 4500...

> ### Section 3 No AH
> 
> Even if AH is nearly no more used, I wonder whether there is a reason why AH
> is
> not supported by this I-D.

Well, it's a long story. AH has always been a headache for implementers 
from its birth and when UDP encapsulation of IPsec was specified 
(the work started 20 years ago), it was decided to not support AH for it 
(I vaguely recall there was a draft for UDP encapsulation of AH 
in the early stage of this work, but it appeared to be too complex).
So, it would be strange to support TCP encapsulation for AH,
when UDP encapsulation of it is not supported. 

> The sentence about AH should really come earlier in the document.

Hm, while not disagree, I'm a bit unsure where to put it.

 We can add a sentence:

	Note that AH is not supported by this specification.

at the end of the first para of Section 1. Is it OK?

> ### Section 3
> 
> ```
>    Although a TCP stream may be able to send very long messages,
>    implementations SHOULD limit message lengths to typical UDP datagram
>    ESP payload lengths.
> ```
> 
> What is the 'typical' length ?

It's usually the size of PMTU.

> ### Section 3.1
> 
> Suggest to add a description of "Non-ESP" header field below the description
> of
> the "length" field rather than in the text above.

OK.

> ### Section 5.1
> 
> `Since UDP is the preferred method of transport for IKE messages,` hem...
> previous text (and common sense) stated that direct is the preferred method.

Direct transport only applicable to ESP. Here text is about IKE, which 
uses UDP port 500/4500 by default.

> ### Section 6.1 what about IP address changes ?
> 
> ```
>    Since new TCP connections
>    may use different ports due to NAT mappings or local port allocations
>    changing, the TCP Responder MUST allow packets for existing SAs to be
>    received from new source ports.
> ```
> For some NAT devices (or IPv6 nodes w/o NAT but with temporary addresses),
> the
> IP address could also change. This document should describe what to do in this
> case.

The responder may have policy restricting source IP addresses. The whole point
of this text is that it should not restrict source ports, with TCP they are usually ephemeral.

> ### Section 6.5
> 
> The very last sentence deserves a paragraph on its own.

OK.

> ### Section 6.7
> 
> Please add that the DF bit is obvioulsy only for IPv4 (Hi, Tommy, I had to
> insert my mandatory IPv6-related comment ;-) )

Changed:

s/IP header/IPv4 header

is it OK?

> ### Section 9.3
> 
> I am not a transport person, but I would have used "MUST NOT" rather than
> "MAY
> NOT" in: ```

Do you mean rather than SHOULD NOT?

>    Individual packets
>    SHOULD NOT use different markings than the rest of the connection,
>    since packets with different priorities may be routed differently and
>    cause unnecessary delays in the connection.
> ```

Well, MUST NOT implies that it is prohibited and the receiver must log a fatal error
if this happens. The text meaning is that it is just makes no sense. So, you may 
do it, but the performance could degrade.

> Even if somehow obvious, should there be a statement about the IPv6 Flow-ID
> header field ?

Hm... Can you propose a text?

> ### TCP Fast Open support
> 
> Is TCP fast open supported by this doc ?

This was already asked by Erik, and the answer was that I see no reason why 
TCP fast open cannot be used with this spec. Probably Tommy would add more.

Thank you,
Valery.

> ## Notes
> 
> This review is in the ["IETF Comments" Markdown format][ICMF], You can use
> the
> [`ietf-comments` tool][ICT] to automatically convert this review into
> individual GitHub issues.
> 
> [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
> [ICT]: https://github.com/mnot/ietf-comments
> 
>

v2.23.0 | Report a Bug | By Email