IETF Logo Mail Archive

Re: [IPsec] [IANA #111200] [old message] Possible update to isakmp-registry

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 09 February 2012 17:59 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC28121E8021 for <ipsec@ietfa.amsl.com>; Thu, 9 Feb 2012 09:59:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.836
X-Spam-Level:
X-Spam-Status: No, score=-102.836 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_RECV_BEZEQINT_B=0.763, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fkNg3PYigRMl for <ipsec@ietfa.amsl.com>; Thu, 9 Feb 2012 09:59:51 -0800 (PST)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id D64DF21E8014 for <ipsec@ietf.org>; Thu, 9 Feb 2012 09:59:50 -0800 (PST)
Received: by werm10 with SMTP id m10so1949225wer.31 for <ipsec@ietf.org>; Thu, 09 Feb 2012 09:59:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=cybn8NKGVaO7u7xkLIWSmylcyuOij/RNddBbAzBAE64=; b=eMzFRg4UBO8uWPkogf5QCVcVBJb5VlZ1xqKJUaSs/SdYudJUREQ0oINJOQqMxIwp4q IB55Ea6LaP00ZabSJ5pNcL4W4d8aKw7BnWs7IeF6bXvQ0EDUkNfWVLKHy62WkjghrCiV 7bVBN0l/TCJsHQ0Gqq1P7DejcL9zOZINgPV84=
Received: by 10.180.19.97 with SMTP id d1mr4386585wie.12.1328810388520; Thu, 09 Feb 2012 09:59:48 -0800 (PST)
Received: from [192.168.3.141] (bzq-218-164-247.red.bezeqint.net. [81.218.164.247]) by mx.google.com with ESMTPS id da8sm8225213wib.6.2012.02.09.09.59.46 (version=SSLv3 cipher=OTHER); Thu, 09 Feb 2012 09:59:48 -0800 (PST)
Message-ID: <4F340992.5030502@gmail.com>
Date: Thu, 09 Feb 2012 19:59:46 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111229 Thunderbird/9.0
MIME-Version: 1.0
To: iana-matrix@iana.org
References: <RT-Ticket-111200@icann.org> <rt-3.8.HEAD-29275-1311783924-532.111200-7-0@icann.org> <rt-3.8.HEAD-15630-1318444488-609.111200-7-0@icann.org> <rt-3.8.HEAD-11399-1320163223-1013.111200-7-0@icann.org> <20162.16194.361337.415232@fireball.kivinen.iki.fi> <rt-3.8.HEAD-5313-1321353058-1814.111200-7-0@icann.org> <rt-3.8.HEAD-26615-1325909894-588.111200-7-0@icann.org> <20235.3284.301719.250098@fireball.kivinen.iki.fi> <rt-3.8.HEAD-8934-1326126279-1071.111200-7-0@icann.org> <rt-3.8.HEAD-25431-1328666879-1704.111200-7-0@icann.org>
In-Reply-To: <rt-3.8.HEAD-25431-1328666879-1704.111200-7-0@icann.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: ipsec@ietf.org, turners@ieca.com, liang@icann.org, kivinen@iki.fi, stephen.farrell@cs.tcd.ie
Subject: Re: [IPsec] [IANA #111200] [old message] Possible update to isakmp-registry
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2012 17:59:52 -0000

Hi Pearl, Tero,

Regarding the first change (IPsec Auth Methods), I prefer the existing 
language. Even though IKEv1 has been obsoleted, I think change control 
of this central piece of the protocol needs to still require a higher 
bar than just "specification required".

I'm afraid my co-chair disagrees, but he can surely speak for himself...

Thanks,
	Yaron

On 02/08/2012 04:07 AM, Pearl Liang via RT wrote:
> Hi, Tero,
>
> This is very useful information.  I've revised the ipsec-registry to
> include your edits (included below).  Though I have a few remaining
> questions:
>
> - For Registry Name: IPSEC Authentication Methods (Value 3)
>> Registry Name: IPSEC Authentication Methods (Value 3)
>> Current: Standards-track RFC
>>
>> There is nothing about this in the RFC2409, so I would say either "RFC
>> required" or "Specification required" would be ok. There is draft
>> http://tools.ietf.org/html/draft-harkins-ike-iana-update-00 already
>> proposing this change.
>
> Question1: since a new document is in work to update this,
> the registration procedures will be updated when the document is made
> to IETF Last call.  Would it be okay to not change the listed
> registration procedures at this time?
>
> - For Registry Name: PRF (Value 13)
>> Registry Name: PRF (Value 13)
>> Current: Standards-track or Informational RFC
>>
>> There is nothing about this in the RFC2409, so I would say either "RFC
>> required" or "Specification required" would be ok.
>>
>
> Question2: Would it be sufficient to list "RFC required" only?
>
> - For these 'early assignment' registrations as per ietf-ipsec-ike-ecc-groups,
> you commented the following:
>
>>> 6 EC2NGF163Random2
>>> 7 EC2NGF163Koblitz
>>> 8 EC2NGF283Random
>>> 9 EC2NGF283Koblitz
>>> 10 EC2NGF409Random
>>> 11 EC2NGF409Koblitz
>>> 12 EC2NGF571Random
>>> 13 EC2NGF571Koblitz
>>
>> These are from the
>> http://tools.ietf.org/html/draft-ietf-ipsec-ike-ecc-groups-04 version,
>> i.e. the registry was updated at some point in 2002 even when the
>> registry had registration policy of "RFC Required" and the document
>> was still draft (and was never published as RFC).
>>
>> I think you should remove "Panjwani" and "Blake-Wilson" and put
>> "ipsec-ike-ecc-groups" for all of them, and put some down a footnote
>> saying that the registry was updated too early and the draft never
>> made it to the RFC, but as these values might be used by some
>> implementations they are left there in the registry, but new
>> implementations should not use them. Also the reference could point
>> out that the values in the registry match the -04 version of the
>> document.
>
> [pl] I have removed the version number from the draft string.  (I was
> unable to locate those assignments (e.g. EC2NGF163Random2) in version 4.)
> I have also remove both "Panjwani" and "Blake-Wilson" from the registry.
> I have also marked the draft-ipsec-ike-ecc-group as expired in
> the registry since it has never made it to an RFC.
> Regarding the footnote, I've drafted something as follows:
>
> [[
> Note: these values were reserved as per draft-ipsec-ike-ecc-groups which
> never made it to the RFC.  These values might be used by some
> implementations as currently registered in the registry, but new
> implementations should not use them.
> ]]
>
> Question: does the above look okay?  Please comment.  When I receive
> your edits, I will add the "Note" to the registry.
>
> Please see: http://www.iana.org/assignments/ipsec-registry
>
> When you have updates for the isakmp-registry, please send them
> to us.
>
> Thank you again for your help,
> ~pearl
>
>
> On Mon Jan 09 08:24:39 2012, kivinen@iki.fi wrote:
>> [I CCed the ipsec@ietf.org list, as this changes the registration
>> policies, and we have already had some discussion about this earlier
>> on the list and other people there might also have their opinion about
>> the matter.]
>>
>> Pearl Liang via RT writes:
>>> 1) What are the registration procedures for these sub-registries
>>> listed in http://www.iana.org/assignments/ipsec-registry:
>>>
>>> - Exchange Type
>>> - Additional Exchanges Defined-- XCHG values
>>> - Next Payload Types
>>> - Notify Message Types
>>>    - Notify Messages - Error Types (1-8191)
>>>    - Notify Messages - Status Types (16384-24575)
>>>
>>> ?  I would like to update "Not defined" if possible.
>>
>> For most of those it is not defined... I.e the original RFC does not
>> specify any registration procedures for them (or for some other
>> registries we have there).
>>
>> I would most likely think it would be best to put them as
>> "Specification required" or "RFC required".
>>
>> Actually I think we should go through the RFC2407-2409 and see from
>> there for which registries they do specify any registration policies,
>> and use those values for only those registries and put everything else
>> as "Specification required" or "RFC Required".
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: Attribute Classes
>> Current: Standards-track RFC
>> RFC2409: 11.1 Attribute Classes
>>
>>     Attributes negotiated in this protocol are identified by their class.
>>     Requests for assignment of new classes must be accompanied by a
>>     standards-track RFC which describes the use of this attribute.
>>
>> ->  Standards-track RFC, already OK
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name:  Encryption Algorithm Class Values (Value 1)
>> Current: Standards-track or Informational RFC
>> RFC2409: 11.2 Encryption Algorithm Class
>>
>>     Values of the Encryption Algorithm Class define an encryption
>>     algorithm to use when called for in this document. Requests for
>>     assignment of new encryption algorithm values must be accompanied by
>>     a reference to a standards-track or Informational RFC or a reference
>>     to published cryptographic literature which describes this algorithm.
>>
>> ->  Specification required, currently this is Standards-track or
>>     Informational RFC, but I think Specification required is closer to
>>     what the RFC says about "a reference to published cryptographic
>>     literature".
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: Hash Algorithm (Value 2)
>> Current: Standards-track or Informational RFC
>> RFC2409: 11.3 Hash Algorithm
>>
>>     Values of the Hash Algorithm Class define a hash algorithm to use
>>     when called for in this document. Requests for assignment of new hash
>>     algorithm values must be accompanied by a reference to a standards-
>>     track or Informational RFC or a reference to published cryptographic
>>     literature which describes this algorithm. Due to the key derivation
>>     and key expansion uses of HMAC forms of hash algorithms in IKE,
>>     requests for assignment of new hash algorithm values must take into
>>     account the cryptographic properties-- e.g it's resistance to
>>     collision-- of the hash algorithm itself.
>>
>> ->  Specification required, see above.
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: IPSEC Authentication Methods (Value 3)
>> Current: Standards-track RFC
>>
>> There is nothing about this in the RFC2409, so I would say either "RFC
>> required" or "Specification required" would be ok. There is draft
>> http://tools.ietf.org/html/draft-harkins-ike-iana-update-00 already
>> proposing this change.
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: Group Description (Value 4)
>> Current: Standards-track or Informational RFC
>> Registry Name: Group Type (Value 5)
>> Current: Standards-track or Informational RFC
>> RFC2409: 11.4 Group Description and Group Type
>>
>>     Values of the Group Description Class identify a group to use in a
>>     Diffie-Hellman exchange. Values of the Group Type Class define the
>>     type of group. Requests for assignment of new groups must be
>>     accompanied by a reference to a standards-track or Informational RFC
>>     which describes this group. Requests for assignment of new group
>>     types must be accompanied by a reference to a standards-track or
>>     Informational RFC or by a reference to published cryptographic or
>>     mathmatical literature which describes the new type.
>>
>> Group Description (Value 4) ->  RFC required
>> Group Type (Value 5) ->  Specification required
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: Life Type (Value 11)
>> Current: Specification Required
>> RFC2409: 11.5 Life Type
>>
>>     Values of the Life Type Class define a type of lifetime to which the
>>     ISAKMP Security Association applies. Requests for assignment of new
>>     life types must be accompanied by a detailed description of the units
>>     of this type and its expiry.
>>
>> ->  Hmm... this is vague, I would expect it means "Specification
>>     required", so ok already.
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: PRF (Value 13)
>> Current: Standards-track or Informational RFC
>>
>> There is nothing about this in the RFC2409, so I would say either "RFC
>> required" or "Specification required" would be ok.
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: Exchange Type
>> Current: Not defined
>>
>> There is nothing in RFC2409/RFC2408. There has not been additions to
>> this, and I do not expect there to be one (as all new stuff should be
>> done on the protocol which obsoleted this one). I would say "Standards
>> Action" would most likely be best for this.
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: Additional Exchanges Defined-- XCHG values
>> Current: Not defined
>>
>> There is nothing in RFC2409/RFC2408. Same as above ->  "Standards
>> Action".
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: ISAKMP Domain of Interpretation (DOI)
>> Current: Standards-track RFC
>> RFC2408: Domain of Interpretation
>>
>>     The Domain of Interpretation (DOI) is a 32-bit field which identifies
>>     the domain under which the security association negotiation is taking
>>     place.  Requests for assignments of new DOIs must be accompanied by a
>>     standards-track RFC which describes the specific domain.
>>
>> ->  "Standards action" (i.e. Standards-track RFC)
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: Next Payload Types
>> Current: Internet Draft
>>
>> There is nothing in RFC2409/RFC2408. There has been more of these, so
>> "RFC required", I think Internet Draft is bit too low, and not
>> matching the RFC5226 usages.
>>
>> ----------------------------------------------------------------------
>>
>> Registry Name: Notify Message Types
>> Current: Not defined
>> Sub-registry: Notify Messages - Error Types (1-8191)
>> Current: Not defined
>> Sub-Registry: Notify Messages - Status Types (16384-24575)
>> Current: Not defined
>>
>> No additions to these registries, but these are large registries, so
>> perhaps "RFC required".
>>
>> ----------------------------------------------------------------------
>>
>> There is a problem in the "IPSEC Authentication Methods (Value 3)" as
>> there is 3 values which do not have any real specification, i.e.
>>
>> 6             Encryption with El-Gamal	
>> 7             Revised encryption with El-Gamal	
>> 8             ECDSA signatures                        [Fahn]
>>
>> As there is no reference to any document or anything, I have no idea
>> how anybody could actually implement those in interoperable manner. I
>> would suggest changing those to:
>>
>> 6             Reserved (was Encryption with El-Gamal)
>> 7             Reserved (was Revised encryption with El-Gamal)
>> 8             Reserved (was ECDSA signatures)
>>
>> so it is clear that nobody knows how those should be implemented...
>>
>> ----------------------------------------------------------------------
>>
>>> 2) I've added the draft ietf-ipsec-ike-ecc-groups to ipsec-registry.
>>> I then noticed that the document also requests the following values
>>> as described in Table 2 in the IANA Considerations section:
>>>
>>> 6 EC2NGF163Random2
>>> 7 EC2NGF163Koblitz
>>> 8 EC2NGF283Random
>>> 9 EC2NGF283Koblitz
>>> 10 EC2NGF409Random
>>> 11 EC2NGF409Koblitz
>>> 12 EC2NGF571Random
>>> 13 EC2NGF571Koblitz
>>
>> These are from the
>> http://tools.ietf.org/html/draft-ietf-ipsec-ike-ecc-groups-04 version,
>> i.e. the registry was updated at some point in 2002 even when the
>> registry had registration policy of "RFC Required" and the document
>> was still draft (and was never published as RFC).
>>
>> I think you should remove "Panjwani" and "Blake-Wilson" and put
>> "ipsec-ike-ecc-groups" for all of them, and put some down a footnote
>> saying that the registry was updated too early and the draft never
>> made it to the RFC, but as these values might be used by some
>> implementations they are left there in the registry, but new
>> implementations should not use them. Also the reference could point
>> out that the values in the registry match the -04 version of the
>> document.
>>
>>> 22 ECPRGF192Random
>>> 23 EC2NGF163Random
>>> 24 ECPRGF224Random
>>> 25 EC2NGF233Random
>>> 26 EC2NGF233Koblitz
>>
>> These overlap with the already allocated other groups, so those should
>> not be added to the registry.
>>
>>> Question: are these, specifically 10-13&  22-26, no longer required
>>> by ietf-ipsec-ike-ecc-groups?  If we should leave them untouched,
>>> please let me know.
>>
>> The draft-ietf-ipsec-ike-ecc-groups document will most likely not be
>> going forward so adding the footnotes and comments to references might
>> be best.
>>
>> I did not yet check the isakmp-registry, I will do that later.
>>
>
> ~pearl
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email