Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
"Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com> Thu, 23 March 2017 16:26 UTC
Return-Path: <jun.hu@nokia.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C66E11298AA; Thu, 23 Mar 2017 09:26:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.697
X-Spam-Level:
X-Spam-Status: No, score=-4.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e9GFPb6v1rnJ; Thu, 23 Mar 2017 09:25:58 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0095.outbound.protection.outlook.com [104.47.2.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2E171294A0; Thu, 23 Mar 2017 09:25:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=0iv+moMiCxRcjgx661pGIZKIuUcF1fEzmMPhIMdriDM=; b=RKmAuiJGHxeFKlVNntHbrZPtKYx1J9LqNasrpoI+y+FQTR+gy89xpmbzG4BhQdWmJllTfIAH1qOL94IFk9fzqyQn9K7vXrTscChG9Sct77F5Ds5F56Z8WSzC+0wLFRls9Myn3ZF9QR3v4xRVzAK+Ll8u2yV2+r4eIoXJX7jTxQ4=
Received: from HE1PR07MB1417.eurprd07.prod.outlook.com (10.169.122.15) by HE1PR07MB1420.eurprd07.prod.outlook.com (10.169.122.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.4; Thu, 23 Mar 2017 16:25:53 +0000
Received: from HE1PR07MB1417.eurprd07.prod.outlook.com ([10.169.122.15]) by HE1PR07MB1417.eurprd07.prod.outlook.com ([10.169.122.15]) with mapi id 15.01.0991.013; Thu, 23 Mar 2017 16:25:53 +0000
From: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>
To: "Paul.Koning@dell.com" <Paul.Koning@dell.com>, "kivinen@iki.fi" <kivinen@iki.fi>
CC: "draft-ietf-ipsecme-rfc7321bis@ietf.org" <draft-ietf-ipsecme-rfc7321bis@ietf.org>, "ben@nostrum.com" <ben@nostrum.com>, "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "paul@nohats.ca" <paul@nohats.ca>, "david.waltermire@nist.gov" <david.waltermire@nist.gov>
Thread-Topic: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
Thread-Index: AQHSo7kV5lIftz+KZECrKBONojl6I6GiZKaAgAA3Y6A=
Date: Thu, 23 Mar 2017 16:25:53 +0000
Message-ID: <HE1PR07MB14175CF7CFDD646783F73741953F0@HE1PR07MB1417.eurprd07.prod.outlook.com>
References: <148962889979.14189.965850110922865986.idtracker@ietfa.amsl.com> <alpine.LRH.2.20.999.1703161300150.32675@bofh.nohats.ca> <22739.38728.808538.27709@fireball.acr.fi> <F28C3A8C-4811-430C-BABE-4AD1D782E6D9@dell.com>
In-Reply-To: <F28C3A8C-4811-430C-BABE-4AD1D782E6D9@dell.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dell.com; dkim=none (message not signed) header.d=none;dell.com; dmarc=none action=none header.from=nokia.com;
x-originating-ip: [98.210.180.51]
x-microsoft-exchange-diagnostics: 1; HE1PR07MB1420; 7:smiOPRribQVhro0Sx2D0A/Th+eVsMNxL93pXklbHIL3P24HS+pu9q50QF78lz6/nxL3DMA2uIUT3Pn4wsYnEC1plcCYr6kEY8JY6t/mMC6OGudaKTGBZ3aUMfzi5MJet695TMt5E9Ruz73rs9hExiuiyG3wmQzyApBfZi1ySc37ij8UZVUJfdvBz1swsoNpQjw/NyycDika7mYpadkKSAtkGCiRailfagrxcv+1BWm2X+i8wQfHkpdhyghng3sXmsDhD2PjXo5HQnlixIeyphZFMxEFhzlVq06DJg8nrOc8KbsPJREQwwmfy3yYc5ZLXntMhTFUTfZvC+GndCIac1A==
x-ms-office365-filtering-correlation-id: 050f4651-c67d-4a67-c963-08d4720946e8
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081); SRVR:HE1PR07MB1420;
x-microsoft-antispam-prvs: <HE1PR07MB14209C15F381D1D549FD1020953F0@HE1PR07MB1420.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(56004941905204);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(6041248)(20161123555025)(20161123562025)(20161123560025)(20161123564025)(20161123558025)(6072148); SRVR:HE1PR07MB1420; BCL:0; PCL:0; RULEID:; SRVR:HE1PR07MB1420;
x-forefront-prvs: 0255DF69B9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39860400002)(39840400002)(39450400003)(39410400002)(39850400002)(52314003)(13464003)(24454002)(54094003)(377454003)(3660700001)(86362001)(50986999)(7736002)(189998001)(93886004)(7696004)(76176999)(74316002)(8936002)(54356999)(8676002)(2900100001)(81166006)(305945005)(122556002)(25786009)(66066001)(53546009)(4326008)(102836003)(55016002)(2906002)(2501003)(230783001)(77096006)(33656002)(3846002)(2950100002)(3280700002)(6116002)(6506006)(9686003)(6246003)(6436002)(53936002)(6306002)(5660300001)(38730400002)(8656002)(229853002)(99286003)(8666007)(54906002); DIR:OUT; SFP:1102; SCL:1; SRVR:HE1PR07MB1420; H:HE1PR07MB1417.eurprd07.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Mar 2017 16:25:53.3393 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB1420
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RwItzR2ndVlRrAVawssuN_fh8aY>
Subject: Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 16:26:01 -0000
A very real use case is OSPFv3 authentication (RFC 4552), all major router vendor supports OSPFv3 implement that, and it is deployed around world; Plus I don't see any realistic alternative for the use case > -----Original Message----- > From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of > Paul.Koning@dell.com > Sent: Thursday, March 23, 2017 6:05 AM > To: kivinen@iki.fi > Cc: draft-ietf-ipsecme-rfc7321bis@ietf.org; ben@nostrum.com; ipsecme- > chairs@ietf.org; ipsec@ietf.org; iesg@ietf.org; paul@nohats.ca; > david.waltermire@nist.gov > Subject: Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: > (with COMMENT) > > > > On Mar 23, 2017, at 5:37 AM, Tero Kivinen <kivinen@iki.fi> wrote: > > > > Paul Wouters writes: > >>> -3: I wonder why "... is not to be used..." is not "... MUST NOT be > >>> used...". But the section goes on to say if you do it anyway, you > >>> MUST NOT use certain cryptosuites. So, does "... is not to be > >>> used..." mean "SHOULD NOT"? Or is this one of those "MUST NOT BUT WE > KNOW YOU WILL" > >>> sort of requirements? > >> > >> It is indeed. I think a SHOULD NOT would actually be appropriate ? > > > > We do not want to make the implementation of the manual keying MUST > > NOT, as it is still useful in testing and similar situations, but we > > do not want anybody using it in any real world use cases. As this > > document is mostly about the implementation and tries to stay out from > > the issues about what should be used (as explained in the 2nd > > paragraph of the section 1.3). > > The problem is that currently USGv6 mandates support for manual keying > based on earlier RFC text. I wonder if the proposed text is strong enough to > make them understand this is wrong. This is why I was pushing for MUST NOT. > > Exotic test scenarios aren't all that good an argument, for those you can hack > the code and ignore the RFC. > > paul > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-… Ben Campbell
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Waltermire, David A. (Fed)
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Ben Campbell
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Frankel, Sheila E. (Fed)
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul.Koning
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Tero Kivinen
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul.Koning
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Eric Rescorla
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul.Koning
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Russ Housley
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Eric Rescorla