Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike

[mohamed.boucadair@orange.com]

Hi Tommy, 

All good points. Thanks. 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : IPsec <ipsec-bounces@ietf.org> De la part de Tommy Pauly
> Envoyé : jeudi 11 novembre 2021 15:08
> À : Tero Kivinen <kivinen@iki.fi>; ipsec@ietf.org
> Objet : Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
> 
> I support adoption of this work. The mechanism of specifying the
> authentication domain name and service parameters is sound, and the right
> direction.
> 
> I do agree with Paul Wouter’s comments, and I think the parts of the
> document that deal with requirements for config requests need work.
> Ideally, this doesn’t need to update split-DNS, but instead just reference
> the fact that the encrypted resolvers MUST always be preferred when
> present.

[Med] We will need to decide if we keep this as SHOULD/RECOMMENDED or use a strong language (MUST) as you suggest.  

> 
> The text also needs to be careful about not over-mandating behavior. For
> example, the text currently says the following:
> 
>    If the IPsec connection is a split-tunnel configuration and the
>    initiator negotiated INTERNAL_DNS_DOMAIN as per [
> RFC8598
> ], the DNS
>    client MUST resolve the internal names using ENCDNS_IP* DNS servers.
> 

[Med] Agree this should be better worded. The case we had in mind is when INTERNAL_DNS_DOMAIN is negotiated but INTERNAL_*_DNS attributes are not present. In such case, the name are resolved using ENCDNS_IP* servers. There is a MUST in RFC8598 that I do still think is problematic and need to be relaxed in the presence of ENCDNS_IP*. 

> RFC 8598 has a bit more leeway, explaining that there may be some domains
> that are prohibited by local policy from being claimed by the IKE tunnel.
> This needs to be maintained.
> 
> For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not
>    prohibited by local policy, the client MUST use the provided
>    INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only
>    resolvers for the listed domains and its subdomains, and it MUST NOT
>    attempt to resolve the provided DNS domains using its external DNS
>    servers.
> 
> Best,
> Tommy
> 
> > On Nov 8, 2021, at 6:17 AM, Tero Kivinen <kivinen@iki.fi> wrote:
> >
> > This is the start of 2 week WG adoption call for this document, ending
> > 2021-11-22. Please send your reply about whether you support adopting
> > this document as WG document or not.
> > --
> > kivinen@iki.fi
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.