Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07
Valery Smyslov <smyslov.ietf@gmail.com> Mon, 26 December 2022 13:10 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3A69C1522BD for <ipsec@ietfa.amsl.com>; Mon, 26 Dec 2022 05:10:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kskVcHmBffAe for <ipsec@ietfa.amsl.com>; Mon, 26 Dec 2022 05:10:16 -0800 (PST)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C632C14CF00 for <ipsec@ietf.org>; Mon, 26 Dec 2022 05:10:16 -0800 (PST)
Received: by mail-lj1-x22c.google.com with SMTP id v23so1067106ljj.9 for <ipsec@ietf.org>; Mon, 26 Dec 2022 05:10:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=vBYrqQk4u++DwtbU5GQbrZ+i4WBpQFPqaHJhS72Esus=; b=QtmbYfZecNErD0uda0nKX/eqbVaaaWZeAqFT5MyGFsNWpFhRfXrCK3EeVfQ/1oLkTs eDn/coftaPzEBKndT3z683uWQTKgAeLgY/kxSR0J1L0/Vh4eQpr4lvcAGjpBjowC8SCN RT+Oted71bYSSTUrjfrgeCPaOmnnRCrMD3bbgoWHfDThiXaCx5DvxG+GLu1ISoe8bZ/k aJ03sSo5hTvat7i2raXTh37YhnEU01MHoX346U+XB03tOgAEyORwFuZCrX887uZz73hA jAsNs1Z8HFADCUmtLH7AgvBhCI1GpEo+eOoEU1O8npIMsFWpQlXlrqEmPWa54EApqv2L 0D7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=vBYrqQk4u++DwtbU5GQbrZ+i4WBpQFPqaHJhS72Esus=; b=ne5pXs9NWAoFXZxf/aYqiunFGL4IoZw6dCuqMdglN6IDXV8QOF/sJneBbaw4Elj6uS 5AWggP5N/w83GMaQpmSbP1iyhb012yAgNL116dGp81IewsN1lLZkIFfd6TDX69umDGS9 GYQPcFlqkKWKTVkedcnFg+peK40KQvHHXI5dqgreO+GMGFCjLI4mxDIGn4xujlwIhaQ/ UyS3ZcWsI7WP4EgSPBJRdItna3haAfmmZ01EK/yISdmmRTHo0Zaplx7HvAIowrWiP3h/ vI/x0heZd8ujSl1xQcWXZrJKlQdsEPIEYatnpYJMaJrTJ0RkUMsX3Uk1jsXgzjHoWx7A jL5Q==
X-Gm-Message-State: AFqh2kog5hc79tJgb5mVXYOssIpRtju5aoGkio2IEEFndTfR7HE+/Em/ 0RhQff4wkzhC1hK/OZLDpj6ls4dF6dI=
X-Google-Smtp-Source: AMrXdXspYoiBctzxu9YSyBkE4rFHb6M515uHoX5oJV9ixJnh40HY8c8Zu+BSgq30NfOaEautK4njsQ==
X-Received: by 2002:a2e:a604:0:b0:27f:7075:9585 with SMTP id v4-20020a2ea604000000b0027f70759585mr4224161ljp.11.1672060214461; Mon, 26 Dec 2022 05:10:14 -0800 (PST)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id g10-20020a2ea4aa000000b00279811b20aasm1304449ljm.2.2022.12.26.05.10.13 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Dec 2022 05:10:13 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>
Cc: ipsec@ietf.org, bew.stds@gmail.com
References: <11505.1671563270@localhost> <257b01d9151c$a16579f0$e4306dd0$@gmail.com> <9470.1671641738@localhost> <261c01d915e3$50ef2670$f2cd7350$@gmail.com> <14222.1671724652@localhost> <268e01d916a2$1ad7bec0$50873c40$@gmail.com> <27837.1671814151@localhost>
In-Reply-To: <27837.1671814151@localhost>
Date: Mon, 26 Dec 2022 16:10:13 +0300
Message-ID: <27d301d9192b$645265b0$2cf73110$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKeBWC6qo76WkEy8zM45q+l9j6TWgGzCTsyAnEMrYcCmknuMQIab9ZYAeHz0tIBSrb5N6yVypiA
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/YJYH62URoPfIIYon-bXT4nAQjco>
Subject: Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Dec 2022 13:10:16 -0000
> >> > Thus, what do you want to see in the third column? "Defined in RFC > >> > 7296"/"Defined in this document"? > >> > >> You could say, "STD79", and "Section X" if you like. > > > I prefer "RFC7296", as it's better known than "STD79" :-) > > Yet, it's incorrect. I'm not sure. > It fails to include the updates, and it goes stale. The table of payloads in the G-IKEv2 spec will not contain updates anyway. It lists the payloads defined in RFC 7296 and thus it seems appropriate to reference a document where they are defined, not its future updates. As, for example, IANA registries do. > It also wastes all the effort we put into bringing it to Internet Standard. Bad or good, I believe it is a common practice in IETF, no? For example, a well-known RFC 822 is also STD 11, but it is rarely referenced by the latter name... > > The similarity between IKE_AUTH and GSA_AUTH is that both complete > > authenticating peers and creating IKE SA. The difference is that > > IKE_AUTH in addition creates unicast Child SA, so the set of payloads > > It does? I'm puzzled. Do you have any doubts? Quoting RFC 7296 Section 1 (Introduction): In the common case, there is a single IKE_SA_INIT exchange and a single IKE_AUTH exchange (a total of four messages) to establish the IKE SA and the first Child SA. Am I missing the point? > >> > Note, that RFC 7296 includes a concept of one-way IKEv2 messages > >> (for > error notification in case no IKE SA exists). > >> > >> Fair enough, but those are inside the IKEv2 PARENT_SA, while GSA_REKEY > >> is not. > > > GSA_REKEY is "inside" a multicast rekey SA (which is different from > > initial GM<->GCKS IKE SA). > > I think that this new SA needs to be introduced. It is introduced. Section 1: Group rekeys are accomplished using ... the GSA_REKEY pseudo-exchange (a single message distributed to all GMs, usually as a multicast message) ... > I think that there need to be some diagrams. Figure 1 shows the case where rekeying is being done over multicast. Do you think more clarifications are needed? Regards, Valery. > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > > >
- [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07 Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Paul Wouters
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Paul Wouters