IETF Logo Mail Archive

Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike

mohamed.boucadair@orange.com Tue, 09 November 2021 12:03 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DB4A3A0FBD; Tue, 9 Nov 2021 04:03:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EUYj5oe6vsks; Tue, 9 Nov 2021 04:03:40 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B0F43A0F4D; Tue, 9 Nov 2021 04:03:40 -0800 (PST)
Received: from opfedar05.francetelecom.fr (unknown [xx.xx.xx.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfedar23.francetelecom.fr (ESMTP service) with ESMTPS id 4HpRTQ5GndzBsPh; Tue, 9 Nov 2021 13:03:38 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1636459418; bh=eW+SGsap7XeI+G0vQm1yelQJlbMnM9vVYz/tkP9yYDU=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=TuNXcTzWlT6YRpE1Wm8tHHTac5fowRfX0CM9zab8VJHJJMBeUNXsWEfNT3gCtYID8 03zrYfh4WktgN3Q7ylLcYw4lvAQU7q7Xw77on+m2EfTfOHvNOuE98GdrHupzsIqpXi d8t07KfSV8TUWRiryNTs2w6LlKIsWYTX2SLsnT5PpmCsgDBse1etHk1hr5nPwbMeMg p0/1QQtQyDpEuCA6URazNN0pDazaxO+03Fzt2z69fjxDTAKsQkvbRdwj4eFHI2I/8K DbIfWOs5+lStjv7GXEgXQzTrYDcN9/D8F2PrA8l6mjkD7YXFtPTw7nmJtW2Shc8SGK XgdzQz1wqsr5A==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfedar05.francetelecom.fr (ESMTP service) with ESMTPS id 4HpRTQ40QHz2xCW; Tue, 9 Nov 2021 13:03:38 +0100 (CET)
From: mohamed.boucadair@orange.com
To: Paul Wouters <paul.wouters@aiven.io>
CC: Tero Kivinen <kivinen@iki.fi>, "ipsec@ietf.org" <ipsec@ietf.org>, "draft-btw-add-ipsecme-ike@ietf.org" <draft-btw-add-ipsecme-ike@ietf.org>
Thread-Topic: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
Thread-Index: AQHX1LQTv/Z3pzLJrUinsBKqSui6sqv5wAKwgAAcaICAATka8A==
Content-Class:
Date: Tue, 09 Nov 2021 12:03:37 +0000
Message-ID: <23906_1636459418_618A639A_23906_93_6_787AE7BB302AE849A7480A190F8B93303544C625@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <24969.12660.103330.619294@fireball.acr.fi> <ccdfdc-634-5989-839b-3cbd17e86d99@nohats.ca> <3996_1636386534_618946E6_3996_297_6_787AE7BB302AE849A7480A190F8B93303544BD42@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <88f8206a-6c2-5816-ada3-e8666ec05e38@nohats.ca>
In-Reply-To: <88f8206a-6c2-5816-ada3-e8666ec05e38@nohats.ca>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2021-11-09T11:47:10Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=4bdacaca-fc02-4939-9a20-f6de50df5291; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/YkSTThc1hhNa2eCI8C3Ag3-h7Yw>
Subject: Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 12:03:45 -0000

Hi Paul, 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Paul Wouters <paul.wouters@aiven.io>
> Envoyé : lundi 8 novembre 2021 19:06
> À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
> Cc : Tero Kivinen <kivinen@iki.fi>; ipsec@ietf.org
> Objet : Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
> 
> On Mon, 8 Nov 2021, mohamed.boucadair@orange.com wrote:
> 
> >> Note the text of the draft claims it updates RFC 8598 but doesn't do
> >> so via an Updates: statement.
> >
> > [Med] We considered to have an "update" header because we were concerned
> with some MUSTs in 8598. We finally didn't include the update header
> because of a comment we received from you prior to publishing the first
> version of the draft. FWIW, here is the exchange we had at that time:
> >
> > ******
> > Med: I have a question for you: now that we don't depend anymore on
> INTERNAL_IP*_DNS and given that a client can be supplied with 8598
> attributes and that 8598 says the following:
> >
> > ==
> > If an INTERNAL_DNS_DOMAIN attribute is
> >   included in the CFG_REPLY, the responder MUST also include one or
> >   both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the
> >   CFG_REPLY.
> >
> > ..
> >
> >   the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a
> >   single list of Split DNS domains that applies to the entire list of
> >   INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes.
> >
> > ==
> >
> > Should we add an update to our daft to indicate that first "MUST" does
> not apply and that the domains are associated with **ANY** supplied
> server?
> >
> > Paul: You cannot update that RFC for that kind of processing. The above
> really says that it makes no sense to have "internal domains" without
> providing "internal DNS servers".
> > ****
> 
> Note that what I said there was that you should not update the _mechanism_
> of how CFG requests/responds are done. You should use the existing
> mechanism with a new value, but use the same negotation mechanism.
> 
> So the client sends FOO(x) and the server respones with FOO(y)
> 
> x can be empty (eg the client has no previous notion or preference for
> FOO. Or if it has one, it can suggest it. The server takes that value only
> as a preference of the client, but the server is the one making the
> ultimate decsion if it returns "x" or "y".
> 
> So your draft should not say the initiator MUST send a zero size request
> for FOO.

[Med] We are not saying that in the draft. 

 That is changing the mechanism.
> 
> What I was saying in my last email was that making a protocol update where
> a server receiving a INTERNAL_IP4_DNS may choose not to return any
> INTERNAL_IP4_DNS is an update to the protocol that would require the
> Updates: clause to warn implementers to read this document too, as it
> updates older RFC text.

[Med] OK. 

> 
> > Also, I think the relaxing of the requirement
> >> is actually wrong, as it might cause lack of interop between newer
> >> servers and older clients not being able to negotiate working DNS if
> >> the new servers no longer serve INTERNAL_IP*_DNS CFG payloads.
> >
> > [Med] Older clients can always ask for INTERNAL_IP6_DNS or
> INTERNAL_IP4_DNS. We will update the note to make this clearer.
> 
> They can indeed. So I think you should just stick with the CFG
> request/response semantics and not talk about omitting INTERNAL_IP*_DNS
> replies if the client asks for those via CFG. This way, the ENC_DNS*
> payloads are simply defined as new CFG options, and clients and servers
> will do the right thing when encountering them. And it requires no
> Updates: clause because it does not modify the behaviour with respect to
> INTERNAL_IP*_DNS. You might want to say a client SHOULD prefer ENC_DNS*
> servers over INTERNAL_IP*_DNS servers.

[Med] That's one approach. The one we have in the draft is to enforce a policy at the responder side:

      The behavior of the responder if it receives both ENCDNS_IP* and
      INTERNAL_IP6_DNS (or INTERNAL_IP4_DNS) attributes is policy-based
      and deployment-specific.  However, it is RECOMMENDED that if the
      responder includes at least one ENCDNS_IP* attribute in the reply,
      it should not include any of INTERNAL_IP4_DNS/INTERNAL_IP6_DNS
      attributes.

This policy allows for more control vs. providing both to the client + let the client decide. 

This is an item for discussion/agreement when the document is adopted. Point recorded. Thanks. 

> 
> 
> 
> >> I am also not clear on the real use of negotiating hash algorithms
> >> for the digest receiving of the ADD server "identity?", as the
> >> document states the authentication happens as per Section 8 of
> >> [RFC8310] which lists WebPKI or DANE authentication against the name
> >> and these methods do not use this digest. I also do not understand
> >> the use of the digest. For authentication, is it not needed as the
> >> entire IKEv2 exchange is authenticated.
> >
> > [Med] We added the digest to address one of the comments raised in a
> previous ipsecme meetings: allow to not rely on PKI for validating the
> encrypted DNS server certificate but convey the end-entity certificate in
> IKEv2 itself.
> 
> Ah, I see. I would probably use some different terminology then, and
> extend the text talking aboyt "as per Section 8 of [RFC8310]" to clarify
> that. I'll see about producing some text for you.
> 

[Med] Great. Looking forward receiving your text proposal. 


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email