[IPsec] Robert Wilton's Discuss on draft-ietf-ipsecme-add-ike-11: (with DISCUSS and COMMENT)
Robert Wilton via Datatracker <noreply@ietf.org> Thu, 27 April 2023 09:19 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: ipsec@ietf.org
Delivered-To: ipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 98D56C151545; Thu, 27 Apr 2023 02:19:29 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Robert Wilton via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ipsecme-add-ike@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi, kivinen@iki.fi
X-Test-IDTracker: no
X-IETF-IDTracker: 10.0.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Robert Wilton <rwilton@cisco.com>
Message-ID: <168258716961.30194.4411331064355666357@ietfa.amsl.com>
Date: Thu, 27 Apr 2023 02:19:29 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/_hnVo6dZ8EgUTgisSNLrDGAQOls>
Subject: [IPsec] Robert Wilton's Discuss on draft-ietf-ipsecme-add-ike-11: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2023 09:19:29 -0000
Robert Wilton has entered the following ballot position for draft-ietf-ipsecme-add-ike-11: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ipsecme-add-ike/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Hi, Thanks for this document. This should be a trivial discuss to resolve, and only flagging it as a discuss because I think that it makes the spec unclear (or wrong): (1) p 4, sec 3.1. ENCDNS_IP* Configuration Payload Attributes * IP Address(es) (variable) - Includes one or more IP addresses that can be used to reach the encrypted DNS resolver identified by the Authentication Domain Name. For ENCDNS_IP4 this field contains one or more 4-octet IPv4 addresses, and for ENCDNS_IP6 this field contains one or more 16-octet IPv6 addresses. Shouldn't this be zero or more IP addresses? Otherwise, the example that only contains a domain and no IP address appears to be invalid. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Minor level comments: (2) p 0, sec This document specifies new Internet Key Exchange Protocol Version 2 (IKEv2) Configuration Payload Attribute Types to assign DNS resolvers that support encrypted DNS protocols, such as DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ). Are there any updates needed to RFC 9061 needed to cover manageability aspects/updates of the attributes defined in this draft? Note, I'm not requesting that they be added to this draft, but instead, I want to check if there is any need or plan to address them. (3) p 2, sec 2. Terminology Do53: refers to unencrypted DNS. This term only turns up a few (3 times) in this doc, and its not clear to me that it improves its readability. I didn't know what it meant, possibly just referencing to "Unencrypted DNS" would be better for the wider audience? (4) p 3, sec 3.1. ENCDNS_IP* Configuration Payload Attributes - 0 if the Configuration payload has types CFG_REQUEST (if no specific DNS resolver is requested) or CFG_ACK. If the 'Length' field is set to 0, then later fields shown in Figure 1 are not present. I found this text unclear & confusing when combined with the following two paragraphs. I would suggest rewording the first sentence to something like: 0, if the Configuration payload has (i) type CFG_REQUEST and no specific DNS resolver is requested or (ii) type CFG_ACK. (5) p 13, sec Appendix A. Sample Deployment Scenarios Readability may be slightly improved by adding a sentence here to explain what the purpose of this section is. (6) p 14, sec Appendix A. Sample Deployment Scenarios Enterprise networks are susceptible to internal and external attacks. To minimize that risk all enterprise traffic is encrypted (Section 2.1 of [I-D.arkko-farrell-arch-model-t]). Would "SHOULD be encrypted" be better than "is encrypted"? Or, alternatively, "Encrypting all internal enterprise traffic minimizes the risks of attacks (Section 2.1 of [I-D.arkko-farrell-arch-model-t]). (7) p 14, sec Appendix B. Examples I would suggest putting each of the two examples into its own subsection. Nit level comments: (8) p 4, sec 3.1. ENCDNS_IP* Configuration Payload Attributes - 0 if the Configuration payload has types CFG_REQUEST (if no specific DNS resolver is requested) or CFG_ACK. If the 'Length' field is set to 0, then later fields shown in Figure 1 are not present. - (4 + Length of the ADN + N * 4 + Length of SvcParams) for ENCDNS_IP4 attributes if the Configuration payload has types CFG_REQUEST or CFG_REPLY or CFG_SET; N being the number of included IPv4 addresses ('Num addresses'). Possibly "(4 + 'Length of the ADN' + (N * 4) + Length of SvcParams)", and similarly for IPv6, would be more explicit. (9) p 5, sec 3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute * Length (2 octets, unsigned integer) - Length of the enclosed data in octets. This field MUST be set to "2 + 2 * number of included hash algorithm identifiers". For clarity, I suggest: "2 + (2 * 'number of included hash algorithm identifiers')" (10) p 6, sec 3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute * Length (2 octets, unsigned integer) - Length of the enclosed data in octets. This field MUST be set to "2 + 2 * number of included hash algorithm identifiers". * Num Hash Algs (1 octet) - Indicates the number of included hash algorithm identifiers. This field MUST be set to "(Length - 2)/2". I suggest, included 'hash algorithm identifiers'. Regards, Rob
- [IPsec] Robert Wilton's Discuss on draft-ietf-ips… Robert Wilton via Datatracker
- Re: [IPsec] Robert Wilton's Discuss on draft-ietf… mohamed.boucadair
- Re: [IPsec] Robert Wilton's Discuss on draft-ietf… Rob Wilton (rwilton)
- Re: [IPsec] Robert Wilton's Discuss on draft-ietf… mohamed.boucadair
- Re: [IPsec] Robert Wilton's Discuss on draft-ietf… mohamed.boucadair
- Re: [IPsec] Robert Wilton's Discuss on draft-ietf… Rob Wilton (rwilton)
- Re: [IPsec] Robert Wilton's Discuss on draft-ietf… mohamed.boucadair
- Re: [IPsec] Robert Wilton's Discuss on draft-ietf… Rob Wilton (rwilton)
- Re: [IPsec] Robert Wilton's Discuss on draft-ietf… Paul Wouters