Re: [IPsec] Benjamin Kaduk's No Objection on draft-ietf-ipsecme-implicit-iv-08: (with COMMENT)
Daniel Migault <daniel.migault@ericsson.com> Sat, 19 October 2019 01:41 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2799812012E; Fri, 18 Oct 2019 18:41:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.477
X-Spam-Level:
X-Spam-Status: No, score=-1.477 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.172, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B9KiIz3Y-yQd; Fri, 18 Oct 2019 18:41:18 -0700 (PDT)
Received: from mail-ua1-f52.google.com (mail-ua1-f52.google.com [209.85.222.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC18D120105; Fri, 18 Oct 2019 18:41:17 -0700 (PDT)
Received: by mail-ua1-f52.google.com with SMTP id j5so2368032uak.12; Fri, 18 Oct 2019 18:41:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jpRbF7t7lduSSR7E7WqxA1bQw9tiXFcyNB96ixvm4Qs=; b=ljbFPkorxBYsyiaz44p3MazRre+zKWoGLsTxGzKPkZ4HSPmGnX+wq01KJ5v0eCyqFi W9DAd4whV96uwh0ZMG2FewdQFXtGLagw1/xGXV6xQ46fT/YK1qb6g2B6zJ7v7cKMQAvV VBYYtna4X+Cwy0+X+th1psghe0PAuejm1GegvnaOgSVSWAFZpZvRsDjqU8BhzXkOezzf GlM9NNclmHqCjpBmG3u0uVpk6mmmwviin5zHStuBDYzVCSu97sjN6eOwfLHbkvmQ3tht WU1rwnYzT4zlYn3ONwFtr69xB2GRNFoQO0v/rKnECPwNnrUXcJ/jwf4Sv56gFZfHzSVY FRTg==
X-Gm-Message-State: APjAAAXYthfiCnCPrRk+o0B2iXhJ2sFlRs+PaZHaGSan7UapSghjN1fA zO/il+IBYPk5gn/x7XK759K7fkhcGNhFnbNVdEU=
X-Google-Smtp-Source: APXvYqyK445LgdzB8QhYUPO0A7DEkw80T4AIk7F8E9AEDNFB9cWAKE91bha6k+LBTkmp0Z2C5myrE6iJ+7AS5gWpzE4=
X-Received: by 2002:a9f:3673:: with SMTP id s48mr7042099uad.119.1571449276575; Fri, 18 Oct 2019 18:41:16 -0700 (PDT)
MIME-Version: 1.0
References: <157128300620.9968.15171563029563358723.idtracker@ietfa.amsl.com> <CADZyTknmOH=WV-ET8mjr+99sawcgt6H+5aooJvwz_hS+idAM3Q@mail.gmail.com> <20191018194329.GK43312@kduck.mit.edu>
In-Reply-To: <20191018194329.GK43312@kduck.mit.edu>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Fri, 18 Oct 2019 21:41:05 -0400
Message-ID: <CADZyTkkwOJrq24K75QMKRCa2ViMO1M04KdeZsf9YtmV+dcegYw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: IPsecME WG <ipsec@ietf.org>, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-implicit-iv@ietf.org, The IESG <iesg@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary="000000000000e9b6a10595398b1e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ak5yJJ5FwH0XPPW4bO8j39qPUmQ>
Subject: Re: [IPsec] Benjamin Kaduk's No Objection on draft-ietf-ipsecme-implicit-iv-08: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Oct 2019 01:41:21 -0000
Thank you for the response, I just published a new version with the mentioned text. Thank you again for the comments! Yours, Daniel On Fri, Oct 18, 2019 at 3:43 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > On Thu, Oct 17, 2019 at 10:37:10PM -0400, Daniel Migault wrote: > > Hi Benjamin, > > Thanks you for the comments. Please see in line my responses. > > Yours, > > Daniel > > On Wed, Oct 16, 2019 at 11:30 PM Benjamin Kaduk via Datatracker > > <noreply@ietf.org> wrote: > > > > Benjamin Kaduk has entered the following ballot position for > > draft-ietf-ipsecme-implicit-iv-08: No Objection > > > > When responding, please keep the subject line intact and reply to > all > > email addresses included in the To and CC lines. (Feel free to cut > this > > introductory paragraph, however.) > > > > Please refer to > > https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/ > > > > > ---------------------------------------------------------------------- > > COMMENT: > > > ---------------------------------------------------------------------- > > > > Thanks for addressing my Discuss! > > > > A few new comments on the -08: > > > > Abstract > > > > If we're going to differentiate between nonce and IV, I think that > > the algorithms require a unique but not necessarily unpredictable > > *nonce*, > > rather than *IV*. > > > > I would preferred to have IV instead of nonce is that IPsec provides > > constraints on the IV, not the nonce. I expected to have switched from > > algorithms to their implementations by writing "when used with IPsec" > in > > the previous sentence. In order to flip-flop from algorithm to their > > implementations with IPsec, I propose to clarify this as follows: > > OLD: > > These > > algorithms require a unique IV but do not require an unpredictable IV. > > NEW: > > This IV must be unique but can be predictable. > > Thanks! > > > > > Section 2 > > > > nit: s/Initialize/Initialization/ > > > > Fixed > > > > nit: s/similar mechanism/similar mechanisms/ plural > > > > Fixed > > > > > > Section 7 > > > > My previous ballot was trying to note that the sender/receiver > counters > > MUST be reset (as noted here) even without this document, as part of > > the core ESP requirements. So we don't need to use the "MUST" here > as > > if it's a new requirement; we can just say that this behavior is > already > > present due to the preexisting requirements > > > > Well, the reason I included it was that - at least my reading of ESP > - ESP > > seems to require key to be rekeyed when the SN reaches its limit only > when > > anti-replay is activated. In our case, we need to have this property > even > > without anti replay protection. Here is the text I considered rfc4303 > > section 2.2 > > """ > > > > The sender's counter and the receiver's counter are initialized to 0 > > when an SA is established. (The first packet sent using a given SA > > will have a sequence number of 1; see Section 3.3.3 for more details > > on how the sequence number is generated.) If anti-replay is enabled > > (the default), the transmitted sequence number must never be allowed > > to cycle. Thus, the sender's counter and the receiver's counter MUST > > be reset (by establishing a new SA and thus a new key) prior to the > > transmission of the 2^32nd packet on an SA. > > > > """ > > Ah, it seems I was reading too quickly and missed the precondition. > Thanks for the attention to detail! > > -Ben > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [IPsec] Benjamin Kaduk's No Objection on draf… Daniel Migault
- Re: [IPsec] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk
- Re: [IPsec] Benjamin Kaduk's No Objection on draf… Daniel Migault