Re: [IPsec] Dnsdir last call review of draft-ietf-ipsecme-add-ike-09
mohamed.boucadair@orange.com Fri, 17 March 2023 14:00 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E57F3C1522A4; Fri, 17 Mar 2023 07:00:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PDJGbivtsMJA; Fri, 17 Mar 2023 06:59:58 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B91ECC151547; Fri, 17 Mar 2023 06:59:57 -0700 (PDT)
Received: from opfedar05.francetelecom.fr (unknown [xx.xx.xx.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfedar25.francetelecom.fr (ESMTP service) with ESMTPS id 4PdQk40tryz8t7L; Fri, 17 Mar 2023 14:59:56 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1679061596; bh=pw3OPCtWjuJXqCtlx3CYZfw7zVdPsjIfKWdTSfWbo5Y=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=WxGDKxX3ezgjQY+ikk4GiBUfbz6O6grtsx9AzAUuive65fBeA9zK5ZnetS2B/7jVD ZWMHo6pfcGzJakpKy7WKv9UnWmptxK62OefacYr2+gaLDLuograDkO+CKhdxknZlON y1wJog6xZKMrYNZ5WbJPpUCEUKTAYFQntbzXn7KbOJOweLfZI/R3i0YpSPsENAl627 UA3rnxqcUlKZsXSYuKdKoa4JQxkXtlVGNTPzYQOzEtp/3At9Duz9V3aPzgbZYE8IQG GqasVHTvKJzFCR3UE4+uWwWp3KTyo4IsRffBvhKL+7pQxxSMzMZ5Ub+zyNFSQvSnUG b7HnU5z66p0CA==
From: mohamed.boucadair@orange.com
To: Tero Kivinen <kivinen@iki.fi>
CC: Patrick Mevzek <ietf-datatracker@ext.deepcore.org>, "dnsdir@ietf.org" <dnsdir@ietf.org>, "draft-ietf-ipsecme-add-ike.all@ietf.org" <draft-ietf-ipsecme-add-ike.all@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Dnsdir last call review of draft-ietf-ipsecme-add-ike-09
Thread-Index: AQHZWNR4lVgVKqA3gEGieI/Q3jWcSa7+/G+w
Content-Class:
Date: Fri, 17 Mar 2023 13:59:55 +0000
Message-ID: <5789_1679061595_6414725B_5789_369_2_6e1502201e0a4fe5a9175893f58b83d2@orange.com>
References: <167899946604.826.16271744983493705402@ietfa.amsl.com> <4399_1679049495_64144317_4399_388_1_6c866c11ab584e4d8158d5f8ded3ec3c@orange.com> <25620.27436.363210.343938@fireball.acr.fi>
In-Reply-To: <25620.27436.363210.343938@fireball.acr.fi>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2023-03-17T13:49:45Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=e935c0ad-58ff-4330-8f37-cae34a91b874; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.115.26.52]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/arw6Kj_BbPXdxB0E60AjDk7pu5c>
Subject: Re: [IPsec] Dnsdir last call review of draft-ietf-ipsecme-add-ike-09
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2023 14:00:02 -0000
Hi Tero, Please see inline. Cheers, Med > -----Message d'origine----- > De : Tero Kivinen <kivinen@iki.fi> > Envoyé : vendredi 17 mars 2023 14:29 > À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com> > Cc : Patrick Mevzek <ietf-datatracker@ext.deepcore.org>; > dnsdir@ietf.org; draft-ietf-ipsecme-add-ike.all@ietf.org; > ipsec@ietf.org; last-call@ietf.org > Objet : RE: Dnsdir last call review of draft-ietf-ipsecme-add-ike- > 09 > > mohamed.boucadair@orange.com writes: > > > At the IETF process level, which I don't master, because of > last > > > note in §4, shouldn't that document explicitly say it updates > > > RFC8598? > > > > [Med] We discussed this point at the time (and I was personally > for > > adding the header), but we didn't because the convention in > ipsecme WG > > is to not add the Update header if implementations are clearly > able to > > distinguish the cases when an extension is being used even if > the > > extension would change the behavior defined in the existing > RFCs. In > > this spec, if the initiator receives any of ENCDNS_IP* > attributes, it > > will know that it should not expect the INTERNAL_IP*_DNS even if > it > > receives INTERNAL_DNS_DOMAIN too. The note you are referring to > is to > > make that clear. > > I think we usually use updates header if implementations > supporting old RFC but not this, needs to change their behavior. > > I.e., if we just add new attributes, and the implementations of > old RFC simply ignore them then everything is fine. > > But my understanding is that this is not the case here, as if you > send INTERNAL_DNS_DOMAIN without INTERNAL_IP*_DNS but with > ENCDNS_IP* to implementations supporting old RFC, [Med] Responders know when it will break. They will basically supply the encrypted DNS to initiators who indicated support as per: Initiators first indicate support for encrypted DNS by including ENCDNS_IP* attributes in their CFG_REQUEST payloads. Responders supply encrypted DNS configuration by including ENCDNS_IP* attributes in their CFG_REPLY payloads. If responders decide to ignore the capabilities of the initiators, returning **only** the ENCDNS_IP* won't break only split horizon but the full DNS service! then that RFC > will consider this as a fatal error, and tear down the whole IKE > SA, instead of silently ignoring ENCDNS_IP* and > INTERNAL_DNS_DOMAIN attributes. > > So in this case it would be better for the old Split DNS > Configuration for IKEv2 RFC8598 implementations to be changed in a > way that they recognize this situation and do not consider it as a > fatal error. > > Update to the RFC8598 would not be needed if the RFC8598 > implementations would simply ignore both the INTERNAL_DNS_DOMAIN > and > ENCDNS_IP* in configuration payload, but I do not think that is > the case here. > > So question is not whether it is possible to recognize the > situation, it is what happens when you combine new and old > implementations. If things works without a need to change old > implementations then no updates is needed, if you need to update > the old implentations too, then you do need updates header. > -- > kivinen@iki.fi _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [IPsec] Dnsdir last call review of draft-ietf-ips… Patrick Mevzek via Datatracker
- Re: [IPsec] Dnsdir last call review of draft-ietf… mohamed.boucadair
- Re: [IPsec] Dnsdir last call review of draft-ietf… Tero Kivinen
- Re: [IPsec] Dnsdir last call review of draft-ietf… mohamed.boucadair
- Re: [IPsec] Dnsdir last call review of draft-ietf… Tero Kivinen
- Re: [IPsec] Dnsdir last call review of draft-ietf… Valery Smyslov
- Re: [IPsec] Dnsdir last call review of draft-ietf… Tero Kivinen
- Re: [IPsec] Dnsdir last call review of draft-ietf… mohamed.boucadair
- Re: [IPsec] Dnsdir last call review of draft-ietf… Tero Kivinen