Re: [IPsec] Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
Valery Smyslov <svan@elvis.ru> Fri, 12 April 2024 07:40 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72EF2C14F69D; Fri, 12 Apr 2024 00:40:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ztcg57_SWsO7; Fri, 12 Apr 2024 00:40:31 -0700 (PDT)
Received: from dpmail.elvis.ru (dpmail.elvis.ru [93.188.44.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D5DBC14EB17; Fri, 12 Apr 2024 00:40:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To: References:CC:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=2snMuErzNJtXlxjBRM/RMRm5gJhFugxYkRUGBTy0/r8=; b=WLTu+GaYTRaXmWT/oA/Q/F6dwr CW2hOXqqeBcPv+XV+vNHS+YAGFS1ZMg6rE+ExEd4laD94yzIIZUcpRvsgwMoax7rEOhGuEpCSjk8S AI13ppoOOxw7P1KgNVEZzRvA5FNiM5pYWzm7ECmIPR5BhYHH1TP4h7ufxHLzTV8cuM5g=;
Received: from kmail2.elvis.ru ([93.188.44.210]) by dpmail.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1rvBW7-00055i-2l; Fri, 12 Apr 2024 10:40:12 +0300
Received: from mail.office.elvis.ru ([10.111.1.29]) by kmail2.elvis.ru with esmtp (Exim 4.94.2) (envelope-from <svan@elvis.ru>) id 1rvBW6-00D89k-Qe; Fri, 12 Apr 2024 10:40:10 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Fri, 12 Apr 2024 10:40:10 +0300
Received: from BuildPC (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Fri, 12 Apr 2024 10:40:10 +0300
From: Valery Smyslov <svan@elvis.ru>
To: "'Eric Vyncke (evyncke)'" <evyncke@cisco.com>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-ikev2-auth-announce@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
References: <171282942898.60208.16082104712999966299@ietfa.amsl.com> <039901da8c13$72cb6310$58622930$@elvis.ru> <PH0PR11MB49665734085725294196F6BAA9052@PH0PR11MB4966.namprd11.prod.outlook.com>
In-Reply-To: <PH0PR11MB49665734085725294196F6BAA9052@PH0PR11MB4966.namprd11.prod.outlook.com>
Date: Fri, 12 Apr 2024 10:40:10 +0300
Message-ID: <043701da8cac$a5ec20b0$f1c46210$@elvis.ru>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0438_01DA8CC5.CB3A1C00"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKQ/B+n20FMeIdPXc9TaztnjeCv8AI++YmHATuB8K6v24Zs0A==
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-Spam-Scanner: Rspamd work in kmail2.elvis.ru, WHITELIST
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2023/02/21 22:47:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2023/02/21 21:02:00 #20887462
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Scanner: Rspamd work in dpmail.elvis.ru, WHITELIST
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/bGD7DQtErM9nUlAokcYW1pcqE6k>
Subject: Re: [IPsec] Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 07:40:35 -0000
Hi Éric, please see inline. Thank you, Valery, for the prompt reply. See below for EVY> Regards -éric From: Valery Smyslov <svan@elvis.ru <mailto:svan@elvis.ru> > Date: Thursday, 11 April 2024 at 15:23 To: Eric Vyncke (evyncke) <evyncke@cisco.com <mailto:evyncke@cisco.com> >, 'The IESG' <iesg@ietf.org <mailto:iesg@ietf.org> > Cc: draft-ietf-ipsecme-ikev2-auth-announce@ietf.org <mailto:draft-ietf-ipsecme-ikev2-auth-announce@ietf.org> <draft-ietf-ipsecme-ikev2-auth-announce@ietf.org <mailto:draft-ietf-ipsecme-ikev2-auth-announce@ietf.org> >, ipsecme-chairs@ietf.org <mailto:ipsecme-chairs@ietf.org> <ipsecme-chairs@ietf.org <mailto:ipsecme-chairs@ietf.org> >, ipsec@ietf.org <mailto:ipsec@ietf.org> <ipsec@ietf.org <mailto:ipsec@ietf.org> >, kivinen@iki.fi <mailto:kivinen@iki.fi> <kivinen@iki.fi <mailto:kivinen@iki.fi> > Subject: RE: Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT) Hi Éric, thank you for your comments, please see inline. > Éric Vyncke has entered the following ballot position for > draft-ietf-ipsecme-ikev2-auth-announce-09: No Objection > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot- > positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-auth-announce/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > # Éric Vyncke, INT AD, comments fordraft-ietf-ipsecme-ikev2-auth-announce-09 > > Thank you for the work put into this document. > > Please find below some non-blocking COMMENT points (but replies would be > appreciated even if only for my own education), and some nits. > > Special thanks to Tero Kivinen for the shepherd's detailed write-up including > the WG consensus and the justification of the intended status. > > I hope that this review helps to improve the document, > > Regards, > > -éric > > # COMMENTS (non-blocking) > > ## Abstract > > As the I-D is about authentication methods, I wonder whether `with multiple > different credentials` is the right wording, should it rather be "different > authentication methods" ? (of course with some text repetition). I believe "different credentials" may include "different authentication methods"? There are may also be some subtleties. For example, consider the situation when user has 2 certificates: RSA and ECDSA. In this case he/she has different credentials, but from IKEv2 point of view, both use the same authentication method, "Digital Signature", with different signature algorithms. I make the following change: s/multiple different credentials/multiple credentials of different type Is this better? EVY> I think so Great! > ## Section 3.1 > > `Regardless of whether the notification is received,` may be I am mis-reading > this, but why would the responder send the notification if the initiator does > not care anyway ? The responder doesn't know if the initiator cares or not. There is no negotiation of this feature, each party just makes its mind whether to send and whether to process this notification (if it is ever supported). EVY> sure it will work like described in the I-D, but I find it really weird that the initiator does not send its own list. In fact it does, but it sends this after the responder, in the following exchange. So, the responder sends its list first. This is to have the announcements and the list of trust anchors (in the CERTREQ payload) co-located in the same message. > ## Section 3.2 > > While the readers may guess some details, but let's be clear in a proposed > standard I-D: > > 1) `Notification Data field` does not appear in figure 4 > 2) role of C flag and its value > 3) value of Protocol ID > 4) saying that reserved field must be set to 0 by sender and ignored on the > receiver There is a reference to Section 3.10 of RFC 7296, which contains details of how a generic payload header should be filled in. The Protocol ID and SPI Size values are defined in this document (zero). EVY> I am off-line now so cannot check in the I-D whether the reference is there. But, may I suggest to state somewhere that the fields C/protocol id/reserved are specified in RFC 7296 ? I think that since we explicitly reference the description of the Notify Payload in RFC 7296, readers will be able to know how the generic payload header fields should be filled in, right? Im just trying to follow other IKEv2 extensions RFCs, where usually these details are omitted (if one wants to implement an IKEv2 extension, then we presume that he/she is familiar with IKEv2 enough to know how to construct a payload). What about the Protocol ID (and SPI Size), the text currently defines what should be there. The current text is: The Notify payload format is defined in Section 3.10 of [RFC7296]. When a Notify payload of type SUPPORTED_AUTH_METHODS is sent, the Protocol ID field is set to 0, the SPI Size is set to 0, meaning there is no SPI field, and the Notify Message Type is set to <TBA by IANA>. What about 1), well, the "Notification Data" is the generic name of this field in the Notify Payload. Its content depends on the type of the notify message. I quickly scanned other RFCs which defined new notifications and they all renamed the "Notification Data" to some name specific to the type of notification. So, to avoid confusion, I changed the text as follows: s/The Notification Data field/ Notification data Hope this eliminates the possible confusion. EVY> this would help indeed > ## Section 3.2.1 > > Let's be crisp and specify that the length is in octets. Done. > Is there a registry for authentication method ? or should this specification be > updated for every new authentication method ? https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ike v2-parameters-12 EVY> may I suggest to add a reference to this registry (again off-line and cannot check) It is already there (in the para describing the notification payload data, Section 3.2)! Authentication methods are represented as values from the "IKEv2 Authentication Method" registry defined in [IKEV2-IANA]. and later in the Normative references: [IKEV2-IANA] IANA, "Internet Key Exchange Version 2 (IKEv2) Parameters", <https://www.iana.org/assignments/ikev2- parameters/ikev2-parameters.xhtml#ikev2-parameters-12>. I hope no, but I cannot predict how IKEv2 would be tweaked in the future :-) > # NITS (non-blocking / cosmetic) > > ## Section 1 > > The last sentence of the 2nd paragraph is rather long and I think that "that" > should be used in `the peer which supports wider range of`. Thank you, I've been always mixing when to use "which" or "that" :-) I changed s/which/that EVY> ;-) I had to learn it myself (not easy for non English speaker) Indeed J Regards, Valery.
- [IPsec] Éric Vyncke's No Objection on draft-ietf-… Éric Vyncke via Datatracker
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)