Re: [IPsec] Role of the IANA expert reviewer
Sean Turner <turners@ieca.com> Tue, 02 August 2011 12:47 UTC
Return-Path: <turners@ieca.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDE7A21F8D55 for <ipsec@ietfa.amsl.com>; Tue, 2 Aug 2011 05:47:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.204
X-Spam-Level:
X-Spam-Status: No, score=-102.204 tagged_above=-999 required=5 tests=[AWL=0.394, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GFw+YFHtPYv6 for <ipsec@ietfa.amsl.com>; Tue, 2 Aug 2011 05:47:26 -0700 (PDT)
Received: from nm27.access.bullet.mail.mud.yahoo.com (nm27.access.bullet.mail.mud.yahoo.com [66.94.237.92]) by ietfa.amsl.com (Postfix) with SMTP id F216621F8D70 for <ipsec@ietf.org>; Tue, 2 Aug 2011 05:47:25 -0700 (PDT)
Received: from [66.94.237.201] by nm27.access.bullet.mail.mud.yahoo.com with NNFMP; 02 Aug 2011 12:47:30 -0000
Received: from [98.139.221.60] by tm12.access.bullet.mail.mud.yahoo.com with NNFMP; 02 Aug 2011 12:47:29 -0000
Received: from [127.0.0.1] by smtp101.biz.mail.bf1.yahoo.com with NNFMP; 02 Aug 2011 12:47:29 -0000
X-Yahoo-Newman-Id: 723047.35639.bm@smtp101.biz.mail.bf1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: If63Xq8VM1lZ9Y.l7Co8dH3jj3ZKb6jsVsAH1bcE_sjMw6l s.pfGzsjwxpk.jsazKKM3HFvakjXYWTgqa6WKwEchjTx0IsQ0J6LNntAXd6Z J1ycwUdjiNd.cHheMBRlt53nJ5R7Dw90chWGqvOQOp_3rLNMbzTy3q1cCeo7 HipMfbgS5NPxKfnpNdZ0Di.dcIoTdwdJDuVVimgg7enS2Wamk8g9rW_kQext nv6ZU000mUdsCKezEQPh7hc.wjAjz11uLZykzwE4hLG1KuD4dl587wQ1W9G2 6ZQ_uIL0k5Xnl01ZXhFNSfw_9AbO2_JG0Ki4PBLgqm__RxET.1ecbz3200gV D.3rnZ7dF5L72ZF2pK2hEegA-
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
Received: from thunderfish.westell.com (turners@96.231.121.225 with plain) by smtp101.biz.mail.bf1.yahoo.com with SMTP; 02 Aug 2011 05:47:25 -0700 PDT
Message-ID: <4E37F1D2.90305@ieca.com>
Date: Tue, 02 Aug 2011 08:47:14 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <20110727164459.29853.48303.idtracker@ietfa.amsl.com> <7C54FFE2-FFE0-4B4C-BF7E-142A6B10DF6B@checkpoint.com> <78B594BA-9406-44A2-AB8E-0BF5A425AEC1@vpnc.org> <7828ad8727dd860ccd6c5eb5acd52c19.squirrel@www.trepanning.net> <4E30F876.70200@gmail.com> <20017.29145.171495.225683@fireball.kivinen.iki.fi> <4E332698.20900@gmail.com> <20022.47973.373596.130885@fireball.kivinen.iki.fi> <3B741203-FDF8-48EE-8942-C3FF3A2B5CF0@vpnc.org>
In-Reply-To: <3B741203-FDF8-48EE-8942-C3FF3A2B5CF0@vpnc.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IPsecme WG <ipsec@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] Role of the IANA expert reviewer
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2011 12:47:27 -0000
On 8/1/11 12:11 PM, Paul Hoffman wrote:
> On Aug 1, 2011, at 7:42 AM, Tero Kivinen wrote:
>
>> As we have seen from the ipsec list the community does not seem to
>> care too much, but I myself as a member of the community and also the
>> person responsible for the IANA registries do care.
WRT who is responsible ...
Technically, IANA is responsible for maintaining the registries in
accordance with the registration rules documented in the RFC that
creates/defines the registry.
The IANA experts (who are appointed by the IESG) are responsible for
reviewing requests for additions and modifications in the registries
that they are designated for.
The IETF/IESG is ultimately responsible for the registry as (most of
them) are a product of the IETF process.
> You are *not* responsible for the IANA registries. RFC 5226 says:
>
> It should be noted that a key motivation for having designated
> experts is for the IETF to provide IANA with a subject matter expert
> to whom the evaluation process can be delegated. IANA forwards
> requests for an assignment to the expert for evaluation, and the
> expert (after performing the evaluation) informs IANA as to whether
> or not to make the assignment or registration.
>
> . . .
>
> Designated experts are expected to be able to defend their decisions
> to the IETF community, and the evaluation process is not intended to
> be secretive or bestow unquestioned power on the expert. Experts are
> expected to apply applicable documented review or vetting procedures,
> or in the absence of documented criteria, follow generally accepted
> norms, e.g., those in Section 3.3.
>
> I do not believe that you can defend a decision to reject registrations based on what is in RFC 4306. If you disagree, please show which text you are referring to.
My understanding is that Tero is stating early that he would deny the
requests based scarcity of code points, which is allowed per RFC 5226:
Possible reasons to deny a request include:
- scarcity of code points, where the finite remaining code points
should be prudently managed, or when a request for a large
number of code points is made, when a single code point is the
norm.
>> I have stated my reasons why I consider allocating multiple payload
>> numbers etc for exactly same thing a bad thing.
>
> The three proposals do not do "exactly the same thing": they each have different cryptographic and administrative properties. This has been widely discussed in the WG.
But, they're for the same "thing": extension(s) to IKEv2 to allow
mutual authentication based on "weak" (low-entropy) shared
secrets.
spt
>> As it seems that IKEv2 might be used with other things than IPsec too
>> in the future (KARP, 802.15.4, 802.11ai etc) I do see challenges in
>> the IKEv2 IANA registries.
>>
>> Even if those use cases are not IPsec they most likely will reuse most
>> of the registries from the IPsec. We could overlap their numbers with
>> each other, but on the other hand that can cause confusion, so it
>> might be better to make sure they do not have overlapping numbers,
>> i.e. use of unique numbers for different things and mark those as
>> reserved in the registries which do not use them.
>>
>> This is bit what IKEv1 and IKEv2 did, for example we are not using
>> payload numbers 1-32 as they are reserved in IKEv2 registry as IKEv1
>> used them. Same way our exchange numbers 0-33 are reserved etc.
>>
>> I am not sure whether we are doing that in the future or not. I want
>> to think more about this and see the actual protocols before deciding.
>
> This should be a WG/IETF decision, not that of a single person.
>
>> But on the other hand I want to keep our options open, which means I
>> do not want to fill our registries with multiple registrations for the
>> exactly same thing.
>
> See above.
>
>> Can you explain me what problems will it cause if the
>> draft-kuegler-ipsecme-pace-ikev2 is changed so it uses the
>> draft-kivinen-ipsecme-secure-password-framework framework just like
>> other secure password method drafts have already done?
>
>
>> In my understanding there will be 2 extra bytes in the IKE_SA_INIT
>> notification phase to indicate the PACE inside
>> N(SECURE_PASSWORD_METHODS) and there will be one extra byte (or two
>> depending how you do it) in the ENONCE and PKEi/PKEr payloads.
>>
>> So in total the technical differences will be 7 extra bytes. Is there
>> anything else?
>
> Regardless of what the authors of this document do, that question is not relevant to whether or not you, as the designated expert, give them a codepoint.
>
> --Paul Hoffman
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
- [IPsec] Last Call: <draft-kivinen-ipsecme-secure-… The IESG
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Yoav Nir
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Tero Kivinen
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Paul Hoffman
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Dan Harkins
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Yaron Sheffer
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Dan Harkins
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Tero Kivinen
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Tero Kivinen
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… David Arnold
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Nico Williams
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Yaron Sheffer
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Yaron Sheffer
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Dan Harkins
- Re: [IPsec] Last Call: <draft-kivinen-ipsecme-sec… Tero Kivinen
- [IPsec] Role of the IANA expert reviewer Paul Hoffman
- Re: [IPsec] Role of the IANA expert reviewer Dan Harkins
- Re: [IPsec] Role of the IANA expert reviewer Sean Turner
- [IPsec] Role of the IANA expert reviewer Tero Kivinen
- Re: [IPsec] Role of the IANA expert reviewer Paul Hoffman
- Re: [IPsec] Role of the IANA expert reviewer Paul Hoffman
- Re: [IPsec] Role of the IANA expert reviewer Yoav Nir
- Re: [IPsec] Role of the IANA expert reviewer Tero Kivinen
- Re: [IPsec] Role of the IANA expert reviewer Tero Kivinen
- Re: [IPsec] Role of the IANA expert reviewer Yoav Nir
- Re: [IPsec] Role of the IANA expert reviewer Yaron Sheffer
- Re: [IPsec] Role of the IANA expert reviewer Yoav Nir
- Re: [IPsec] Role of the IANA expert reviewer Yaron Sheffer
- Re: [IPsec] Role of the IANA expert reviewer Sean Turner