Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
mohamed.boucadair@orange.com Mon, 08 November 2021 15:49 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E58A3A1078 for <ipsec@ietfa.amsl.com>; Mon, 8 Nov 2021 07:49:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWilddsfBB7t for <ipsec@ietfa.amsl.com>; Mon, 8 Nov 2021 07:48:56 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE6423A107D for <ipsec@ietf.org>; Mon, 8 Nov 2021 07:48:55 -0800 (PST)
Received: from opfedar01.francetelecom.fr (unknown [xx.xx.xx.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfedar23.francetelecom.fr (ESMTP service) with ESMTPS id 4HnwWp1ccPzBsmG; Mon, 8 Nov 2021 16:48:54 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1636386534; bh=b4Le7+wbfyxZ55tcGztl93IxvIF14L8yROEhctk9Kyg=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=SDdQoKY4ra96AaPYFnMyWiKlVJkzO0A7zIttCFTNJj6G/LwdeZp8F+p2HzMkgc4yX o2p1rbH/wF83nepZdX+eEL2XN7gEnTkPmETxLrXmrsaFcSrEXg/2X1SXcq41Zsfxg1 vAZZHbFpO52p5VJfMnuHSr6JPSqVt4N2nCeoExFZEqmjcaNI/MAKF7xe07fp3wGR6T YHPzqsPNNUkYok9oaWNEO7mBPrMH2iVy/V7lA+HDI54yHfaXO+z9ILlGn4mAmX1buw cJ77c+lZ2DxlYDA9qYwOxcWyDklbLDVc0M8ZyJOxMZyObX3AtO4g+darrnEGrFIMwy bgXfE6hZO7WOQ==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfedar01.francetelecom.fr (ESMTP service) with ESMTPS id 4HnwWp0Sj9zBrLb; Mon, 8 Nov 2021 16:48:54 +0100 (CET)
From: mohamed.boucadair@orange.com
To: Paul Wouters <paul@nohats.ca>, Tero Kivinen <kivinen@iki.fi>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
Thread-Index: AQHX1LQTv/Z3pzLJrUinsBKqSui6sqv5wAKw
Content-Class:
Date: Mon, 08 Nov 2021 15:48:53 +0000
Message-ID: <3996_1636386534_618946E6_3996_297_6_787AE7BB302AE849A7480A190F8B93303544BD42@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <24969.12660.103330.619294@fireball.acr.fi> <ccdfdc-634-5989-839b-3cbd17e86d99@nohats.ca>
In-Reply-To: <ccdfdc-634-5989-839b-3cbd17e86d99@nohats.ca>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2021-11-08T15:48:08Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=c39217da-da61-4037-99ef-deb9200f2d85; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/iFvx5o2Cd_YsKrrihMbPKJVGvuY>
Subject: Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 15:49:00 -0000
Hi Paul, Please see inline. Cheers, Med > -----Message d'origine----- > De : IPsec <ipsec-bounces@ietf.org> De la part de Paul Wouters > Envoyé : lundi 8 novembre 2021 16:20 > À : Tero Kivinen <kivinen@iki.fi> > Cc : ipsec@ietf.org > Objet : Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike > > On Mon, 8 Nov 2021, Tero Kivinen wrote: > > > Subject: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike > > > > This is the start of 2 week WG adoption call for this document, ending > > 2021-11-22. Please send your reply about whether you support adopting > > this document as WG document or not. > > I support the idea of conveying a list of DNS servers that support > encryption. I am not sure if this draft's format and content is the right > way forward. [Med] Thanks. The format can always be updated to reflect the feedback from the WG. > > Note the text of the draft claims it updates RFC 8598 but doesn't do so > via an Updates: statement. [Med] We considered to have an "update" header because we were concerned with some MUSTs in 8598. We finally didn't include the update header because of a comment we received from you prior to publishing the first version of the draft. FWIW, here is the exchange we had at that time: ****** Med: I have a question for you: now that we don't depend anymore on INTERNAL_IP*_DNS and given that a client can be supplied with 8598 attributes and that 8598 says the following: == If an INTERNAL_DNS_DOMAIN attribute is included in the CFG_REPLY, the responder MUST also include one or both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the CFG_REPLY. .. the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a single list of Split DNS domains that applies to the entire list of INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. == Should we add an update to our daft to indicate that first "MUST" does not apply and that the domains are associated with **ANY** supplied server? Paul: You cannot update that RFC for that kind of processing. The above really says that it makes no sense to have "internal domains" without providing "internal DNS servers". **** Also, I think the relaxing of the requirement > is actually wrong, as it might cause lack of interop between newer servers > and older clients not being able to negotiate working DNS if the new > servers no longer serve INTERNAL_IP*_DNS CFG payloads. [Med] Older clients can always ask for INTERNAL_IP6_DNS or INTERNAL_IP4_DNS. We will update the note to make this clearer. > > I am also not clear on the real use of negotiating hash algorithms for the > digest receiving of the ADD server "identity?", as the document states the > authentication happens as per Section 8 of [RFC8310] which lists WebPKI or > DANE authentication against the name and these methods do not use this > digest. I also do not understand the use of the digest. For > authentication, is it not needed as the entire IKEv2 exchange is > authenticated. [Med] We added the digest to address one of the comments raised in a previous ipsecme meetings: allow to not rely on PKI for validating the encrypted DNS server certificate but convey the end-entity certificate in IKEv2 itself. > > Paul > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [IPsec] WG Adoption call for draft-btw-add-ipsecm… Tero Kivinen
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Paul Wouters
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Paul Wouters
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Paul Wouters
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… tirumal reddy
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Paul Wouters
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Michael Richardson
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Valery Smyslov
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… Tommy Pauly
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair
- [IPsec] WG Adoption call for draft-btw-add-ipsecm… Tero Kivinen
- Re: [IPsec] WG Adoption call for draft-btw-add-ip… mohamed.boucadair