IETF Logo Mail Archive

Re: [IPsec] Éric Vyncke's Yes on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 09 August 2022 14:36 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D967DC13CCCC; Tue, 9 Aug 2022 07:36:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.906
X-Spam-Level:
X-Spam-Status: No, score=-11.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=L0bNjrKH; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Mle/7fZ4
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwxSqUI3FFZ2; Tue, 9 Aug 2022 07:36:21 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2F3AC13CCED; Tue, 9 Aug 2022 07:36:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11862; q=dns/txt; s=iport; t=1660055781; x=1661265381; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=BLH3z7nFhxNRVuyw/k1mfxNiDyuj27qcdfkgpwSoJ38=; b=L0bNjrKHbNA/e6io9zJl1ZpDtVLpmJADOHbmYJixhtYRxu4XOdwQ+Gaq saRKnafrzXtiOCt1q6Ut1NZwRDWtQJIuxwvpmpGrvxPnfB6+LiiSylx3g wtWjSTgzDGRPKKqnwOZda7ep7DhskDF9Vy0gjXOYrbmqSgZyIp54LQNNY s=;
X-IPAS-Result: A0ARAAAFcPJimIsNJK1aHAEBAQEBAQcBARIBAQQEAQFAgTsHAQELAYFRKih/Alo6RYROg0wDhFBfhQuDAgOBKY8vinaBLBSBEQNUCwEBAQ0BATcLBAEBgVODNAIWhGICJTQJDgECBAEBAQEDAgMBAQEBAQEDAQEFAQEBAgEHBBQBAQEBAQEBAQkUBwYMBQ4QJ4VoDYZDAQEBAgESEREMAQElDQUBDwIBCA4CCgImAgICMBUFCwIEAQkEBRYMglsBgm0DDSUDAQ+dBQGBPwKKH3qBMYEBgggBAQYEBIFNQYMCGII4AwaBESwBgySDHmJPgnAzhBknHIFJRIEVJxyCZz6CYgEBA4EoAQwGASEXgz83gi6LbYEbizIcOAMaKx5CAwtNBQgJFxIQEAIEERoLBgMWPgkCBA4DQAgNAxEEAw8YCRIIEAQGAzEMJQsDBQ8MAQYDBgUDAQMbAxQDBSQHAxkPIw0NBBgHHQMDBSUDAgIbBwICAwIGFQYCAk45CAQIBCskDwUCBy8FBC8CHgQFBhEIAhYCBgQEBAQWAhAIAggnFwcTGBsZAQVZEAkhHA4aCgYFBhMDIG0FCjsPKDIBNTwrHxsKgRIqKxUDBAQDAgYTAwMiAhAuMQMVBikTEi0JK3UJAgMiaQUDAwQqLgMJHx8HCSQpPQUFYgEbApdRgRoQLi0GAT0bCwQUDhkQCAQeb1MeCAkZBgsyCAORbyQGgw5GqzEKg1GLJ5R4BC6DdoxEA4ZfkUqFX5EhII0YlDgHJAiFDAIEAgQFAg4BAQY1gSyBJXBwFTsqAYI8URkPjiAZgQ0BA4JIhRSFSnU7AgYBCgEBAwkBgjqKBAEnBIE/XQEB
IronPort-PHdr: A9a23:Fo1kNxZ5Z803nShzFnSWQ0T/LTAphN3EVzX9orIriLNLJ6Kk+Zmqf EnS/u5kg1KBW4LHo+lFhOzbv+GFOyQA7J+NvWpEfMlKUBkI2skTlhYrVciCD0CzJfX2bis8S cJFUlIt/3yyPUVPXsjkYFiHqXyp5jlUERL6ZmJI
IronPort-Data: A9a23:huL6haPYL/CF4SXvrR0ql8FynXyQoLVcMsEvi/4bfWQNrUoi1GAAx 2sZWGuEbPaCamTyfdglaIm39EwP68LQzIJmGXM5pCpnJ55oRWUpJjg4wmPYZX76whjrFRo/h ykmQoCcaphyFBcwnz/1WlTbhSEUOZqgG/ytU4YoBggrHVU+EHd52Eo68wIEqtcAbeaRUlvlV eza+6UzCHf9s9KjGjtJg04rgEoHUMXa4Fv0jHRnDRx4lAO2e00uMX4qDfrZw00U7WVjNrXSq +7rlNlV945ClvsnIovNfr3TKiXmTlNOVOSDoiI+ZkSsvvRNjiwq7JpiLP8VUH1Wix65r9Nf8 fBmmaXlHG/FPoWU8AgcexBcFyc7Nqpc9fqZZ3O+qseUiUbBdhMAwd03UxpwZtNeo70xWDofn RAbAGhlghSrivynxrm4R8Fnh98oK4/gO4Z3VnRInGmAUal9GcmbK0nMzYF+8DAzrMtTJM/hO ucQOCRUZjqQTxIabz/7D7pnzLv32RETaQZwokiUrKwf4m7VyxJ4zLnqNsHRc9bMQ8hJ9m6bp 3zH+Wn/KhAZNZqRyFKt82q3i+TnnC7nVsQVDrLQ3v9ym1CYw2FWAx0fVEGgifi0lkD4XMhQQ 2QY4CMgse0z+VClC9jlRBCzpXPBpBAXC4AKQuc78ymMx7bapQGDCQAsTzNaZ/QnudM4Azsw2 TehhM3gAxRitKOUUjSH69+pQSiaMCwRKyoJYjUJCFVD6Nj4q4Z1hRXKJjp+LEKrpt3tJw2p2 zWDlRI/h54jvc0l7oCQ0WmS1lpAuaP1ZgIy4wzWWEes4QV4eJOpauSUBb7zsKwowGGxEwfpg ZQUpySNxLtVVMjSykRhVM1ITe/3uKfcWNHJqQQ3d6TN4QhB7JJKkWp4yTV6KUEB3i0sJmKxO RS7Ve+8GPZu0JaCZKtzZce6DN4niPamHtX+XfeSZd1LCnSQSONl1Hw+DaJz9zmw+KTJrU3ZE c3GGSpLJS1BYZmLNBLsG48gPUYDn0jSP1/7S5Hh1AiA2rGDfnOTQrptGALQM7FovPjY+1WFo og32y62J/N3DbKWjs7/rN57ELz2BSRT6W3e8pYOLbfTfmKK5kl4UaeLqV/eR2CVt/0FyriXl p1MckRZ01H4zWbWMhmHb2sLVV8cdcgXkJ7PBgR1ZQzA8yF6Oe6Htf5DH7NqLehP3LEylpZcE qhaE+3eWa4nYmqcpFwggWzV8dYKmOKD31zeZkJIoVEXIvZdeuA+0oW0JluyqHZTU3HfWAlXi +TI6z43iKErH2xKZPs6otr2p79tlRDxQN5PYnY=
IronPort-HdrOrdr: A9a23:RSNT4KBsiRs/HVHlHegIsceALOsnbusQ8zAXPh9KKCC9I/b3qy nxppsmPEfP+UkssHFJo6HmBEEZKUmsu6KdkrNhQ4tKOzOW+VdATbsSorcKpgeBJ8SQzJ8n6U 4NSdkaNDS0NykHsS+Y2nj5Lz9D+qj8zEnAv463pB0BIXAIGsNdBkVCe3um+yZNNW977O8CZe KhD7181kOdkBosH6CGL0hAe9KGi8zAlZrgbxJDLQUg8hOygTSh76O/OwSE3z8FOgk/gosKwC zgqUjU96+ju/a0xlv3zGnI9albn9Pn159qGNGMsM4IMT/h4zzYJriJGofy+Qzdktvfr2rCo+ O85SvI+P4Dsk85S1vF5ScFHTOQiArGpUWSkmNwykGT0PARDAhKe/apw7gpKCcwLyEbzY1BOG Uh5RPFi3MfN2KzoMy2jeK4JC1Chw66p2EvnvUUiGEaWYwCaKVJpYha509NFowcdRiKorzPPd MeRP003swmOm+yfjTcpC1i0dasVnM8ElOPRVUDoNWc13xTkGpix0UVycQDljNYnahNB6Vs9q DBKOBlhbtORsgZYeZ0A/oAW9K+DijITQjXOGyfLFz7HOUMOm7LqZTw/LIpjdvaNaAg3d83gt DMQVlYvWk9dwbnDtCPxoRC9lTXTGC0TV3Wu4hjDlhCy8vBrZbQQFm+oQoV4r6dSt0kc7rmZ8 o=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.93,224,1654560000"; d="scan'208";a="901473010"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 09 Aug 2022 14:36:19 +0000
Received: from mail.cisco.com (xfe-aln-004.cisco.com [173.37.135.124]) by alln-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id 279EaJA7030133 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Tue, 9 Aug 2022 14:36:19 GMT
Received: from xfe-rcd-001.cisco.com (173.37.227.249) by xfe-aln-004.cisco.com (173.37.135.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14; Tue, 9 Aug 2022 09:36:18 -0500
Received: from xfe-rtp-001.cisco.com (64.101.210.231) by xfe-rcd-001.cisco.com (173.37.227.249) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.9; Tue, 9 Aug 2022 09:36:18 -0500
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xfe-rtp-001.cisco.com (64.101.210.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14 via Frontend Transport; Tue, 9 Aug 2022 10:36:18 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=j87Pt39zo/SnEMf1yOCJuzMa/nwLm7yj6nK8Pdoo56Xia+wloAhAWqMi09td3IvjED28NA00H5s8kwoGR3EkVj5ypbYRYXee0o7tTnzZqr/zITeUaP+g3Bn7BCLRjezw/ObDHyo8qApv0pBIBqpd8/S3tERA6zEKBiHwJS0QNziOQTY+F6Zff43s1sYLHuDYIp0ywEuGQN5zfpw5STWVoNnQ/ocXh290kd4W4AqJek2f3Vjml1f/N+17n9kUWmswlVXmsYal9uIF4FmvsjUfe6tduCnbUzz7rRkXpV3fLL2VorFWHNwvWfannQxeAQsG9OkVVJldiMDSTkimGN9sNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=BLH3z7nFhxNRVuyw/k1mfxNiDyuj27qcdfkgpwSoJ38=; b=NvF7XoDQXsAyRRQ1Iig82SQBf97TGjE/TZLYYMaZ38XzizKmxVHvUZU90Co1rQjQdtpGP8e8Z8l4ZfawwZfjeKylm7TW7UvF14XaKk/YzjQdew5yKKfW8qpRwWyZdUMC8+YJMIqtYRCjf0oe9K2wsA/qtyQLANRspQwIDBj9g6ku/b0I1u25kvRW3D7V3OspvqQ05CijlRXwjkdnOryDGRyl7Tias8qORGWBPPDLBo504n53g6LcbXwfezuysC3PddfZ8DqIlkIRLx/N+aYFP8G+V31TCDc9avm5zsaGTj1KCF6WWQHYJ8EGLqeC7yI4bNmWX1DG4jZI/6DMFIT0jg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BLH3z7nFhxNRVuyw/k1mfxNiDyuj27qcdfkgpwSoJ38=; b=Mle/7fZ4dy2c3HzB7yiq/3ZJ3y0eM/VwxPHY6PO487qBtWouFRhLENYmof8d/OC++2Ve9FexKqgKmi+Xv2VhLi9e171ZiBYDet7kIa2KKavIEvMoNtras9xpslZvxTOdZ2ndOUct78Kt5s80Q6HRvwDriZbAaVDg2yhNkfR3C6w=
Received: from PH0PR11MB4966.namprd11.prod.outlook.com (2603:10b6:510:42::21) by BN6PR1101MB2083.namprd11.prod.outlook.com (2603:10b6:405:58::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5504.14; Tue, 9 Aug 2022 14:36:16 +0000
Received: from PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::d49a:9e3c:8d44:2a40]) by PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::d49a:9e3c:8d44:2a40%6]) with mapi id 15.20.5504.020; Tue, 9 Aug 2022 14:36:16 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Valery Smyslov <svan@elvis.ru>, 'The IESG' <iesg@ietf.org>
CC: "draft-ietf-ipsecme-rfc8229bis@ietf.org" <draft-ietf-ipsecme-rfc8229bis@ietf.org>, "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "kivinen@iki.fi" <kivinen@iki.fi>, "brian@innovationslab.net" <brian@innovationslab.net>
Thread-Topic: Éric Vyncke's Yes on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
Thread-Index: AQHYq+u4un3K/MNFTUO/VQkBqSE9+62mmIcAgAAr6oA=
Date: Tue, 09 Aug 2022 14:36:16 +0000
Message-ID: <B68C8C58-AAF6-47ED-AF3A-6E43C4189F48@cisco.com>
References: <166004817697.29912.10227463273197951736@ietfa.amsl.com> <060301d8abf8$2fdfe0f0$8f9fa2d0$@elvis.ru>
In-Reply-To: <060301d8abf8$2fdfe0f0$8f9fa2d0$@elvis.ru>
Accept-Language: fr-BE, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.63.22070801
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 19c44974-7a93-47ad-60af-08da7a14845b
x-ms-traffictypediagnostic: BN6PR1101MB2083:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: V5pQIIxe7RAZ46RlIocCqoQ4HwyNzvYWECCmAqeexw3yZF2V9NwgppTbRdnrwUSTePYG9xnl89G4dASWCA7OI/p47ycv7IhVsdy9VxiyDBAcYZMg+Jeq/HjfsZcuTKoI9+9g2gwEhEtvSwl0CVWzN8llKbrdbqNOr6ks1XhivpXz7HsFvTFrd+tG5GID1Y4fp9b5DkXouEl4y11CvgL2X2Qq4Hsl1f7EXBvQnkIX6KkQdjd1afRKlUk7ZW9c4pposCjW/WdRKjnb95GHlqp+ih0FCOnatBgBRAMDOdPyyXh9qy7yI8AnglGvb2bJRIFiza2qjyFRfN64pqcZmUNOpcMZdX4qoi3iM6GxSZOdDR4SpEKO9nGIfRcQWiMOQizAPdxCEcEznTtkRGJcJdwgjCRgtJBvOlUd7HHAeldZbpEG5xtLL/qFVNiDdwcf6XketlrYlAeNLlYe+BkAdhwkGJVx7GLZ/JabjmY22YQc8/sY4MmitcpBjcHMNd9jem3ILei3N8NM5LhZEsTmfk/erMRxLDtURy3K+6HAyD9nMitHUJLGKo/dihsu8RaM32O41LgQ+j8/4sK4aj46VtlRyzsS0uG2eFTBy/WPhIyfCSCiW5fAPrkSsCwbJIlVF5b8dYe+yxVNJhYP40SnN5UxV7UsejPHCTPKbQ5MOnyycvy4q2lhXN84lYtcu1j2FhXIBehkNZaw4UQj0tcxNEFlEo42J+sUbM8uVyvaGJ2RNUzHCGLGJ8BYun821eCB4bL/Q8rWGYaEUrPa+YANGsLTxdFNoE6FqdBbsQCb67cvFP02GCg8nxHVHDtgY0/VDtb2U/xvrfyoZE6uAJDB5hRmcgYVt4K9oPlRvFwT529JVOS54sObmmh1xawmj+wMyhdwugjUkZ+9P/EX+a17LFAf6A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR11MB4966.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(136003)(376002)(396003)(39860400002)(366004)(346002)(83380400001)(316002)(38070700005)(66574015)(110136005)(54906003)(8936002)(5660300002)(86362001)(66556008)(76116006)(4326008)(66476007)(91956017)(66946007)(6506007)(41300700001)(64756008)(71200400001)(33656002)(2616005)(6512007)(186003)(38100700002)(966005)(478600001)(122000001)(224303003)(66446008)(6486002)(2906002)(36756003)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: tlSusqYSjplPD4pQ46v6LOtaJQdX1tMa+91tBSgJ3thS6kSFre7ptQ34wU4VFot3ojxoCJ+ZVjAdBOLSkbxK23SUjFdqhYykS/040VUlRP5WmuWfj+mqeoki3BJ1ykdk6pd5v3t6wWAOt8VBnL5bLy5JfoIvRT30YcmgfJ8I2TKjoEfh25FwR9zuSx4llVlXemVu+JjScUa/NPJUe0Ai/FqBiEBRMBWfYzfmIXu2Go2/c+2EPea5lTuurSRUeqmcLOD+e5uLwc096mNVJZyKqicjzPR9qSMR8xydwBT7FfOEXdzRp5lSOjKxFamo1cnc2xoK5QdeluTrQquWuPO621amvPBhkzZ0HBhu19NGgHkMDqdRWAcBp5RoI1IIMgHq/mBWyexWdoyK5BFssIjFtjEw+ORfJRz+q28BiXubmFbc3ZniSAkcFLVw1vFKHAjQApz+n96bXtiCWbRYB+KyyelVixNrTYLj8ReJesgYK53UfwHxLXQGpLXApN6J5/LSHm/FeBzfyKEAyu1RD71KTwMGyzvZ04X+dl5qGYPzjzMWStP6I3dbScwCeGsS98+1mttc/n1uNLkPT5++ypT/xlfEH6mAoEXA1z9Q3tneEINc3ttlwHIDxA1l9fOpPtE5X4+ks7rjipNXG9a0VAvJPInJW04I8G+GFhehzpncrLJ1SB86GKbfF7QcTRtJwW7BFe+wDDaYPf/p/Uy6GoSv/5lBMPPYOkSBG+lkr9hAYCyZww5stJGGWYjQcDJS+Yu1xW4zgCTY8xczh1L/KGX+6A3KCUg4eytXG/va8Rid3jE5reKdrDIe9Wzy9nWzO9aTAEeQ+9QRSyUOalqVhKW7FcEJq4vv8BPH46rLhdXKHl7hy53Alv3plPuHzVB+AQBUtA98n417R7iEFbGmXcEZxdF1FOIPCKz2+zsstm6rU78nh1rU+b75ci2WWEfd80ZnsQZ1A2CgeBnA/lMIhWkObls3wTvOmt/G0lmCn0n/M1sEUERAH4AcA5WZQoC+54jpIlSUzmftgTGPX78k9IspgtTIrQXJsQ2HxHlWsm37VoMs6jxayZv3lzTUh7z7/hINeYXsoJZiTK8iLO2hZxVuA4mBslYOlWvylduVsD5JkAUkADQ4v0Po1TRp/zMkkjps9YZJMhYc6me/+DrRksfnYZCya69+qDRYxnlGH72g2xi0CIHoCwVIxBXASK9p+7giNZjFaXON1xZGTOqfRZJ0aBx2VyDEG/w+Yugs1kYgn0WQwKacn8VKXouG4Qd1JsJvk1IS8kUiF+9m8CpH3zfRV6vROaqAL+lytcVXGViVXQtegiFpxwMELzuzCUnD/CdpFq281CTsyhTHyKZTi659kLjy9QdLxnYDtJGwZSjihxkses1np7+T691pCNJGBOqN90lAHDcgQn4XIhdBV9luNL4+4S/F1QkyzqzR6atFdSkMiVHGZFULr+sIUNuGvf+ITf4Hte7fmF4QLPV3h7+FkuEzA9M0v6hDIh8Ok+Z2fJagHeXYA2ItBQUfgHygjKVY5PyUtUMIAPl7WZZr5YJiO9ESf7CeMjtkRz81QiUCifVafWo7oAjL9wMbJ0gpuIw0tTmpbuV9iQ1hDk6TIeKeutbN6HloCxiEwy53ekJl3tFO93urjUqtbBU82plAjHMG
Content-Type: text/plain; charset="utf-8"
Content-ID: <CC378D252BB9814D83AF543E6BA20026@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 19c44974-7a93-47ad-60af-08da7a14845b
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2022 14:36:16.4236 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: fKepw5acsKBzjgVJqIMhxWBKKctX6HDpiqsSpa7wWZ+vl95dz+1fJ8tpkIcKqkFp6GjENzjNRAYgRwHNjsVU9g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR1101MB2083
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.135.124, xfe-aln-004.cisco.com
X-Outbound-Node: alln-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/lPZb3LrBuIqBTmtMMSCkhQgIGBw>
Subject: Re: [IPsec] Éric Vyncke's Yes on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 14:36:24 -0000

Hello Valery,

Thank you for the prompt reply. 

It looks like Erik Kline could be my twin brother as we often emit the same comments. FYI, I never read other ADs' ballot to avoid being biased.

I agree with all your replies and explanations except when there is EV>

Regards

-éric


On 09/08/2022, 15:59, "Valery Smyslov" <svan@elvis.ru> wrote:

    Hi Éric,

    thank you for your comments. Please see inline.

    > Éric Vyncke has entered the following ballot position for
    > draft-ietf-ipsecme-rfc8229bis-07: Yes
    > 
    > When responding, please keep the subject line intact and reply to all email
    > addresses included in the To and CC lines. (Feel free to cut this introductory
    > paragraph, however.)
    > 
    > 
    > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-
    > ballot-positions/
    > for more information about how to handle DISCUSS and COMMENT positions.
    > 
    > 
    > The document, along with other ballot positions, can be found here:
    > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-rfc8229bis/
    > 
    > 
    > 
    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------
    > 
    > # Éric Vyncke, INT AD, comments for draft-ietf-ipsecme-rfc8229bis-07
    > CC @evyncke
    > 
    > Thank you for the work put into this document. There must be several use
    > cases
    > for it.
    > 
    > Please find below some non-blocking COMMENT points (but replies would be
    > appreciated even if only for my own education).
    > 
    > Special thanks to Tero Kivinen for the shepherd's detailed write-up including
    > the WG consensus, but it lacks the justification of the intended status.
    > 
    > Thanks as well to Brian Haberman for his INT directorate review, his review has
    > a 'ready' status.
    > 
    > I hope that this review helps to improve the document,
    > 
    > Regards,
    > 
    > -éric
    > 
    > ## COMMENTS
    > 
    > ### UDP blocked even with QUIC
    > 
    > As there are more and more traffic relying on QUIC (a wild guess of mine...),
    > is it still the case that middle boxes are blocking UDP ? Just out of
    > curiosity... feel free to ignore.

    Well, I don't have statistics for the current situation and tend to agree that wide adoption
    of QUIC may improve the situation. But I think blocking UDP still happens.
    Note also that some proposed extensions to IKEv2 rely on TCP transport
    to be able to reliably transfer very large public keys of PQ algorithms
    (draft-tjhai-ikev2-beyond-64k-limit).

    > ### Section 1
    > 
    > ```
    > Devices on these
    >    networks that need to use IPsec (to access private enterprise
    >    networks, to route Voice over IP calls to carrier networks, or
    >    because of security policies) are unable to establish IPsec SAs.
    > ```
    > 
    > The above appears like an exhaustive list while it is not. Suggest to add ",
    > etc.".

    OK.

    > ### Section 1
    > 
    > `Some peers default to using UDP encapsulation` is "peer" so well-defined in
    > the IPsec world ? 'some' is also rather vague, perhaps cite one implementation
    > ? or use "some peers may default to" ?

    "Peer" widely used in IPsec. But I seem to see your point. How about if we 

    s/peers/implementations

    ?

EV> perfect

    > ### Section 2
    > 
    > Should "Implementations of this specification" be used in `Implementations
    > MUST
    > support TCP encapsulation on TCP port 4500, which is reserved for IPsec NAT
    > traversal.` ?

    This was already caught by Erik. Currently changed to:

    Compliant implementations MUST support TCP encapsulation on TCP port 4500...

    > ### Section 3 No AH
    > 
    > Even if AH is nearly no more used, I wonder whether there is a reason why AH
    > is
    > not supported by this I-D.

    Well, it's a long story. AH has always been a headache for implementers 
    from its birth and when UDP encapsulation of IPsec was specified 
    (the work started 20 years ago), it was decided to not support AH for it 
    (I vaguely recall there was a draft for UDP encapsulation of AH 
    in the early stage of this work, but it appeared to be too complex).
    So, it would be strange to support TCP encapsulation for AH,
    when UDP encapsulation of it is not supported. 

    > The sentence about AH should really come earlier in the document.

    Hm, while not disagree, I'm a bit unsure where to put it.

     We can add a sentence:

    	Note that AH is not supported by this specification.

    at the end of the first para of Section 1. Is it OK?

EV> perfect

    > ### Section 3
    > 
    > ```
    >    Although a TCP stream may be able to send very long messages,
    >    implementations SHOULD limit message lengths to typical UDP datagram
    >    ESP payload lengths.
    > ```
    > 
    > What is the 'typical' length ?

    It's usually the size of PMTU.

EV> then it is worth mentioning


    > ### Section 3.1
    > 
    > Suggest to add a description of "Non-ESP" header field below the description
    > of
    > the "length" field rather than in the text above.

    OK.

    > ### Section 5.1
    > 
    > `Since UDP is the preferred method of transport for IKE messages,` hem...
    > previous text (and common sense) stated that direct is the preferred method.

    Direct transport only applicable to ESP. Here text is about IKE, which 
    uses UDP port 500/4500 by default.

EV> shame on me... I should try to learn how to read __

    > ### Section 6.1 what about IP address changes ?
    > 
    > ```
    >    Since new TCP connections
    >    may use different ports due to NAT mappings or local port allocations
    >    changing, the TCP Responder MUST allow packets for existing SAs to be
    >    received from new source ports.
    > ```
    > For some NAT devices (or IPv6 nodes w/o NAT but with temporary addresses),
    > the
    > IP address could also change. This document should describe what to do in this
    > case.

    The responder may have policy restricting source IP addresses. The whole point
    of this text is that it should not restrict source ports, with TCP they are usually ephemeral.

EV> then, would the document benefit with some text around "TCP responder MAY allow packets for existing SAs to be received from new IP addresses" ?

    > ### Section 6.5
    > 
    > The very last sentence deserves a paragraph on its own.

    OK.

    > ### Section 6.7
    > 
    > Please add that the DF bit is obvioulsy only for IPv4 (Hi, Tommy, I had to
    > insert my mandatory IPv6-related comment ;-) )

    Changed:

    s/IP header/IPv4 header

    is it OK?

EV> perfect

    > ### Section 9.3
    > 
    > I am not a transport person, but I would have used "MUST NOT" rather than
    > "MAY
    > NOT" in: ```

    Do you mean rather than SHOULD NOT?

EV> oups, indeed

    >    Individual packets
    >    SHOULD NOT use different markings than the rest of the connection,
    >    since packets with different priorities may be routed differently and
    >    cause unnecessary delays in the connection.
    > ```

    Well, MUST NOT implies that it is prohibited and the receiver must log a fatal error
    if this happens. The text meaning is that it is just makes no sense. So, you may 
    do it, but the performance could degrade.

EV> fair enough

    > Even if somehow obvious, should there be a statement about the IPv6 Flow-ID
    > header field ?

    Hm... Can you propose a text?

EV> say something around Flow-ID must remain constant to avoid ECMP load balancing

    > ### TCP Fast Open support
    > 
    > Is TCP fast open supported by this doc ?

    This was already asked by Erik, and the answer was that I see no reason why 
    TCP fast open cannot be used with this spec. Probably Tommy would add more.

EV> Tommy, worth mentioning ?

    Thank you,
    Valery.

    > ## Notes
    > 
    > This review is in the ["IETF Comments" Markdown format][ICMF], You can use
    > the
    > [`ietf-comments` tool][ICT] to automatically convert this review into
    > individual GitHub issues.
    > 
    > [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
    > [ICT]: https://github.com/mnot/ietf-comments
    > 
    >

v2.23.0 | Report a Bug | By Email