IETF Logo Mail Archive

Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic

Yoav Nir <ynir.ietf@gmail.com> Tue, 29 June 2021 18:00 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF3233A3C42 for <ipsec@ietfa.amsl.com>; Tue, 29 Jun 2021 11:00:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4eSDNimSH8KF for <ipsec@ietfa.amsl.com>; Tue, 29 Jun 2021 11:00:36 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE7A43A3C41 for <ipsec@ietf.org>; Tue, 29 Jun 2021 11:00:35 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id u8so214385wrq.8 for <ipsec@ietf.org>; Tue, 29 Jun 2021 11:00:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=UlDBlhyyS4NAkslN8+bzSMmMCuI0YM9uhnBHJFjlrvo=; b=oWBdUNbwlJk6itDh4Cc8K4MybuX02S3oRRVHFp9kqx90/rR5dbJUwkt9VHmdDNNhhB e+2lprYlE9GSSdZaXSw1wnEGldDBMPxgZAoUZ7CEIUwOzR4fDj6jy/wc9Yo3AycKS0TG hn/3rayC66KYtwozAAD/TvPW9SVuHOxTHxhJT/JIZPryfGnRUevuQUIS3oWaIiaaL91s 2I1SeUSj9QMb618aZxett60jHVThW1NgVzKdIaLsybq6vlRPvuyODNj206em9bv1DHCu GmTtMttAOipaymeePDWioFSk4TJX9NZfTUHzc3drhGxKRPNMjmgn/IatxObVz59STYB1 B4lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=UlDBlhyyS4NAkslN8+bzSMmMCuI0YM9uhnBHJFjlrvo=; b=a7OljJBjPSj5gr5xV73Kx0N582Z88Kgno6WVNNHTX7IV17NY/YqWTLVhUMmrW66WXI LJ75c4tfgvNpRKGQTlHP2VH5z+uqgXy4ytJ/TWHt84d+rXIpypAPvY4bs9yUFjl3BpVC GZ0RZohSF3TON1yMVfrXTnDkuEVAgbg36KuNU2MQkJNy1kxiVUHdJS3swBjdMUFvUftE CMWZyHeErYcKxe8LTVzDpqVNHINEqJBnmEKuqPBcsZZJ3GJ5IuSceh4s2iwFiLMLiAlZ kN7Rxz3rRI/ZOnRCpqW8nKJE3lvuXfExQt6Us1p8rmsXwhZGQex7PV3P789i3VMmPa1v Q66g==
X-Gm-Message-State: AOAM530iATFPMiLL59XZKkTiAi7Ne31nPonhcfT0QGbJ7pKytldsjRv7 k8KwySt+bxJncDtS9Y/XGr0=
X-Google-Smtp-Source: ABdhPJwmm0/ld3mjAOMgpSl7tuXcbGV+b/JxZXpSvHwsEsGuEnbDrdXjUnbu91f7vox8MojL8wRhlQ==
X-Received: by 2002:a05:6000:152:: with SMTP id r18mr35067347wrx.203.1624989632834; Tue, 29 Jun 2021 11:00:32 -0700 (PDT)
Received: from smtpclient.apple ([46.120.57.183]) by smtp.gmail.com with ESMTPSA id o11sm17096770wmq.1.2021.06.29.11.00.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 29 Jun 2021 11:00:32 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <E0F5EAC8-9F0C-4619-8F9C-62B3BD923AB1@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6B482C66-AB72-44C2-8649-0D201AE3CDF9"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.80.0.2.43\))
Date: Tue, 29 Jun 2021 21:00:30 +0300
In-Reply-To: <CADZyTk=Ge4XYCYStHi5Uerei53n_eyA=9CzLwZwvtVoO_i9spA@mail.gmail.com>
Cc: Dan Harkins <dharkins@lounge.org>, IPsecME WG <ipsec@ietf.org>
To: Daniel Migault <mglt.ietf@gmail.com>
References: <315BBB8D-B55E-43C8-A988-ADC8780AD62E@gmail.com> <059201d76bf6$e29680c0$a7c38240$@gmail.com> <8ea212cf-ee37-ceed-f905-4fde94173c1d@lounge.org> <CADZyTk=Ge4XYCYStHi5Uerei53n_eyA=9CzLwZwvtVoO_i9spA@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.80.0.2.43)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/m2rLDIcTZlIj8loYWfp3rJImLQk>
Subject: Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2021 18:00:41 -0000

[no hats]
I don’t want to start (or resume) a religious holy war about uppercase MUSTs, but they’re usually about protocol compliance. What people should (not SHOULD) do with their systems is not subject to requirements language, because the IETF does not engineer administrators. What? You are not compliant with RFC xxxx if you didn’t upgrade your systems already?

I could understand a statement that Product yyyy is not compliant with RFC xxxx because it still offers IKEv1, but I don’t like non-compliant administrators. Not that I’m advocating to add that statement to the draft. I think it’s fine as it is: just offering advice that systems should be upgraded.

Yoav

> On 29 Jun 2021, at 17:21, Daniel Migault <mglt.ietf@gmail.com> wrote:
> 
> I believe that the first sentence of section 3 says it all. ship it!
> 
> I still have some minor comments, though these may have already been discussed. There are no normative MUST to upgrade ( and in general very little normative language). 
> Shouldn't we have for example:
> Systems running IKEv1 should be upgraded and reconfigured to run IKEv2.
> 
> moved to :
> Systems running IKEv1 MUST be upgraded and reconfigured to run IKEv2.
> 
> There are overall very little number of SHOULD/MUST but maybe that is an editorial choice. 
> 
> Yours, 
> Daniel 
> 
> 
>  
>  
> 
> Yours, 
> Daniel
> 
> On Mon, Jun 28, 2021 at 7:17 PM Dan Harkins <dharkins@lounge.org <mailto:dharkins@lounge.org>> wrote:
> 
>    Hi,
> 
> On 6/28/21 1:23 AM, Valery Smyslov wrote:
> > Hi,
> >
> > I think document is mostly ready. Few observations:
> >
> > - FWIW I think that Dan's efforts to make draft's language less speculative and more concrete
> >     are valid and should be reflected in the document.
> >
> > - Is it OK that the intended status is Standards Track? Shouldn't it be BCP?
> >
> > - The draft states that it updates RFC 7296, 8221, 8247. What in particular is being updated?
> >     I believe the recent IESG directives require a short explanation of what is being updated
> >     to be present in Abstract. In any case, it should be clearly indicated in the body of the document.
> >     Have I missed it?
> >
> > - Section3: I think that phrase "IKEv2 is a more secure protocol than IKEv1 in every aspect." is a bit too vague.
> 
>    You know, that was bugging me too. "in every aspect" is laying it on 
> a bit thick. IKEv1
> has a security proof. The much maligned PSK mode authenticates the key 
> as well as the
> exchange which is better than what IKEv2 does (and why IKEv1 did not 
> need an update to do
> PQC). So saying it's less secure "in every aspect" just isn't true. But 
> I couldn't figure
> out a better way to say it....
> 
> >    I believe it's better to list security aspects where we believe IKEv2 is superior:
> >
> >    * IKEv2 supports modern cryptographic primitives, including AEAD ciphers
> >    * IKEv2 provides real defense against DoS (cookies, core spec) and DDoS (puzzles, RFC 8019) attacks
> >    * support for post-quantum crypto in IKEv2 is being developed (draft-ietf-ipsecme-ikev2-multiple-ke)
> >    * IKEv2 supports various authentication methods via integration with EAP (core spec)
> >    * an extension that allows build PAKE methods in IKEv2 exists (RFC 6467)
> >    * did I forget something?
> 
>    But this is great! I agree that such a brief summary of the superior 
> features
> would be better than a factually challenged "in every aspect" statement.
> 
>    regards,
> 
>    Dan.
> 
> -- 
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org <mailto:IPsec@ietf.org>
> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>
> 
> 
> -- 
> Daniel Migault
> Ericsson
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email