Re: [IPsec] New Version Notification for draft-ietf-ipsecme-add-ike-04.txt

mohamed.boucadair@orange.com Fri, 09 September 2022 08:34 UTC

From: mohamed.boucadair@orange.com
To: Valery Smyslov <svan@elvis.ru>, 'Paul Wouters' <paul@nohats.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, 'Tero Kivinen' <kivinen@iki.fi>, "draft-ietf-ipsecme-add-ike@ietf.org" <draft-ietf-ipsecme-add-ike@ietf.org>
Date: Fri, 09 Sep 2022 08:33:55 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nOtTII7X1Eb16ovJJ5qqQC5VTBM>

Hi Paul, all, 

FWIW, I just submitted a new version (-05) to remove the ambiguity about multiple distinct attributes you raised. 

Also fixed some nits and removed some redundant text by simply pointing to existing stable specs. 

Cheers,
Med

> -----Original Message-----
> From: BOUCADAIR Mohamed INNOV/NET
> Sent: Wednesday, 31 August 2022 13:39
> To: 'Valery Smyslov' <svan@elvis.ru>; 'Paul Wouters' <paul@nohats.ca>
> Cc: ipsec@ietf.org; 'Tero Kivinen' <kivinen@iki.fi>;
> draft-ietf-ipsecme-add-ike@ietf.org
> Subject: RE: [IPsec] New Version Notification for
> draft-ietf-ipsecme-add-ike-04.txt
> 
> Hi all,
> 
> Please see one clarification inline.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Valery Smyslov <svan@elvis.ru>
> > Sent: Tuesday, 30 August 2022 18:55
> > To: 'Paul Wouters' <paul@nohats.ca>; BOUCADAIR Mohamed INNOV/NET
> > <mohamed.boucadair@orange.com>
> > Cc: ipsec@ietf.org; 'Tero Kivinen' <kivinen@iki.fi>;
> > draft-ietf-ipsecme-add-ike@ietf.org
> > Subject: Re: [IPsec] New Version Notification for
> > draft-ietf-ipsecme-add-ike-04.txt
> >
> > Hi Paul,
> >
> > > On Tue, 30 Aug 2022, mohamed.boucadair@orange.com wrote:
> > >
> > > > This version takes into account the comments received during the
> > > > WGLC, mainly the edits suggested by Tommy.
> > >
> > >     If the initiator sends multiple attributes of a particular type in
> > >     the request, all of them MUST be distinct (either be empty or
> > >     containing different suggested resolvers).
> > >
> > > What does it mean when multiple attributes of a particular type are
> > > sent, where one is empty and one is not empty? I think perhaps this
> > > text means to say either it sends one empty one, or it sends multiple
> > > non-empty ones?
> >
> > Yes (with a clarification - multiple _distinct_ non-empty ones).
> >
> > > Another comment on text unchanged in the latest revision that I just
> > > noticed:
> > >
> > >     For split-tunnel VPN configurations, the endpoint uses the
> > >     Enterprise-provided encrypted DNS resolver to resolve internal-only
> > >     domain names.
> > >
> > > What if one of the reasons I want a split-tunnel, is to actually use
> > > an encrypted DNS over the VPN to protect my non-VPN traffic? This use
> > > case is not captured in A1?
> >
> > It seems so.
> >
> 
> [Med] As a reminder, A1 is specific to the enterprise use case.
> The case mentioned by Paul can be met with the configuration in A2
> (with some local policies).
> 
> > Regards,
> > Valery.
> >
> > > Paul

