Re: [IPsec] Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-multiple-ke-10: (with COMMENT)
Valery Smyslov <svan@elvis.ru> Tue, 29 November 2022 17:47 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6671AC14F72F; Tue, 29 Nov 2022 09:47:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7fWKcdLfOw_k; Tue, 29 Nov 2022 09:47:20 -0800 (PST)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74878C14F727; Tue, 29 Nov 2022 09:47:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=qu/SxGjijfmtEMZv+x9qo/p2kpfHaa5tgajsoWkeUqE=; b=V1LInRQMmOWp8KlJnSKpqlJwDX WsusP04x4PxFyoPxkgCIhtGYpvR2cQncz3BZvpFynXqOr4X1nIxMGlYc8FlMuWQhRo8z8RPn5KsLG 2/oAvkWKDdT9ijoVXgmeV2XN28JuSZKyPA5txfB2yoKG0WMGX53b4KOSgrwktMvyWors=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1p04hL-0004vW-Je; Tue, 29 Nov 2022 20:47:12 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1p04hL-0007WQ-8e; Tue, 29 Nov 2022 20:47:11 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Tue, 29 Nov 2022 20:47:11 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Tue, 29 Nov 2022 20:47:11 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Éric Vyncke' <evyncke@cisco.com>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-ikev2-multiple-ke@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi, charliep@computer.org, gih@apnic.net
References: <166971468911.7554.15756404808608648113@ietfa.amsl.com>
In-Reply-To: <166971468911.7554.15756404808608648113@ietfa.amsl.com>
Date: Tue, 29 Nov 2022 20:47:12 +0300
Message-ID: <150a01d9041a$9c8b3590$d5a1a0b0$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHLbR3DTJkNFJdObyrZMalkiEcAq65w6t3Q
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/11/29 15:26:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/11/29 13:02:00 #20623996
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/riOl27b839MdSpVB2jY1_-7yNaE>
Subject: Re: [IPsec] Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-multiple-ke-10: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2022 17:47:24 -0000
Hi Éric, thank you for your comments. Please see inline. > -----Original Message----- > From: Éric Vyncke via Datatracker [mailto:noreply@ietf.org] > Sent: Tuesday, November 29, 2022 12:38 PM > To: The IESG > Cc: draft-ietf-ipsecme-ikev2-multiple-ke@ietf.org; ipsecme-chairs@ietf.org; ipsec@ietf.org; > kivinen@iki.fi; kivinen@iki.fi; charliep@computer.org; gih@apnic.net > Subject: Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-multiple-ke-10: (with COMMENT) > > Éric Vyncke has entered the following ballot position for > draft-ietf-ipsecme-ikev2-multiple-ke-10: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-multiple-ke/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > # Éric Vyncke, INT AD, comments for draft-ietf-ipsecme-ikev2-multiple-ke-10 > CC @evyncke > > Thank you for the work put into this document. Even if my IPsec knowledge is > now very dated, I find it relatively easy to read. Thank you. > Please find below some non-blocking COMMENT points (but replies would be > appreciated even if only for my own education), and some nits. > > Special thanks to Tero Kivinen for the shepherd's write-up including the WG > consensus *but* the justification of the intended status is missing. > > Other thanks to Geoff Huston for his Last Call DNS directorate review at: > https://datatracker.ietf.org/doc/review-ietf-ipsecme-ikev2-multiple-ke-07-dnsdir-lc-huston-2022-10-10/ > > Please note that Charles Perkins is the Internet directorate reviewer (at my > request) and you may want to consider this int-dir reviews as well when Charles > will complete the review (no need to wait for it though): > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-multiple-ke/reviewrequest/16618/ > > I hope that this review helps to improve the document, > > Regards, > > -éric > > ## COMMENTS > > Out of all Paul Wouters's points, I support the last one about AH (I am not > experience enough to appreciate the other ones). It is also related to bullet > 3) of section 2. I have already commented this in my response to Paul. So, the document focuses on PQ security, but also has another application in mind - the ability to combine several different key exchange methods so, that the resulting shared secret depends on all of them. This can be useful without any PQ algorithms - e.g. in a situation when each of the peers trust only its favorite key exchange algorithms, so that there is no any single one that is trusted by the both. In this case the draft allows to use two, so that each peer will be sure that its favorite algorithm is used. In this context AH still may be used (well, it is not deprecated yet?). > ### Missing reference RFC 8247 > > As indicated by idnits tool, RFC 8247 is used as a reference but is not defined > ;-) Ah, we managed to confuse idnits (which in fact is not too difficult) :-) This document does not reference RFC 8247, but it contains the text to be placed at the IANA registry page as a Note, and this text contains a "[RFC8247]", but this reference is in the context of IANA page :-) > ### Section 2 > > The bullet 2) is a nice explanation about *why* there must be multiple key > exchanges with different methods. Until reading that part, I was really > wondering why this I-D was about the link with PQC and multiple key exchanges. > Should this be mentioned in the abstract already ? I don't mind, but as far as I know, IESG wants abstract to be short :-) If you (and other ADs) think it's a good idea, then we'll add this text. > Should "FIPS" be prefixed by "USA" as in "USA FIPS" ? I don't know, rely on my co-authors (actually it seems that this is a well-known organization outside USA, but formally you are right). > ## NITS > > ### Section 1.2 > > `payloads longer than 64k` suggest to specify the units of measure. Changed to 64 Kbytes. Thank you! The updated PR is available at: https://github.com/post-quantum/ietf-pq-ikev2/pull/22 Regards, Valery. > ## Notes > > This review is in the ["IETF Comments" Markdown format][ICMF], You can use the > [`ietf-comments` tool][ICT] to automatically convert this review into > individual GitHub issues. > > [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md > [ICT]: https://github.com/mnot/ietf-comments >
- [IPsec] Éric Vyncke's No Objection on draft-ietf-… Éric Vyncke via Datatracker
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Éric Vyncke's No Objection on draft-i… Eric Vyncke (evyncke)