Re: [IPsec] Shepherd review of the draft-ietf-ipsecme-add-ike
Tero Kivinen <kivinen@iki.fi> Tue, 31 January 2023 13:49 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 190F2C1522AB; Tue, 31 Jan 2023 05:49:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 74DsH0znmg7w; Tue, 31 Jan 2023 05:49:05 -0800 (PST)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [IPv6:2a0b:5c81:1c1::37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE6F6C1522AA; Tue, 31 Jan 2023 05:49:03 -0800 (PST)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id E7A621B0034E; Tue, 31 Jan 2023 15:48:58 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1675172939; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5A3ZL+KhvMmLK88Qz/4VI3VF9PbZ9+NhWYMlNv/hDBE=; b=Kn0flg+NX6UchdZBSPDGvE5/AHKdWoNED8Mo+pr1u229f7fVsLZIjEdggRGULSsksf0FE6 q0sCZ3Mps4ULlO9qb+QcmPCqt1J6mA42QjExKXY7Ky1jCeIIZv+E+bq3OJXVqKZpHgiEd6 NbJOB43Q3pL/v+ohbCmWr7JTtkGqLlMY0A72HKo9Y71qbBVXidKwBXalIZ556jpN1T1ujL 6hIdlTTSqqk/GD3Ov4fvtLtWPkC7H8d7RL+x7tBJjtQ4Rwdl1k3zdhueaTgodBnNvfucUs g7MKT8HlQNj8WV9JvKPa6ZQ8HxrcE8cClIAyMNlR2YkK1vdfGajh0Z9XmvO+Hg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1675172939; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5A3ZL+KhvMmLK88Qz/4VI3VF9PbZ9+NhWYMlNv/hDBE=; b=meh6OjV39Cgw+St8GLhHRdfs74KE/Xslz4XrQnEDJhNst6M3oEf5ANFlvlFkPC8EQJAEY5 dLWAjrnAva0DgzBvKlY6i5/IsgvKq2huGwlcxE2Ihhis1F0MTc46U/OkqoqxU/xqUJG2Ht 0T7PXbgUaSiURVRnr4jTaTg4NgTqvtkKDG7VD7HG29tuCO6iDaX93gqmtnHCSCm5pOwQ6R z5hTlurnpZdUa1FnQTzwj1oCx0mQO1q4V/zGRfFRHgKoRGTuQunDhHypCHmMl3Tl6PWSwV h9esifwthFSlmEliapXL8odjyjTrcFBqxtCa4wK2OLOTKA/nMTqf+aOEYjO1ig==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1675172939; a=rsa-sha256; cv=none; b=e6Br7g1WfiQKSLmseJ0BovoGfGAZTcslJuJt1TUZO9zGqiuVFxcdY/JxcAK/5U9qbUSFEP wGI5t/EY9H9/LbDXF4KEapUmdRC+jm0B+e/24jzMep6uz7oRipw2pPUmd4HBZs2bYY4m8P fNS5jfIGBpabq0d7XWpIZad6PTVNzjWYdWqsMVEpUHIWpdGIDy6ihtsIGFLDvrHwFTaObn NjS5pK2O0uFIuRIJBTyHsNl13NaH2a0BvUUnqLFFIwH5cbReILlTJ79ntvHvw5Z7yySby2 j3O8+JtcE9qssiV1nvJGD/JhuhD9fy0mv6L0Zursw5qmwRocFEEx4O1qvNV1jA==
Received: by fireball.acr.fi (Postfix, from userid 15204) id B02B725C1300; Tue, 31 Jan 2023 15:48:58 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25561.7242.527268.796400@fireball.acr.fi>
Date: Tue, 31 Jan 2023 15:48:58 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: mohamed.boucadair@orange.com
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, "draft-ietf-ipsecme-add-ike@ietf.org" <draft-ietf-ipsecme-add-ike@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <31961_1675155778_63D8D942_31961_164_1_567425c5d78042df9598eeadda785f7c@orange.com>
References: <25560.18262.145478.996578@fireball.acr.fi> <013a01d9354c$c1fe37b0$45faa710$@gmail.com> <31961_1675155778_63D8D942_31961_164_1_567425c5d78042df9598eeadda785f7c@orange.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 18 min
X-Total-Time: 17 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/s5JdDiTGSlFaH_3abW8oQVVTmjo>
Subject: Re: [IPsec] Shepherd review of the draft-ietf-ipsecme-add-ike
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 13:49:07 -0000
mohamed.boucadair@orange.com writes: > > > Also the text in Num Addresses indicate that it would be valid > > to send > > > CFG_REQUEST with proposed Service Priority, but having Num > > Addresses > > > set to zero? > > > > > > Is this intended? I.e., is the client allowed to request data, > > but not > > > propose IP address? If so, perhaps add sentence to Num Addresses > > > explaining that it can be 0 for CFG_REQUEST when no specific > > address > > > is request, but other parameters are requested. > > > > Hm... I think my co-authors can comment on this. > > > > [Med] This is intended. The requestor can suggest any of the > parameters in a request. That is already covered by the following: > > * " 0 if the Configuration payload has types CFG_REQUEST (if no > * specific DNS resolver is requested) ..." > * "If the initiator does not want to request specific DNS resolvers, > * it sets the Length field to 0 ..." > * "For a given attribute type, the initiator MAY send either an > * empty attribute or a list of distinct suggested resolvers." This is different case. I.e., there are (possibly) 3 different formats of CFG_REQUEST: CP(CFG_REQUEST) = ENCDNS_IP6() i.e., length = 0, initiator just request responder to send us informationfor ENCDNS_IP6. CP(CFG_REQUEST) = ENCDNS_IP6(Service Priority = 0, Num Addresses = 0, ADN Length = 16, IP addresses = (), Authentication Domain Name = "doh1.example.com", Service Paramters = "???") i.e., initiator requesting the responder to return information for Authentication Domain Name of doh1.example.com, and not providing priority or address of it, but perhaps including some service parameters it want the that server to have. CP(CFG_REQUEST) = ENCDNS_IP6(23, 1, 16, (2001:DB8:99:88:77:66:55:44), "doh1.example.com", "???") initiator requesting the responder for specific information, most likely something that it got last time, and initiator proposes it to the responder, in case it is still valid, and responder can send that same information back if it is valid, or return something else. Btw, for the second use case where the initiator fills in some of the information about the server it wants to talk to, it would be usefull to allow Service Priority to be 0, and explictly mention that this is not AliasMode, this is meaning that initiator does not care about the exact priority or does not know the priority, so it used 0 as placeholder. > > > In IP Address(es) explictly mention that it is field contain 4 > > octet > > > IPv4 addresses, or 16 octet IPv6 address without any delimeters > > etc. > > > This can be derived from the calculation of the length field, > > but I > > > think it should be mentioned here, even when it is obvious. > > > > OK. > > [Med] Actually, no. We don't have a mix. The AF is determined by the > attribute type. This is why we have the following: "One or more IPv4 > (for ENCDNS_IP4) or IPv6 (for ENCDNS_IP6)." Yes, I know, but it does not say how those IP-addresses are encoded in that field. They could be sent out as 16-octet values for both IPv4 and IPv6 addresses, where the IPv4 address would only use last 4 octets :-) Only way to know that this is not true is to check the formula in Length calculation... It is obvious that they are encoded as 4 octets for each IPv4 address and there is nothing between them, and same for IPv6 addresses, except each address takes 16 octets, but I think it would be good to explain it here. Something like this: For ENCDNS_IP4 this field contains one or more 4 octet IPv4 address, and for ENCDNS_IP6 this field contains one or more 16 octet IPv6 address. Address in this field can be used to reach ... -- kivinen@iki.fi
- [IPsec] Shepherd review of the draft-ietf-ipsecme… Tero Kivinen
- Re: [IPsec] Shepherd review of the draft-ietf-ips… Valery Smyslov
- Re: [IPsec] Shepherd review of the draft-ietf-ips… tirumal reddy
- Re: [IPsec] Shepherd review of the draft-ietf-ips… mohamed.boucadair
- Re: [IPsec] Shepherd review of the draft-ietf-ips… mohamed.boucadair
- Re: [IPsec] Shepherd review of the draft-ietf-ips… mohamed.boucadair
- Re: [IPsec] Shepherd review of the draft-ietf-ips… Tero Kivinen
- Re: [IPsec] Shepherd review of the draft-ietf-ips… Tero Kivinen
- Re: [IPsec] Shepherd review of the draft-ietf-ips… Tero Kivinen
- Re: [IPsec] Shepherd review of the draft-ietf-ips… Valery Smyslov
- Re: [IPsec] Shepherd review of the draft-ietf-ips… mohamed.boucadair
- Re: [IPsec] Shepherd review of the draft-ietf-ips… Tero Kivinen
- Re: [IPsec] Shepherd review of the draft-ietf-ips… mohamed.boucadair