Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229bis
Valery Smyslov <smyslov.ietf@gmail.com> Tue, 11 January 2022 12:53 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D7263A0949 for <ipsec@ietfa.amsl.com>; Tue, 11 Jan 2022 04:53:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKESXyvh_p-r for <ipsec@ietfa.amsl.com>; Tue, 11 Jan 2022 04:53:46 -0800 (PST)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CF3F3A0923 for <ipsec@ietf.org>; Tue, 11 Jan 2022 04:53:46 -0800 (PST)
Received: by mail-lf1-x135.google.com with SMTP id j11so55931835lfg.3 for <ipsec@ietf.org>; Tue, 11 Jan 2022 04:53:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=io3Ch29dbMMTLg+nWkRRBQ+7FYu79ypTjvvfN3Ym0lM=; b=n2xa/dRre9K6E5mBpFG4Y7nXTAdoWNe18gZ9BU0oX/TvsIm5hthUO6llUa5WBE4YxF q4q4TVkCz8k/aEBd/HZ+oabeWqXLrS0OL/43kEgnkbS9NgzNF7Wmj4mr4OtQmcG1RfZF yyqw6PYvUVTLfcwVLA1UxkDYTlMvg1ZCU9sdopf4acrNlApy4fUX/LR8xDB3GwSc9Jjv fCu9e2EubM/eFSKi4+PPlAu2Rex0GKXqJcOzw+cNigqQDH0YcygKEzjdtoYCoOCPtSPm 3YkZXHZfqhMxOzHedh/v9B351s/XPf4pBkMno3lf7uwQPrvUTMNStFXEIewpHKuMdVOK u7VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=io3Ch29dbMMTLg+nWkRRBQ+7FYu79ypTjvvfN3Ym0lM=; b=cVBGqrzSlR3ahFRrgA+nu4/MXwTrZLjdLS29wg+62C90m+FhN4rQ+BMhpVbLKy5fiJ DBLfvxIOzZU8MUnt2zAyxRxYZksuiwgE5mjRf0kYq8Rwnja4t7gCa3TwTGtfLH6kWt+c OHU7uRGBTCtgFL2JA2EeMHZCUG/jDVDzOkLh30e5babis52+1UgKOCaebo69cuLQMpLN mLzNallPHHXNW2nU/tK2EMXiHLn/5p+8kCbVfvGWOwG99WUWAl/swy/9LtNabVyr2T2n UvJEhj7452eC9/rk6QEPF7V0w3EHXGyzpyANdidrMexIMyYtH4dEa4wqNcPeffmAXEbD xGEQ==
X-Gm-Message-State: AOAM530avorLzYFS8AXJ7R32umIQbduZcCjZyID597u4owfeuyD07JWF EYvJPTClp07xpFXCye+WCP6VEPS5gOk=
X-Google-Smtp-Source: ABdhPJw3kH8Jl2zuWhIZ0pAdpqNs6y0gLzeXNsb4B8JR3IoZzDGFszelF0iF62uEU+d62gh+3n1G8Q==
X-Received: by 2002:a05:6512:1115:: with SMTP id l21mr3239347lfg.600.1641905623675; Tue, 11 Jan 2022 04:53:43 -0800 (PST)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id bi16sm1326452lfb.81.2022.01.11.04.53.42 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jan 2022 04:53:43 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Tero Kivinen' <kivinen@iki.fi>
Cc: 'Paul Wouters' <paul.wouters=40aiven.io@dmarc.ietf.org>, ipsec@ietf.org, tpauly@apple.com
References: <acea85f6-1c72-3b79-a7f6-d4c234b9e7c@nohats.ca> <026601d80627$55c05970$01410c50$@gmail.com> <25052.47710.148277.213677@fireball.acr.fi> <02f301d806e2$83b74030$8b25c090$@gmail.com> <25053.31538.461435.873239@fireball.acr.fi>
In-Reply-To: <25053.31538.461435.873239@fireball.acr.fi>
Date: Tue, 11 Jan 2022 15:53:43 +0300
Message-ID: <02f901d806ea$44444b70$cccce250$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQINrN/IdsOuc0WzOJRkkxx4Plg45gI1M6jVAd9ejX4CghRNFQHj45Mvq66k7FA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/wFMqTTvyF-klLkGyTDtJIbLhkEM>
Subject: Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229bis
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jan 2022 12:53:49 -0000
> > o if the Responder chooses to send Cookie request (possibly along > > with Puzzle request), then the TCP connection that the IKE_SA_INIT > > request message was received over SHOULD be closed after the Responder sends its reply > > and no repeated requests are received within some short period of time, so that the > > Responder remains stateless. Note that if this TCP connection is > > closed, the Responder MUST NOT include the Initiator's TCP port > > into the Cookie calculation (*), since the Cookie will be returned > > over a new TCP connection with a different port. > > > > The text doesn't specify what "some short period of time" is. > > I don't think we should do it (it may be 10 sec as you suggested > > or 5 sec or 20 sec). > > > > Is it OK? Or should we probably change SHOULD to MAY here? > > I think it would be best to explain that valid clients usually return > back almost immediately, so responders should keep tcp connection open > for at least 10 seconds to receive the cookie responses, and after > that SHOULD close the connection after some timeout. I don't think we should advise any concrete values here, following RFC 7296 practice which deliberately avoided specifying concrete timeouts and also because they don't affect interoperability. But I agree that some explanations can be added and we can mention concrete values (say 10 secs) as examples. > And perhaps add some words that depending on the puzzle difficulty > level the timers might be modified (i.e., if you give puzzle that will > require several minutes to solve, there is no point of waiting any > more than the few seconds, but if you expect initiator to solve the > puzzle in 5 seconds, then waiting 20 seconds is good thing). OK, good idea to add some clarifications. Regards, Valery. > -- > kivinen@iki.fi
- [IPsec] Review of draft-ietf-ipsecme-rfc8229bis Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Tero Kivinen
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Tero Kivinen
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Paul Wouters