IETF Logo Mail Archive

Re: [IPsec] Mahesh Jethanandani's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)

Mahesh Jethanandani <mjethanandani@gmail.com> Sat, 13 April 2024 02:30 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6858EC14F6F4; Fri, 12 Apr 2024 19:30:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vFxYZmck3zAp; Fri, 12 Apr 2024 19:30:45 -0700 (PDT)
Received: from mail-oa1-x29.google.com (mail-oa1-x29.google.com [IPv6:2001:4860:4864:20::29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 924BEC151075; Fri, 12 Apr 2024 19:30:29 -0700 (PDT)
Received: by mail-oa1-x29.google.com with SMTP id 586e51a60fabf-22f078f1aecso829912fac.3; Fri, 12 Apr 2024 19:30:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712975428; x=1713580228; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=mmDVWLQw84PmzQCmuxAUsRMfOFy/NuZzLkjROAfEw4o=; b=YDozC6WgdvSkIJK0Hzm0N7oRujmr3eCpNdJAqaWElkW8v0v5+AOb9rQkEJ2xCPDtCQ YlgTAWUdk0z2eNDUPCMj2Zl668l2Xjq+jjMz9mP1kH37BMjoboDlFxMXXBlKjg7W6Bxt zx9nJkcla5uOJxrTSKgCFWxf9+uUjanrRnzCAjc2Mdc0ij6w/yB8YiwgahFg75V8fWIB kgOT9YJKr6zKArqFHZJCEiJTEZX/3Azw75+GjEbHKiteAr83mY8tohuQ672aH6NqEfof y07qC9QITilq5VXtW50+HsKVQVf/MbemWU8wA+yX61ezzXNBWgeThhnK4tmz9U6aY5ON AQkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712975428; x=1713580228; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=mmDVWLQw84PmzQCmuxAUsRMfOFy/NuZzLkjROAfEw4o=; b=JQjZn+OJth3kAQpZGTD7lvuLK0T9SY9gqfS+Kq2UZhkePUrQwaKXf0QoaaDaXwgVjk Dy+sUR2xKSkICMQyX8P5mANWsl046vvH1vWH3CBxxx7hCDYFJvhK4a74dYcgGWfRIkFD 1e9Shg/718I1jvPYcQjQti53paV4mrQeTPgTL+vVAxEQo55EjYwsUB4tcQydhEs45nis EvkS7WlZShXLCgPLsOjHwjNq6NHmOCi5zMXkhyrk60PhD7K+4rBlJZAxTvUqOvyOzyRR iNeXKa0jBcHxFHEWV214wJR1VQO+cI/P7Ify+Y2M2A3E+TWeiAKXhS0Iz/lxGs+XC68r 8POQ==
X-Forwarded-Encrypted: i=1; AJvYcCWmFRBNGptWQoFSzF+wsMnfIVolhQhNj0qq7ndEl4tHWhpih6wUKfShVgevZnSp5adiy9gEWb31TfqY5PbyMMLk2L7AwXKmtp2x94eH0DuWfpoNiKTnX4cLlOvNxwrp+qaGsJLACJ6KMqJSxCb4cnd7ko6XJP8J64egVzdrkdDQ2xMejq/KH3AX
X-Gm-Message-State: AOJu0YyYamIk6BCvcr1f4csOO6D0wNyFpnz1DVttpEhJQKq1QjCRHvmc Qt1pGeSdLfoecHK9d+uBSMH3Bjam9m0Gy23IixSvSkBzRU4XOeeyXTq8q+F0
X-Google-Smtp-Source: AGHT+IGJzwqgFKQKeSbCYrhEZqimirb3NCzMRfjv/VQEC9Kb9Gi4BIXaCOGokPEl3J0KBlxLh2Fbeg==
X-Received: by 2002:a05:6871:78c:b0:22e:b96a:375 with SMTP id o12-20020a056871078c00b0022eb96a0375mr4962921oap.30.1712975428061; Fri, 12 Apr 2024 19:30:28 -0700 (PDT)
Received: from smtpclient.apple (c-69-181-169-15.hsd1.ca.comcast.net. [69.181.169.15]) by smtp.gmail.com with ESMTPSA id z128-20020a626586000000b006ed9d839c4csm3658025pfb.4.2024.04.12.19.30.26 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Apr 2024 19:30:27 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <5F970481-A46F-413A-8944-50A57AD15130@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_513DC419-9DC4-444E-9318-7CD165A5E15D"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
Date: Fri, 12 Apr 2024 19:30:25 -0700
In-Reply-To: <044301da8cae$60de23e0$229a6ba0$@elvis.ru>
Cc: The IESG <iesg@ietf.org>, draft-ietf-ipsecme-ikev2-auth-announce@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
To: Valery Smyslov <svan@elvis.ru>
References: <044301da8cae$60de23e0$229a6ba0$@elvis.ru>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/wvSAqgOODiugxZ52LjskQTQMp6Q>
Subject: Re: [IPsec] Mahesh Jethanandani's No Objection on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Apr 2024 02:30:49 -0000


> On Apr 12, 2024, at 12:52 AM, Valery Smyslov <svan@elvis.ru> wrote:
> 
> Hi Mahesh,
>  
> please, see inline.
>  
> HI Valery,
>  
> Thanks for responding to my comments. 
>  
> Some of these comments are generated by a tool we use, and as it says, you should feel free to ignore them if they are not applicable. Please see inline for the remaining.
> 
> 
>> On Apr 11, 2024, at 12:56 AM, Valery Smyslov <svan@elvis.ru <mailto:svan@elvis.ru>> wrote:
>>  
>> Hi Mahesh,
>> 
>> thank you for your comments, please see inline.
>> 
>> 
>>> Mahesh Jethanandani has entered the following ballot position for
>>> draft-ietf-ipsecme-ikev2-auth-announce-09: No Objection
>>> 
>>> When responding, please keep the subject line intact and reply to all email
>>> addresses included in the To and CC lines. (Feel free to cut this introductory
>>> paragraph, however.)
>>> 
>>> 
>>> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot- <https://www.ietf.org/about/groups/iesg/statements/handling-ballot->
>>> positions/
>>> for more information about how to handle DISCUSS and COMMENT positions.
>>> 
>>> 
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-auth-announce/ <https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-auth-announce/>
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>> 
>>> Thanks to Reese Enghardt for the General Area Review Team (Gen-ART) review
>>> to Rifaat for the SECDIR review, and to Marc for the ARTART review.
>>> 
>>> Section 3.1, paragraph 14
>>> 
>>>>   If the responder has sent any CERTREQ payload in the IKE_SA_INIT,
>>>>   then it MUST re-send the same payload(s) in the IKE_INTERMEDIATE
>>>>   response containing the SUPPORTED_AUTH_METHODS notification if any of
>>>>   the included Announcements has a non-zero Cert Link field (see
>>>>   Section 3.2.2 and Section 3.2.3).  This requirement allows peers to
>>>>   have a list of Announcements and a list of CAs in the same message,
>>>>   which simplifies their linking (note, that this requirement is always
>>>>   fulfilled for the IKE_SA_INIT and IKE_AUTH exchanges).  However, if
>>>>   for any reason the responder doesn't re-send CERTREQ payload(s) in
>>>>   the IKE_INTERMEDIATE exchange, then the initiator MUST NOT abort
>>>>   negotiation.  Instead, the initiator MAY either link the
>>>>   Announcements to the CAs received in the IKE_SA_INIT response, or MAY
>>>>   ignore the Announcements containing links to CAs.
>>> 
>>> I am a little puzzled by the MUST at the beginning of the paragraph which
>>> insists that CERTREQ payload should be sent in IKE_INTERMEDIATE response
>>> and
>>> the MUST NOT/MAY at the bottom of the paragraph, which seems to be ok with
>>> not
>>> re-sending the CERTREQ payload. Is it possible that the CERTREQ payloads are
>>> not re-send and at the same time they do not fit in IKE_SA_INIT (without being
>>> fragmented)?
>> 
>> Good point, thank you. We can s/MUST/SHOULD.
>> 
>> The idea is to make initiator's task of linking auth announcements to CAs simpler,
>> by always having them in one message. On the other hand, responder may
>> have its own considerations about re-sending CERTREQ in the IKE_INTERMEDIATE.
>> 
>> 
>>> The IANA review of this document seems to not have concluded yet.
>> 
>> Hmm, from my understanding, the IANA has already reviewed the draft...
>  
> You are right. In most cases, IANA will take a look at the IANA Considerations section, and say they understand the request. I on the other hand, tend to err on the side of giving more information than less. For example, in this case what does RFCXXXX refer to? A short note to the RFC Editor (with another note to say please remove it before publication), would inform them that RFCXXXX refers to the RFC number that will be assigned to this document. 
>  
>          Well, I see your point, but do you think that the current text would confuse the IANA and the RFC Editor?
>          The current text is:
>  
>    This document defines a new Notify Message Type in the "IKEv2 Notify
>    Message Status Types" registry referencing this RFC:
>  
>      <TBA>       SUPPORTED_AUTH_METHODS    [RFCXXXX]
> 
> 
>           It seems to me that the current text is clear enough that RFCXXXX is this RFC. 
>          Do you think more instructions for the RFC Editor are needed?

The current text is fine. As you mention, IANA has already processed the request. 

Thanks.

>> 
>> 
>>> No reference entries found for these items, which were mentioned in the text:
>>> [RFCXXXX].
>> 
>> I believe the RFC Editor will change XXXX this to the appropriate value.
>> 
>> 
>>> Possible DOWNREF from this Standards Track doc to [IKEV2-IANA]. If so, the
>>> IESG
>>> needs to approve it.
>> 
>> I think that referencing IANA registries is not a DOWNREF.
>  
> This is an example of the tool trying to figure out where is the reference (possibly because of the square brackets). You can ignore it.
> 
>           OK.
>> 
>> 
>>> Found terminology that should be reviewed for inclusivity; see
>>> https://www.rfc-editor.org/part2/#inclusive_language <https://www.rfc-editor.org/part2/#inclusive_language> for background and more
>>> guidance:
>>> 
>>> * Term "his"; alternatives might be "they", "them", "their"
>> 
>> 
>> Paul Wouters is definitely "he" :-)
>  
> Another case of the tool giving a false positive. But in general the idea is to flag use of his, her etc. You get the picture. 
> 
>           Sure.
>> 
>> 
>>> -------------------------------------------------------------------------------
>>> NIT
>>> -------------------------------------------------------------------------------
>>> 
>>> All comments below are about very minor potential issues that you may choose to
>>> address in some way - or ignore - as you see fit. Some were flagged by
>>> automated tools (via https://github.com/larseggert/ietf-reviewtool <https://github.com/larseggert/ietf-reviewtool>), so there
>>> will likely be some false positives. There is no need to let me know what you
>>> did with these suggestions.
>>> 
>>> Section 1, paragraph 3
>>> 
>>> s/each peer uses/each peer use/
>> 
>> I think the current text is correct.
>> 
>> 
>>> Section 3, paragraph 1
>>> 
>>>>   particular trust anchors.  Upon receiving this information the peer
>>>>   may take it into consideration while selecting an algorithm for its
>>>>   authentication if several alternatives are available.
>>> 
>>> This sentence does not parse for me. When it says, "the peer may take it into
>>> consideration while ...", I seem to be missing what needs to be taken into
>>> consideration.
>> 
>> Perhaps:
>> 
>> NEW:
>> 
>>   The receiving party may take this information into consideration when selecting an algorithm for its
>>   authentication if several alternatives are available.
>> 
>> Is this better?
>  
> Yes, and thanks.
>  
> All the comments following this are from the tool, so feel free to ignore.
> 
>           Some of them were useful, thank you.
>  
>          Regards,
>          Valery.
>> 
>> 
>>> Section 3.2, paragraph 6
>>> 
>>>>   If more authentication methods are defined in future, the
>>>>   corresponding documents must describe the semantics of the
>>>>   announcements for these methods.  Implementations MUST ignore
>>>>   announcements which semantics they don't understand.
>>> 
>>> s/announcements which semantics/announcements whose semantics/
>> 
>> OK.
>> 
>> 
>>> Reference [RFC2409] to RFC2409, which was obsoleted by RFC4306 (this may be
>>> on
>>> purpose).
>> 
>> On purpose.
>> 
>> 
>>> Section 1, paragraph 2
>>> 
>>>> or implementations, especially if so called hybrid schemes are used (e.g. se
>>>>                                  ^^^^^^^^^
>>> The expression "so-called" is usually spelled with a hyphen.
>> 
>> Fixed (caused by my native language experience - in Russian no hyphen is used in this case).
>> 
>> 
>>> Section 3.1, paragraph 6
>>> 
>>>> E exchange, defined in [RFC9242] (i.e. the responder has received and is goin
>>>>                                      ^^
>>> It seems like there are too many consecutive spaces here.
>> 
>> This is a result of xml2rfc conversion. There are no extra spaces in the xml.
>> 
>> 
>>> Section 3.1, paragraph 8
>>> 
>>>> st to be sent in. This would allow to use IKE fragmentation [RFC7383] for lon
>>>>                                   ^^^^^^
>>> Did you mean "using"? Or maybe you should add a pronoun? In active voice,
>>> "allow" + "to" takes an object, usually a pronoun.
>> 
>> OK, s/to use/using
>> 
>> 
>>> "I", paragraph 6
>>> 
>>>> field, and the Notify Message Type is set to <TBA by IANA>. The Notification
>>>>                                    ^^^^^^
>>> You have used the passive voice repeatedly in nearby sentences. To make your
>>> writing clearer and easier to read, consider using active voice.
>> 
>> Not that I disagree with you (and actually, as a non-native speaker, I really appreciate these comments),
>> but in this case I'd rather leave it to the RFC Editor.
>> 
>> 
>>> Section 3.2, paragraph 2
>>> 
>>>> uthentication methods are defined in future, the corresponding documents must
>>>>                                  ^^^^^^^^^
>>> The phrase "in future" is British English. Did you mean: "in the future"?
>> 
>> Fixed (and I will try to remember this particular difference between British English and American English).
>> 
>> 
>>> Section 3.2, paragraph 6
>>> 
>>>> ormat is used. This format allows to link the announcement with a particular
>>>>                                  ^^^^^^^
>>> Did you mean "linking"? Or maybe you should add a pronoun? In active voice,
>>> "allow" + "to" takes an object, usually a pronoun.
>> 
>> OK, s/to link/linking
>> 
>> 
>>> Section 8.1, paragraph 5
>>> 
>>>> th-pq-composite-sigs-13>. Appendix A. Examples of Announcing Supported
>>> Authe
>>> 
>>>>                                     ^^
>>> It seems like there are too many consecutive spaces here.
>> 
>> It is xml2rfc which is at fault :-)
>> 
>> 
>>> Section 8.2, paragraph 5
>>> 
>>>> 1), SIGNATURE(RSASSA-PSS:2), SIGNATURE(ECDSA:3)))} IKE_AUTH HDR,
>>> SK {IDi, CE
>>> 
>>>>                                      ^
>>> It appears that a white space is missing.
>> 
>> Not sure where it is missing...
>> 
>> Regards,
>> Valery.
> 
>  
> 
> Mahesh Jethanandani
> mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>

Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email