Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
Tero Kivinen <kivinen@iki.fi> Thu, 23 March 2017 09:37 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C6691314F6; Thu, 23 Mar 2017 02:37:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nd_FLnFGqepc; Thu, 23 Mar 2017 02:37:17 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6290129A0B; Thu, 23 Mar 2017 02:37:16 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v2N9bDKu028155 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 23 Mar 2017 11:37:13 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v2N9bCwO007610; Thu, 23 Mar 2017 11:37:12 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22739.38728.808538.27709@fireball.acr.fi>
Date: Thu, 23 Mar 2017 11:37:12 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: Ben Campbell <ben@nostrum.com>, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-rfc7321bis@ietf.org, ipsec@ietf.org, ipsecme-chairs@ietf.org, david.waltermire@nist.gov
In-Reply-To: <alpine.LRH.2.20.999.1703161300150.32675@bofh.nohats.ca>
References: <148962889979.14189.965850110922865986.idtracker@ietfa.amsl.com> <alpine.LRH.2.20.999.1703161300150.32675@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 7 min
X-Total-Time: 6 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zcKM2LlGnnyMVG_Bwmfed0H-dL8>
Subject: Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 09:37:18 -0000
Paul Wouters writes: > > -3: I wonder why "... is not to be used..." is not "... MUST NOT be > > used...". But the section goes on to say if you do it anyway, you MUST > > NOT use certain cryptosuites. So, does "... is not to be used..." mean > > "SHOULD NOT"? Or is this one of those "MUST NOT BUT WE KNOW YOU WILL" > > sort of requirements? > > It is indeed. I think a SHOULD NOT would actually be appropriate ? We do not want to make the implementation of the manual keying MUST NOT, as it is still useful in testing and similar situations, but we do not want anybody using it in any real world use cases. As this document is mostly about the implementation and tries to stay out from the issues about what should be used (as explained in the 2nd paragraph of the section 1.3). On the other hand section 1.3 is really about the use of the manual keying, not about the implementation of manual keying, so that confuses things (we do have some other cases were we say things DES MUST NOT be used). I think the text needs to be clarified about this bit more, especially we do not want to say that ENCR_AES_CBC MUST be used, as there are other algorithms which can also be used (MUST be used would indicate no other algorithm is possible). > > - Table in section 6: > > I'm boggled by the first entry being labeled "MUST/MUST NOT". I don't see > > anything in the text to explain the "MUST" part--did I miss something? > > > First paragraph under the table: > > AUTH_NONE has been downgraded from MAY in RFC7321 to MUST NOT. The > only reason NULL is acceptable is when authenticated encryption > algorithms are selected from Section 5. In all other cases, NULL > MUST NOT be selected. It does not make it easier that there is typo in that paragraph, and it talks about NULL, when it should be talking about AUTH_NONE... -- kivinen@iki.fi
- [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-… Ben Campbell
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Waltermire, David A. (Fed)
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Ben Campbell
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Frankel, Sheila E. (Fed)
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul.Koning
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Tero Kivinen
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul.Koning
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Eric Rescorla
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul.Koning
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Russ Housley
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Eric Rescorla