IETF Logo Mail Archive

Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic

Valery Smyslov <smyslov.ietf@gmail.com> Mon, 28 June 2021 08:23 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8372C3A30AA for <ipsec@ietfa.amsl.com>; Mon, 28 Jun 2021 01:23:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TgPS6TJaQV-s for <ipsec@ietfa.amsl.com>; Mon, 28 Jun 2021 01:23:40 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2D103A30AD for <ipsec@ietf.org>; Mon, 28 Jun 2021 01:23:40 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id c11so24399521ljd.6 for <ipsec@ietf.org>; Mon, 28 Jun 2021 01:23:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=WGtJzU/kQzqjmOP8991of8gYzJcG5b119PK7oaYqhmI=; b=lX6MiDhYrxWjCKIQ85E13FlIDKGzgn3ka1KkJTshMw0GFKcP8gowc3qr6ei7i1uBXF 4XHhHsq0A/7mu0uZJW5OV24Yj+014cNYJvw5RO2s4WYegoM8dqoVq1He6dRemHBepJ9H +0MMHHxRjouuVwAaE1vnCIxhPX4tCjrqbN3WD2l8RbviiKB6gUAGOw9WGe0P+m3UuF/I 0Mg0x8Lvr+KTOUpOTpGtifMoFQZwsQ1wtE/2GW8Q2x/PyJ6SlC4CgYgpjlgljbqn9RTb pxKvVJp8LI4k1z1tWTo9fFoeR9wnSotvX4Mue6Zh58JdrpMlImNPal69FeUMI2his1Td TlZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=WGtJzU/kQzqjmOP8991of8gYzJcG5b119PK7oaYqhmI=; b=cyy4fJPyaR8+XxiT2TWxQC21xcAnUbokj/7b1RNUPdADSw53oiczmsNquMP8WL3+KE CktbbBP/q2Bx/ZCw9/M0BDvr3t/tW6KXV6cB4qjNIf7j2Hg04Q64nA8/0zvsXHwPpots UZLzPFVx7KSmSq+/r1WW3VSmmkgW+creD/r2RO679Kkkyszi6A4inqZAqN+UgxOB/y00 l9a8TIjLsC/M/eNS7aRLvCX7LOEXnREYeN5jqnayuqJXlXjGUuXQCI0QRQOpBvrPl/sj 5zFffRtkY9gxDs70Khb7LEfqDi66XE5P9yxbIiVmuOG9t0PHs6UeRtqb08P2aEOVWuTE ehkA==
X-Gm-Message-State: AOAM532eEMP0z1U+oUYJL51EFzfbVXSSZbuzfTJinDZMYn428DMKnxKz ui8Ps+QQCXjh1TZYgRjvngyumghAAKY=
X-Google-Smtp-Source: ABdhPJz4g6bYPd1MspRsJNbTHYNYE+V3wHzila6KwvBk0TJFcKk9JGFoEVYjU51CrFShfy9ohL9zUw==
X-Received: by 2002:a2e:a546:: with SMTP id e6mr19275411ljn.255.1624868613447; Mon, 28 Jun 2021 01:23:33 -0700 (PDT)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id p18sm986926ljj.56.2021.06.28.01.23.32 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 28 Jun 2021 01:23:32 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Yoav Nir' <ynir.ietf@gmail.com>, ipsec@ietf.org
References: <315BBB8D-B55E-43C8-A988-ADC8780AD62E@gmail.com>
In-Reply-To: <315BBB8D-B55E-43C8-A988-ADC8780AD62E@gmail.com>
Date: Mon, 28 Jun 2021 11:23:32 +0300
Message-ID: <059201d76bf6$e29680c0$a7c38240$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHxuVp+cPQG1Jn/fU0fR8b5jHKxCar0a7Ew
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zz01zdQhC6T5i5J5EZP5TSyNTfs>
Subject: Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev1-algo-to-historic
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jun 2021 08:23:51 -0000

Hi,

I think document is mostly ready. Few observations:

- FWIW I think that Dan's efforts to make draft's language less speculative and more concrete 
   are valid and should be reflected in the document. 

- Is it OK that the intended status is Standards Track? Shouldn't it be BCP?

- The draft states that it updates RFC 7296, 8221, 8247. What in particular is being updated?
   I believe the recent IESG directives require a short explanation of what is being updated
   to be present in Abstract. In any case, it should be clearly indicated in the body of the document.
   Have I missed it?

- Section3: I think that phrase "IKEv2 is a more secure protocol than IKEv1 in every aspect." is a bit too vague.
  I believe it's better to list security aspects where we believe IKEv2 is superior:

  * IKEv2 supports modern cryptographic primitives, including AEAD ciphers
  * IKEv2 provides real defense against DoS (cookies, core spec) and DDoS (puzzles, RFC 8019) attacks
  * support for post-quantum crypto in IKEv2 is being developed (draft-ietf-ipsecme-ikev2-multiple-ke)
  * IKEv2 supports various authentication methods via integration with EAP (core spec)
  * an extension that allows build PAKE methods in IKEv2 exists (RFC 6467)
  * did I forget something?
   
- Section 4.3. Formally RFC 6407 is not directly concerned with IKEv1.
   This is an independent protocol developed by msec WG that was based on IKEv1.
   I think more accurate language should be used to make this clear. For example:

       Group Domain of Interpretation (GDOI, RFC 6407) protocol based on IKEv1
       defines the support for Multicast Group SAs.

   I also think that reference to RFC 3740 should be remove (it doesn't even mention IKE
   in any substantial way). I'm not so sure about RFC 5374, but I'm inclining 
   to remove it too - it's mostly concerned with MCAS architecture and doesn't
   define any concrete IKEv1 changes to support it. So, leave only RFC 6407.

- Section 5 lists deprecated algorithms. In my reading this list
   is inconsistent with Section 7 (IANA Considerations) which lists
   many more deprecated algorithms... So, I'm a bit puzzled
   how to read this section.

- The draft currently has all its references as Normative.
   I have no problems with this (except that RFC 3740 is Informational,
   so should not be referenced as Normative in Standards Track and BCP documents,
   but I suggested to remove it anyway). My concern is that 
   referencing active drafts as Normative will lead to slow down
   publication of this document until those drafts are published.
   I don't think it's a major problem (we will have an incentive 
   to work harder on these drafts :-)), just should be noted.

Regards,
Valery.


> Hi, all.
> 
> Although this draft is really new, having been submitted in April of this year, its predecessor draft has been
> under discussion since March of 2019.
> 
> This begins a 2-week WGLC. Please read the draft and post comments to the list. Since this is rather new,
> short messages in the vein of “Yeah, this is good. Ship it”, but substantive comments are, of course, even
> more welcome.
> 
> The WGLC ends at EOD (for me) July 12th, just a week before the IETF meeting.
> 
> Thanks
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email