Re: [secdir] [Detnet] Secdir last call review of draft-ietf-detnet-ip-05

Lou Berger <lberger@labn.net> Sun, 15 March 2020 22:06 UTC

To: Tero Kivinen <kivinen@iki.fi>, secdir@ietf.org
Cc: draft-ietf-detnet-ip.all@ietf.org, detnet@ietf.org, last-call@ietf.org
References: <158406212471.18347.14473548719649982992@ietfa.amsl.com>
From: Lou Berger <lberger@labn.net>
Message-ID: <57456b4d-79a4-191a-8e25-7a2d2157f5d8@labn.net>
Date: Sun, 15 Mar 2020 18:06:25 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/yoLRjWULU7OkSM5-P2AVAXO1M5M>

Tero,

     Thank you for the comments, please see below.

On 3/12/2020 9:15 PM, Tero Kivinen via Datatracker wrote:
> Reviewer: Tero Kivinen
> Review result: Has Nits
>
> In section 1 there is text saying:
>
>     The DetNet Architecture models the DetNet related data plane
>     functions as two sub-layers: functions into two sub-layers: a service
>     sub-layer and a forwarding sub-layer.
>
> I think the second one of the "functions as/into two sub-layers" instance
> should be removed.

Agreed. This looks like a cut-and-paste bug to me.


>
> In section 5.1.2.2 it says that the SPI field of the ESP and AH is used, but in
> case IPsec is configured to use UDP encapsulation (rfc3948, i.e., UDP
> destination port is 4500) there is a different location for the SPI. Should this
> document also dig the SPI out from the UDP encapsulated ESP/AH?

No.  I'll add a qualification that this applies when the "IPv4 Protocol 
and IPv6 Next Header Fields" are set to AH and ESP. Specifically:

              The rules defined in this section only apply when the
               IPv4 Protocol or IPv6 Next Header Field contains the IANA
               defined value for AH or ESP.


> There is also
> wrapped ESP (rfc5840) with a bit different format, i.e., having a wrapped ESP
> header before the normal ESP header. Should this be included also?

This was not discussed in the working group -- so a really great point 
to raise in this review.  Thank you!

As it has its own protocol number, it would not be too hard to add.  
That said, there's no reason it couldn't be added later, and no one in 
the working group raised it.  What do you think, is it important to add 
it now?

> In section 6, I would think it would be useful to have wildcard SPI matching
> too, i.e., match all ESP/AH traffic between two hosts regardless of SPI.

Agreed.  I think this is what is intended by the existing earlier text:

               Implementation SHOULD
               also allow for the field to be ignored for a specific
               DetNet flow.

So another good catch!

> Note that the standard procedure to support QoS in IPsec is to create multiple SAs
> between hosts with identical addresses but different SPIs, where each flow
> carries traffic related to one QoS level inside, but there might not be any way for
> an external user to know which SPI matches which QoS level. So there is
> definitely a need to have exact-match SPI, but the problem is that DetNet might not
> have any visibility into which SPI matches which QoS level.

Understood.  The thinking is that such information will need to be 
mapped into the controller (control/management) plane provisioning of 
the QoS parameters subject to whatever restrictions are appropriate to 
not expose any security information.

Thanks again for the review!

Lou

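To make the two points of the exchange concrete (the SPI is consulted only when the IPv4 Protocol field carries the IANA value for AH or ESP, so UDP-encapsulated ESP on port 4500 is treated as an ordinary UDP flow; and a flow rule may leave the SPI unset to match all ESP/AH traffic between two hosts), here is an added example in Python. It is not code from the thread, the draft, or the DetNet working group; it is a toy classifier written for this page. The IPv4 protocol numbers 50 (ESP) and 51 (AH) are the registered IANA values; the port 4500 comes from the thread; the packets, addresses, SPIs and rules are all constructed inline. The classifier also records the DSCP so that, as the reviewer's last point notes, an exact-SPI rule and a wildcard-SPI rule can be provisioned side by side without the data plane needing to know which SA maps to which QoS level.

```python
"""DetNet IP flow identification over IPsec (added example, constructed data).

Rule demonstrated: the SPI is consulted only when the IPv4 Protocol field is
AH (51) or ESP (50).  UDP-encapsulated ESP (dst port 4500) is left as a plain
UDP flow.  A FlowRule with spi=None is a wildcard that ignores the SPI."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51   # IANA protocol numbers
UDP_ENCAP_PORT = 4500                                # RFC 3948 UDP encapsulation


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    proto: int
    dscp: int
    spi: Optional[int]          # None unless proto is AH or ESP


@dataclass(frozen=True)
class FlowRule:
    src: str
    dst: str
    proto: int
    spi: Optional[int] = None   # None = wildcard: ignore the SPI for this flow


def parse_ipv4_flow(pkt: bytes) -> FlowKey:
    """Extract the flow-identifying fields from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    dscp = pkt[1] >> 2                      # upper six bits of the TOS byte
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    payload = pkt[ihl:]
    spi = None
    if proto == IPPROTO_ESP and len(payload) >= 4:
        spi = struct.unpack("!I", payload[:4])[0]     # ESP: SPI is the first word
    elif proto == IPPROTO_AH and len(payload) >= 8:
        spi = struct.unpack("!I", payload[4:8])[0]    # AH: after NH/len/reserved
    # Anything else, including UDP port 4500 carrying ESP, gets no SPI: the
    # SPI rule applies only to the Protocol / Next Header values AH and ESP.
    return FlowKey(src, dst, proto, dscp, spi)


def rule_matches(rule: FlowRule, key: FlowKey) -> bool:
    return (rule.src == key.src and rule.dst == key.dst
            and rule.proto == key.proto
            and (rule.spi is None or rule.spi == key.spi))


def classify(rules: List[FlowRule], pkt: bytes) -> Optional[int]:
    """Index of the first rule matching the packet, or None (first match wins,
    so place exact-SPI rules ahead of wildcard ones)."""
    key = parse_ipv4_flow(pkt)
    for i, rule in enumerate(rules):
        if rule_matches(rule, key):
            return i
    return None


# --- constructed sample packets (checksums left zero; not real captures) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes, dscp: int = 0) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_esp(spi: int, seq: int = 1) -> bytes:
    return struct.pack("!II", spi, seq) + b"\x00" * 16       # dummy ciphertext/ICV


def build_ah(spi: int, seq: int = 1, next_hdr: int = 4) -> bytes:
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\x00" * 12  # dummy ICV


def build_udp_encap(esp: bytes) -> bytes:
    return struct.pack("!HHHH", UDP_ENCAP_PORT, UDP_ENCAP_PORT, 8 + len(esp), 0) + esp


ESP_A = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ESP, build_esp(0x1000), dscp=46)
ESP_B = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ESP, build_esp(0x2000))
AH_PKT = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_AH, build_ah(0x3000))
UDP_ESP = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_UDP, build_udp_encap(build_esp(0x1000)))

RULES = [
    FlowRule("10.0.0.1", "10.0.0.2", IPPROTO_ESP, spi=0x1000),  # one specific SA
    FlowRule("10.0.0.1", "10.0.0.2", IPPROTO_ESP),              # any ESP SA, SPI ignored
    FlowRule("10.0.0.1", "10.0.0.2", IPPROTO_AH),               # any AH SA
]

if __name__ == "__main__":
    for name, pkt in [("ESP_A", ESP_A), ("ESP_B", ESP_B), ("AH", AH_PKT), ("UDP/4500 ESP", UDP_ESP)]:
        print(f"{name:14} {parse_ipv4_flow(pkt)} -> rule {classify(RULES, pkt)}")
```

Running the block shows ESP_A hitting the exact-SPI rule, ESP_B falling through to the wildcard rule, the AH packet matching the AH rule, and the UDP-encapsulated ESP packet matching nothing, because it is classified by its UDP header rather than by the inner SPI.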