Re: [Taps] Éric Vyncke's No Objection on draft-ietf-taps-transport-security-11: (with COMMENT)
Tommy Pauly <tpauly@apple.com> Wed, 22 April 2020 17:28 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: taps@ietfa.amsl.com
Delivered-To: taps@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7415E3A112F; Wed, 22 Apr 2020 10:28:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krp5bpOpS-w1; Wed, 22 Apr 2020 10:28:27 -0700 (PDT)
Received: from nwk-aaemail-lapp01.apple.com (nwk-aaemail-lapp01.apple.com [17.151.62.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32ED33A1130; Wed, 22 Apr 2020 10:28:27 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp01.apple.com [127.0.0.1]) by nwk-aaemail-lapp01.apple.com (8.16.0.42/8.16.0.42) with SMTP id 03MHN8hY030830; Wed, 22 Apr 2020 10:28:23 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=SHF89Uqet8IJvx1X9+AnkqKIE9fckyHnLbZWDn7+S8E=; b=OjUOtqjzV3VomfEMOLMUibJ0WrQg2CWKFbsKPb+VG1znTAjPbkYLlB8YmmCVnxzeYei2 9H/DTo92LsQMfYB53EgJzJBYTbm0WCkZ/KE+c+wl42IYgh3iCRantnRHX9TkRQMO/dvu MSflWbuzX9stdcFfJFakm3gAH3Qe28HXcHpBhHdobkaD2fFVfBDCdgdwcbsQmpC67mtB D/53h/5QdX/DBOoN9AcaQ5U9NSaH/cIhFVFNYH58Wsnb4hiAicyo/VM/GMxVKqogq1bz 2LlmQp3Ljr7bDXW9ST7c+L+RxEr/KHyPezGXmA41A8ieIyAMb8ZVWU/l1PQeXxkQ3xCV Vw==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by nwk-aaemail-lapp01.apple.com with ESMTP id 30hj73bpy1-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Apr 2020 10:28:23 -0700
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPS id <0Q9700YJW9VAAB00@rn-mailsvcp-mta-lapp03.rno.apple.com>; Wed, 22 Apr 2020 10:28:22 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) id <0Q97008009LGLW00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Wed, 22 Apr 2020 10:28:22 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 8d1cba59968dbf39b3744d73f081bcdc
X-Va-E-CD: 63423d8a375a17b595eac335f35848d7
X-Va-R-CD: b13196f5449c1b7b5961009ccff7c73e
X-Va-CD: 0
X-Va-ID: a39a014b-4d42-4802-8ae2-e16836dcb351
X-V-A:
X-V-T-CD: 8d1cba59968dbf39b3744d73f081bcdc
X-V-E-CD: 63423d8a375a17b595eac335f35848d7
X-V-R-CD: b13196f5449c1b7b5961009ccff7c73e
X-V-CD: 0
X-V-ID: 726c69a7-f990-4e9c-830c-86efc4dcd3de
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.676 definitions=2020-04-22_06:2020-04-22, 2020-04-22 signatures=0
Received: from [17.232.192.67] (unknown [17.232.192.67]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPSA id <0Q9700VAC9V67710@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Wed, 22 Apr 2020 10:28:20 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <6EB77D3C-E0B2-45C2-A8B5-B7F31EDBC722@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_95C4B1A6-C233-497C-AE6C-86EB05AAAC2D"
MIME-version: 1.0 (Mac OS X Mail 13.4 \(3608.80.7.2.3\))
Date: Wed, 22 Apr 2020 10:28:18 -0700
In-reply-to: <158644309093.3622.11128003590990110741@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-taps-transport-security@ietf.org, taps-chairs@ietf.org, taps@ietf.org, Philipp Tiesel <philipp@tiesel.net>, caw@heapingbits.net
To: Éric Vyncke <evyncke@cisco.com>
References: <158644309093.3622.11128003590990110741@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3608.80.7.2.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.676 definitions=2020-04-22_06:2020-04-22, 2020-04-22 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/HC8kdaM_KR4-d881HUCHyGRWovw>
Subject: Re: [Taps] Éric Vyncke's No Objection on draft-ietf-taps-transport-security-11: (with COMMENT)
X-BeenThere: taps@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IETF Transport Services \(TAPS\) Working Group" <taps.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/taps>, <mailto:taps-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/taps/>
List-Post: <mailto:taps@ietf.org>
List-Help: <mailto:taps-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/taps>, <mailto:taps-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 17:28:30 -0000
Hi Eric, Thanks for the review! You can find an updated version of the document here: https://ietf-tapswg.github.io/draft-ietf-taps-transport-security/draft-ietf-taps-transport-security.html <https://ietf-tapswg.github.io/draft-ietf-taps-transport-security/draft-ietf-taps-transport-security.html> Responses to your specific points inline. > On Apr 9, 2020, at 7:38 AM, Éric Vyncke via Datatracker <noreply@ietf.org> wrote: > > Éric Vyncke has entered the following ballot position for > draft-ietf-taps-transport-security-11: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-taps-transport-security/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for the work put into this document. It is really easy to read. > > After discussion with Magnus and Barry, I have cleared my DISCUSS but I still > hope for a fix to my previous DISCUSS We incorporated the sentence that Magnus suggested. Thanks for agreeing to this! > > Please find below some non-blocking COMMENTs. An answer will still be > appreciated. > > I hope that this helps to improve the document, > > Regards, > > -éric > > == previous DISCUSS == > > I question the inclusion of CurveCP in the mix as per > https://curvecp.org/addressing.html it does not seem to support IPv6. At the > bare minimum, the I-D should mention this restriction in section 3 or rename > section 3 from "protocol descriptions" into something less exhaustive. > > (and I hope to be corrected about CurveCP IPv6 support). > > == COMMENT == > > Please respond to the IoT-directorate review by Mohit: > https://mailarchive.ietf.org/arch/msg/iot-directorate/xTVOvQ7kI78sDPZQuVsTvGB2x0s > Please respond to the INT-DIR review by Brian: > https://mailarchive.ietf.org/arch/msg/int-dir/2IHPgukaAAMvMjO7TXvo_ujcI_I + > Gorry Fairhurst's about GRE We’ve responded individually to these reviews now. > > Generic comment about the intended transport: all protocols analyzed in this > document are point to point (no multicast), this should probably be mentioned > in the introduction. Added: "This document only surveys point-to-point protocols; multicast protocols are out of scope." > > -- Section 1 -- > Is there any reason why the integrity property of IPsec AH is not mentioned ? > Same also applies in section 2 when "security protocol" is defined. Added a note that AH provides integrity. > > -- Section 3 -- > Use the wording of "record protocol" generically while the term "record > protocol" is defined in section 2 as a blocked data transport (like in TLS). > Suggest the use of "data transfer protocol" ? I believe the use of “record protocol” here is correct, as the delineated data transport indeed is what we are referring to. > > An important property of such protocols is to be able to traverse a NAPT box > (that I hate)... I suggest to mention whether the analyzed protocols support > NAT-traversal in this description section or even in the analysis parts as > having a different view (application and network layers seeing possibly > different IP addresses so a potential impact on the API). Thanks for bringing this up. We discussed as authors, and we don’t believe that interaction with NAT traversal is in scope for our analysis. There are, of course, transport protocols that handle this; and some security protocols (like IKEv2) have specific NAT-T extensions. However, this support does not modify or affect the contract between the security and transport protocols to my understanding. Thanks, Tommy
- [Taps] Éric Vyncke's No Objection on draft-ietf-t… Éric Vyncke via Datatracker
- Re: [Taps] Éric Vyncke's No Objection on draft-ie… Tommy Pauly
- Re: [Taps] Éric Vyncke's No Objection on draft-ie… Benjamin Kaduk
- Re: [Taps] Éric Vyncke's No Objection on draft-ie… Eric Vyncke (evyncke)