List: ipsec
Subject: Re: [IPsec] Genart last call review of draft-ietf-ipsecme-split-dns-12
From: Tommy Pauly <tpauly () apple ! com>
Date: 2018-10-22 20:26:36
Message-ID: FA979F31-FD60-482F-A4F2-91B4A5A05854 () apple ! com
Hi Christer,
Thanks again for the review. I've addressed all three comments below in an update to the draft:
https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-13
https://tools.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-13.txt
Thanks,
Tommy
> On Aug 19, 2018, at 1:39 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> Hi Tommy,
>
> Please see inline.
>
>
> Minor issues:
>
> Q1:
>
> > > Section 3.1 contains some SHOULD-do statements, e.g.,:
> > >
> > > "the initiator SHOULD also include one or more INTERNAL_IP4_DNS and
> > > INTERNAL_IP6_DNS attributes in the CFG_REQUEST"
> > >
> > > "the initiator SHOULD also include one or more INTERNAL_DNS_DOMAIN attributes
> > > in the CFG_REQUEST."
> > >
> > > Is there a reason for not using MUST instead of SHOULD?
> >
> > In general, the CFG_REQUEST attributes are a bit loose—they're hints more than requirements.
> > From section 3.15.1 of RFC7296:
> >
> > The CFG_REQUEST and CFG_REPLY pair allows an IKE endpoint to request
> > information from its peer. If an attribute in the CFG_REQUEST
> > Configuration payload is not zero-length, it is taken as a suggestion
> > for that attribute. The CFG_REPLY Configuration payload MAY return
> > that value, or a new one. It MAY also add new attributes and not
> > include some requested ones. Unrecognized or unsupported attributes
> > MUST be ignored in both requests and responses.
> >
> > So, the CFG_REPLY MUST have a DNS server to go along with the DNS domain, but I left the SHOULD in the spirit of the fact that the CFG_REQUEST is more of a suggestion.
> > That being said, if others in the WG would like to see this be a MUST, I'm fine with that as well. I don't think we should have the responder error out if it doesn't see both, however.
>
> Well, if it is only a suggestion, then I guess my question is why use something as strong as SHOULD :) SHOULD basically means MUST-unless-you-have-a-good-reason-not-to.
> In general, is providing suggestions a SHOULD, or is it only for the attributes above?
> Anyway, if you want to have a SHOULD (or even a MUST) I won't object. But, when I see a SHOULD, I always ask about the background :)
>
> Q2:
>
> > > Section 3.2 says:
> > >
> > > "the initiator SHOULD behave as if Split DNS configurations are not supported
> > > by the server."
> > >
> > > Again, is there a reason for not using MUST?
> >
> > This one could be a MUST. The one exception I could see is if the initiator was statically configured with some split DNS domains to use as split domains. In case the responder didn't provide any in the CFG_REPLY, it should still use those and not send all DNS queries inside the tunnel. I wouldn't want this MUST to disable the static configuration workarounds that implementations have done prior to allowing split DNS to be negotiated.
>
> Could you say:
>
> "the initiator MUST behave as if Split DNS configurations are not supported, unless <insert text about the static configuration case above>"
>
>
> Nits/editorial comments:
>
> Q3:
>
> > > Is there a need for the "Background" section? Since the text is related to what
> > > is described in the "Introduction", could the text be moved there?
> >
> > The main new points that the Background section adds on top of the Introduction are:
> > - The prior art for split DNS in IKEv1
> > - The fact that this is currently mainly seen in enterprise VPN deployments
> >
> > These points could indeed be moved to the introduction. I had felt they fit better as "background" since they're not essential to the description of the protocol, but give context that is relevant now (and may be less so in the future).
>
> The first sections of both the Introduction and the Background talk about split DNS:
>
> "Split DNS is a common configuration for secure tunnels, such as
> Virtual Private Networks in which host machines private to an
> organization can only be resolved using internal DNS resolvers"
>
> "Split DNS is a common configuration for enterprise VPN deployments,
> in which one or more private DNS domains are only accessible and
> resolvable via an IPsec based VPN connection."
>
> So, isn't Split DNS already covered by the Introduction? What extra does the Background text bring?
> The second paragraph of the Background could be placed at the end of the Introduction, in my opinion.
>
> Regards,
>
> Christer
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
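The CFG_REQUEST/CFG_REPLY exchange that Q1 and Q2 above are about, as an added example that is not part of the draft, of RFC 7296, or of either message in this thread: a small Python model of the IKEv2 Configuration Attribute encoding, the initiator's "hint" request from Section 3.1, and the initiator's decision on the reply, including the three cases the thread discusses (unknown attributes are ignored, a domain list that arrives without any DNS server is unusable, and a reply with no split domains falls back to statically configured ones). The attribute numbers for INTERNAL_IP4_DNS (3) and INTERNAL_IP6_DNS (10) are the RFC 7296 Section 3.15.1 values; INTERNAL_DNS_DOMAIN was still TBD in draft-13, so the value 25 used here is the one assigned when the draft became RFC 8598. The function names, the sample replies, and the "full-tunnel client sends every query to the tunnel resolvers when no split policy exists" fallback are this example's own assumptions, not anything the draft mandates.

```python
"""Toy model of the IKEv2 Configuration payload exchange negotiated by
draft-ietf-ipsecme-split-dns, and of the initiator's decision on the reply.
Added example: not code from the draft, RFC 7296 or any IKE implementation.
Attribute numbers 3 and 10 are from RFC 7296 Section 3.15.1; 25 is the
INTERNAL_DNS_DOMAIN value assigned when the draft became RFC 8598 (TBD in
draft-13). The policy model and the sample replies are this example's own."""
import ipaddress
import struct

INTERNAL_IP4_DNS = 3
INTERNAL_IP6_DNS = 10
INTERNAL_DNS_DOMAIN = 25      # RFC 8598 value; still TBD at draft-13
PRIVATE_USE_ATTR = 0x4001     # constructed: a type this initiator does not recognise


def encode_attrs(attrs):
    """Serialise (type, value) pairs in RFC 7296 Configuration Attribute format:
    R bit + 15-bit type, 16-bit length, value. Zero length = no suggestion."""
    out = b""
    for atype, value in attrs:
        if atype & 0x8000:
            raise ValueError("reserved R bit must be zero")
        out += struct.pack("!HH", atype, len(value)) + value
    return out


def decode_attrs(data):
    """Parse Configuration Attributes; truncated input is an error, not guessed."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        atype, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((atype & 0x7FFF, data[off:off + length]))
        off += length
    return attrs


def build_cfg_request():
    """Section 3.1 initiator: ask for DNS servers and split domains (empty = hint)."""
    return encode_attrs([(INTERNAL_IP4_DNS, b""), (INTERNAL_IP6_DNS, b""),
                         (INTERNAL_DNS_DOMAIN, b"")])


def apply_cfg_reply(reply, static_split_domains=()):
    """Initiator's handling of a CFG_REPLY. Returns (dns_servers, split_domains).

    An empty split_domains list is "behave as if Split DNS is not supported".
    Rules modelled: unrecognised attributes are ignored (RFC 7296 3.15.1);
    INTERNAL_DNS_DOMAIN without any INTERNAL_IP{4,6}_DNS is unusable, so the
    domains are dropped; with no negotiated domains the statically configured
    split domains (the Q2 exception) are used, if any."""
    servers, domains = [], []
    for atype, value in decode_attrs(reply):
        if atype == INTERNAL_IP4_DNS and len(value) == 4:
            servers.append(str(ipaddress.IPv4Address(value)))
        elif atype == INTERNAL_IP6_DNS and len(value) == 16:
            servers.append(str(ipaddress.IPv6Address(value)))
        elif atype == INTERNAL_DNS_DOMAIN and value:
            domains.append(value.decode("ascii").rstrip(".").lower())
        # unknown types and malformed lengths fall through and are ignored
    if domains and not servers:
        domains = []          # a domain list with no resolver to send it to
    if not domains:
        domains = [d.rstrip(".").lower() for d in static_split_domains]
    return servers, domains


def resolver_for(name, servers, split_domains):
    """Resolver choice for one query name: the tunnel servers, or None for the
    client's ordinary resolver. With no split policy this example assumes a
    full-tunnel client, i.e. every query goes to the tunnel resolvers."""
    name = name.rstrip(".").lower()
    if not split_domains:
        return servers or None
    if any(name == d or name.endswith("." + d) for d in split_domains):
        return servers
    return None


# Constructed sample replies, not captured traffic.
DNS1 = ipaddress.IPv4Address("10.0.0.53").packed
REPLY_OK = encode_attrs([(INTERNAL_IP4_DNS, DNS1), (INTERNAL_DNS_DOMAIN, b"corp.example"),
                         (PRIVATE_USE_ATTR, b"\x01\x02")])
REPLY_DOMAIN_ONLY = encode_attrs([(INTERNAL_DNS_DOMAIN, b"corp.example")])
REPLY_NO_SPLIT = encode_attrs([(INTERNAL_IP4_DNS, DNS1)])

if __name__ == "__main__":
    print("CFG_REQUEST:", decode_attrs(build_cfg_request()))
    for label, reply in [("ok", REPLY_OK), ("domain only", REPLY_DOMAIN_ONLY),
                         ("no split", REPLY_NO_SPLIT)]:
        servers, domains = apply_cfg_reply(reply, static_split_domains=["lab.example"])
        print(f"{label}: servers={servers} split={domains} "
              f"www.corp.example -> {resolver_for('www.corp.example', servers, domains)}")
```

The "domain only" case is the one worth watching in a real client: a responder that advertises INTERNAL_DNS_DOMAIN without any INTERNAL_IP4_DNS/INTERNAL_IP6_DNS gives the initiator a domain list but no resolver to route it to, and treating that as a valid split configuration would silently leave those names unresolvable; dropping it and falling back to the client's static policy is the conservative choice the thread argues for.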