On Mon, Jul 29, 2024 at 6:18 AM Valery Smyslov <smyslov.i...@gmail.com> wrote:
> Hi, > > I have some comments on draft-pwouters-ipsecme-delete-info that I tried to > express at IETF120, > but due to lack of time they were not responded to. > > 1. I'm very much concerned with the "Delete Reason Text" field. My primary > question - > in what language this free text explanation is supposed to be? I > suppose > > it is assumed to be English, but why do you think all customers in the > world understand English well enough > for this field to be really useful? If arbitrary language is allowed, > then we need to add a language tag, > otherwise it is generally impossible to even recognize what language > the > text is in. > And allowing arbitrary language makes this field even less useful. > The idea is that the provider uses some language it knows the receiver would understand, in addition to the enum. Computers and UIs can be use the ENUM, and I expect most people would not need or want custom text. However, when presented at IETF119 the group was split. Half wanted an enum and half wanted free flow text. This was the compromise. > > In general, I think it is a bad idea to transmit text strings to be > read > by users in a low level > protocol which IKEv2 is. This is an UI issue, and it is the UI that > should properly display to the user in a user > chosen language what is happening. > In general, I agree. Although I could also see the freeform text to perhaps but in some more details that could make debugging easier. > 2. The list of reasons looks to me both incomplete and excessive at the > same > time. > For example, CONFIGURATION_CHILD_REMOVED and CONFIGURATION_IKE_REMOVED > are not needed, since you either delete IKE SA or Child SA in a single > exchange, so it is > always clear what configuration is removed and only one such reason > would suffice. > This is not about the current instance of the exchange but about the local configuration. It basically says "this one tunnel is no longer configured" vs "the entire config for the peer has been removed". > SIMULTANEOUS_REKEY adds no new information, > since you always understand this reason from local logs. On the other > hand, > it is not specified what to indicate in the reason when ESP SA is being > deleted > in response to deleting the tied ESP SA for the other direction. > In general yes, but again we have seen race conditions and uncertainly, where I think it would have helped debugging if this reason was explicitly logged as part of the exchange. In general, I think that indicating the reason the SA is deleted doesn't > help much the user much. > In many cases it can be inferred from local logs. And if it cannot, then > you probably > will to contact the other end in any case to get more detailed > information on the reason, > in which case sending the reason on the wire has little value. > The point of this reason is to put the Exec Summary of that phone call in the payload :) And perhaps entities that don't answer the phone (eg hyperscale cloud providers) would populate those automatically, since they are usually not reachable by phone :) If you don't think it is useful, by all means don't send it and ignore it when received. Some of my customers have explicitly asked for this, so there is a need (unreasonable or not :) > 3. Perhaps the most useful field is Downtime. But thinking more about this, > I believe that since this value is only a hint, you will probably not > trust it. > For example, if you have to communicate to the peer ASAP and it deletes > SA indicating that downtime is 1 hour, you will not wait for all this > time, > you will try to establish new SA every minute (it costs you nothing, but > you have a chance to get it up earlier). > It is not about trust, it is all about hints. If this field says "60" and the enum says REBOOT, you might just wait a minute or just let the system retry as it. If it says "3600" with OTHER with "replacing broken hardware", you might decide you want to redirect the tunnel to a fallback solution. Paul
_______________________________________________ IPsec mailing list -- ipsec@ietf.org To unsubscribe send an email to ipsec-le...@ietf.org
