[IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt

[Robert Moskowitz]

This latest ver is in response to comments recieved.

Please review Appendix A that I have the RR properly set up.

I also have questions about the text added to specify this is for public 
key lookup.  Please review how I have said this in the draft.


Also the text for use in the IPSECKEY registry is at odds with the text 
for the current values.  What to do?


Instruct IANA to adjust the text for values 1 - 3 to match?

Write text to go at the beginning that this is for public keys and 
remove the proposed such text for the eddsa value.  I have not (yet) 
found any IANA registry that has such text, and any points would help 
this discussion.


Thank you

Bob



 Forwarded Message 
Subject: 	New Version Notification for 
draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt

Date:   Fri, 05 Aug 2022 05:29:44 -0700
From:   internet-dra...@ietf.org
To: 	Robert Moskowitz , Tero Kivinen 






A new version of I-D, draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
has been successfully submitted by Robert Moskowitz and posted to the
IETF repository.

Name: draft-moskowitz-ipsecme-ipseckey-eddsa
Revision: 01
Title: EdDSA value for IPSECKEY
Document date: 2022-08-05
Group: Individual Submission
Pages: 4
URL: 
https://www.ietf.org/archive/id/draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
Status: 
https://datatracker.ietf.org/doc/draft-moskowitz-ipsecme-ipseckey-eddsa/
Html: 
https://www.ietf.org/archive/id/draft-moskowitz-ipsecme-ipseckey-eddsa-01.html
Htmlized: 
https://datatracker.ietf.org/doc/html/draft-moskowitz-ipsecme-ipseckey-eddsa
Diff: 
https://www.ietf.org/rfcdiff?url2=draft-moskowitz-ipsecme-ipseckey-eddsa-01


Abstract:
This document assigns a value for EdDSA Public Keys to the IPSECKEY
IANA registry.



The IETF Secretariat

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

[IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)

[Martin Duke via Datatracker]

Martin Duke has entered the following ballot position for
draft-ietf-ipsecme-rfc8229bis-07: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to 
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-rfc8229bis/



--
COMMENT:
--

Thanks to Joe Touch for the TSVART review. There are no showstoppers in this
document, but some non-normative text makes inaccurate statements about TCP and
RFC6040, and there are some odd decisions with respect to TLS that are worth
asking about:

(Sec 9.1)
"TCP-in-TCP can also lead to "TCP meltdown", where stacked instances
   of TCP can result in significant impacts to performance
   [TCP-MELTDOWN].  For the case in this document, such meltdown can
   occur when the window size of the outer TCP connection is smaller
   than the window sizes of the inner TCP connections.  The resulting
   interactions can lead to packets backing up in the outer TCP
   connection's send buffers.  In order to limit this effect, the outer
   TCP connection should have limits on its send buffer size and on the
   rate at which it reduces its window size."

Which "window" are you referring to? Receive window, congestion window, or the
send buffer? My reading of [TCP-MELTDOWN] is that the tunnel ingress should set
its send buffer size to the BDP of the tunnel, which is easier said than done.
It appears you are using "window" and "send buffer" interchangeably here in a
way that is confusing.

(9.5)
Implementations SHOULD follow the ECN compatibility mode for tunnel
   ingress as described in [RFC6040].  In compatibility mode, the outer
   tunnel TCP connection marks its packet headers as not ECN-capable.
   If upon egress, the arriving outer header is marked with CE, the
   implementation will drop the inner packet, since there is not a
   distinct inner packet header onto which to translate the ECN
   markings.

This is not an accurate summary of compatibility mode. In compatibility mode,
the outer packet is marked Not-ECT, which means it will not be marked CE. In
normal mode, the outer packet is marked as the inner, and this might result in
an outer CE marking.

It's a shame that there is no attempt to figure out a mapping between inner and
outer that would make normal mode work, as this reviewer is optimistic that ECN
marks will become increasingly important. But regardless, this section should
be clear and make correct statements.

(Appendix A) Why not provide an in-band way to determine TLS support? There
could be another port number, or different magic bytes to indicate that TLS
handshake messages follow.



___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec