Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Valery Smyslov
Hi Chris, > Hi ipsecme and chairs, > > This is a small update to the IPTFS draft which incorporates the last 2 > changes that had been requested over > the last year or so. > > 1. As requested last year, it dispenses with the late-enabled functionality, > replacing it with a SHOULD clause > su

Re: [IPsec] [I2nsf] [yang-doctors] [Last-Call] Yangdoctors last call review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08

2020-10-13 Thread Christian Hopps
> On Oct 13, 2020, at 12:15 AM, Rafa Marin-Lopez wrote: > > Hi Christian (, Rob): > > Thanks for your comments. We really appreciate them. Please see some comments > inline. > >> On 12 Oct 2020, at 22:21, Christian Hopps > > wrote: >> >> >> >>> On Oct 12, 2

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Lou Berger
Valery, Please see below. On 10/13/2020 3:22 AM, Valery Smyslov wrote: Hi Chris, Hi ipsecme and chairs, This is a small update to the IPTFS draft which incorporates the last 2 changes that had been requested over the last year or so. 1. As requested last year, it dispenses with the late-en

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Christian Hopps
> On Oct 13, 2020, at 7:27 AM, Lou Berger wrote: > > Valery, > > Please see below. > > On 10/13/2020 3:22 AM, Valery Smyslov wrote: >> Hi Chris, >> >>> Hi ipsecme and chairs, >>> >>> This is a small update to the IPTFS draft which incorporates the last 2 >>> changes that had been requested

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Valery Smyslov
Hi Lou, > Valery, > > Please see below. > > On 10/13/2020 3:22 AM, Valery Smyslov wrote: > > Hi Chris, > > > >> Hi ipsecme and chairs, > >> > >> This is a small update to the IPTFS draft which incorporates the last 2 > >> changes that had been requested > over > >> the last year or so. > >> > >

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Christian Hopps
> On Oct 13, 2020, at 9:16 AM, Valery Smyslov wrote: > > Hi Lou, > >> Valery, >> >> Please see below. >> >> On 10/13/2020 3:22 AM, Valery Smyslov wrote: >>> Hi Chris, >>> Hi ipsecme and chairs, This is a small update to the IPTFS draft which incorporates the last 2 cha

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Valery Smyslov
Hi Chris, IPTFS is not always negotiated, as IKE is not always used. Supporting zero-conf IPTFS receive is very useful for supporting these non-IKE use-cases. If you plan to use IPTFS without IKE, then make it clear in the draft that Zero-Conf is only applicable for

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Lou Berger
I can live with MAY. On 10/13/2020 9:16 AM, Valery Smyslov wrote: If you badly need this feature, then please make it MAY and negotiable, so that people can ignore it. SHOULD is too strong for it, leaving it non-negotiable is just unacceptable, IMHO. ___

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Valery Smyslov
> I can live with MAY. OK, but it must be negotiable in any case if you plan to use it with IKE. Otherwise we'll get black holes. > On 10/13/2020 9:16 AM, Valery Smyslov wrote: > > If you badly need this feature, then please make it MAY and negotiable, > > so that people can ignore it. SHOULD is

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Lou Berger
Valery, How about this: OLD    Receive-side operation of IP-TFS does not require any per-SA    configuration on the receiver; as such, an IP-TFS implementation    SHOULD support the option of switching to IP-TFS receive-side    operation on receipt of the first IP-TFS payload. NEW    Receive-si

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Valery Smyslov
Valery, How about this: OLD Receive-side operation of IP-TFS does not require any per-SA configuration on the receiver; as such, an IP-TFS implementation SHOULD support the option of switching to IP-TFS receive-side operation on receipt of the first IP-TFS payload. NEW Receive-sid

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Lou Berger
Valery, >    If IKE is used to negotiate using IP-TFS, then such switching MUST NOT take place. I read this added line as saying you can switch from tunnel to TFS, I think you mean that use of TFS is controlled via IKE.  How about?    If IKE is used to negotiate using IP-TFS, then use of TF

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Tero Kivinen
Lou Berger writes: > Valery, > > How about this: > > OLD >    Receive-side operation of IP-TFS does not require any per-SA >    configuration on the receiver; as such, an IP-TFS implementation >    SHOULD support the option of switching to IP-TFS receive-side >    operation on receipt of the firs

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Lou Berger
Hi Tero, see below On 10/13/2020 1:32 PM, Tero Kivinen wrote: Lou Berger writes: Valery, How about this: OLD    Receive-side operation of IP-TFS does not require any per-SA    configuration on the receiver; as such, an IP-TFS implementation    SHOULD support the option of switching to IP-T

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Tero Kivinen
Lou Berger writes: > > I have to admit that I have not read this draft, but noting, that most > > of the ciphers we use do require automated key management like IKE, I > > just wonder are you really going to be limited to 3DES, or what > > automated key management you are going to be using instead o

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Lou Berger
Tero, are you saying you are not happy with the proposed text as discussed with Valery? Thanks, Lou On 10/13/2020 5:00 PM, Tero Kivinen wrote: Lou Berger writes: I have to admit that I have not read this draft, but noting, that most of the ciphers we use do require automated key management

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Valery Smyslov
Hi Lou, Valery, >If IKE is used to negotiate using IP-TFS, then such switching MUST NOT > take place. I read this added line as saying you can switch from tunnel to TFS, I think you mean that use of TFS is controlled via IKE. How about? If IKE is used to negotiate using IP-TFS, then

Re: [IPsec] Update and WGLC request [Re: I-D Action: draft-ietf-ipsecme-iptfs-02.txt]

2020-10-13 Thread Valery Smyslov
Hi Tero, > > I'm not advocating ike vs ike-less, just trying to have a comprehensive > > solution.  One example ikeless usecase is captured by the YANG model in > > last call: > > https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-09 > > Which will require similar behavior fro