Re: [IPsec] #123: Proposal to remove the IANA tables from IKEv2bis

[Tero Kivinen]

Paul Hoffman writes:
 At 7:24 PM +0200 11/26/09, Yaron Sheffer wrote:
 Given the amount of interest on the list, I prefer the do nothing
 approach. 
 
 That makes no sense. People seem interested in fixing the problem of
 the lists being confusing. 

I agree that we should do something. 

 There is nothing confusing about removing the assigned numbers: it
 only causes a developer who is actively coding at the moment to grab
 one file from IANA. That file will contain all of the values needed
 for developing from IKEv2bis (including the two new values we are
 assigning), and will also contain values and pointers for other
 extensions in which they might be interested. 

Not only those who are coding, but also those are debugging or
supporting implementations, as quite often they do not remember all
the numbers or the packet formats exactly, so they use the RFC to
check out the packet formats and numbers, and only if numbers are not
there then they need to go to IANA. 

 Removing the assigned numbers also causes people who will be
 expanding on IKEv2bis to actually fetch the IANA registry before
 they do their work. We have a recent example of why that would be
 useful. 

I do not think this would have caused anything, as I most likely would
have also picked numbers 40, and 41 anyways because I remember that 39
was last number used in RFC4306... There is reason why there is IANA
assignment phase in the RFC assignment process, so there was no harm
done even when someone took some numbers instead of using TBA1 and
TBA2.

If we split this to three parts:

1) I think almost everybody can agree that we can remove RESERVED and
   PRIVATE use ranges and numbers from the all tables, and add notice
   saying these are partial lists and go and check IANA for full list.

2) I think quite a lot of people agree that we should remove algorithm
   tables i.e ENCR_*, PRF_*, AUTH_*, Diffie-Hellman groups, extended
   sequence number tables and IPCOMP_*, i.e. all Transform type 1-5
   tables and IPCOMP transform ID table from the RFC.

3) The thing we do not all agree on is whether to keep the numbers for
   the rest of the tables. I.e. do we want to remove numbers from rest?

I myselfo would say yes for 1, and 2, and no for 3. 
-- 
kivi...@iki.fi
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] #123: Proposal to remove the IANA tables from IKEv2bis

[Valery Smyslov]

Hi Paul,

please, see inline.


2. IANA registry already contains some very specific entries (like, for
example,
   those that came from RFC4595) and their number will be increasing. I
think,
   those numbers would confuse some implementers, who might be thinking
   that they need to support all of them.


If a developer does not know how to read the IANA tables, we are all in 
trouble. Nothing in the tables says you must implement every thing in 
these tables, of course.


Are you proposing that we get rid of the IANA registry altogether, or we 
hide it from developers?


Not, of course.


If not, how do you rectify this with your concern about confusion?


For someone, who spent quite a lot of time working in this area, it is not
difficult fo figure out what is really important and what is not. But, I 
think,

a newcomer could be confused by a long list of all possible numbers.


3. Sometimes there might be difficulties in matching names from RFC with
IANA entries.
   For example, IANA registry has an entry named ENCR_AES-CCM_8, but in
   RFC5282 this algorithm is called AEAD_AES_128_CCM_SHORT_8. Are you 
sure
   these names reference the same algorithm? I prefer to check their IDs 
in

RFC
   and in IANA registry.


This is a bug in the IANA registry that needs to be fixed. It is not 
related to the values being in the RFC. Tero has spent a lot of time 
trying to fix the registry, but clearly we need more effort here. I will 
certainly make sure that the names in the registry match those in RFC 
4306, and that the exact names are used in IKEv2bis.


For RFC4306 that seems to be true.


4. Some entries in Diffie-Hellman Group Transform IDs table do not really
assign
   individual numbers, but instead point to other documens, even to 
RFC4306

itself,
   where the numbers are assigned.


Again, I am concerned that you think we should get rid of the IANA 
registry. That is not how the IETF works.


No, you didn't get the point. I meant that Diffie-Hellman Group Transform 
IDs table

in two cases doesn't assign individual numbers, just ranges. For example:

1-2   Defined in Appendix B   [RFC4306]
14-18Defined in [RFC3526]   [RFC3526]

So, in first case it just points back to RFC4306 Appendix B, where the 
actual

numbers (what is 1 and what is 2) are assigned. Probably it may (and must)
be changed, but in its current form it's ridiculos - you went to IANA for
real numbers and have found only pointer back to RFC4306 where you
just have come from...

What about EAP Message format and magic numbers? Remove and just 
reference RFC3748 (or IANA entry for EAP)?


No, those were left in because they came from an RFC, not from a 
particular IANA registry where the names match what we have in IKEv2bis.


EAP numbers listed in RFC4306 might also be changed in future,
so from your logic it's better just to point to
http://www.iana.org/assignments/eap-numbers, right?


I think, removing all magic numbers from the RFC would make implementing
less convinient


Yes.


and more error-prone


No.


I don't agree with you. Remember, when IKEv2 was being developed,
one of the motivations for single self-contained document was complaint
from implementers that having 3 RFC (2408, 2409, 2407) for IKEv1
was very inconvinient and provoked confusions that led to interoperability
problems. Now you suggest to make IKEv2 not self-contained again.
Of course, I understand that IANA registry is not another RFC, but
I still prefer single self-contained document for core protocol.
If you need extensions - go to IANA and look for added numbers,
but core protocol must be implementable reading as few sources,
as possible, preferrably one.


, so I strongly support either do
nothing
approach, or Tero's suggestion.


This is completely inconsistent. Tero's approach would lead you to need 
the IANA registry to implement IKEv2.


Tero's approach is a compromise. You will need the IANA only for
few types of magic numbers, most of which don't affect protocol
logic. I can leave with it.


Those numbers won't change, so their
presence must not hurt,


This is probably incorrect. In many WGs, when errors are found in old 
definitions, the error is corrected *and a new value is assigned*. That is 
the only way to assure interoperability.


As far as I understand, in this case new RFC must be issued,
which will obsolete current one, won't it? If so, no contradiction.


just will make implementing of base protocol more
convinient.


The goal of our work is clarity and interoperability, not convenience, 
particularly when the inconvenience is remedied by one extra lookup.


Just out of curiosity: is such approach (removing magic numbers from RFC
completely) widely used in IETF? If memory serves me, all RFC I've read
contained their magic numbers (of course they were duplicated in IANA)
and that didn't lead to interoperability problems, I think. What is an 
origin

for your conclusion that this practice leads to