Re: [Anima] [IPsec] Troubleshooting IPsec peer certs (was: Re: IPsec profile feedback wanted (draft autonomic control) plane)

Michael Richardson <> Fri, 17 July 2020 22:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F15863A0972; Fri, 17 Jul 2020 15:10:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nJnsw_YXM7Jn; Fri, 17 Jul 2020 15:10:39 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BDCDD3A08B9; Fri, 17 Jul 2020 15:10:38 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 40D45389AC; Fri, 17 Jul 2020 18:07:35 -0400 (EDT)
Received: from ([]) by localhost (localhost []) (amavisd-new, port 10024) with LMTP id Mo4FrNKUFxU8; Fri, 17 Jul 2020 18:07:34 -0400 (EDT)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id 29D7F389AB; Fri, 17 Jul 2020 18:07:34 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id AC92824C; Fri, 17 Jul 2020 18:10:36 -0400 (EDT)
From: Michael Richardson <>
To: Tero Kivinen <>,,,
In-Reply-To: <>
References: <> <0b8001d5ecad$79ce7ad0$6d6b7070$> <> <0c9e01d5ed4c$2353f5a0$69fbe0e0$> <> <> <24142.1592760359@localhost> <> <> <> <> <>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Date: Fri, 17 Jul 2020 18:10:36 -0400
Message-ID: <6871.1595023836@localhost>
Archived-At: <>
Subject: Re: [Anima] [IPsec] Troubleshooting IPsec peer certs (was: Re: IPsec profile feedback wanted (draft autonomic control) plane)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Jul 2020 22:10:41 -0000

Tero Kivinen <> wrote:
    Tero> Note, that initiator might not have any certificate from CA1 or CA2,
    Tero> it might actually use completely different CAs, i.e., the list of
    Tero> certificate authorities can be asymmetric.

    Toerless> Good explanation. So, whats the most simple example for this ?
    Toerless> I have a single VPN but multiple geographic headends and
    Toerless> there is an obfuscated logic what certs each headends accepts,
    Toerless> so i do have multiple and certreq helps me to choose ?

    > I would assume most common case will be when certificates are being
    > renewed in non-compatible way. I.e., you initially have rsa certs for
    > both client and server, then someone decides rsa is weak, and we must
    > move to ecdsa in the future. They will first install new TA certs on
    > the some servers (lets say they have 1000 of those, and they do not
    > want to do all of them immediately). Now some of the servers do have
    > TA1, and some have both TA1, and TA2.

I am not really following this discussion very well.
I'm not sure if this is general advice or ACP specific advince.

In the case that you describe (RSA->ECDSA),  I think that we would sign TA1
with TA2, or vice-versa. (probably one and then the other a month later).
We can feed/update the trust anchors when certificates are renewed, or we can
use draft-ietf-netconf-trust-anchors to change things (the advantages of
having really good security for in-band management)

I prefer relatively short expiries for certificates in the ACP because <STAR reasons>.
I think that all systems have to support both RSA and ECDSA for a big
overlapping period.  I don't think this is a problem.

I think that there is not a problem having a RSA key (TA1) sign an ECDSA EE cert.
I know that I've done it, but I know that some think it uncool.

    > Next clients needs to get new certificates from TA2. This process can
    > m^Htake months, as it is possible that some of the clients are not
    > connecting to the server for long time.

That's true in general, particularly for remote access situations, but ACP
nodes are mostly always reachable.  If they get turned off and put in a box,
then when they return, they have a valid certificate, or they have to
bootstrap again, and that's okay.

    > If you have client which has only TA1, there is no problem, it can
    > connect to any server which still supports TA1. If you have client
    > which has both TA1, and TA2, and it connects to old server which only
    > supports TA1, it needs to recognize this and use TA1 in that case. If
    > it connects to server using both TA1, and TA2, it most likely wants to
    > prefer TA2, as that is the direction the transition is going, so TA2
    > should be preferred if both are supported.

    > When all servers have been updated to support both TA1, and TA2, then
    > there is no longer issues, as now all clients which do have TA2, use
    > it for all servers, and those which have not yet updated to TA1, still
    > use that.

You are imagining a period of time where we are installing the trust anchors,
and I don't see it has to be like that.

Have TA1 sign TA2 as a sub-CA, and then pass out TA1->TA2->EE(ecdsa) chain to the
new nodes.  Once this is done for all nodes, you can drop TA1.
In reality, there are probably at least an extra level of CA, possibly two.

Do you think that I should include this situation into draft-richardson-registrar-operational-considerations?

    > So the idea is to allow iterative updating of the system, without the
    > need of flag days or configuration settings to specify things. I.e.,
    > IKEv2 will automatically detect which TA is supposed to be used, and
    > use it.


    >> The full name of a node was so far an rfc822Name, now i need to
    >> fix it to become what i think is going to be a GeneralName,
    >> and hence it might best be to signal IDi/IDr as ID_DER_ASN1_GN

    > Note, that the IDi and IDr are what is matched against the IPsec
    > policy, i.e., nothing in the certificate will cause policy to be
    > selected, only IDi and IDr does that. After IDi and IDr identifies the
    > suitable policy, we can go and match the information in the policy
    > against the certificate. That policy might include information like
    > how to match the certificate subject alt name or subject name to
    > identity or information in the policy.

So, we've been forced to use otherName, and this will cause new code in some
of the IKEv2 daemon that we need to use :-(

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-