Re: [Dime] [dime] #12: Review of draft-ietf-dime-ikev2-psk-diameter-02
<lionel.morand@orange-ftgroup.com> Tue, 31 August 2010 01:32 UTC
Return-Path: <lionel.morand@orange-ftgroup.com>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE15D3A6A1F for <dime@core3.amsl.com>; Mon, 30 Aug 2010 18:32:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.852
X-Spam-Level:
X-Spam-Status: No, score=-102.852 tagged_above=-999 required=5 tests=[AWL=0.397, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2QiKcqbn3B96 for <dime@core3.amsl.com>; Mon, 30 Aug 2010 18:32:27 -0700 (PDT)
Received: from p-mail2.rd.francetelecom.com (p-mail2.rd.francetelecom.com [195.101.245.16]) by core3.amsl.com (Postfix) with ESMTP id 433EA3A68CF for <dime@ietf.org>; Mon, 30 Aug 2010 18:32:26 -0700 (PDT)
Received: from p-mail2.rd.francetelecom.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1BD3C798002; Tue, 31 Aug 2010 03:35:53 +0200 (CEST)
Received: from ftrdsmtp1.rd.francetelecom.fr (unknown [10.192.128.46]) by p-mail2.rd.francetelecom.com (Postfix) with ESMTP id 12C08760003; Tue, 31 Aug 2010 03:35:53 +0200 (CEST)
Received: from ftrdmel1.rd.francetelecom.fr ([10.192.128.40]) by ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.3959); Tue, 31 Aug 2010 03:32:56 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 31 Aug 2010 03:32:53 +0200
Message-ID: <D109C8C97C15294495117745780657AE0CC674D8@ftrdmel1>
In-Reply-To: <AAE76B481E7A0E4C96610790A852B9A624FC5BCDCC@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [dime] #12: Review of draft-ietf-dime-ikev2-psk-diameter-02
Thread-Index: Acs9YooxKq4wX5tRRC+T0JyNnhCMaQBsfJWAAmXEKBA=
References: <074.fd1143ff15296cc8707a663a09a095ab@tools.ietf.org> <AAE76B481E7A0E4C96610790A852B9A624FC5BCDCC@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
From: lionel.morand@orange-ftgroup.com
To: violeta.cakulev@alcatel-lucent.com, dime@ietf.org
X-OriginalArrivalTime: 31 Aug 2010 01:32:56.0460 (UTC) FILETIME=[7039C4C0:01CB48AC]
Subject: Re: [Dime] [dime] #12: Review of draft-ietf-dime-ikev2-psk-diameter-02
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2010 01:32:31 -0000
Hi Violeta, Thank you for having taken into account my comments. About the Auth-Request-AVP, no problem for me to state that AUTHORIZE-ONLY is the unique value to use. However, this AVP is defined in RFC3588, and is defined with the following possible values: AUTHENTICATE_ONLY 1 The request being sent is for authentication only, and MUST contain the relevant application specific authentication AVPs that are needed by the Diameter server to authenticate the user. AUTHORIZE_ONLY 2 The request being sent is for authorization only, and MUST contain the application specific authorization AVPs that are necessary to identify the service being requested/offered. AUTHORIZE_AUTHENTICATE 3 What should be the behaviour of the receiver if the Auth-Request-Type AVP is set to the value 1 or 3, which are valid values? What is the error code send back to the sender? Regards, Lionel > -----Message d'origine----- > De : Cakulev, Violeta (Violeta) > [mailto:violeta.cakulev@alcatel-lucent.com] > Envoyé : lundi 30 août 2010 22:14 > À : dime@ietf.org; MORAND Lionel RD-CORE-ISS > Objet : RE: [dime] #12: Review of > draft-ietf-dime-ikev2-psk-diameter-02 > > > Lionel, > Thanks for the comments. > Please see inline (>>[VC]). > > I'll upload a new version (v3) of the draft shortly. > > -Violeta > > -----Original Message----- > From: dime issue tracker [mailto:trac@tools.ietf.org] > Sent: Monday, August 16, 2010 12:46 PM > To: lionel.morand@orange-ftgroup.com > Cc: dime@ietf.org; Cakulev, Violeta (Violeta) > Subject: [dime] #12: Review of draft-ietf-dime-ikev2-psk-diameter-02 > > #12: Review of draft-ietf-dime-ikev2-psk-diameter-02 > ----------------------------------------------+--------------- > ---------- > ----------------------------------------------+---- > Reporter: lionel.morand@... | Owner: > Type: defect | Status: new > Priority: major | Milestone: > Component: ikev2-psk-diameter | Version: > Severity: In WG Last Call | Keywords: > ----------------------------------------------+--------------- > ---------- > ----------------------------------------------+---- > I have reviewed this draft and is pretty good for publication. > > One remaining open issue from my side: > > 1/Is there any need for Authorize-Type AVP in the request if > only Authorize-Only is used in this application? > >>[VC] Please see my response to Sebastien. In short, today > this value is constrained and probably not necessary, but in > future it may change. In addition, it is better to be explicit. > > Additional comments/proposed modifications below. > > Regards, > > Lionel. > > ****************** > > > > 1. Introduction > > [RFC4306] defines Internet Key Exchange v2 as a protocol that > > ==> s/[RFC4306] defines Internet Key Exchange v2 as a protocol that/ > [RFC4306] defines the version 2 of the Internet Key > Exchange (IKE) protocol that > >>[VC] Changed. > > performs mutual authentication between two parties and > establishes a > security association (SA) that includes shared secret information > that can be used to efficiently establish SAs for Encapsulating > Security Payload (ESP) [RFC4303] and/or Authentication Header (AH) > [RFC4302], and a set of cryptographic algorithms to be used by the > SAs to protect the traffic that they carry. IKEv2 protocol allows > several different mechanisms for authenticating a IKEv2 Peer to be > used, such as the Extensible Authentication Protocol, > certificates, > and pre-shared secrets. > > From a service provider perspective it is important to > ensure that a > > ==> s/From a service provider perspective it is/From a > service provider perspective, it is > >>[VC] Changed. > > user is authorized to use the services. Therefore, the > IKEv2 Server > must verify that the IKEv2 Peer is authorized for the requested > services possibly with the assistance of the operator's Diameter > servers. [RFC 5778] defines the home agent as a Diameter > client to > the Diameter server communication when the mobile node > authenticates > using the IKEv2 protocol with the Extensible > Authentication Protocol > or using the Mobile IPv6 Authentication Protocol. This document > > ==> s/the Extensible Authentication Protocol or using the > Mobile IPv6 Authentication Protocol/ > the Extensible Authentication Protocol (EAP) [RFC > 3748] or using the Mobile IPv6 Authentication Protocol [RFC 4285]/ > >>[VC] Changed. > > extends the functionality offered by [RFC 5778] with > pre-shared key > based authentication offered by IKEv2. This document > does not assume > that the IKEv2 Server has the pre-shared secrets (PSK) > with the IKEv2 > Peer. Instead, it allows for PSK to be derived for a > specific IKEv2 > session and exchanged between IKEv2 Server and HAAA. This is > accomplished through the use of a new Diameter application > specifically designed for performing IKEv2 authorization > decisions. > > > [skip] > > > 4. Protocol Description > > 4.1. Support for IKEv2 and Pre-Shared Secrets > > When IKEv2 is used with PSK-based initiator authentication, the > Diameter commands IKEv2-PSK-Request and IKEv2-PSK-Answer > defined in > > ==> s/the Diameter commands IKEv2-PSK-Request and > IKEv2-PSK-Answer defined/ > the Diameter command pair IKEv2-PSK-Request/Answer defined > >>[VC] Changed. > > this document are used to authorize the IKEv2 Peer for > the services. > > ==> s/are used to authorize/are used between IKEv2 server > and a Home AAA server (HAAA) to authorize > >>[VC] Changed. > > > Upon receiving the IKE_AUTH message from the IKEv2 Peer, the IKEv2 > Server uses the information received in IDi to determine if it has > the PSK for this IKEv2 Peer. If there is no PSK found associated > with this IKEv2 Peer, the IKEv2 Server MUST send an Authorize-Only > (Auth-Request-Type set to "Authorize-Only") Diameter IKEv2-PSK > message with the IKEv2 Peer's IDi payload to the HAAA to > obtain the > PSK. > > ==> I think that the initial intention was to re-use RFC5778 > and existing commands. Now, as you're creating new command, > why do you have to re-use Auth-Request-Type AVP as it seems > that only "Authorize-Only" will be used in this application? > If removed from the command, this part will be modified. > >>[VC] Discussed above. > > The IDi payload extracted from the IKE_AUTH message has to > > ==> s/has to/MUST > >>[VC] Changed. > > contain an identity that is meaningful for the Diameter > infrastructure, such as a Network Access Identifier > (NAI), since it > is used by the IKEv2 Server to populate the User-Name AVP in the > Diameter message. The IKEv2 Server also includes in the > IKEv2-Nonces > AVP of the same Diameter message the initiator and > responder nonces > (Ni and Nr) exchanged during initial IKEv2 exchange. > > This message is routed to the IKEv2 Peer's HAAA. Upon receiving > Diameter IKEv2-PSK-Request message from the IKEv2 Server, the HAAA > SHALL use the User-Name AVP to retrieve the associated keying > material. The HAAA SHALL use the nonces Ni and Nr > received in IKEv2- > Nonces AVP to generate the PSK. It is outside of scope of this > document how the HAAA obtains or generates the PSK. For > example, if > the HAAA previously performed EAP based access authentication and > authorization of the IKEv2 Peer, it can use the available EMSK to > generate the PSK [RFC5295]. The HAAA returns the PSK to the IKEv2 > Server using the Key AVP as specified in > [I-D.ietf-dime-local-keytran]. > > ==> I would reorder the end of this paragraph and move the > "it is outside of scope..." at the end. It would look like: > > "This message is routed to the IKEv2 Peer's HAAA. Upon receiving > Diameter IKEv2-PSK-Request message from the IKEv2 Server, the HAAA > SHALL use the User-Name AVP to retrieve the associated keying > material. The HAAA SHALL use the nonces Ni and Nr > received in IKEv2- > Nonces AVP to generate the PSK. The HAAA returns the PSK > to the IKEv2 > Server using the Key AVP as specified in > [I-D.ietf-dime-local-keytran]. > > It is outside of scope of this document how the HAAA obtains or > generates the PSK. For example, if the HAAA previously > performed EAP > based access authentication and authorization of the > IKEv2 Peer, it > can use the available EMSK to generate the PSK [RFC5295]." > > >>[VC] Reordered. > > [skip] > > > 4.2.2. AbortSession-Request > > ==> AbortSession/Abort-Session > >>[VC] Changed. > > The Abort-Session-Request (ASR) message [RFC3588] is sent > by the HAAA > to the IKEv2 Server to terminate the authorized session. When the > IKEv2 Server receives the ASR message, it MUST delete the > corresponding IKE_SA and all CHILD_SAs set up through it. > > The Abort-Session-Answer (ASA) message [RFC3588] is sent > by the IKEv2 > Server in response to an ASR message. > > > [skip] > > > 5.1. IKEv2-PSK-Request (IKEPSKR) Command > > The IKEv2-PSK-Request message, indicated with the > Command-Code set to > TBD2 and the 'R' bit set in the Command Flags field is > sent from the > IKEv2 Server to the HAAA to initiate IKEv2 with PSK authorization. > In this case, the Application-ID field of the Diameter > Header MUST be > set to the Diameter IKE PSK Application ID (value of TDB1). > > Message format > > > <IKEv2-PSK-Request> ::= < Diameter Header: TBD2, REQ, PXY > > < Session-Id > > { Auth-Application-Id } > { Origin-Host } > { Origin-Realm } > { Destination-Realm } > { Auth-Request-Type } > [ Destination-Host ] > [ NAS-Identifier ] > [ NAS-IP-Address ] > [ NAS-IPv6-Address ] > [ NAS-Port ] > [ Origin-State-Id ] > { User-Name } > [ Auth-Session-State ] > { IKEv2-Nonces } > * [ Proxy-Info ] > * [ Route-Record ] > ... > * [ AVP ] > > IKEv2-PSK-Request message MUST include a IKEv2-Nonces AVP > containing > Ni and Nr nonces exchanged during initial IKEv2 exchange. > > ==> Check if the use of Auth-Request-Type AVp is really > needed. If not, remove it. > >>[VC] Discussed above. > > ==> Why do we have to insist on the presence of IKEv2-Nonces > AVP as this AVP is described as required in the ABNF? > >>[VC] Makes sense. However, focus was more on the fact that > those are the nonces exchanged between the peer and the > server in IKE messages. I believe it is not wrong to leave > the text as it is. > > ==> In the AVP Occurence table, Key AVP can be found in the > request while this AVP is missing in the ABNF description. > inconsistency must fixed. > Moreover, if Key AVP can be found in the request, add some > text to explain why. > >>[VC] Good catch. Key AVP needs to be an optional AVP in the > request. If present it contains SPI. Some applications might > use SPI values for key identification purposes. Key AVP is > added in the ABNF description. > > [skip] > > > 7. AVP Occurrence Tables > > The following tables present the AVPs defined or used in this > document and their occurrences in Diameter messages. > Note that AVPs > that can only be present within a Grouped AVP are not > represented in > this table. > > The table uses the following symbols: > > 0: > > The AVP MUST NOT be present in the message. > > > 0+: > > Zero or more instances of the AVP MAY be present in > the message. > > > 0-1: > > Zero or one instance of the AVP MAY be present in the message. > > > 1: > > One instance of the AVP MUST be present in the message. > > > > +-------------------+ > | Command-Code | > |---------+---------+ > AVP Name | IKEPSKR | IKEPSKA | > -------------------------------|---------+---------+ > Key | 0-1 | 0-1 | > IKEv2-Nonces | 0-1 | 0 | > +---------+---------+ > > IKEPSKR and IKEPSKA Commands AVP Table > > ==> Inconsistency! IKEv2-Nonces is described are required in > the Request and the Occurence is then 1. Moreover, the use > of Key AVP in the request is not described, neither in the > text nor in the request ABNF description. > >>[VC] Agreed. Table is changed. > > > [skip] > > 11.2. Informative References > > [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate > Requirement Levels", BCP 14, RFC 2119, March 1997. > > [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, > J., and H. > Levkowetz, "Extensible Authentication Protocol (EAP)", > RFC 3748, June 2004. > > [RFC5295] Salowey, J., Dondeti, L., Narayanan, V., and > M. Nakhjiri, > "Specification for the Derivation of Root Keys from an > Extended Master Session Key (EMSK)", RFC 5295, > August 2008. > > > ==> an informative reference to RFC 4285 should be added > (cf. previous > comment) > >>[VC] Added. > > -- > Ticket URL: <http://trac.tools.ietf.org/wg/dime/trac/ticket/12> > dime <http://tools.ietf.org/wg/dime/> > >
- [Dime] #12: Review of draft-ietf-dime-ikev2-psk-d… lionel.morand
- Re: [Dime] [dime] #12: Review of draft-ietf-dime-… Cakulev, Violeta (Violeta)
- Re: [Dime] [dime] #12: Review of draft-ietf-dime-… lionel.morand
- Re: [Dime] [dime] #12: Review of draft-ietf-dime-… Cakulev, Violeta (Violeta)