Re: [Dime] [dime] #12: Review of draft-ietf-dime-ikev2-psk-diameter-02
"Cakulev, Violeta (Violeta)" <violeta.cakulev@alcatel-lucent.com> Wed, 22 September 2010 19:55 UTC
Return-Path: <violeta.cakulev@alcatel-lucent.com>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2EFF33A685B for <dime@core3.amsl.com>; Wed, 22 Sep 2010 12:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.466
X-Spam-Level:
X-Spam-Status: No, score=-2.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wUR2LvyGZwF4 for <dime@core3.amsl.com>; Wed, 22 Sep 2010 12:55:46 -0700 (PDT)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by core3.amsl.com (Postfix) with ESMTP id 430D23A6ABC for <dime@ietf.org>; Wed, 22 Sep 2010 12:55:45 -0700 (PDT)
Received: from usnavsmail1.ndc.alcatel-lucent.com (usnavsmail1.ndc.alcatel-lucent.com [135.3.39.9]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id o8MJuCPk015025 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 22 Sep 2010 14:56:13 -0500 (CDT)
Received: from USNAVSXCHHUB01.ndc.alcatel-lucent.com (usnavsxchhub01.ndc.alcatel-lucent.com [135.3.39.110]) by usnavsmail1.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id o8MJuCMs019236 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Wed, 22 Sep 2010 14:56:12 -0500
Received: from USNAVSXCHMBSA3.ndc.alcatel-lucent.com ([135.3.39.126]) by USNAVSXCHHUB01.ndc.alcatel-lucent.com ([135.3.39.110]) with mapi; Wed, 22 Sep 2010 14:56:12 -0500
From: "Cakulev, Violeta (Violeta)" <violeta.cakulev@alcatel-lucent.com>
To: "lionel.morand@orange-ftgroup.com" <lionel.morand@orange-ftgroup.com>, "dime@ietf.org" <dime@ietf.org>
Date: Wed, 22 Sep 2010 14:56:11 -0500
Thread-Topic: [dime] #12: Review of draft-ietf-dime-ikev2-psk-diameter-02
Thread-Index: Acs9YooxKq4wX5tRRC+T0JyNnhCMaQBsfJWAAmXEKBAEeP4yMA==
Message-ID: <AAE76B481E7A0E4C96610790A852B9A624FD1B6E98@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <074.fd1143ff15296cc8707a663a09a095ab@tools.ietf.org> <AAE76B481E7A0E4C96610790A852B9A624FC5BCDCC@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <D109C8C97C15294495117745780657AE0CC674D8@ftrdmel1>
In-Reply-To: <D109C8C97C15294495117745780657AE0CC674D8@ftrdmel1>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.9
Subject: Re: [Dime] [dime] #12: Review of draft-ietf-dime-ikev2-psk-diameter-02
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2010 19:55:48 -0000
Lionel, Thanks for the reply. Please see inline (>>VC:) -Violeta -----Original Message----- From: lionel.morand@orange-ftgroup.com [mailto:lionel.morand@orange-ftgroup.com] Sent: Monday, August 30, 2010 9:33 PM To: Cakulev, Violeta (Violeta); dime@ietf.org Subject: RE: [dime] #12: Review of draft-ietf-dime-ikev2-psk-diameter-02 Hi Violeta, Thank you for having taken into account my comments. About the Auth-Request-AVP, no problem for me to state that AUTHORIZE-ONLY is the unique value to use. However, this AVP is defined in RFC3588, and is defined with the following possible values: AUTHENTICATE_ONLY 1 The request being sent is for authentication only, and MUST contain the relevant application specific authentication AVPs that are needed by the Diameter server to authenticate the user. AUTHORIZE_ONLY 2 The request being sent is for authorization only, and MUST contain the application specific authorization AVPs that are necessary to identify the service being requested/offered. AUTHORIZE_AUTHENTICATE 3 What should be the behaviour of the receiver if the Auth-Request-Type AVP is set to the value 1 or 3, which are valid values? What is the error code send back to the sender? >>VC: I agree 1 and 3 are the valid values in general but not for the application the document is defining. So we can return DIAMETER_INVALID_AVP_VALUE and include the Auth-Request-AVP in the Failed-AVP AVP. DIAMETER_UNABLE_TO_COMPLY could also be returned, but in this case the receiver will not know why. Regards, Lionel > -----Message d'origine----- > De : Cakulev, Violeta (Violeta) > [mailto:violeta.cakulev@alcatel-lucent.com] > Envoyé : lundi 30 août 2010 22:14 > À : dime@ietf.org; MORAND Lionel RD-CORE-ISS Objet : RE: [dime] #12: > Review of > draft-ietf-dime-ikev2-psk-diameter-02 > > > Lionel, > Thanks for the comments. > Please see inline (>>[VC]). > > I'll upload a new version (v3) of the draft shortly. > > -Violeta > > -----Original Message----- > From: dime issue tracker [mailto:trac@tools.ietf.org] > Sent: Monday, August 16, 2010 12:46 PM > To: lionel.morand@orange-ftgroup.com > Cc: dime@ietf.org; Cakulev, Violeta (Violeta) > Subject: [dime] #12: Review of draft-ietf-dime-ikev2-psk-diameter-02 > > #12: Review of draft-ietf-dime-ikev2-psk-diameter-02 > ----------------------------------------------+--------------- > ---------- > ----------------------------------------------+---- > Reporter: lionel.morand@... | Owner: > Type: defect | Status: new > Priority: major | Milestone: > Component: ikev2-psk-diameter | Version: > Severity: In WG Last Call | Keywords: > ----------------------------------------------+--------------- > ---------- > ----------------------------------------------+---- > I have reviewed this draft and is pretty good for publication. > > One remaining open issue from my side: > > 1/Is there any need for Authorize-Type AVP in the request if only > Authorize-Only is used in this application? > >>[VC] Please see my response to Sebastien. In short, today > this value is constrained and probably not necessary, but in future it > may change. In addition, it is better to be explicit. > > Additional comments/proposed modifications below. > > Regards, > > Lionel. > > ****************** > > > > 1. Introduction > > [RFC4306] defines Internet Key Exchange v2 as a protocol that > > ==> s/[RFC4306] defines Internet Key Exchange v2 as a protocol that/ > [RFC4306] defines the version 2 of the Internet Key Exchange > (IKE) protocol that > >>[VC] Changed. > > performs mutual authentication between two parties and establishes > a > security association (SA) that includes shared secret information > that can be used to efficiently establish SAs for Encapsulating > Security Payload (ESP) [RFC4303] and/or Authentication Header (AH) > [RFC4302], and a set of cryptographic algorithms to be used by the > SAs to protect the traffic that they carry. IKEv2 protocol allows > several different mechanisms for authenticating a IKEv2 Peer to be > used, such as the Extensible Authentication Protocol, > certificates, > and pre-shared secrets. > > From a service provider perspective it is important to ensure that > a > > ==> s/From a service provider perspective it is/From a service > provider perspective, it is > >>[VC] Changed. > > user is authorized to use the services. Therefore, the > IKEv2 Server > must verify that the IKEv2 Peer is authorized for the requested > services possibly with the assistance of the operator's Diameter > servers. [RFC 5778] defines the home agent as a Diameter client > to > the Diameter server communication when the mobile node > authenticates > using the IKEv2 protocol with the Extensible Authentication > Protocol > or using the Mobile IPv6 Authentication Protocol. This document > > ==> s/the Extensible Authentication Protocol or using the Mobile IPv6 > Authentication Protocol/ > the Extensible Authentication Protocol (EAP) [RFC 3748] or > using the Mobile IPv6 Authentication Protocol [RFC 4285]/ > >>[VC] Changed. > > extends the functionality offered by [RFC 5778] with pre-shared > key > based authentication offered by IKEv2. This document does not > assume > that the IKEv2 Server has the pre-shared secrets (PSK) with the > IKEv2 > Peer. Instead, it allows for PSK to be derived for a specific > IKEv2 > session and exchanged between IKEv2 Server and HAAA. This is > accomplished through the use of a new Diameter application > specifically designed for performing IKEv2 authorization > decisions. > > > [skip] > > > 4. Protocol Description > > 4.1. Support for IKEv2 and Pre-Shared Secrets > > When IKEv2 is used with PSK-based initiator authentication, the > Diameter commands IKEv2-PSK-Request and IKEv2-PSK-Answer defined > in > > ==> s/the Diameter commands IKEv2-PSK-Request and IKEv2-PSK-Answer > defined/ > the Diameter command pair IKEv2-PSK-Request/Answer defined > >>[VC] Changed. > > this document are used to authorize the IKEv2 Peer for the > services. > > ==> s/are used to authorize/are used between IKEv2 server and a Home > AAA server (HAAA) to authorize > >>[VC] Changed. > > > Upon receiving the IKE_AUTH message from the IKEv2 Peer, the IKEv2 > Server uses the information received in IDi to determine if it has > the PSK for this IKEv2 Peer. If there is no PSK found associated > with this IKEv2 Peer, the IKEv2 Server MUST send an Authorize-Only > (Auth-Request-Type set to "Authorize-Only") Diameter IKEv2-PSK > message with the IKEv2 Peer's IDi payload to the HAAA to obtain > the > PSK. > > ==> I think that the initial intention was to re-use RFC5778 and > existing commands. Now, as you're creating new command, why do you > have to re-use Auth-Request-Type AVP as it seems that only > "Authorize-Only" will be used in this application? > If removed from the command, this part will be modified. > >>[VC] Discussed above. > > The IDi payload extracted from the IKE_AUTH message has to > > ==> s/has to/MUST > >>[VC] Changed. > > contain an identity that is meaningful for the Diameter > infrastructure, such as a Network Access Identifier (NAI), since > it > is used by the IKEv2 Server to populate the User-Name AVP in the > Diameter message. The IKEv2 Server also includes in the > IKEv2-Nonces > AVP of the same Diameter message the initiator and responder > nonces > (Ni and Nr) exchanged during initial IKEv2 exchange. > > This message is routed to the IKEv2 Peer's HAAA. Upon receiving > Diameter IKEv2-PSK-Request message from the IKEv2 Server, the HAAA > SHALL use the User-Name AVP to retrieve the associated keying > material. The HAAA SHALL use the nonces Ni and Nr received in > IKEv2- > Nonces AVP to generate the PSK. It is outside of scope of this > document how the HAAA obtains or generates the PSK. For example, > if > the HAAA previously performed EAP based access authentication and > authorization of the IKEv2 Peer, it can use the available EMSK to > generate the PSK [RFC5295]. The HAAA returns the PSK to the IKEv2 > Server using the Key AVP as specified in > [I-D.ietf-dime-local-keytran]. > > ==> I would reorder the end of this paragraph and move the "it is > outside of scope..." at the end. It would look like: > > "This message is routed to the IKEv2 Peer's HAAA. Upon receiving > Diameter IKEv2-PSK-Request message from the IKEv2 Server, the HAAA > SHALL use the User-Name AVP to retrieve the associated keying > material. The HAAA SHALL use the nonces Ni and Nr received in > IKEv2- > Nonces AVP to generate the PSK. The HAAA returns the PSK to the > IKEv2 > Server using the Key AVP as specified in > [I-D.ietf-dime-local-keytran]. > > It is outside of scope of this document how the HAAA obtains or > generates the PSK. For example, if the HAAA previously performed > EAP > based access authentication and authorization of the > IKEv2 Peer, it > can use the available EMSK to generate the PSK [RFC5295]." > > >>[VC] Reordered. > > [skip] > > > 4.2.2. AbortSession-Request > > ==> AbortSession/Abort-Session > >>[VC] Changed. > > The Abort-Session-Request (ASR) message [RFC3588] is sent by the > HAAA > to the IKEv2 Server to terminate the authorized session. When the > IKEv2 Server receives the ASR message, it MUST delete the > corresponding IKE_SA and all CHILD_SAs set up through it. > > The Abort-Session-Answer (ASA) message [RFC3588] is sent by the > IKEv2 > Server in response to an ASR message. > > > [skip] > > > 5.1. IKEv2-PSK-Request (IKEPSKR) Command > > The IKEv2-PSK-Request message, indicated with the Command-Code set > to > TBD2 and the 'R' bit set in the Command Flags field is sent from > the > IKEv2 Server to the HAAA to initiate IKEv2 with PSK authorization. > In this case, the Application-ID field of the Diameter Header MUST > be > set to the Diameter IKE PSK Application ID (value of TDB1). > > Message format > > > <IKEv2-PSK-Request> ::= < Diameter Header: TBD2, REQ, PXY > > < Session-Id > > { Auth-Application-Id } > { Origin-Host } > { Origin-Realm } > { Destination-Realm } > { Auth-Request-Type } > [ Destination-Host ] > [ NAS-Identifier ] > [ NAS-IP-Address ] > [ NAS-IPv6-Address ] > [ NAS-Port ] > [ Origin-State-Id ] > { User-Name } > [ Auth-Session-State ] > { IKEv2-Nonces } > * [ Proxy-Info ] > * [ Route-Record ] > ... > * [ AVP ] > > IKEv2-PSK-Request message MUST include a IKEv2-Nonces AVP > containing > Ni and Nr nonces exchanged during initial IKEv2 exchange. > > ==> Check if the use of Auth-Request-Type AVp is really needed. If > not, remove it. > >>[VC] Discussed above. > > ==> Why do we have to insist on the presence of IKEv2-Nonces AVP as > this AVP is described as required in the ABNF? > >>[VC] Makes sense. However, focus was more on the fact that > those are the nonces exchanged between the peer and the server in IKE > messages. I believe it is not wrong to leave the text as it is. > > ==> In the AVP Occurence table, Key AVP can be found in the request > while this AVP is missing in the ABNF description. > inconsistency must fixed. > Moreover, if Key AVP can be found in the request, add some text to > explain why. > >>[VC] Good catch. Key AVP needs to be an optional AVP in the > request. If present it contains SPI. Some applications might use SPI > values for key identification purposes. Key AVP is added in the ABNF > description. > > [skip] > > > 7. AVP Occurrence Tables > > The following tables present the AVPs defined or used in this > document and their occurrences in Diameter messages. > Note that AVPs > that can only be present within a Grouped AVP are not represented > in > this table. > > The table uses the following symbols: > > 0: > > The AVP MUST NOT be present in the message. > > > 0+: > > Zero or more instances of the AVP MAY be present in the > message. > > > 0-1: > > Zero or one instance of the AVP MAY be present in the message. > > > 1: > > One instance of the AVP MUST be present in the message. > > > > +-------------------+ > | Command-Code | > |---------+---------+ > AVP Name | IKEPSKR | IKEPSKA | > -------------------------------|---------+---------+ > Key | 0-1 | 0-1 | > IKEv2-Nonces | 0-1 | 0 | > +---------+---------+ > > IKEPSKR and IKEPSKA Commands AVP Table > > ==> Inconsistency! IKEv2-Nonces is described are required in the > Request and the Occurence is then 1. Moreover, the use of Key AVP in > the request is not described, neither in the text nor in the request > ABNF description. > >>[VC] Agreed. Table is changed. > > > [skip] > > 11.2. Informative References > > [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate > Requirement Levels", BCP 14, RFC 2119, March 1997. > > [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and > H. > Levkowetz, "Extensible Authentication Protocol (EAP)", > RFC 3748, June 2004. > > [RFC5295] Salowey, J., Dondeti, L., Narayanan, V., and M. > Nakhjiri, > "Specification for the Derivation of Root Keys from an > Extended Master Session Key (EMSK)", RFC 5295, > August 2008. > > > ==> an informative reference to RFC 4285 should be added (cf. > previous > comment) > >>[VC] Added. > > -- > Ticket URL: <http://trac.tools.ietf.org/wg/dime/trac/ticket/12> > dime <http://tools.ietf.org/wg/dime/> > >
- [Dime] #12: Review of draft-ietf-dime-ikev2-psk-d… lionel.morand
- Re: [Dime] [dime] #12: Review of draft-ietf-dime-… Cakulev, Violeta (Violeta)
- Re: [Dime] [dime] #12: Review of draft-ietf-dime-… lionel.morand
- Re: [Dime] [dime] #12: Review of draft-ietf-dime-… Cakulev, Violeta (Violeta)