Re: [Gen-art] [***SPAM***] Re: Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06

Valery Smyslov <svan@elvis.ru> Wed, 03 April 2024 08:10 UTC

From: Valery Smyslov <svan@elvis.ru>
To: 'Reese Enghardt' <ietf@tenghardt.net>
CC: draft-ietf-ipsecme-ikev2-auth-announce.all@ietf.org, ipsec@ietf.org, last-call@ietf.org, gen-art@ietf.org
References: <171173986283.29677.15166968196717624638@ietfa.amsl.com> <03f601da8435$abd224e0$03766ea0$@elvis.ru> <1f825184-60d4-7b60-a2bb-b62a8f6a56f8@tenghardt.net>
In-Reply-To: <1f825184-60d4-7b60-a2bb-b62a8f6a56f8@tenghardt.net>
Date: Wed, 03 Apr 2024 11:12:32 +0300
Message-ID: <000001da859e$ada3efa0$08ebcee0$@elvis.ru>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/WGjt9ArRtqVOtzN0pZD1S46UgCA>

Hi Reese,

I snipped most of the text for readability.

> Hi Valery,
> 
> Thank you for the response and updates.
> 
> Please see inline:

[...]
 
> >> Section 5:
> >>
> >> "Note, that this is not a real attack, since NULL authentication
> >> should be allowed by local security policy." Why is it not a real
> >> attack then? If NULL authentication is allowed among other methods,
> >> surely downgrading to NULL authentication is still a problem? Or
> >> should the second sentence instead say "NULL authentication should NOT be
> allowed by local security policy"?
> > There is no negotiation of the authentication method to be used in
> > IKEv2, thus this is not a "downgrade". If your local policy allows
> > peers to not authenticate on their discretion, then it is your choice.
> > If they use NULL authentication in this case, they don't violate your policy, thus
> this is not a real attack.
> 
> Thanks, that's a great clarification, I initially missed the "there is no negotiation"
> part. Would you mind adding a sentence to the section, please?


I've rephrased the text as follows:

   Note, that this is not a real "downgrade"
   attack, since authentication methods in IKEv2 are not negotiated and
   in this case NULL authentication should be allowed by local security
   policy.

Is this OK?

Regards,
Valery.

> Best,
> Reese
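The point made in this exchange (IKEv2 never negotiates the authentication method; a peer's use of NULL authentication is acceptable only when the verifier's own local policy permits it for that identity, and an announcement of supported methods is only a hint for choosing one's own credentials) can be shown as a small policy-enforcement model. This is an added illustration, not code from the draft or from any IKE implementation. The numeric method identifiers are the IANA IKEv2 Authentication Method values (RFC 7296, RFC 7427, RFC 7619); the two policy tables, the peer identities and the fallback rule in `choose_own_method` are constructed assumptions for the example.

```python
"""Local-policy handling of IKEv2 authentication methods.

Added example (not the draft's or any implementation's code).  Models the
two separate decisions an IKEv2 party makes:
  1. which method it accepts from the PEER (governed only by local policy);
  2. which of its OWN credentials it presents, where the peer's announced
     supported-methods list is merely a hint.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IANA "IKEv2 Authentication Method" values (subset).
RSA_DIGITAL_SIGNATURE = 1
SHARED_KEY_MIC = 2
ECDSA_P256_SHA256 = 9
NULL_AUTHENTICATION = 13      # RFC 7619
DIGITAL_SIGNATURE = 14        # RFC 7427

METHOD_NAMES = {
    RSA_DIGITAL_SIGNATURE: "RSA Digital Signature",
    SHARED_KEY_MIC: "Shared Key MIC",
    ECDSA_P256_SHA256: "ECDSA-256",
    NULL_AUTHENTICATION: "NULL Authentication",
    DIGITAL_SIGNATURE: "Digital Signature",
}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


# Constructed sample policy: methods each peer identity MAY use to
# authenticate itself to us.  Only "guest-client" is allowed to go unauthenticated.
PEER_POLICY: Dict[str, Set[int]] = {
    "vpn-gw.example.net": {DIGITAL_SIGNATURE, ECDSA_P256_SHA256},
    "guest-client": {NULL_AUTHENTICATION},
}

# Constructed sample policy: methods WE may use towards each peer, plus our
# global preference order among the credentials we hold.
OWN_POLICY: Dict[str, Set[int]] = {
    "vpn-gw.example.net": {DIGITAL_SIGNATURE, SHARED_KEY_MIC},
    "guest-client": {DIGITAL_SIGNATURE, NULL_AUTHENTICATION},
}
OWN_PREFERENCE: List[int] = [DIGITAL_SIGNATURE, SHARED_KEY_MIC, NULL_AUTHENTICATION]


def name(method: int) -> str:
    return METHOD_NAMES.get(method, f"method {method}")


def verify_peer_method(peer_id: str, auth_method: int,
                       policy: Dict[str, Set[int]] = PEER_POLICY) -> Decision:
    """Decide whether the method in the peer's AUTH payload is acceptable.

    Nothing the peer sent earlier (including any announcement) widens this
    decision: it is local policy for this identity, and nothing else.
    """
    allowed = policy.get(peer_id)
    if allowed is None:
        return Decision(False, f"no policy entry for identity {peer_id!r}")
    if auth_method not in allowed:
        return Decision(False, f"{name(auth_method)} not permitted for {peer_id!r} by local policy")
    if auth_method == NULL_AUTHENTICATION:
        # Not a downgrade: the policy author chose to let this identity be unauthenticated.
        return Decision(True, f"NULL authentication explicitly allowed for {peer_id!r}")
    return Decision(True, f"{name(auth_method)} permitted for {peer_id!r}")


def choose_own_method(peer_id: str, announced: Optional[Set[int]],
                      own_policy: Dict[str, Set[int]] = OWN_POLICY,
                      preference: List[int] = OWN_PREFERENCE) -> Optional[int]:
    """Pick the method we use for our own AUTH payload.

    `announced` is the set of methods the peer said it supports for verifying
    us (None if it announced nothing).  It only narrows the choice among
    methods our own policy already permits; it can never add one.  Assumed
    fallback: if nothing announced matches, use our most-preferred permitted
    method anyway, since the announcement is a hint and not a negotiation.
    """
    candidates = [m for m in preference if m in own_policy.get(peer_id, set())]
    if not candidates:
        return None                      # we hold no credential usable for this peer
    if announced is not None:
        for m in candidates:
            if m in announced:
                return m
    return candidates[0]


if __name__ == "__main__":
    # A peer listing only NULL cannot make us authenticate with NULL where
    # our own policy forbids it; where policy permits it, that is simply policy.
    print(name(choose_own_method("vpn-gw.example.net", {NULL_AUTHENTICATION})))
    print(name(choose_own_method("guest-client", {NULL_AUTHENTICATION})))
    print(verify_peer_method("vpn-gw.example.net", NULL_AUTHENTICATION))
    print(verify_peer_method("guest-client", NULL_AUTHENTICATION))
```

The separation of the two functions is the design point: `verify_peer_method` never looks at what the peer announced, so an unexpected announcement can at most affect which of our own credentials we present, and even that only within `OWN_POLICY`.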