Re: [Gen-art] Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06
Paul Wouters <paul@nohats.ca> Tue, 02 April 2024 10:27 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C90CDC14F617; Tue, 2 Apr 2024 03:27:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.201
X-Spam-Level:
X-Spam-Status: No, score=-6.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5QGsrKQq4oRF; Tue, 2 Apr 2024 03:27:30 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F65CC14F5FB; Tue, 2 Apr 2024 03:27:29 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4V83wZ5rJQzFSM; Tue, 2 Apr 2024 12:27:26 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1712053646; bh=Hb6fhE8XFkBT5qeZ0NwNNXt9GU9K+ETmdud2mPokeJc=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=EYuUM2OEBVsUBmmEE559y87L6xUI27DY4qiHK3zkRnW9rGnsYckTaDwVGflCYA3BS KKaLJDntzvKrNXkK5QGfUzFGjsV/pvbub05hM8y7ONc6jb+q6g9CBJA/XiV1M7Tydw 7JtwjcU5enKMTAZiJbH6oT/5zUf5AwUrYRWNNacY=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id UWBBatI-jaJl; Tue, 2 Apr 2024 12:27:25 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 2 Apr 2024 12:27:25 +0200 (CEST)
Received: from smtpclient.apple (bras-base-toroon01zb3-grc-22-142-115-101-253.dsl.bell.ca [142.115.101.253]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id BE2B511AE361; Tue, 2 Apr 2024 06:27:23 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-EF6DD9A5-C564-4BB5-BE26-17FB93D83D6D"
Content-Transfer-Encoding: 7bit
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Tue, 02 Apr 2024 06:27:10 -0400
Message-Id: <EA0BE11D-952C-42E9-A66C-05549E16EE5C@nohats.ca>
References: <047001da84cc$acc92870$065b7950$@elvis.ru>
Cc: Paul Wouters <paul.wouters@aiven.io>, Reese Enghardt <ietf@tenghardt.net>, gen-art@ietf.org, draft-ietf-ipsecme-ikev2-auth-announce.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
In-Reply-To: <047001da84cc$acc92870$065b7950$@elvis.ru>
To: Valery Smyslov <svan@elvis.ru>
X-Mailer: iPhone Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/YfQ6kjktOvcoTmis9QFH5wyG39I>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 10:27:34 -0000
On Apr 2, 2024, at 03:10, Valery Smyslov <svan@elvis.ru> wrote:
--Hi Paul,
On Mon, Apr 1, 2024 at 9:08 AM Valery Smyslov <svan@elvis.ru> wrote:
I've added the following sentence to the Introduction:
Since IKEv2 doesn't allow to use multiple
authentication methods and doesn't provide means for peers to
indicate to the other side which authentication methods they support,
it is possible that in these situations the peer which supports wider
range of authentication methods (or authentication token formats)
improperly selects the method (or format) which is not supported by
the other side.
I wouldn't phrase it like it, since if we are talking about the peers using different authentication
methods (eg client EAPTLS and server X.509 cert) then there are "multiple authentication methods".
Also, the server could have multiple configurations for the same peer so a peer could come in using X509 or PSK.
I think the core case is that the peers cannot dictate the auth method the peer must use. But this document allows
them to inform the peer or what they are going to allow? Although a bit limited because in IKE_SA_INIT, one does
not have the peer's identity yet, and different peers might only be allowed specific auth methods.
I believe the issue Reese raised was: why we didn’t modify IKEv2 so that
each peer was able to try to authenticate with all auth methods it had credentials for – with signature(s), PSK etc.,
and the SA would be established if at least one of these methods succeeded.
I agree that the wording above is imperfect and imprecise. Perhaps:
Since IKEv2 requires that each peer uses exactly one authentication method
and doesn't provide means for peers to
indicate to the other side which authentication methods they support,
it is possible that in these situations the peer which supports wider
range of authentication methods (or authentication token formats)
improperly selects the method (or format) which is not supported by
the other side.
This is still imprecise since with EAP the server actually authenticates itself with two methods.
But perhaps we can leave with this? Or can you propose a better wording?
Regards,
Valery.
Paul
last-call mailing list
last-call@ietf.org
https://www.ietf.org/mailman/listinfo/last-call
- [Gen-art] Genart last call review of draft-ietf-i… Reese Enghardt via Datatracker
- Re: [Gen-art] Genart last call review of draft-ie… Valery Smyslov
- Re: [Gen-art] Genart last call review of draft-ie… Paul Wouters
- Re: [Gen-art] Genart last call review of draft-ie… Valery Smyslov
- Re: [Gen-art] Genart last call review of draft-ie… Paul Wouters
- Re: [Gen-art] Genart last call review of draft-ie… Reese Enghardt
- Re: [Gen-art] [***SPAM***] Re: Genart last call r… Valery Smyslov
- Re: [Gen-art] [***SPAM***] Re: Genart last call r… Reese Enghardt