Re: [Gen-art] Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06
Reese Enghardt <ietf@tenghardt.net> Tue, 02 April 2024 15:07 UTC
Return-Path: <ietf@tenghardt.net>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BE62C14CEE4; Tue, 2 Apr 2024 08:07:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.46
X-Spam-Level:
X-Spam-Status: No, score=-6.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-2.064, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tenghardt.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e0Cndm3HEYvZ; Tue, 2 Apr 2024 08:07:44 -0700 (PDT)
Received: from mail.hemio.de (mail.hemio.de [136.243.12.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7649BC14F75F; Tue, 2 Apr 2024 08:07:40 -0700 (PDT)
Received: from user.client.invalid (localhost [136.243.12.180]) by mail.hemio.de (Postfix) with ESMTPSA id 9C263B2; Tue, 2 Apr 2024 17:07:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tenghardt.net; s=20170414; t=1712070458; bh=pRA6lJs+LcsB106cDCRnN/HqSmWK00jV83uILfVIaG8=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=M/HD5VG3rhX8yhD4rI3+JMaq2palyM91lYhwzkCz6FC29P7sjlXgeJaCnkwN0AfIq SxujGty6mySvT1Z14ZdmMDaTDdEq0dPjmn5y3/jtdi56UQA56jLn//rb7WuU5I++RW ZCib4bP5ku/dObhvQYRUgs45YRIXraMDh5pqMoHT/1KA9CtMS+TSAy3a/lV/LfIWvY YN65RilbLIsvmSMHMKxaDyZwikOXMfOl39VAzIV+3mA/pYiAjfHV3MAZPGijBooEee 3fk9D2OMZ8BPWFO800oFdTISN7Ht6d1UaQh9chF2M5SuYKme2KWs2q8xrdRKbpD9WT Z9eeMV+7m4mVA==
Message-ID: <1f825184-60d4-7b60-a2bb-b62a8f6a56f8@tenghardt.net>
Date: Tue, 02 Apr 2024 08:07:30 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
To: Valery Smyslov <svan@elvis.ru>
Cc: draft-ietf-ipsecme-ikev2-auth-announce.all@ietf.org, ipsec@ietf.org, last-call@ietf.org, gen-art@ietf.org
References: <171173986283.29677.15166968196717624638@ietfa.amsl.com> <03f601da8435$abd224e0$03766ea0$@elvis.ru>
Content-Language: en-US
From: Reese Enghardt <ietf@tenghardt.net>
In-Reply-To: <03f601da8435$abd224e0$03766ea0$@elvis.ru>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/xyn86dcaHg346f4yRqVPDWFgXNQ>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 15:07:48 -0000
Hi Valery, Thank you for the response and updates. Please see inline: On 4/1/24 06:08, Valery Smyslov wrote: >> Abstract: >> >> As a non-expert reader, the following phrases appear to contradict each other: >> "indicate the list of supported authentication methods" sounds like different >> algorithms, "configured with multiple different credentials to authenticate each >> other" sounds like different certificates but potentially using the same algorithm. If >> this proposal is most applicable to scenarios where IKEv2 partners use different >> algorithms or methods, please consider saying so explicitly in the abstract. > I'm a bit confused here. My interpretation is that "different credentials" includes the situation > when these credentials can only be used with specific authentication methods > (e.g., user may have a certificate and a PSK). So, I believe that the current text > is adequate, but as a non-native speaker I might have missed some nuances. > If this is the case, then can you propose a better wording? No worries. If "different credentials" is commonly understood to include different authentication methods, then the text should stay as it is. >> Please consider adding a sentence as additional motivation for this new >> mechanism. > I've added the following sentence to the Introduction: > > Since IKEv2 requires that each peer uses exactly one authentication method > and doesn't provide means for peers to > indicate to the other side which authentication methods they support, > it is possible that in these situations the peer which supports wider > range of authentication methods (or authentication token formats) > improperly selects the method (or format) which is not supported by > the other side. (Copied text from the thread with Paul) Thank you, this is a great clarification and works well for me! >> Section 5: >> >> "Note, that this is not a real attack, since NULL authentication should be allowed by >> local security policy." Why is it not a real attack then? If NULL authentication is >> allowed among other methods, surely downgrading to NULL authentication is still a >> problem? Or should the second sentence instead say "NULL authentication should >> NOT be allowed by local security policy"? > There is no negotiation of the authentication method to be used in IKEv2, > thus this is not a "downgrade". If your local policy allows peers to not authenticate > on their discretion, then it is your choice. If they use NULL authentication > in this case, they don't violate your policy, thus this is not an real attack. Thanks, that's a great clarification, I initially missed the "there is no negotiation" part. Would you mind adding a sentence to the section, please? Best, Reese
- [Gen-art] Genart last call review of draft-ietf-i… Reese Enghardt via Datatracker
- Re: [Gen-art] Genart last call review of draft-ie… Valery Smyslov
- Re: [Gen-art] Genart last call review of draft-ie… Paul Wouters
- Re: [Gen-art] Genart last call review of draft-ie… Valery Smyslov
- Re: [Gen-art] Genart last call review of draft-ie… Paul Wouters
- Re: [Gen-art] Genart last call review of draft-ie… Reese Enghardt
- Re: [Gen-art] [***SPAM***] Re: Genart last call r… Valery Smyslov
- Re: [Gen-art] [***SPAM***] Re: Genart last call r… Reese Enghardt