IETF Logo Mail Archive

Comments to draft-ietf-ippm-ipsec-08

Tero Kivinen <kivinen@iki.fi> Thu, 29 January 2015 10:36 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51CF11A019B; Thu, 29 Jan 2015 02:36:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level:
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YT203VrjwuQ4; Thu, 29 Jan 2015 02:36:54 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E4391A0193; Thu, 29 Jan 2015 02:36:54 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t0TAaqem027534 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 29 Jan 2015 12:36:52 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t0TAamvt007364; Thu, 29 Jan 2015 12:36:48 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21706.3392.910550.950465@fireball.kivinen.iki.fi>
Date: Thu, 29 Jan 2015 12:36:48 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: ietf@ietf.org
Subject: Comments to draft-ietf-ippm-ipsec-08
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 16 min
X-Total-Time: 18 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/7fMlYAfDFxiBEeXpF_HQqm-tC0I>
Cc: draft-ietf-ippm-ipsec.all@tools.ietf.org, ippm@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 10:36:55 -0000

In the whole draft there are several cases where IPsec is spelled
incorrectly (IPSec). 

--

In section 5.3 there is text saying:

   The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) can
   uniquely identify the Security Association (SA).  If the client
   supports the derivation of shared secret key from IKEv2 SA, it will
   choose the corresponding mode value and carry SPIi and SPIr in the
   Key ID field.  SPIi and SPIr MUST be included in the Key ID field of
   Set-Up-Response Message to indicate the IKEv2 SA from which the O/
   TWAMP shared secret key derived from.  The length of SPI is 4 octets.
   	 	       	   	   	      	     	       ^
   Therefore, the first 4 octets of Key ID field MUST carry SPIi and the
   	      	  	^
   second 4 octets MUST carry SPIr.  The remaining bits of the Key ID
   	  ^
   field MUST set to zero.

This is wrong. The SPIi and SPIr in the IKEv2 SA are 8 octets each.
The ESP and AH SPI is 4 octets, for IKEv2 SA it is 8+8. Also in the
next paragraph it should say "first 16 octets" not "first 8 octets".

--

In section 5.4 you there is text:

							    ... If
   the two endpoints are already connected through an IPSec tunnel it
   is RECOMMENDED that the O/TWAMP measurement packets are forwarded
   over the IPSec tunnel if the peers choose the unauthenticated mode
   in order to ensure authenticity and security.

Part of the IPsec architecture model specifies policy rules which
dictate which packets go to the tunnel and which do not. This text
above seems to indicate that someone else than the policy rules could
say that those O/TWAMP measurement packets might ignore those policy
rules and go out bypassing those rules.

I think it would be better to rewrite the text above to reflect that
the IPsec policy model is followed with those packets just as for any
other packets. I.e. the normal case would be that IPsec policy rules
will specify whether the measurement packets go to the tunnel or not.
If I understand correctly that this text tries to say that IPsec
tunnel should be configured so that it SHOULD include O/TWAMP
measurement packets, even when using unauthenticated mode, to ensure
authenticity and security.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email