Re: [IPsec] Candidate charter text is now in wiki
Tero Kivinen <kivinen@iki.fi> Tue, 06 February 2018 18:30 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83C2E12D963 for <ipsec@ietfa.amsl.com>; Tue, 6 Feb 2018 10:30:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x2pZgWwv1_0e for <ipsec@ietfa.amsl.com>; Tue, 6 Feb 2018 10:30:04 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02BDD12D955 for <ipsec@ietf.org>; Tue, 6 Feb 2018 10:30:03 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w16ITsNX020441 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 6 Feb 2018 20:29:54 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w16ITs12014425; Tue, 6 Feb 2018 20:29:54 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23161.62498.200072.707799@fireball.acr.fi>
Date: Tue, 06 Feb 2018 20:29:54 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: David Schinazi <dschinazi@apple.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <84472A32-CABA-4CFC-AA4D-BCAF070E9959@apple.com>
References: <23054.29098.665202.402605@fireball.acr.fi> <787AE7BB302AE849A7480A190F8B93300A07C37A@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <84472A32-CABA-4CFC-AA4D-BCAF070E9959@apple.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 2 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/-k3mIortk8vMTCu_HugBRZnM_x0>
Subject: Re: [IPsec] Candidate charter text is now in wiki
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2018 18:30:06 -0000
David Schinazi writes: > Here is proposed charter text for the "Mitigating privacy concerns" > section: As there has not been any support for this item in the mailing list I do not think we will be adding it in the charter this time. > IKEv2 is currently vulnerable to the two following privacy concerns: > > 1) It's not possible to run a server that obfuscates IKEv2/IPsec > using TLS. Today thanks to RFC 8229 it is possible to run an > IKEv2/IPsec server on TCP port 443 with TLS. However if a > government agent tries to send an SA_INIT over that it will > discover that this server runs IKEv2/IPsec, and may blacklist > it. We should add a mechanism to IKEv2 that allows the server to > only respond to SA_INIT from known entities (e.g. that possess a > shared secret). > > 2) The privacy of the initiator's identity in the presence of a man > in the middle attacker is not protected Today an attacker with > full control of the network can receive the IDi/IDr sent by the > initiator in the first AUTH packet. We should add a mechanism to > IKEv2 that allows the initiator to only send IDi/IDr to known > entities (e.g. that possess a shared secret). -- kivinen@iki.fi
- [IPsec] Candidate charter text is now in wiki Tero Kivinen
- Re: [IPsec] Candidate charter text is now in wiki mohamed.boucadair
- Re: [IPsec] Candidate charter text is now in wiki David Schinazi
- Re: [IPsec] Candidate charter text is now in wiki Tero Kivinen
- Re: [IPsec] Candidate charter text is now in wiki Tero Kivinen
- Re: [IPsec] Candidate charter text is now in wiki mohamed.boucadair
- Re: [IPsec] Candidate charter text is now in wiki Tero Kivinen
- Re: [IPsec] Candidate charter text is now in wiki mohamed.boucadair
- Re: [IPsec] Candidate charter text is now in wiki Paul Wouters
- Re: [IPsec] Candidate charter text is now in wiki Yoav Nir