Re: [IPsec] Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-03 (Section 3)

Rafa Marin-Lopez <rafa@um.es> Tue, 27 November 2018 15:28 UTC

From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <D8BB13F7-1EB2-43E2-8571-A557820C734B@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_66109275-53AA-4055-94F2-8800E1AEC71B"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Date: Tue, 27 Nov 2018 16:27:49 +0100
In-Reply-To: <alpine.LRH.2.21.1811180149220.25604@bofh.nohats.ca>
Cc: Rafa Marin-Lopez <rafa@um.es>, Yoav Nir <ynir.ietf@gmail.com>, i2nsf@ietf.org, "ipsec@ietf.org WG" <ipsec@ietf.org>
To: Paul Wouters <paul@nohats.ca>
References: <A881C135-9BF7-4E93-BB7A-75EB3D1FF605@gmail.com> <6839D47C-4074-486F-9350-8EB7B378036C@um.es> <DAE14995-8504-4134-B021-93D56A4994FB@gmail.com> <alpine.LRH.2.21.1811180149220.25604@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/007N17PQDMdInCYzu2Ja5aHJyCA>

Hi Paul:

> Section 3:
> 
>     It requires information about the
>     required authentication method (i.e. preshared keys), DH groups,
>     modes and algorithms for IKE SA negotiation, etc.
> 
> In the IKE world, we really try to not recommend preshared keys, because
> these keys mostly based on human readable low entropy content. If this
> document thinks raw RSA/ECDSA keys or X.509 certificates are also methods
> that will be implemented by SDN Controllers, please change the example of
> preshared keys to something else.

[Authors] In the IKE case, the Security Controller generates pseudo-random PSKs. Hence, there is NO low entropy
content since this PSK is not based on human involvement. Having said that, raw RSA/ECDSA keys or
X.509 certificates are plausible. Let's add it:

    "It requires information about the
    required authentication method (i.e. a raw public key, an X.509 certificate or preshared keys), DH groups,
    modes and algorithms for IKE SA negotiation, etc."

Best Regards.


-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------
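The exchange above turns on one point: a PSK generated by the Security Controller from a CSPRNG has full entropy, unlike a human-chosen passphrase, and that matters because IKEv2's PSK authentication (RFC 7296, section 2.15) is an HMAC over the exchange keyed by the shared secret. The following Python is an added example, not code from the draft, the thread or any implementation: it models a controller that provisions one distinct PSK per NSF pair, then carries the RFC 7296 AUTH computation through with PRF_HMAC_SHA2_256 assumed as the negotiated PRF. The NSF names, nonces, SK_pi and message bytes are constructed sample data; the 128-bit length floor is an assumed policy.

```python
"""Controller-provisioned IKEv2 PSKs and the RFC 7296 PSK AUTH computation.

Added example, not code from the draft or the mailing-list thread.  Assumes a
Security Controller that hands the same CSPRNG-generated PSK to both NSFs of a
pair, and PRF_HMAC_SHA2_256 as the negotiated IKEv2 PRF.  NSF names, nonces
and message bytes are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# RFC 7296 section 2.15: the pad is these 17 ASCII octets, no NUL terminator.
KEY_PAD = b"Key Pad for IKEv2"
MIN_PSK_BYTES = 16  # 128 bits; policy floor assumed for this example


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S) with PRF_HMAC_SHA2_256 (assumed negotiated PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def generate_psk(nbytes: int = 32) -> bytes:
    """Controller-side PSK: raw CSPRNG output, never a human-chosen string."""
    return secrets.token_bytes(nbytes)


def psk_meets_policy(psk: bytes) -> bool:
    """Length floor only; the entropy guarantee comes from who generated it."""
    return len(psk) >= MIN_PSK_BYTES


class Controller:
    """Keeps one distinct PSK per unordered NSF pair and provisions both ends."""

    def __init__(self) -> None:
        self.psks: dict[frozenset, bytes] = {}

    def provision(self, nsf_a: str, nsf_b: str) -> bytes:
        pair = frozenset((nsf_a, nsf_b))
        if pair not in self.psks:
            self.psks[pair] = generate_psk()
        return self.psks[pair]


def signed_octets(real_message: bytes, peer_nonce: bytes,
                  sk_p: bytes, id_payload_rest: bytes) -> bytes:
    """InitiatorSignedOctets / ResponderSignedOctets (RFC 7296 section 2.15):
    RealMessage | NoncePeerData | prf(SK_p, RestOfIDPayload)."""
    maced_id = prf(sk_p, id_payload_rest)
    return real_message + peer_nonce + maced_id


def psk_auth(psk: bytes, octets: bytes) -> bytes:
    """AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )."""
    return prf(prf(psk, KEY_PAD), octets)


def verify_psk_auth(psk: bytes, octets: bytes, received: bytes) -> bool:
    """Constant-time comparison of the peer's AUTH against our own computation."""
    return hmac.compare_digest(psk_auth(psk, octets), received)


def demo() -> tuple[bool, bool]:
    """NSF A authenticates to NSF B with the controller-issued pair PSK; an AUTH
    computed under a different pair's PSK is rejected by B."""
    ctrl = Controller()
    psk_ab = ctrl.provision("nsf-a", "nsf-b")
    psk_ac = ctrl.provision("nsf-a", "nsf-c")

    # Constructed IKE_SA_INIT values; real ones come from the exchange itself.
    message1 = b"IKE_SA_INIT request bytes (constructed)"
    nonce_r = secrets.token_bytes(32)
    sk_pi = secrets.token_bytes(32)  # in IKEv2 this is derived from SKEYSEED
    id_i_rest = b"\x03\x00\x00\x00nsf-a@example.invalid"  # ID_RFC822_ADDR, constructed

    octets = signed_octets(message1, nonce_r, sk_pi, id_i_rest)
    auth_from_a = psk_auth(psk_ab, octets)
    accepted_by_b = verify_psk_auth(psk_ab, octets, auth_from_a)
    mismatch_rejected = not verify_psk_auth(psk_ab, octets, psk_auth(psk_ac, octets))
    return accepted_by_b, mismatch_rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The design point is that nothing in the AUTH computation itself protects a weak secret: the peer's AUTH value and the signed octets are observable, so the security of PSK mode rests entirely on the shared secret being unguessable, which is exactly what controller-side generation from a CSPRNG provides and a human-typed passphrase does not. Raw public keys or X.509 certificates change this trade-off by replacing the shared secret with a signature over the same signed octets.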