Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns

Tommy Pauly <tpauly@apple.com> Fri, 16 February 2018 23:50 UTC

MIME-version: 1.0
Content-type: text/plain; charset="utf-8"
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <alpine.LRH.2.21.1802161507530.23713@bofh.nohats.ca>
Date: Fri, 16 Feb 2018 15:50:28 -0800
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <8EB4F8E2-F3F9-45F4-AC76-985F900BA0EC@apple.com>
References: <23175.8000.242283.548415@fireball.acr.fi> <alpine.LRH.2.21.1802161507530.23713@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3458)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0MeqdfKRpRYG7k_B4B3GdrwgZFo>
Subject: Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2018 23:50:34 -0000

+1 to adding privacy text to the charter. This seems like it will be increasingly relevant if we’re doing host-to-host communication and we want to protect the privacy of various peers.

—Tommy

> On Feb 16, 2018, at 12:09 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Fri, 16 Feb 2018, Tero Kivinen wrote:
> 
>> IKEv2 is currently vulnerable to the two following privacy concerns:
>> 
>> 1) It's not possible to run a server that obfuscates IKEv2/IPsec using
>>  TLS.
> 
>> 2) The privacy of the initiator's identity in the presence of a man in
>>  the middle attacker is not protected.
> 
>> Is this something that we should add to charter? Do people understand
>> the issue?
> 
> I would be in favour of adding this issue to the charter in some to be
> written text.
> 
> Paul
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
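The second concern Tero lists (initiator identity not protected against an active man in the middle) follows from the IKE_AUTH ordering in RFC 7296: nothing in IKE_SA_INIT is authenticated, and the initiator sends its IDi and AUTH in the IKE_AUTH request, before the responder has proved anything. The model below is an added illustration written for this page, not code from the thread or from any IKEv2 implementation. It is not wire format: the DH group (a toy Mersenne-prime group), the KDF, the XOR stream cipher standing in for the ENCR transform, and the PSK-based AUTH tag are all simplified stand-ins, and the identity and pre-shared key are constructed sample values. It contrasts three observers of the same exchange: the honest responder, a passive eavesdropper, and an on-path attacker that substitutes its own KE in both directions.

```python
"""Toy model of the IKEv2 ordering that exposes the initiator's identity to an
active man-in-the-middle. Added illustration only; not IKEv2 wire format and
not any implementation's code. Group, KDF, cipher and AUTH are stand-ins."""
import hashlib
import hmac
import os

# Assumption: toy DH group (Mersenne prime 2^127-1, generator 3). Real IKEv2
# negotiates a registered group; the ordering issue does not depend on it.
P = 2**127 - 1
G = 3
# Constructed sample values, not taken from the thread.
PSK = b"constructed-pre-shared-key"
IDENTITY = b"alice@example.com"


def rand_priv():
    return int.from_bytes(os.urandom(15), "big") + 1


def dh_public(priv):
    return pow(G, priv, P)


def dh_shared(peer_pub, priv):
    return pow(peer_pub, priv, P)


def kdf(ni, nr, shared):
    # Stand-in for SKEYSEED = prf(Ni | Nr, g^ir) and the SK_e derivation.
    return hashlib.sha256(ni + nr + shared.to_bytes(16, "big")).digest()


def toy_crypt(key, data):
    # Toy XOR stream cipher (encrypt == decrypt); models only "under SK".
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def auth_tag(psk, identity):
    # Stand-in for the PSK AUTH payload (the real one also binds the
    # IKE_SA_INIT message and nonces).
    return hmac.new(psk, identity, hashlib.sha256).digest()


class Initiator:
    def __init__(self, identity, psk):
        self.identity, self.psk = identity, psk
        self.x, self.ni = rand_priv(), os.urandom(16)

    def ike_sa_init(self):
        return {"KE": dh_public(self.x), "Ni": self.ni}

    def ike_auth(self, sa_init_resp):
        # IKE_SA_INIT is unauthenticated: the initiator keys off whatever KE
        # it received and sends IDi + AUTH before the responder proves anything.
        self.sk = kdf(self.ni, sa_init_resp["Nr"], dh_shared(sa_init_resp["KE"], self.x))
        plaintext = self.identity + b"\x00" + auth_tag(self.psk, self.identity)
        return {"SK": toy_crypt(self.sk, plaintext)}


class Responder:
    def __init__(self, psk):
        self.psk = psk
        self.y, self.nr = rand_priv(), os.urandom(16)

    def ike_sa_init(self, req):
        self.sk = kdf(req["Ni"], self.nr, dh_shared(req["KE"], self.y))
        return {"KE": dh_public(self.y), "Nr": self.nr}

    def ike_auth(self, msg):
        idi, _, tag = toy_crypt(self.sk, msg["SK"]).partition(b"\x00")
        return idi if hmac.compare_digest(tag, auth_tag(self.psk, idi)) else None


def honest_exchange(identity=IDENTITY, psk=PSK):
    i, r = Initiator(identity, psk), Responder(psk)
    return r.ike_auth(i.ike_auth(r.ike_sa_init(i.ike_sa_init())))


def passive_observer(identity=IDENTITY, psk=PSK):
    # Sees g^x, g^y, Ni, Nr and the IKE_AUTH ciphertext, but never g^xy.
    i, r = Initiator(identity, psk), Responder(psk)
    req = i.ike_sa_init()
    resp = r.ike_sa_init(req)
    ciphertext = i.ike_auth(resp)["SK"]
    wrong_key = kdf(req["Ni"], resp["Nr"], (req["KE"] * resp["KE"]) % P)
    return identity in toy_crypt(wrong_key, ciphertext)  # False: IDi stays hidden


def active_mitm(identity=IDENTITY, psk=PSK):
    # On-path attacker substitutes its own KE in both IKE_SA_INIT directions.
    i, r, m = Initiator(identity, psk), Responder(psk), rand_priv()
    req = i.ike_sa_init()
    resp = r.ike_sa_init({"KE": dh_public(m), "Ni": req["Ni"]})
    auth_req = i.ike_auth({"KE": dh_public(m), "Nr": resp["Nr"]})
    # Attacker shares g^(x*m) with the initiator, derives SK and reads IDi.
    # It cannot forge AUTH (no PSK), so the SA fails later, but IDi is out.
    sk = kdf(req["Ni"], resp["Nr"], dh_shared(req["KE"], m))
    return toy_crypt(sk, auth_req["SK"]).partition(b"\x00")[0]


if __name__ == "__main__":
    print("honest responder learns IDi:", honest_exchange())
    print("passive observer learns IDi:", passive_observer())
    print("active MITM learns IDi:     ", active_mitm())
```

The point the model makes is purely about ordering: the attacker never needs to pass the initiator's AUTH check or authenticate to the responder, because the identity is disclosed in the first IKE_AUTH message, which is encrypted under a key the attacker helped derive. The first charter concern (carrying IKEv2/IPsec inside TLS) is a transport question that this model does not attempt to illustrate.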