IETF Logo Mail Archive

Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth

Paul Koning <paul_koning@dell.com> Fri, 23 January 2015 16:50 UTC

Return-Path: <paul_koning@dell.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E192B1A8BC2 for <ipsec@ietfa.amsl.com>; Fri, 23 Jan 2015 08:50:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3m_P391Cz0KY for <ipsec@ietfa.amsl.com>; Fri, 23 Jan 2015 08:50:10 -0800 (PST)
Received: from resqmta-ch2-04v.sys.comcast.net (resqmta-ch2-04v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:36]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D25041A87AC for <ipsec@ietf.org>; Fri, 23 Jan 2015 08:50:09 -0800 (PST)
Received: from resomta-ch2-10v.sys.comcast.net ([69.252.207.106]) by resqmta-ch2-04v.sys.comcast.net with comcast id jUpP1p0062JGN3p01Uq8Vv; Fri, 23 Jan 2015 16:50:08 +0000
Received: from akdesign.dyndns.org ([50.169.224.229]) by resomta-ch2-10v.sys.comcast.net with comcast id jUq81p00A4xb7Ai01Uq8UF; Fri, 23 Jan 2015 16:50:08 +0000
Received: from pkoning.akdesign.com (pkoning.akdesign.com [192.168.10.125]) by akdesign.dyndns.org (Postfix) with ESMTP id 7770A3C0485; Fri, 23 Jan 2015 11:50:06 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Paul Koning <paul_koning@dell.com>
In-Reply-To: <D0E8103C.38B87%grbartle@cisco.com>
Date: Fri, 23 Jan 2015 11:50:06 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <B8D4358C-E4D8-4B28-876E-D99FCC927302@dell.com>
References: <5E3BDAA5-B0C8-4004-8FFE-25B91199D7EC@vpnc.org> <D0D61010.3756D%grbartle@cisco.com> <363A367E1CF64C4C98586DC57F1AC987@buildpc> <D0DB345D.37DEF%grbartle@cisco.com> <alpine.LFD.2.10.1501131803240.3286@bofh.nohats.ca> <D0E8103C.38B87%grbartle@cisco.com>
To: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
X-Mailer: Apple Mail (2.1993)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1422031808; bh=FtnP4l0dTshz+yqdvGteVbWgwMJbOA2XIXj/5hI2EuM=; h=Received:Received:Received:Content-Type:Mime-Version:Subject:From: Date:Message-Id:To; b=WKWG7jH8ckH1TvII0BDxOH73gX4MvSrcSi5BzL/9A2Vq06blVsynvoxlo+ZkrKTk0 Yr9qFtGJ/DEWKbmj8UjOvcMsNbzdk1FyO7i8XndM9t60LfsjFWO40tDwjb+W+Avj9V qo9N34Lgae0l6YwLPysQcxzvaJcKGd4RdLaDNlSq7Mpc5ueOJgYYjmmOqL7Vq5Lc2Y eghn2NGRZJfKAYJHkoR1bBwTiheQTwrFAaungbBa4fSqWxFlT59g43IpQmxpCxjdEH yei07DTk3PDEG5hdwT6bvka2U71L5+dr6HT8IUjo+R14lx6HqrR9B1W9vhboxX3sHh 7o5CF6Z/0hFwQ==
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/48RVRx3Pi4k9VO7t1jnVq6TqYyg>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Subject: Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jan 2015 16:50:11 -0000

> On Jan 23, 2015, at 11:28 AM, Graham Bartlett (grbartle) <grbartle@cisco.com> wrote:
> 
> Hi Paul
> 
> 
> Sorry for the late reply. Hopefully the following is more clear?
> 
> When designing systems which will provide connectivity for
> non-authenticated users, the system SHOULD be designed with the capacity
> to support not only the maximum intended number of peers, but also include
> an additional number of sessions which are created due to malicious or
> erroneous behaviour. This safety margin will allow a system to still
> operate safely under load until it is exceeded.

I understand the sentiment, but this seems like a recommendation that can’t be tested and can’t really be implemented either.  The trouble is that the number of malicious sessions is unbounded (and may be quite large in a DOS scenario).

It might be better simply to point out the limitations of the machinery: because authentication is not provided in this case, the receiving system has no way to distinguish legitimate peers from malicious ones.  As a result, a denial of service attack may prevent the intended number of legitimate peers from communicating.  Additional session (SA?) capacity may help in such cases.

My point is that this is definitely going to be a case of throwing some more resources at the problem in the hopes it’s enough, but no way to predict whether it’s good enough.  Because of that, “SHOULD” seems inappropriate, and a simple statement of the issue and the limitations of this new protocol is better.

	paul

v2.23.0 | Report a Bug | By Email