IETF Logo Mail Archive

Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ikev2-08

Paul Wouters <paul@nohats.ca> Tue, 05 November 2019 22:44 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B662120025; Tue, 5 Nov 2019 14:44:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cucmqs5MX0Ly; Tue, 5 Nov 2019 14:44:48 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59AFF120018; Tue, 5 Nov 2019 14:44:48 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4774VQ1FbQzFk4; Tue, 5 Nov 2019 23:44:46 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1572993886; bh=6e0rwcTYJDTjZpkwyjbQY0oqsyaJZiBUqtaT6gyzZm0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=rEzpI2Xm0f8OtZ7IsLG5GaLZpHwFF1+ZL2QudbxZrnGRpFUIPXYxwkpvs6fb/SRT2 XJbrZhVXnWHCCTK+Q2fEbS+lxszhY+YpCEM+nMpSX17E0HB6fGnar6PbZ8yfoYnJGC kpqodiKyWELMY7wQ3p0+jFgZsKr6ENKyJivE5eyQ=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id cluyVpZcIK8y; Tue, 5 Nov 2019 23:44:43 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 5 Nov 2019 23:44:43 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 045BB607CBF4; Tue, 5 Nov 2019 17:44:42 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 031C223D09C; Tue, 5 Nov 2019 17:44:42 -0500 (EST)
Date: Tue, 05 Nov 2019 17:44:41 -0500
From: Paul Wouters <paul@nohats.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
cc: Valery Smyslov <svan@elvis.ru>, ipsec@ietf.org, draft-ietf-ipsecme-qr-ikev2.all@ietf.org
In-Reply-To: <20191105195939.GH61969@kduck.mit.edu>
Message-ID: <alpine.LRH.2.21.1911051731400.15597@bofh.nohats.ca>
References: <20191105023831.GH55993@kduck.mit.edu> <058d01d593e5$0be7eb80$23b7c280$@elvis.ru> <20191105195939.GH61969@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/4H4WaGL4rebnevPc-eNhMW4G7ZQ>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ikev2-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 22:44:50 -0000

On Tue, 5 Nov 2019, Benjamin Kaduk wrote:

> Oh, this is probably the key part of my confusion/misunderstanding with the
> terminology (which also shows up later on, IIRC).
> Namely, that the initial exchange generates an IKE SA, and the other SAs
> ("children" for ESP/AH usage) are called IPsec SAs (not IKE SAs).
> In that case this text is fine as-is and there's nothing to change, so
> sorry for the noise.

Sorry, I do want to clarify this to be sure you got it completely right:

In IKEv1, you first setup an IKE SA (then called ISAKMP SA) using eiher
the Main or Aggress Mode Exchange, and then you do one or more Quick Mode
Exchanges to setup the first and subsequent IPsec SA's.

In IKEv2, the Initial Exchanges (1 IKE_SA_INIT plus 1 IKE_AUTH exchange)
create one IKE SA (now called Parent SA) nd one IPsec SA (now also called
Child SA) at the same time. Additional IPsec SA's can be created using
the CREATE_CHILD_SA exchange.

In IKEv2, we don't talk about ISAKMP SA anymore. I think people hoped
that in IKEv2 we would not talk about IKE SA and IPsec SA anymore (but
only talk about Parent SA and Child SA) but I don't think in reality
that is happening. I know our developers continue to disagree about what
to call certain things in code and documentation :)

This all does make it a little confusing. I can recommend the new NIST
Guide to IPsec VPNs SP800-77r1 document where I explain all these terms
as well :)

>>>                                    <--  HDR, SK {AUTH, SAr2, TSi, TSr
>>>                                         [, N(PPK_IDENTITY)]}
>>>
>>> Am I missing something subtle as to why N(PPK_IDENTIFY) is listed as
>>> optional here in the EAP case but not in the previous diagram for the
>>> non-EAP case?
>>
>> In the previous diagram we consider only the case when using
>> PPK is agreed upon, so N(PPK_IDENTITY) is not optional.

This btw, is a little weird. I think it is better to have the "generic"
exchange documented, and in the text write specific examples of when
payloads are or aren't t there. I think the figures/diagrams should be
drawn to represent the generic case, where it should be optional because
if it does not know the right PPK_ID, it will not send the notify.

That is, the diagrams should represent the state machine, not an
example of the state machine.

Paul

v2.23.0 | Report a Bug | By Email