IETF Logo Mail Archive

Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 12 October 2022 19:18 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CBCEC14CF02 for <ipsec@ietfa.amsl.com>; Wed, 12 Oct 2022 12:18:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jReuoI7uZZtw for <ipsec@ietfa.amsl.com>; Wed, 12 Oct 2022 12:18:39 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86A12C14F74B for <ipsec@ietf.org>; Wed, 12 Oct 2022 12:18:39 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id b2so27195636lfp.6 for <ipsec@ietf.org>; Wed, 12 Oct 2022 12:18:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=IipYJlVnAAx2O803pABYqQMESHklVYGzgdFknXDibWM=; b=I1VULsekNDbFTRRa/kRAuJ9VoFtfpRZJxGud/7nbT1RmA8d+mlp99uIN4eZTFvmUfE 4m5KbM6YFgbPTnA7efEk2Jp9pC7TpBiKcQ5abZadF/a+9cruejcQ3d7E/bS8Z2B+jAyc LWa1WACAurwUdn77OFOPfhSDyjbrXtyxUACycCcb/3JMgzbJKt8gJXYD34ufqo5WMX5M VNyxwgn3tQ1zL1zj4m9/0cBHiz2+h7yxbnA9OgYa9seG1Fwe0m6QeM8a6tFeO6KaAprf 0IUvrChQt4IaQsM1FVNINi50ypunuqxG1blLkj8Eh/E37DVT6PCRfdyuTEN9qAr8uwHa cCkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=IipYJlVnAAx2O803pABYqQMESHklVYGzgdFknXDibWM=; b=G+jYeEXJR7SCXC12ZuBbZrQBYbFndxpdgSmLk9AIQQPgzoH6rc8k8vOTIt5ZspbrNo 956u2fnL3v4oO4Kv/+5IkN/VZpJ9iO1iNhIMjjxr3OaExVTA+T1EwFE1MWFFo7H4SeLS d/75XZCBg2EEssOp6q91G+X2vUj3gXiWyasmrz6wYG1Lh0fWzWO9UUPl56P+37hgh8WM b6NTlOTw/wfDv+c2rHGGVk+R8e+vxBlePY0mhWtqXsgxOs3gZNk1WWrFXLcTRBpemeBE CNHCNk90ru+1OZedPvfYTARVz+T4rIKE6f5CaQfOQRVk3lB9Z9ZiD8mImU/8aDlCEP2r KzdA==
X-Gm-Message-State: ACrzQf10rlhYGFEZxgDmsPCD5vRylPbweH0+1ykFA6u41K2tT3ROUJAP m4AKL7uqxP+Nht0Gf8IL6OE=
X-Google-Smtp-Source: AMsMyM6t0Y79NutNpFfuPLPLY/qLEt7rltk8MOG0yvqoOZStS33zUyC52QJaGJD0ihZO3d1LwjXc/w==
X-Received: by 2002:ac2:46c9:0:b0:4a4:47cc:fc9d with SMTP id p9-20020ac246c9000000b004a447ccfc9dmr1705480lfo.1.1665602317010; Wed, 12 Oct 2022 12:18:37 -0700 (PDT)
Received: from chichi (89-179-106-224.broadband.corbina.ru. [89.179.106.224]) by smtp.gmail.com with ESMTPSA id i21-20020ac25235000000b0049e9122bd0esm75049lfl.114.2022.10.12.12.18.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Oct 2022 12:18:36 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Tero Kivinen' <kivinen@iki.fi>, 'Roman Danyliw' <rdd@cert.org>
Cc: 'CJ Tjhai' <cjt@post-quantum.com>, 'Valery Smyslov' <svan@elvis.ru>, ipsec@ietf.org
References: <BN2P110MB1107D456BF345148FADD88CFDC569@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <CANs=h-WWnrdv5+ewjKVnBdoC4X4eTosM5uZ1BDfED1EJ=V9UFw@mail.gmail.com> <BN2P110MB1107E6807021031C3A5B6A0CDC209@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <25415.3646.863005.336101@fireball.acr.fi>
In-Reply-To: <25415.3646.863005.336101@fireball.acr.fi>
Date: Wed, 12 Oct 2022 22:18:32 +0300
Message-ID: <010301d8de6f$6b669250$4233b6f0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHiTJxmHWwx5snBvvH0Rlk0y1mV0QGeaUCsAscZMowCZasgdq3B6Wzg
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/5fIl4rBZfy0ftcH6bAZbmLrVd8w>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2022 19:18:40 -0000

Hi Tero,

> Roman Danyliw writes:
> >     ** Section 3.2.4.
> >
> >     The responder MUST handle this
> >        situation gracefully and delete the associated state if it does not
> >        receive the next expected IKE_FOLLOWUP_KE request after some
> >        reasonable period of time.
> >
> >     Is there a guidance on the timeout value?
> >
> > IKEv2 traditionally does not mandate exact timeouts. For example, the
> same
> > situation happens if the initiator completes IKE_SA_INIT and never starts
> > IKE_AUTH. The responder should eventually delete the incomplete IKE SA,
> but
> > RFC 7296 does not specify how long the waiting time is.
> >
> > FWIW, our implementations waits 5 seconds by default (which is
> adjustable
> > value).
> >
> > Do you think we should recommend (but not mandate) to wait for 5-10
> seconds?
> >
> > [Roman] A recommended value would help if you are comfortable giving
> it, or
> > explaining why it’s hard to give one.  This is a common question that
> comes
> > from transport review during IETC LC or IESG review.
> 
> Suitable values can be between few seconds up to few minutes. For
> example timeout between IKE_SA_INIT and IKE_AUTH might require user
> interaction, thus it might be up to minutes if PIN code to unlock user
> auth device is required etc.
> 
> Because the timeouts are so different depending on the environment and
> usage scenario we do not give them in the IKEv2 document.

With the IKE_FOLLOWUP_KE exchange user interaction is not a problem (it should not take place).
However, since we are talking about PQ algorithms and some of them
may be quite costly in terms of generating a key pair, the initiator may just
be unable to provide data for the next IKE_FOLLOWUP_KE exchange quickly.

So, while I think that several minutes is too long in this case,
I agree that timeout values could be very different depending on the 
initiator's resources and on the algorithm employed. For this reason
we didn't specify it. We can give a vague recommendation
that waiting for 5-20 seconds can be appropriate in most situations,
but definitely we don't want making these values normative.

Regards,
Valery.

> --
> kivinen@iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email