Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-ikev2-null-auth-06: (with COMMENT)

Paul Wouters <paul@nohats.ca> Sun, 31 May 2015 15:57 UTC

Date: Sun, 31 May 2015 11:57:43 -0400
From: Paul Wouters <paul@nohats.ca>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <20150527074332.5286.73511.idtracker@ietfa.amsl.com>
Message-ID: <alpine.LFD.2.11.1505311151230.5269@bofh.nohats.ca>
References: <20150527074332.5286.73511.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/7AGWLd-CvH4tlv9aUWmP1UEndus>
Cc: ipsecme-chairs@ietf.org, paul.hoffman@vpnc.org, ipsec@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org

On Wed, 27 May 2015, Stephen Farrell wrote:

> - 2.5: "hand out" is an odd phrase here - would be better
> to expand on that I think and say more precisely what
> should never be done.

How about:

OLD:

    A rogue IKE peer could use malicious Traffic Selectors to obtain
    access to traffic that the host never intended to hand out.

NEW:

    A rogue IKE peer could use malicious Traffic Selectors to trick
    a remote host into giving it IP traffic that the remote host never
    intended to be sent to remote IKE peers. For example, if the remote
    host uses 192.0.2.1 as its DNS server, a rogue IKE peer could set its
    Traffic Selector to 192.0.2.1 in an attempt to receive the remote
    peer's DNS traffic.

Paul
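
The Traffic Selector attack in the proposed Section 2.5 text, modelled as an added example (this is not code from the draft, from the thread, or from any IKE implementation). A rogue initiator whose IKE packets come from 198.51.100.7 (a constructed address) proposes a TSi of 192.0.2.1, the responder's DNS server from the draft text. A responder that only narrows the proposed selector against its configured policy, which for opportunistic IPsec is typically "any", installs a Child SA whose remote selector covers the DNS server, so the responder's DNS queries are routed into the tunnel. The hardened variant applies the check this example assumes as policy: an unauthenticated peer's selector is additionally clamped to the address its IKE packets arrived from, so the rogue proposal becomes TS_UNACCEPTABLE while an honest "any" proposal is simply narrowed to the peer's own address. The ANY policy, DNS_SERVER and ROGUE_PEER constants are constructed for the example; the no-NAT assumption is noted in the code.

```python
"""Traffic Selector (TS) narrowing on a NULL-authenticated IKEv2 responder.

Added example, not code from the draft or from any IKE implementation.  It
models the attack in the proposed Section 2.5 text (a rogue peer claims the
responder's DNS server 192.0.2.1 in its Traffic Selector) and shows the
check a responder can apply: clamp an unauthenticated peer's selector to the
address its IKE packets actually came from.  The rogue peer's address
198.51.100.7 and the 'any' policy are constructed for the example.
"""
import ipaddress
from typing import Optional, Tuple

# A TS is modelled as an inclusive IPv4 address range (TS_IPV4_ADDR_RANGE);
# protocol and port ranges are omitted to keep the narrowing logic visible.
TS = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def ts(start: str, end: Optional[str] = None) -> TS:
    """Build a TS from one address or an inclusive start/end pair."""
    lo = ipaddress.IPv4Address(start)
    hi = ipaddress.IPv4Address(end) if end is not None else lo
    if hi < lo:
        raise ValueError("TS end address precedes start address")
    return (lo, hi)


# Typical opportunistic-IPsec policy: accept any remote address (constructed).
ANY = ts("0.0.0.0", "255.255.255.255")
DNS_SERVER = "192.0.2.1"       # the responder's DNS server, from the draft text
ROGUE_PEER = "198.51.100.7"    # IKE source address of the rogue peer (constructed)


def narrow(proposed: TS, allowed: TS) -> Optional[TS]:
    """Intersect two ranges as an IKEv2 responder narrows a proposed TS
    (RFC 7296, Section 2.9).  None means the ranges are disjoint."""
    lo = max(proposed[0], allowed[0])
    hi = min(proposed[1], allowed[1])
    return (lo, hi) if lo <= hi else None


def naive_responder(proposed_tsi: TS, policy_remote: TS) -> Optional[TS]:
    """Vulnerable responder: narrows the initiator's TSi only against the
    configured policy.  With an 'any' policy a NULL-authenticated peer can
    claim whatever address it likes, including the responder's DNS server."""
    return narrow(proposed_tsi, policy_remote)


def null_auth_responder(proposed_tsi: TS, policy_remote: TS,
                        peer_src: str) -> Optional[TS]:
    """Hardened responder: after policy narrowing, additionally clamp TSi to
    the single address the peer's IKE packets came from.  Returns the TS to
    install for the Child SA, or None (send TS_UNACCEPTABLE).  Assumes no NAT
    between the peers; a NATed peer would need its own handling."""
    narrowed = narrow(proposed_tsi, policy_remote)
    if narrowed is None:
        return None
    return narrow(narrowed, ts(peer_src))


def covers(selector: Optional[TS], addr: str) -> bool:
    """True if traffic to/from addr would match the installed selector."""
    if selector is None:
        return False
    a = ipaddress.IPv4Address(addr)
    return selector[0] <= a <= selector[1]


if __name__ == "__main__":
    rogue_tsi = ts(DNS_SERVER)   # rogue peer claims to be the DNS server
    installed = naive_responder(rogue_tsi, ANY)
    print("naive responder installs", installed,
          "-> DNS traffic hijacked:", covers(installed, DNS_SERVER))
    installed = null_auth_responder(rogue_tsi, ANY, ROGUE_PEER)
    print("hardened responder installs", installed,
          "-> DNS traffic hijacked:", covers(installed, DNS_SERVER))
    # An honest peer proposing 'any' is simply narrowed to its own address.
    print("honest 'any' proposal narrows to",
          null_auth_responder(ANY, ANY, ROGUE_PEER))
```

The clamp is deliberately applied after ordinary policy narrowing rather than instead of it, so a site policy tighter than "any" still wins; the cost is that peers behind a NAT, whose IKE source address is the NAT, would need the clamp relaxed to the NAT address or the connection rejected.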