Re: [IPsec] GDOI and G-IKEv2 payloads

'Toerless Eckert' <tte@cs.fau.de> Tue, 06 February 2024 16:14 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95777C14F699 for <ipsec@ietfa.amsl.com>; Tue, 6 Feb 2024 08:14:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.657
X-Spam-Level:
X-Spam-Status: No, score=-6.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QI4eAK92nD-k for <ipsec@ietfa.amsl.com>; Tue, 6 Feb 2024 08:14:07 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8E4EC14F605 for <ipsec@ietf.org>; Tue, 6 Feb 2024 08:14:06 -0800 (PST)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [131.188.34.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4TTpGK4f3MznkL2; Tue, 6 Feb 2024 17:14:01 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4TTpGK3WxLzkmlp; Tue, 6 Feb 2024 17:14:01 +0100 (CET)
Date: Tue, 06 Feb 2024 17:14:01 +0100
From: 'Toerless Eckert' <tte@cs.fau.de>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: "'Fries, Steffen'" <steffen.fries=40siemens.com@dmarc.ietf.org>, ipsec@ietf.org
Message-ID: <ZcJayWHonFVxYRhv@faui48e.informatik.uni-erlangen.de>
References: <DB9PR10MB6354CF46CDE84485FB1510BCF3472@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM> <ZcEQWFuF7Uj_dY-d@faui48e.informatik.uni-erlangen.de> <02ff01da58ce$88f7f630$9ae7e290$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <02ff01da58ce$88f7f630$9ae7e290$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AgmVakNSaiafv8MFMRFyuRBhBOc>
Subject: Re: [IPsec] GDOI and G-IKEv2 payloads
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 16:14:10 -0000

Well... There may be connection between progressing the draft and these extensions.

Given how extensions to GDOI where also done by other SDOs, i would like to understand if
G-IKEv2 has done the best to make extensions as painless as possible, especially for adopting
extensions previously existing in GDOI. Worst case, G-IKEv2 does make any such extensions more
difficult than necessary (not what i would think, just thinking paranoid).

Ideally, i would even like to see a small section in G-IKEv2 that outlines how GDOI extensions
can be mapped to G-IKEv2 . If this waas all registry entries in RFC8052, then it would
IMHO even be a great exercise for progressing G-IKEv2 to see if equivalent registry entries for
G-IKEv2 would be sufficient. And the section i am thinking of would for example just be a
comparison of registry tables.

Cheers
    Toerless

On Tue, Feb 06, 2024 at 10:31:43AM +0300, Valery Smyslov wrote:
> Hi Toerless,
> 
> first G-IKEv2 should be published as RFC. The draft is currently in WGLC
> (for a long time),
> but received very few reviews so far (and many thanks to all who reviewed
> it!).
> I'm planning to publish an updated version addressing Daniel's review soon.
> 
> Once G-IKEv2 is standardized, there is no problem (IMHO) to do the
> equivalent of RFC8052 with it.
> 
> Regards,
> Valery.
> 
> > How would someone today do the equivalent of RFC8052 with G-IKEv2 ?
> > 
> > On Mon, Feb 05, 2024 at 04:06:11AM +0000, Fries, Steffen wrote:
> > > Hi,
> > >
> > > I've got a question regarding the relation of G-IKEv2 and GDOI.
> > >
> > > I realized that G-IKEv2 will be the successor of GDOI and would have a
> question
> > regarding backward compatibility of payloads defined for GDOI. As the
> underlying
> > exchanges for the base key management changed from IKE to IKEv2 they will
> not
> > be backward compatible. Nevertheless, there have been enhancements of GDOI
> > for protocols used in the power system domain like GOOSE and Sampled
> Values,
> > which lead to the definition of new payloads for the ID, SA TEK and KD
> payloads to
> > accommodate the power system protocol parameters in RFC 8052. Likewise,
> using
> > the same approach new payloads of the same types have been defined to
> > distribute parameters for PTP (Precision Time Protocol) in IEC 62351-9.
> > >
> > > In general, I realized that there are similar payloads available in
> G-IKEv2 but I
> > was not quite sure, if it was a design criterion to have backward
> compatibility for
> > extensions/enhancements defined for GDOI to be usable also in G-IKEv2.
> Could
> > you please shed some light on this?
> > >
> > > Best regards
> > > Steffen
> > >
> > > --
> > > Steffen Fries
> > >
> > > Siemens AG
> > > Technology
> > > Cybersecurity & Trust
> > > T CST
> > > Otto-Hahn-Ring 6
> > > 81739 Munich, Germany
> > > Phone: +49 (89) 7805-22928
> > > mailto:steffen.fries@siemens.com
> > > www.siemens.com
> > > [Logo]
> > > Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim
> Hagemann
> > Snabe; Managing Board: Roland Busch, Chairman, President and Chief
> Executive
> > Officer; Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese;
> > Registered offices: Berlin and Munich, Germany; Commercial registries:
> Berlin-
> > Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
> > 
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec