Re: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt

Tero Kivinen <kivinen@iki.fi> Tue, 04 March 2014 10:06 UTC

Message-ID: <21269.42393.747107.339481@fireball.kivinen.iki.fi>
Date: Tue, 04 Mar 2014 12:06:17 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@cypherpunks.ca>
In-Reply-To: <alpine.LFD.2.10.1403031755040.4233@bofh.nohats.ca>
References: <B1B032692C7045B7AEA06166F8AC9B9F@buildpc> <21268.39396.785431.297271@fireball.kivinen.iki.fi> <alpine.LFD.2.10.1403031755040.4233@bofh.nohats.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/BjOmtSvrLCD4sdR5FAkHd_8XSrQ
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>
Subject: Re: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>

Paul Wouters writes:
> > Actually I now noticed you changed the "SHOULD be ignored" to "MUST be
> > ignored", and I think that is again a bad idea. I think logging and
> > auditing the ID for problem solving purposes is a good idea even if it
> > does not have any meaning for the authentication. I.e. at least then I
> > can contact helpdesk and say that my NULL authentication connection to
> > server 1.2.3.4 failed, and I have no idea why, can you help. Oh, my ID
> > payload had ID_KEY_ID 0324234mkdsff43r5, if that helps you to find it
> > from your logs...
> 
> I disagree strongly. The point here is that the client is anonymous. We
> should not add things that can be traced to a user. Someone will badly
> abuse this "feature" like you are suggesting for "diagnostics" and
> inadvertently compromise the client's anonymity.

I guess you have never done any helpdesk support trying to help people
who complain that something does not work? Having something there
that would help support to find your items in the logs is always
useful.

The client does not have to put anything there if they do not like it,
and the default setting should be that there is nothing, but allowing
such things will make things easier for those poor souls doing
helpdesk.

I myself need to sometimes help people complaining about email
problems in the iki.fi (email forwarder), and it is really hard to try
to find a specific email from the logs, especially as there are problems
with timezones, and delays and so on, so the exact time when the email was
sent does not really help. Sometimes they are able to find the message-id
of the problematic email or the queue id at our end, and then it is so
easy to find the entries in the logs and pinpoint the problem.

I think the most important point of this feature is that the client is
UNAUTHENTICATED, not that it is ANONYMOUS. If you want to have
anonymity then you need to use TOR or similar, this is not enough.
Your IP address etc. will give your identity out in most cases anyway.
Even if your IP address is not the same as normally, your browser using
the same IP address at the same time will give out a browser fingerprint
that will most likely uniquely identify you when used in combination
with the fact that you are also using null authentication in IPsec and
connecting to the host X.

We should understand what this feature offers, and what it can be used
for. Anonymity is not offered by this feature.
-- 
kivinen@iki.fi