Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol

<Paul_Koning@Dell.com> Mon, 08 September 2014 14:54 UTC

From: Paul_Koning@Dell.com
To: yaronf.ietf@gmail.com
Date: Mon, 08 Sep 2014 14:54:09 +0000
Message-ID: <BE175F90-68B6-4731-B32E-BA9EF3F3BAD8@dell.com>
References: <540CA9B2.3090807@gmail.com>
In-Reply-To: <540CA9B2.3090807@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/CcbUhRF6FJ7DVoqYOdLGoAqEvdE
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol

On Sep 7, 2014, at 2:53 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> Dear working group,
> 
> This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG document. Please respond to this mail with a Yes or No and a short rationale, at latest by Friday Sep. 12.

Maybe.

I understand and support the rationale for this draft.  

The Security Considerations seems to be inadequate.  Whenever possible, real authentication should be used.  So the Security Considerations should explicitly and strongly emphasize that, and recommend that products that incorporate Null authentication should strive to avoid its use whenever possible, and steer users away from its use when they can.

A related question: does the use of Null authentication open up the Bellovin attack?  It seems that it would.  If so, my answer changes to “NO”.

	paul