Re: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-00.txt
"Valery Smyslov" <svanru@gmail.com> Wed, 25 December 2013 05:19 UTC
Message-ID: <01E73A999255430F803315D676238C09@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, ipsec@ietf.org
References: <C687BD9EA2204F1087D18646766A3C7B@buildpc> <52BA0DEA.8040404@gmail.com>
Date: Wed, 25 Dec 2013 09:18:52 +0400
Subject: Re: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-00.txt
Hi Yaron,

> Hi Valery,
>
> Thanks for posting this draft.
>
> One quick comment: the interaction of your proposal with EAP is not clear
> to me, i.e. when one peer uses Null auth and the other uses EAP. There are
> cases where this should be forbidden (e.g. MSCHAP, where the
> unauthenticated peer can mount a dictionary attack) and other cases where
> this is OK. Specifically, for the methods listed as "safe" in Sec. 4 of
> RFC 5998, I believe this use would be secure.

Actually, I think that NULL Auth should not be used with EAP.
Section 2.16 of RFC5996 states:

   In addition to authentication using public key signatures and shared
   secrets, IKE supports authentication using methods defined in RFC 3748
   [EAP]. Typically, these methods are asymmetric (designed for a user
   authenticating to a server), and they may not be mutual. For this
   reason, these protocols are typically used to authenticate the
   initiator to the responder and MUST be used in conjunction with a
   public-key-signature-based authentication of the responder to the
   initiator.

I agree with you that in some cases using NULL Auth with EAP might be
secure, but as IKEv2 already requires the responder to use signature
auth with EAP, I don't see any reason to change it. Do you think it's
worth mentioning that in the draft and providing a reference to the
text from RFC5996?

> Happy holidays!
> Yaron

Happy New Year!
Valery.

> On 12/24/2013 03:47 PM, Valery Smyslov wrote:
>> Hi all,
>>
>> I've just posted a draft, defining NULL Authentication method in IKEv2.
>> This method may be used for anonymous access or in situations,
>> when peers don't have any trust relationship, but still want
>> to get protection at least against passive attacks.
>>
>> Regards,
>> Valery.
>>
>>
>> ----- Original Message -----
>> From: <internet-drafts@ietf.org>
>> To: "Valery Smyslov" <svan@elvis.ru>; "Valery Smyslov" <svan@elvis.ru>
>> Sent: Tuesday, December 24, 2013 5:40 PM
>> Subject: New Version Notification for
>> draft-smyslov-ipsecme-ikev2-null-auth-00.txt
>>
>>
>> A new version of I-D, draft-smyslov-ipsecme-ikev2-null-auth-00.txt
>> has been successfully submitted by Valery Smyslov and posted to the
>> IETF repository.
>>
>> Name: draft-smyslov-ipsecme-ikev2-null-auth
>> Revision: 00
>> Title: The NULL Authentication Method in IKEv2 Protocol
>> Document date: 2013-12-24
>> Group: Individual Submission
>> Pages: 8
>> URL: http://www.ietf.org/internet-drafts/draft-smyslov-ipsecme-ikev2-null-auth-00.txt
>> Status: https://datatracker.ietf.org/doc/draft-smyslov-ipsecme-ikev2-null-auth/
>> Htmlized: http://tools.ietf.org/html/draft-smyslov-ipsecme-ikev2-null-auth-00
>>
>>
>> Abstract:
>> This document defines the NULL Authentication Method for IKEv2
>> Protocol. This method provides a way to omit peer authentication in
>> IKEv2 and to explicitly indicate it in the protocol run. This
>> method may be used to preserve anonymity or in situations where no
>> trust relationship exists between the parties.
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission until the htmlized version and diff are available at
>> tools.ietf.org.
>>
>> The IETF Secretariat
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
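The rule Valery quotes from RFC 5996 Section 2.16 is easy to encode as a policy check on the IKE_AUTH exchange: when the initiator omits its AUTH payload to request EAP, the responder's AUTH payload must carry a public-key-signature method, so a NULL (or shared-key) responder AUTH is rejected. The following is an added illustration, not code from the draft or from any participant in this thread. It assumes the IANA Authentication Method numbers as I know them (NULL Authentication = 13 was assigned later by RFC 7619; the -00 draft under discussion had no value yet), and the AUTH payload layout of RFC 5996 Section 3.8 (4-byte generic payload header, 1-byte Auth Method, 3 reserved bytes, then Authentication Data). The sample payload bytes are constructed.

```python
"""Policy check for the IKE_AUTH authentication-method combination.

Added example; models the RFC 5996 Section 2.16 rule quoted in the thread:
when the initiator authenticates with EAP, the responder MUST authenticate
with a public-key signature, so a NULL or shared-key responder AUTH payload
is rejected in that case.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class AuthMethod(IntEnum):
    """IKEv2 Authentication Method values (IANA registry, as assumed here).

    NULL_AUTHENTICATION = 13 is the value later assigned by RFC 7619; the
    -00 draft discussed on the page did not yet have a number.
    """
    RSA_DIGITAL_SIGNATURE = 1
    SHARED_KEY_MIC = 2
    DSS_DIGITAL_SIGNATURE = 3
    ECDSA_SHA256_P256 = 9
    ECDSA_SHA384_P384 = 10
    ECDSA_SHA512_P521 = 11
    NULL_AUTHENTICATION = 13
    DIGITAL_SIGNATURE = 14


# Methods that count as "public-key-signature-based" for the 2.16 rule.
SIGNATURE_METHODS = frozenset({
    AuthMethod.RSA_DIGITAL_SIGNATURE,
    AuthMethod.DSS_DIGITAL_SIGNATURE,
    AuthMethod.ECDSA_SHA256_P256,
    AuthMethod.ECDSA_SHA384_P384,
    AuthMethod.ECDSA_SHA512_P521,
    AuthMethod.DIGITAL_SIGNATURE,
})


def parse_auth_method(auth_payload: bytes) -> AuthMethod:
    """Extract the Auth Method from a full AUTH payload (header + body).

    Layout assumed from RFC 5996 3.8: 4-byte generic payload header
    (next payload, flags, 2-byte length), then 1 byte Auth Method,
    3 bytes RESERVED, then Authentication Data.
    """
    if len(auth_payload) < 8:
        raise ValueError("AUTH payload too short")
    length = int.from_bytes(auth_payload[2:4], "big")
    if length != len(auth_payload):
        raise ValueError("AUTH payload length field does not match data")
    return AuthMethod(auth_payload[4])  # ValueError on an unknown method


def build_auth_payload(method: AuthMethod, data: bytes) -> bytes:
    """Constructed sample AUTH payload: next payload 0, no critical bit."""
    body = bytes([int(method), 0, 0, 0]) + data
    return bytes([0, 0]) + (4 + len(body)).to_bytes(2, "big") + body


@dataclass(frozen=True)
class IkeAuthExchange:
    # None means the initiator omitted AUTH from its first IKE_AUTH
    # message, i.e. it asked to be authenticated with EAP.
    initiator_auth: Optional[AuthMethod]
    responder_auth: AuthMethod


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def check_eap_responder_auth(x: IkeAuthExchange) -> Decision:
    """Apply the RFC 5996 2.16 rule; other combinations are left to local policy."""
    if x.initiator_auth is not None:
        return Decision(True, "initiator did not request EAP; rule does not apply")
    if x.responder_auth in SIGNATURE_METHODS:
        return Decision(True, f"EAP with responder {x.responder_auth.name}: "
                              "signature-based responder authentication")
    return Decision(False, f"EAP with responder {x.responder_auth.name}: "
                           "responder must use a public-key signature (RFC 5996 2.16)")


if __name__ == "__main__":
    # Constructed scenario: initiator requested EAP, responder answered NULL auth.
    responder_payload = build_auth_payload(AuthMethod.NULL_AUTHENTICATION, b"")
    exchange = IkeAuthExchange(None, parse_auth_method(responder_payload))
    print(check_eap_responder_auth(exchange))
```

The check deliberately says nothing about NULL-with-NULL or NULL-with-signature exchanges; those are what the draft is about and are a matter of local policy, whereas the EAP case is already settled by RFC 5996 and is rejected here regardless of which EAP method was used.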