Re: Moving forward with IKE V2: A proposal for final edits to ikev2-04
Francis Dupont <Francis.Dupont@enst-bretagne.fr> Mon, 03 February 2003 17:42 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA14629 for <ipsec-archive@lists.ietf.org>; Mon, 3 Feb 2003 12:42:02 -0500 (EST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA01159 Mon, 3 Feb 2003 10:17:43 -0500 (EST)
Message-Id: <200302031518.h13FIvof057374@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Theodore Ts'o <tytso@mit.edu>
cc: ipsec@lists.tislabs.com
Subject: Re: Moving forward with IKE V2: A proposal for final edits to ikev2-04
In-reply-to: Your message of Thu, 30 Jan 2003 17:57:09 EST. <E18eNcL-0004sj-00@think.thunk.org>
Date: Mon, 03 Feb 2003 16:18:57 +0100
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
In your previous mail you wrote: For this reason, what we propose is that we pick an approach, and be done with it. The question then before the working group is whether or not there is another way to accomplish the task, but whether there are either (a) fatal flaws in the proposal presented, (b) clear, overwhelming advantages to do things a different way (and no handwaving; it must be a complete proposal), or (c) minor enhancements that all can agree are worthwhile to include in the protocol and worthwhile to implement. Otherwise we will be arguing until the cows come home (and/or when the IESG shuts us down, or the mob from problem-statement mailing list show up with the pitchforks, tar, and feathers :-). (SEMI-)CLOSED ISSUES ===================== The following issues have been burbling on the list, although in the opinion of the IPSEC Working group chairs, there isn't consensus in the IPSEC working group to act on them. If you feel otherwise, please speak now. A) Revised identity -------------------- => I am afraid that either we have to include a large part of draft-ietf-ipsec-pki-profile-xx.txt draft, or to adopt this revised identity proposal. IMHO this is between (a) and (b). B) DHCP-based vs. MODECFG style remote access configuration ----------------------------------------------------------- => IMHO IKE should not be involved directly into address allocation... I propose to ask the IPSRA WG to remove if they'd like any relevant part from IKEv2 (they should already have strong opinions and they should like the idea to remove something from an IPsec WG proposal :-). This is between (b) and (c). If there are those who feel otherwise, or who see fatal problems with the current approach, please speak now. => the NAT-DETECTION-*-IP notifications were cut&paste from a draft for IKEv1 and should be fixed. Fortunately this is easy and we can extend the fix to a proper address management in IKEv2. I'd like that the proposal of draft-dupont-ikev2-addrmgmt-00.txt is included in the next IKEv2: all the section 3 at the exception of the subsection 3.5 which is a real change and perhaps needs more discussion. BTW I have a minor point: my proposed "peer address update" notification relies on a strong sequencing of IKE messages. The current draft has only a weak sequencing (weak because the message ID, aka the sequence number, is not protected), I don't know if this is a global problem, i.e., if the replay of old messages with a fresh message ID can be used for real attacks... Regards Francis.Dupont@enst-bretagne.fr
- Moving forward with IKE V2: A proposal for final … Theodore Ts'o
- Revised identity, again Paul Hoffman / VPNC
- Ciphersuites MUSTs and SHOULDs Paul Hoffman / VPNC
- Re: Revised identity, again Cheryl Madson
- Re: Moving forward with IKE V2: A proposal for fi… Stephen Kent
- Re: Moving forward with IKE V2: A proposal for fi… Charlie_Kaufman
- Re: Moving forward with IKE V2: A proposal for fi… Charlie_Kaufman
- Re: Moving forward with IKE V2: A proposal for fi… Francis Dupont
- Re: Moving forward with IKE V2: A proposal for fi… Stephen Kent
- RE: Ciphersuites MUSTs and SHOULDs Roger Younglove
- Re: Revised identity, again Scott G. Kelly
- Re: Moving forward with IKE V2: A proposal for fi… Hugo Krawczyk
- RE: Moving forward with IKE V2: A proposal for fi… Geoffrey Huang
- Re: Moving forward with IKE V2: A proposal for fi… Derrell Piper
- RE: Moving forward with IKE V2: A proposal for fi… Victor Volpe