Re: [IPsec] First version of RFC5996bis

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 09 August 2013 14:17 UTC

Message-ID: <5204F9B3.8030807@gmail.com>
Date: Fri, 09 Aug 2013 17:16:19 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Tero Kivinen <kivinen@iki.fi>
References: <20996.61108.326911.119416@fireball.kivinen.iki.fi>
In-Reply-To: <20996.61108.326911.119416@fireball.kivinen.iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Pasi Eronen <pe@iki.fi>, Charlie Kaufman <charliek@microsoft.com>, Yoav Nir <ynir@checkpoint.com>, Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@ietf.org, turners@ieca.com
Subject: Re: [IPsec] First version of RFC5996bis
Precedence: list

Hi Tero,

Good stuff! Thanks a lot!

One quick typo: "two Hash and URL format", should be "formats".

Question: RFC 5996 is updated by a single document, which is RFC 5998 
that just got published. The new RFC adds a mandatory, security-critical 
test to IKEv2, and I would like to add to Sec. 1.2 (at the end of the 
paragraph "Both parties in the IKE_AUTH...", this sentence: Both parties 
MUST perform the Diffie-Hellman recipient tests defined in [RFC 5998] 
(and a normative reference). Do you see any issues with that?

Thanks,
     Yaron

On 9.8.2013 16:29, Tero Kivinen wrote:
> In the last IETF there has been discussion that we should start
> driving IPsec protocols from proposed standard to full standard.
> Mostly this needs to be done because some other standardization
> organizations say they cannot refer to proposed standards, they can
> only refer to real standards, and they do not see proposed standards
> as real standards.
>
> Sean Turner promised that he would be willing to do the IESG legwork
> for this process, but to start that we needed to get the actual
> documents ready first. The process of going from proposed standard to
> full standards is easier now, but there are still some things we need
> to do. The first thing is that we need to take all errata we have for
> the document and create a document which fixes that.
>
> To get this process starting I took the RFC5996, and put in the two
> errata items we had for that RFC. The submitted the resulting
> draft-kivinen-ipsecme-ikev2-rfc5996bis today.
>
> This version only puts in the errata, and a section "Differences
> between RFC5996 and This Document".
>
> The problem is that we have been discussing in the WG about the
> draft-kivinen-ipsecme-oob-pubkey draft, and that draft currently
> obsoletes RAW RSA public keys from the RFC5996 and then adds new one.
> We cannot really add new features at this point as it is not widely
> implemented or used, but I think we can safely obsolete the RAW RSA
> support as it has not been widely used.
>
> So my plan is to make new version of this draft in three weeks time (I
> will be vacation for two weeks starting next Monday), and in that
> draft obsolete the RAW RSA public keys. After that I will remove all
> text about obsoleting the RAW RSA public keys from my
> draft-kivinen-ipsecme-oob-pubkey document and it will just be one
> normal extension adding stuff to the rfc5996bis.
>
> So if you have any objections for that speak up now...
>
> In addition to the IKEv2, we most likely want to move some other
> documents forward too. Some of those are easy like RFC2451 "The ESP
> CBC-Mode Cipher Algorithms", RFC3526 "More Modular Exponential (MODP)
> Diffie-Hellman groups for Internet Key Exchange", and RFC3986 "UDP
> Encapsulation of IPsec ESP Packets", as there is no errata, and they
> are widely used.
>
> Some are harder, as we need to make new versions because of errata
> (RFC4303 ESP). For some others we need to discuss do we want to make
> them forward (AH, MOBIKE etc). But I think discussion about the other
> documents should be done on the separate thread, this is just first
> step on the road.
>
> ----------------------------------------------------------------------
> From: internet-drafts@ietf.org
> To: "Paul E. Hoffman" <paul.hoffman@vpnc.org>, Pasi Eronen <pe@iki.fi>,
>          Charlie Kaufman <charliek@microsoft.com>,
>          Tero Kivinen <kivinen@iki.fi>, Yoav Nir <ynir@checkpoint.com>,
>          Paul Hoffman <paul.hoffman@vpnc.org>
> Subject: New Version Notification for
> 	draft-kivinen-ipsecme-ikev2-rfc5996bis-00.txt
> Date: Fri, 09 Aug 2013 05:49:39 -0700
>
> A new version of I-D, draft-kivinen-ipsecme-ikev2-rfc5996bis-00.txt
> has been successfully submitted by Charlie Kaufman and posted to the
> IETF repository.
>
> Filename:	 draft-kivinen-ipsecme-ikev2-rfc5996bis
> Revision:	 00
> Title:		 Internet Key Exchange Protocol Version 2 (IKEv2)
> Creation date:	 2013-08-09
> Group:		 Individual Submission
> Number of pages: 137
> URL:             http://www.ietf.org/internet-drafts/draft-kivinen-ipsecme-ikev2-rfc5996bis-00.txt
> Status:          http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-ikev2-rfc5996bis
> Htmlized:        http://tools.ietf.org/html/draft-kivinen-ipsecme-ikev2-rfc5996bis-00
>
>
> Abstract:
>     This document describes version 2 of the Internet Key Exchange (IKE)
>     protocol.  IKE is a component of IPsec used for performing mutual
>     authentication and establishing and maintaining Security Associations
>     (SAs).  This document replaces and updates RFC 4306, and includes all
>     of the clarifications from RFC 4718.
>
>                                                                                    
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat

[IPsec] First version of RFC5996bis Tero Kivinen
Re: [IPsec] First version of RFC5996bis Yaron Sheffer
Re: [IPsec] First version of RFC5996bis Yaron Sheffer