Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 22 December 2022 15:57 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9916CC14CF0B for <ipsec@ietfa.amsl.com>; Thu, 22 Dec 2022 07:57:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wQAmExA8ONzC for <ipsec@ietfa.amsl.com>; Thu, 22 Dec 2022 07:57:39 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BA74C14F5E0 for <ipsec@ietf.org>; Thu, 22 Dec 2022 07:57:39 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 161073898F; Thu, 22 Dec 2022 11:25:05 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 0RLliZJLUYDZ; Thu, 22 Dec 2022 11:25:01 -0500 (EST)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 021F83898E; Thu, 22 Dec 2022 11:25:00 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1671726301; bh=yWoDQBweeM9EQL7rghMj5/b6oXS3P8BxgNH726lBTZQ=; h=From:To:Subject:In-Reply-To:References:Date:From; b=GpJe/sSwXKHNnxiNsOM28mI46Mn4iJvGqW84ItDbi2araZmq+Dfxbjpqo0bmmJ02T qHnlZY014f/JA78fixNQjHCXKkNdemiI8+pk/JPqf9LvPllxR0JuTJPMRi5KC/Hghx 6f5JMVcojeyyL4NwWOfWR0Itsrcc/oBQQM24ZiZA9JU/2qnMewj1M7Oj/0Awql/bFP ssR1G2+HbX0NCSVzSJGkxdiGxAkshljDIhjcLjUi60zmB8rtDi3eUzOv3zcZS36nZE uGAP8WlrsqskWvdcWt9g/UlXHm/d6FGHyBmsae6b+CflVG2LA1VecncMD5gKA54So4 E9njuFu81I6qA==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 84189121; Thu, 22 Dec 2022 10:57:32 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>, ipsec@ietf.org, bew.stds@gmail.com
In-Reply-To: <261c01d915e3$50ef2670$f2cd7350$@gmail.com>
References: <11505.1671563270@localhost> <257b01d9151c$a16579f0$e4306dd0$@gmail.com> <9470.1671641738@localhost> <261c01d915e3$50ef2670$f2cd7350$@gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 22 Dec 2022 10:57:32 -0500
Message-ID: <14222.1671724652@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/GCegXXGFF2VrE8qdlkdZH4jC9LQ>
Subject: Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2022 15:57:44 -0000
Valery Smyslov <smyslov.ietf@gmail.com> wrote: > Thus, what do you want to see in the third column? "Defined in RFC > 7296"/"Defined in this document"? You could say, "STD79", and "Section X" if you like. >> I don't understand GSA_AUTH vs IKE_AUTH. I think that's an IKEv1-ism >> to split it. > Why? When you need to substantially modify the behavior of the exchange > you have two options - either indicate its purpose with some notify or > introduce a new dedicated exchange. GSA_AUTH substantially differs from > IKE_AUTH, so what's wrong with introducing a new exchange type for it? > After all, we did it before (IKE_SESSION_RESUME, IKE_FOLLOWUP_KE). I guess that I'm completely unable to understand what GSA_AUTH needs to do that's different. >> I'd consider leaving it out, or discouraging it. Obviously, one can >> just never compress, but it seems like it's been a PITA to implement. > IPcomp is optional, you don't need to implement it. It can be useful if > the traffic is compressible, especially taking into consideration that > multicast is always udp and IP fragmentation may be an issue. On the > other hand, if IPcomp is used for some group SA and later an GM is > joined which doesn't support it, then a sufficiently clever GCKS could > immediately rekey the SA with IPcomp off (taking a risk of IP > fragmentation). I'm saying, it adds complexity, which means additional test cases, and potential security holes. It seems unlikely to ever actually get used. > The GSA_REKEY is a pseudo-exchange, consisting of a one- way > IKEv2 message sent by the GCKS, where the rekey policy is delivered to > group members using IP multicast as a transport. This method is > valuable for large and dynamic groups, and where policy may change > frequently and a scalable rekeying method is required. Reasonable text, but with the clarification, I have many more questions :-) I think that it's conflating forwarding plane stuff with control plane stuff in a way that is really surprising.. >> propose some clarification text? >> >> It seems that GSA_RSAKEY is not an IKEv2 message at all then. > Why? It is a one-way IKEv2 message (but not an IKEv2 exchange!). It > follows the format for IKEv2 messages and it is processed very much as > usual, except that no response is sent. Does it travel from port 500 to port 500? I don't think so, but maybe I just don't understand. > Note, that RFC 7296 includes a concept of one-way IKEv2 messages (for > error notification in case no IKE SA exists). Fair enough, but those are inside the IKEv2 PARENT_SA, while GSA_REKEY is not. > I cannot speak for others, but I'm planning to implement it. And as > far as I know, draft 05 version of the IEEE Std 802.15.9 standard > (March 2021) specifies that G-IKEv2 is used for group key distribution > (but I'm not involved in this work). Almost nobody other that Tero has implemented 802.15.9/IKEv2. (That's a shame, and I wish it weren't so, but sometimes you have to respect the market choices) -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07 Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Paul Wouters
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Paul Wouters