Re: [IPsec] Comments on draft-smyslov-ipsecme-ikev2-auth-announce

Paul Wouters <paul.wouters@aiven.io> Mon, 08 November 2021 21:12 UTC

On Mon, 8 Nov 2021, Tero Kivinen wrote:

>> Does the AuthMethod apply to the algorithms within the certificate
>> as well? The RFC should clarify this.
>
> The reason for this notify is that if the peer has multiple key pairs
> (i.e., private keys) it needs to pick one private key to sign the AUTH
> payload with. If one of those private keys is using EC and another is
> using RSA, then without this notification there is no way of knowing
> which one to pick (except perhaps by prior configuration or by
> heuristics based on the CERTREQ etc).

What will be in the notification then? Since the authentication method
for both is "RFC 7425 Digital Signatures" as per existing IANA registry
for IKEv2 Authentication Methods.

We would still need a new registry or we need to identify auth algorithms
by their SPKI similar to how we can signature supported hash algorithms.
But we would prob end up with seeing lots of duplicate entries with
slightly different SPKI prefixes.

The RSS-v1.5 vs RSS-PSS is a major pain right now, and implementations
using 7425 and specifying RSA-v1.5 SHA1 are a double pain as the RFCs
clearly don't allow that. We run into frequent interop issues with
these.

Paul
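
Added example, not part of the original message: a sketch of why the authentication method value alone cannot separate an RSA key from an EC key, and how the AlgorithmIdentifier in front of the signature can. It assumes the Digital Signature method is value 14 in the IANA registry and that the authentication data is a one-octet length, a DER AlgorithmIdentifier, then the signature; the function names and sample blobs are constructed for illustration.

```python
AUTH_METHOD_DIGITAL_SIGNATURE = 14  # same value whether the key is RSA or EC

# DER-encoded OID bodies -> (signature scheme, hash). Standard PKIX OIDs.
KNOWN_OIDS = {
    "2a864886f70d010105": ("RSA-v1.5", "SHA1"),
    "2a864886f70d01010b": ("RSA-v1.5", "SHA2-256"),
    "2a864886f70d01010a": ("RSA-PSS", "in parameters"),
    "2a8648ce3d040302": ("ECDSA", "SHA2-256"),
    "2a8648ce3d040303": ("ECDSA", "SHA2-384"),
}

def classify_auth_data(auth_data: bytes):
    """Return (scheme, hash) named by the AlgorithmIdentifier that prefixes
    the signature value (hypothetical helper)."""
    if not auth_data:
        raise ValueError("empty authentication data")
    asn1_len = auth_data[0]              # one-octet AlgorithmIdentifier length
    algid = auth_data[1:1 + asn1_len]
    if asn1_len < 4 or len(algid) != asn1_len:
        raise ValueError("truncated AlgorithmIdentifier")
    if algid[0] != 0x30 or algid[1] != asn1_len - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    if algid[2] != 0x06:                 # OBJECT IDENTIFIER tag
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = algid[4:4 + algid[3]]
    if len(oid) != algid[3]:
        raise ValueError("truncated OID")
    return KNOWN_OIDS.get(oid.hex(), ("unknown", oid.hex()))

def needs_review(auth_data: bytes) -> bool:
    """True for RSA-v1.5 with SHA1, the combination the message calls out."""
    return classify_auth_data(auth_data) == ("RSA-v1.5", "SHA1")

# Constructed samples: length octet + AlgorithmIdentifier + dummy signature.
SAMPLES = {
    "rsa": bytes.fromhex("0f300d06092a864886f70d01010b0500") + bytes(256),
    "ec": bytes.fromhex("0c300a06082a8648ce3d040302") + bytes(64),
    "rsa_sha1": bytes.fromhex("0f300d06092a864886f70d0101050500") + bytes(256),
}

def schemes_seen(samples):
    """Distinct schemes hidden behind the single method value 14."""
    return {classify_auth_data(blob)[0] for blob in samples.values()}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(AUTH_METHOD_DIGITAL_SIGNATURE, name, classify_auth_data(blob),
              "review" if needs_review(blob) else "ok")
```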