IETF Logo Mail Archive

[IPsec] Comments on draft-smyslov-ipsecme-ikev2-auth-announce

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Mon, 08 November 2021 19:41 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 329F33A0E26 for <ipsec@ietfa.amsl.com>; Mon, 8 Nov 2021 11:41:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.617
X-Spam-Level:
X-Spam-Status: No, score=-9.617 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=ffUMLTh7; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Q7ibAnvP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sns-wski2UVh for <ipsec@ietfa.amsl.com>; Mon, 8 Nov 2021 11:40:58 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD2983A0DFF for <ipsec@ietf.org>; Mon, 8 Nov 2021 11:40:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5856; q=dns/txt; s=iport; t=1636400458; x=1637610058; h=from:to:subject:date:message-id:mime-version; bh=e6Dtgwr9zq7Pi1HRUMSR4/rtWdORFtG95KLyzqxhJh0=; b=ffUMLTh7OcciSz8SEpsly9TZgm1eMWfP/yRpdUX8Mp6b0SK4xFukj9qw dcBXA8+JygCp4ORBu02rLhPa8f2Xn8JTD3Cv6LqnMA6vhC0E1RsfZkguz GOUTh+HH+8wKfItfaH+ewN3y0Z93I/dZknd2OboNIDXmpeFwCLrJzQHPR I=;
IronPort-PHdr: A9a23:Fuh/1Ry+l49aIwvXCzPFngc9DxPP8531MxIbrJ09hOEGfqei+sHkO0rSrbVogUTSVIrWo/RDl6LNsq/mVGBBhPTJsH0LfJFWERNQj8IQkl8hDdKLT0rhI62iYykzBs8XUlhj8jmyOlRUH8CrYVrUrzWy4DceFw+5OxByI7H+G5XZiIK80OXhk6A=
IronPort-Data: A9a23:lCPIN69FTK6IggUHTPXJDrUDknyTJUtcMsCJ2f8bNWPcYEJGY0x3yjRMX2mFafyOYDT2ct8naISz8kMBvJOBxtRkHFRs/ilEQiMRo6IpJzg2wmQcns+qw0aqoHtPt63yUfGdapBrJpPgjk31aOG49CEsjfjgqofUUYYoBAggHWeIdw954f5Ts7ZRbr9A2bBVMSvU0T/Bi5W31Gue5tJBGjl8B5RvB/9YlK+aVDsw5jTSbB3Q1bPUvyF94Jk3fcldI5ZkK7S4ENJWR86bpF241nnS8xFoAdS/n/OlNEYLWbXVewOJjxK6WYD73UME/XN0g/19badDAatUo23hc9RZ09tJqJyqRB0BNazXk+NbWB5de817FfwYoeGfeSjg4aR/yGWDKRMA2c5GDVktMIYw++trDydJ7/NwFdynRnhvnMqsy769D+JrnMlmco/gPZgUvTdryjSxMBrveribK42i2DOS9G5YahhyIMvj
IronPort-HdrOrdr: A9a23:xxdJrK0c/bXM59JHQNLyuQqjBQtyeYIsimQD101hICG9Lfb4qyn+ppomPEHP5wr5AEtQ4+xoS5PwPE80lKQFrLX5WI3DYOCIghrREGgP1/qG/9SCIVyzygc+79YaT0EWMrSZZjIW4beYkWuF+r0bsb66GdWT9J7jJgBWPGdXgs9bnmNEIzfeNnczaBhNBJI/GpbZzNFAvSCcdXMeadn+LmUZXsDYzue7267OUFojPVoK+QOOhTSn5PrRCB6DxCoTVDtJ3PML7XXFqQrk/a+u2svLhCM0llWjrqi+quGRieerN/b8yPT97Q+czzpAUb4RG4FqegpF5N1Hpmxa1+Uk6C1QQ/ibo0mhAV1d5yGdnTUJFF0VmiffIZjyuwq7nSWxfkNFN+NRwY1eaRfX8EwmoZV1179KxXuQs95NAQrHhzmV3amBa/hGrDvDnZMZq59bs5Wfa/ptVJZB6YgEuE9FGpYJGyz3rIghDel1FcnZoPJba0mTYXzVtnRmhIXEZAV4Ij6WBkwZ/sCF2Tlfm350i0Me2cwEh38FsJYwUYNN6ejIOrlh0LtOUsgVZ6RgA/ppe7r9NkXdBRbXdG6CK1XuE68Kf3rLtp7s+b0woPqnfZQZpaFC76gpkGkowVLaV3ieefFm7ac7hywlGl/NLAgF4vsulKREhg==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CYCACEfIlh/51dJa1agmKBITFRB3daNzGER4NHA4U5hWyCJZV7hQqBLoElA1QDCAEBAQ0BAUEEAQGFAgIXgj8CJTUIDgECBAEBARIBAQUBAQECAQYEgREThWgBDIZbEQoTAQE4EQEGBj4CBDAmAQQbGoJQgX5XAy8BkC+PNgGBOgKKH3qBMYEBgggBAQYEBIUKGII1CYE6gwuEGAEBgnyELxyBSUSBFUOHbIMWN4IujjZwPyoiGYJVOpUiiRSgBwqDOAWfFhWnKJBwhSAfoDMshQUCBAIEBQIOAQEGgWMBOIFZcBWDJFEZD4hKhWEXg1CKXnQ4AgMDAQoBAQMJkHUBAQ
X-IronPort-AV: E=Sophos;i="5.87,218,1631577600"; d="scan'208,217";a="961600878"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 08 Nov 2021 19:40:57 +0000
Received: from mail.cisco.com (xbe-aln-002.cisco.com [173.36.7.17]) by rcdn-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id 1A8Jev0I022296 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK) for <ipsec@ietf.org>; Mon, 8 Nov 2021 19:40:57 GMT
Received: from xfe-aln-002.cisco.com (173.37.135.122) by xbe-aln-002.cisco.com (173.36.7.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 8 Nov 2021 13:40:57 -0600
Received: from xfe-rcd-002.cisco.com (173.37.227.250) by xfe-aln-002.cisco.com (173.37.135.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 8 Nov 2021 13:40:56 -0600
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-002.cisco.com (173.37.227.250) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Mon, 8 Nov 2021 13:40:56 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LJhjjAULlr3ZR5f3wd5rNA7LL82BysgernO4iV9V3fsKb2+5H48jSTLXhgY2YSXL6dwTYXyiHEvwoyfkwjm8NyZp7/V6oGtS+IIfInBhWWDeHGi1gDdF/7lbBIohP2J0jWNIcq/McpbjOKvfVvDaDI/T5ZZr6HMRZ64iWudFjbhDyao66MdSO+8Kv4ZzeI43Ng5yNIKtt7bsQZPRxJQqlBwln3dnTOZlqUjVZtLCjCfeCD+zjhWQit+bT/wSkxG3iVUQCGI0NhPmehKjR7qpGiRDY6J+6VcjeqwCq/DZzkh9MGibSShTP1nOXHHwiPLpfU8ijVM2Zi8rqYNVKn1umA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=e6Dtgwr9zq7Pi1HRUMSR4/rtWdORFtG95KLyzqxhJh0=; b=KqxDIxgvUeMf4hiug4fbfz6QrC9NhoCoIScXkJJXjCqBhEE2IWfx9UjMc+DjAUikLaxIbfHihUphAcqDRC/5pAcWAvnNZn/bhEMgCZe7R9cnkdSrw1JzhB6FJ1gLHSfOslZPrCKZg9JTD23xQDyD7UwVHpKM73ZeWDcqlFSILPaulHciGjwY5PJNKUysL/Tj389Mzh0rVFCRasp27FnggngrqHN49VcrytgXZ3NMjf+nEDX7baMs4sjSVpyzf0TfDdgaAp7yuW5dCT8qzc0XsCpWo7cmjKHcXMe6buWT8QjLm3lBcQlli3u6M5XiymrxqAhYBwLU7VHWPxNxxZMmqA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e6Dtgwr9zq7Pi1HRUMSR4/rtWdORFtG95KLyzqxhJh0=; b=Q7ibAnvP8en8I+GqLY5m/XFgnXdoKB4bydxX77lFnDVtuAoBnyI0ZsDChntvcM8RJJvMw4E3HryL9sz4QjKb6/kAyZIEJPeF1FpZ34kRht0CdqsN87BsOd76rWHAX8ufVRbt0k7SmvW28uLgNzg5Ky4ci4SQ9wu8kLRP/uPSe5g=
Received: from BL3PR11MB5682.namprd11.prod.outlook.com (2603:10b6:208:33d::18) by BL0PR11MB3074.namprd11.prod.outlook.com (2603:10b6:208:31::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.13; Mon, 8 Nov 2021 19:40:52 +0000
Received: from BL3PR11MB5682.namprd11.prod.outlook.com ([fe80::7967:f6c7:1632:1549]) by BL3PR11MB5682.namprd11.prod.outlook.com ([fe80::7967:f6c7:1632:1549%7]) with mapi id 15.20.4649.020; Mon, 8 Nov 2021 19:40:52 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Comments on draft-smyslov-ipsecme-ikev2-auth-announce
Thread-Index: AdfU1qwxTh373Nn8RkOOzqT4ygM5zg==
Date: Mon, 08 Nov 2021 19:40:52 +0000
Message-ID: <BL3PR11MB5682B8216D3A393B4D1771DBC1919@BL3PR11MB5682.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 93f85714-3fdc-48de-5ba9-08d9a2efac9a
x-ms-traffictypediagnostic: BL0PR11MB3074:
x-microsoft-antispam-prvs: <BL0PR11MB307469D7873EF58C47103AE2C1919@BL0PR11MB3074.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: jPnBwx+yr52sp2mmceVC81CLpl15kHUV9fbF+GcbK2sV2q4VShmeB0Y/e3eRE0L6+3Z3IwUGLj0Y6SJGOIosccWsvhwdNXRW/j52PR1sLcwjqvgw9K4kB92neOUxZMw0KwMB2J5aGhcbwUNI2z14jtB+V5v92KLJ4ZEkIAbALNPNaeO1UH8c2B9NY36c/ESMKliojL8392dsii2RKkzYxOsunEDmVgsjBVsG5zK25etzXkYGUk2znMne4l3bNxvh2+TqBnkNXOxsNPUXUBJ3tieTMB0aQndCM80pNb4JMtFuvop0on/Gww+xgAfdaZV3idw8LCrBLFzURbfkZrr815hleVrVV+Xu5Uj8a2srbDYv4Gh07ybYnozNg899l+uH4LdtiVdyQGG8+NjZViNTAqGedyCIIXruRApmM2meW+S4s5QHcAjZ5c+C4t0ZCdsT7oRvhas7XknReiE3T0sHtoeQmh/8D1gTViH6ukrspwtD5PfMBdR5/+mnY5sDennh8TvnVkVOqntD9DjwhCbOpZ4aVi8l8vhMEeVqzj8r8GHnYqx5qA9zY38z7bzTI87CfUFvb8ksGWw33VMr9Ih+NDGLR/8dXeGeF4C0tC/X1yI025sDUv57qV23QEoP4B9eY8Uf+AznUQRpj4giGvJDaF+QBwEzd17xGTwq/e3ZibENBeudaQ2Aq7G3P1UvfkQOhB2ybJa3JYNseMdTliNczg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL3PR11MB5682.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(7696005)(508600001)(38100700002)(38070700005)(8936002)(8676002)(122000001)(55016002)(66446008)(64756008)(66556008)(9686003)(316002)(76116006)(66946007)(6916009)(71200400001)(86362001)(52536014)(26005)(2906002)(33656002)(66476007)(186003)(5660300002)(6506007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ZT/PuEyPc97fz09kKWPZUt+lDPBlZUooSaylG80DUMiR9WngZCxTKkbpxBJdfTDK9qWe0cZNGtUC51arLuwTh+J7rFjhJ2d/QDZTPnSzL9yr5LqFrj8X4s3eNHaigtyMeU8Hr9FnNxn37loEjtt4bTQEsPDfXQyFIRZfNyhk/r9dPO9uH3UtuahnY4Sh4q50XJPuqvwK/xGiYhPTOX6toDvReeoQqg7g66qV+wM72J15WEzq01Qzv9UVcl4Y9iBmhkf5kwvc1mLycJGrjobbmeIHpTEqTSSpaFRj7/q3KtrihtzZRudG6e+68ISWCYSGJ75ZXvKTOHe8YX3E24v6VEKtBzX4RDv9e0kKYh7OdGbOSRd/9mE0/nzl26aU7O+De9K+S9Y5H2y9SDAotis2wYbLjSjtMgpTSnfS4iqFxR/xUoJobvGFiSeDhvPIXe4cDXqoEJc3aJfJWGgwPTdrXjde6/GVDlI1tQRt9aI7LSP29FO//55cMk5aoxtOoF9UpTodSv8seSieMzdUbioxtzf00CIOjBXJ7qjmN7aaRMQpYnySl2wP3tCMS0i4vGwWAj/KV9V2KgEgwxfyCjusj420wdeqT7xAFeRZIBAq4+NTSV9WqJu1E8FYUDE1XunGAmKWSX5md1Qu1pVkn2slcRhdeHG+cNpry6Py1cMV3ncHGqrrSrqiNI5PSxOiFAcPgqZpFK0Dpa9LNFUJ8bVhFTPkMNuWifbV3XmaHxbk+bE+2QznQn2QzfKCcJe5SewNJ5ofEoKQ5w0LnedbQkBkp5chM4YieNx9g1VneKzunfsxAwT1cZElM+oqTRezmirE8ydgSlIr4HiDCfan8RUsCd3UbIgb1hMcOiWhEGa2SLDIUIUbjJMEHq5FY7DIgJvUiJA85EP6pMXa1gDrcJXlZkOucv5CCLsAy5ItxvnknQpCez1D4KPbsVb6u71GO7rHtKmi7pfiSzG0c0Glf1gth0kdlfB+UDraEaniD0hpDxKKNA9B/+PYPY+vH8+XiRtbIeezrzdyi0/gQ24DWR/kI5/IU1TdeP8Kouy0uf4v+yM7+Rd8pMwkHESmF4vJWtAA0nDyrsFaZUS/4RSLpXGadeSCaagCQkvlKVmJgCpjdr2Niey+LzA/kvU9i6tLeoYs57Wfb1ZRq7fH5t6lVoTi/6XqUirxqbiNMSjNStK+abaOeNh9b3/jE3fUx7YnLnW7nYEwjhaPAHmgENx18sLHe0YZJpQhMI1dZMS6PztrYL00LhpE867PjTPEoZnShTj8gEoUO0XwSyf3MRSsSHJvGoh7Ml6HeiT2TKEo081ZuOhU7YxmADUoH5uONuloqk4U4XD2noEAdQ9saBujDAJYadY2dfL0NOvs8CC6MOC2PQnEgVr3C053hO6l74YtLml9J9lNzyl2Mj+sotBV9PPh0mhzxBDIAFRmP4LK21oDV9z4va/hKtmau/hoc9jOz6vkAU5u45XHlmDpF7OQ994e5Xa4qkWl6Zk4nZhL24ZCHQLzpq1+Mg7J/bAi1TLF/sRl7j3zB3rv6hj4n2nhk8aviAmCLpcC/QlmoBQg1RdQvO+fBMZBOFC16EbtmIBMnCFrHJ3ivgF+//bWSLqVX8/w3Q==
Content-Type: multipart/alternative; boundary="_000_BL3PR11MB5682B8216D3A393B4D1771DBC1919BL3PR11MB5682namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL3PR11MB5682.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 93f85714-3fdc-48de-5ba9-08d9a2efac9a
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Nov 2021 19:40:52.5549 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: fISWKzGGTwWXC3XTTaKiGssRpWfLGL5goTFHMiomn1GAQahnN4PQ0ZWqGclIZL1vHfsER3aAtz7zCQADUkMECw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB3074
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.17, xbe-aln-002.cisco.com
X-Outbound-Node: rcdn-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/HnAET6QNVpy7s_c91eB78gv1Oh8>
Subject: [IPsec] Comments on draft-smyslov-ipsecme-ikev2-auth-announce
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 19:41:03 -0000

I’m glad to see this work; however I see a potentially important constraint on authentication that the current draft does not appear to address.

It allows the peers to specify which signature algorithms they accept; however if we are talking about certificates, those include internal signature algorithms, which may be different.  One instance where I expect this to come up is that the root certificate may have a more conservative algorithm choice (e.g. a hash based signature, or one with NIST level 5) than the device certificates (which may have a short expiry time, and so being so conservative might not be necessary).

Does the AuthMethod apply to the algorithms within the certificate as well?  The RFC should clarify this.


Listing the AlgorithmIdentifier’s for all the signature algorithms we can support seems unnecessarily chatty; would it be more prudent to extend the AuthMethod field to 16 bits (and so we (or IANA) would feel more free to dole them out?


And, finally, a typo: it’s P-521, not P-512 😊

v2.23.0 | Report a Bug | By Email