Re: [IPsec] AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 08 November 2023 07:30 UTC

From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Roman Danyliw' <rdd@cert.org>, ipsec@ietf.org
References: <BN2P110MB11076E4C10617CF7810E96DEDCDEA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <068901da0824$27c5a4c0$7750ee40$@gmail.com> <BN2P110MB1107DD52872E04B30A723C1EDCA6A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB1107DD52872E04B30A723C1EDCA6A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Date: Wed, 08 Nov 2023 10:30:14 +0300
Message-ID: <0ef001da1215$6ad26f00$40774d00$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IMZAJQ-7uq4Tg6hhYZm8DEbnJNQ>

Hi Roman!

> Hi Valery!
> 
> Thanks for -05.  Reducing the thread down to areas of discussion.
> 
> > -----Original Message-----
> > From: Valery Smyslov <smyslov.ietf@gmail.com>
> > Sent: Thursday, October 26, 2023 11:51 AM
> > To: 'Roman Danyliw' <rdd@cert.org>; ipsec@ietf.org
> > Subject: Re: [IPsec] AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04
> 
> [snip]
> 
> > > ** Section 5.  Please add that the Security Considerations of the specifically
> > negotiated auth methods apply.
> >
> > This is not a negotiation, this is an announcement, just to help the other side
> > correctly choose among several possible methods. Since this is a hint,
> > implementations may use it like other hints that are already available (e.g. CAs
> > from CERTREQ). Thus I'm not sure what specifically should be added to the
> > Security Considerations section. Do you have some proposed text?
> 
> I was looking primarily for a reminder that the different methods being suggested each have their own
> security considerations.

I think we can add the following text:

Security properties of different authentication methods vary.
Refer to the corresponding documents listed in [IKEV2-IANA] for a
discussion of the security properties of each authentication method.

Note that announcing authentication methods gives an eavesdropper
additional information about peers' capabilities. If a peer advertises
NULL authentication along with other methods, then an active attacker
on the path may force the use of NULL authentication by removing
all other announcements. Note that this is not a real attack, since
NULL authentication should be allowed by local security policy.

Regards,
Valery.

> > > ** Section 6.  The “Notify Message Types - Status Types” registry has
> > > three fields.  Please formally say that this document should be the reference.
> >
> > Done.
> >
> > I also had an off-list conversation with Daniel Van Geest, who made some
> > good proposals, which I would also like to include in the draft if the WG agrees.
> >
> > 1. Specify that auth announcements are included in the
> > SUPPORTED_AUTH_METHODS notification in the order of the sender's
> > preference. This doesn't break anything (the receiver is free to ignore
> > the order), but might help it to make the best choice.
> >
> > 2. Clarify that peers may send SUPPORTED_AUTH_METHODS independently
> > of whether it was received (this is not a negotiation). This is what the
> > draft actually says now; just stress this for clarification.
> >
> > 3. Specify interaction with RFC 4739 (Multiple Authentication Exchanges in the
> > Internet Key Exchange (IKEv2) Protocol). In particular, allow sending multiple
> > SUPPORTED_AUTH_METHODS notifications in a message (also add a clarification
> > that if multiple SUPPORTED_AUTH_METHODS notifications are included in a
> > message and the receiver doesn't know why, then all included announcements
> > form a single list).
> 
> I see this proposed text is in -05.
> 
> WG chairs: can you please check that this has consensus of the WG.
> 
> Thanks,
> Roman
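As an added, constructed example (not text from the draft or from either author in this thread), the following Python models the three proposals above together with the stripping case from the proposed Security Considerations text: several SUPPORTED_AUTH_METHODS notifications merged into one preference-ordered list, and the announcement used only as a hint that local policy gates. The already-decoded method lists, the policy representation and the function names are assumptions; the numeric method values are the IANA IKEv2 Authentication Method registrations.

```python
"""Constructed model of the SUPPORTED_AUTH_METHODS hint discussed in the thread.

Not code from the draft or any IKEv2 implementation.  It assumes the IKE
layer has already decoded each SUPPORTED_AUTH_METHODS notification into a
list of IANA "IKEv2 Authentication Method" values, in the sender's
preference order (item 1 in the thread).
"""
from typing import Iterable, List, Optional

# IANA IKEv2 Authentication Method values used below.
RSA_DIGITAL_SIGNATURE = 1
SHARED_KEY_MIC = 2
NULL_AUTHENTICATION = 13   # RFC 7619
DIGITAL_SIGNATURE = 14     # RFC 7427


def merge_announcements(notifications: Iterable[List[int]]) -> List[int]:
    """Treat every SUPPORTED_AUTH_METHODS notification in one message as a
    single list (item 3 in the thread).  Order is kept; a method repeated
    in a later notification keeps its first position."""
    merged: List[int] = []
    for methods in notifications:
        for m in methods:
            if m not in merged:
                merged.append(m)
    return merged


def choose_auth_method(announced: Optional[List[int]],
                       local_allowed: List[int]) -> Optional[int]:
    """Pick the method we will authenticate ourselves with.

    `local_allowed` is our own policy in our own preference order.  The
    announcement is only a hint: with none, use our first allowed method;
    otherwise take the peer's most preferred method our policy permits.
    NULL authentication can only be chosen if `local_allowed` lists it, so
    an on-path attacker stripping all other announcements cannot downgrade
    a peer whose policy forbids NULL (the Security Considerations point)."""
    if not announced:
        return local_allowed[0] if local_allowed else None
    for m in announced:          # peer's preference order
        if m in local_allowed:
            return m
    return None                  # no overlap: fall back to local handling


def stripped_announcement_outcome(local_allowed: List[int]) -> Optional[int]:
    """Outcome when only NULL survives an on-path stripping of the hint."""
    return choose_auth_method([NULL_AUTHENTICATION], local_allowed)
```

A `None` result means the hint offered nothing the local policy accepts; the implementation then proceeds as it would without any announcement rather than relaxing policy.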