Re: [IPsec] AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04
Valery Smyslov <smyslov.ietf@gmail.com> Wed, 08 November 2023 07:30 UTC
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Roman Danyliw' <rdd@cert.org>, ipsec@ietf.org
References: <BN2P110MB11076E4C10617CF7810E96DEDCDEA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <068901da0824$27c5a4c0$7750ee40$@gmail.com> <BN2P110MB1107DD52872E04B30A723C1EDCA6A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB1107DD52872E04B30A723C1EDCA6A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Date: Wed, 08 Nov 2023 10:30:14 +0300
Message-ID: <0ef001da1215$6ad26f00$40774d00$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IMZAJQ-7uq4Tg6hhYZm8DEbnJNQ>
Hi Roman!

> Hi Valery!
>
> Thanks for -05. Reducing the thread down to areas of discussion.
>
> > -----Original Message-----
> > From: Valery Smyslov <smyslov.ietf@gmail.com>
> > Sent: Thursday, October 26, 2023 11:51 AM
> > To: 'Roman Danyliw' <rdd@cert.org>; ipsec@ietf.org
> > Subject: Re: [IPsec] AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04
> >
> > [snip]
> > > ** Section 5. Please add the Security Considerations of the specifically
> > > negotiated auth methods apply.
> >
> > This is not a negotiation, this is an announcement, just to help the other side
> > correctly choose among several possible methods. Since this is a hint,
> > implementations may use it as other hints that are already available (e.g. CAs
> > from CERTREQ). Thus I'm not sure what specifically should be added to the
> > Security Considerations section. Do you have some proposed text?
>
> I was looking primarily for a reminder that the different methods being
> suggested each have their own security considerations.

I think we can add the following text:

   Security properties of different authentication methods vary. Refer to
   the corresponding documents, listed in [IKEV2-IANA], for a discussion of
   the security properties of each authentication method. Note that
   announcing authentication methods gives an eavesdropper additional
   information about peers' capabilities. If a peer advertises NULL
   authentication along with other methods, then an active attacker on the
   path may force the use of NULL authentication by removing all other
   announcements. Note that this is not a real attack, since NULL
   authentication should be allowed by local security policy.

Regards,
Valery.

> > > ** Section 6. The "Notify Message Types - Status Types" registry has
> > > three fields. Please formally say that this document should be the reference.
> >
> > Done.
> >
> > I also have an off-the-list conversation with Daniel Van Geest, who made some
> > good proposals, which I would also like to include in the draft if the WG agrees.
> >
> > 1. Specify that auth announcements are included into the
> > SUPPORTED_AUTH_METHODS notification in the order of their preference
> > for the sender. This doesn't break anything (the receiver is free to
> > ignore the order), but might help it to make the best choice.
> >
> > 2. Clarify that peers may send the SUPPORTED_AUTH_METHODS independently
> > of whether it was received (this is not a negotiation). This is what
> > the draft actually says now, just stress this for clarification.
> >
> > 3. Specify interaction with RFC 4739 (Multiple Authentication Exchanges
> > in the Internet Key Exchange (IKEv2) Protocol). In particular, allow
> > sending multiple SUPPORTED_AUTH_METHODS notifications in a message
> > (also add a clarification that if multiple SUPPORTED_AUTH_METHODS
> > notifications are included in a message and the receiver doesn't know
> > why, all the included announcements form a single list).
>
> I see this proposed text is in -05.
>
> WG chairs: can you please check that this has consensus of the WG.
>
> Thanks,
> Roman
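The three points above (announcements are hints in sender preference order, several SUPPORTED_AUTH_METHODS notifications in one message form a single list, and NULL authentication is only ever used when local policy already allows it) can be illustrated on the receiving side. The following is an added example, not code from the draft or from any IKEv2 implementation: it models announcements as plain Python lists rather than the notification's wire encoding, and `LocalAuthPolicy` is a hypothetical policy structure. The numeric values are the IANA "IKEv2 Authentication Method" registry values; everything else is an assumption of this example.

```python
"""Receiver-side handling of SUPPORTED_AUTH_METHODS announcements (constructed example).

The announcement is a hint, not a negotiation: the receiver walks the peer's
preference order but never leaves its own local policy. In particular, an
announcement reduced to NULL authentication only (e.g. by an on-path party
that stripped the other entries) cannot force NULL unless policy permits it.
"""
from enum import IntEnum
from typing import Iterable, List, Optional, Set


class AuthMethod(IntEnum):
    """Values from the IANA 'IKEv2 Authentication Method' registry."""
    RSA_DIGITAL_SIGNATURE = 1
    SHARED_KEY_MIC = 2
    ECDSA_SHA256_P256 = 9
    NULL_AUTHENTICATION = 13   # RFC 7619
    DIGITAL_SIGNATURE = 14     # RFC 7427


class LocalAuthPolicy:
    """Hypothetical local security policy for one peer.

    `acceptable` is ordered by *our* preference. NULL authentication is used
    only if it is listed here explicitly, whatever the peer announces.
    """

    def __init__(self, acceptable: Iterable[AuthMethod]) -> None:
        self.acceptable: List[AuthMethod] = list(acceptable)
        if len(set(self.acceptable)) != len(self.acceptable):
            raise ValueError("duplicate methods in local policy")

    def allows(self, method: AuthMethod) -> bool:
        return method in self.acceptable


def merge_announcements(notifications: Iterable[Iterable[AuthMethod]]) -> List[AuthMethod]:
    """Treat every SUPPORTED_AUTH_METHODS notification in one message as part
    of a single list, preserving the sender's order (first = most preferred).
    A method repeated across notifications keeps its first position."""
    merged: List[AuthMethod] = []
    seen: Set[AuthMethod] = set()
    for notification in notifications:
        for method in notification:
            if method not in seen:
                seen.add(method)
                merged.append(method)
    return merged


def choose_auth_method(policy: LocalAuthPolicy,
                       announced: List[AuthMethod]) -> Optional[AuthMethod]:
    """Pick the method we will authenticate *ourselves* with toward this peer.

    - No announcement (peer does not support the extension, or it was
      removed): fall back to our own top preference, exactly as without the hint.
    - Announcement present: take the first method in the peer's order that
      our policy allows. The hint never widens policy, it only orders it.
    - Nothing announced is acceptable: the hint is unusable, so again use
      our own top preference rather than anything the announcement suggests.
    """
    if not policy.acceptable:
        return None
    for method in announced:
        if policy.allows(method):
            return method
    return policy.acceptable[0]


if __name__ == "__main__":
    # Constructed sample: two notifications in one message form a single list.
    announced = merge_announcements([
        [AuthMethod.RSA_DIGITAL_SIGNATURE, AuthMethod.ECDSA_SHA256_P256],
        [AuthMethod.SHARED_KEY_MIC, AuthMethod.ECDSA_SHA256_P256],
    ])
    policy = LocalAuthPolicy([AuthMethod.DIGITAL_SIGNATURE,
                              AuthMethod.ECDSA_SHA256_P256,
                              AuthMethod.SHARED_KEY_MIC])
    print("merged announcement:", [m.name for m in announced])
    print("chosen:", choose_auth_method(policy, announced).name)
    # Announcement reduced to NULL only: policy without NULL ignores the hint.
    print("NULL-only hint, strict policy:",
          choose_auth_method(policy, [AuthMethod.NULL_AUTHENTICATION]).name)
```

The last case is the one the proposed Security Considerations text describes: with a policy that does not list NULL, a NULL-only announcement changes nothing, and with a policy that does list it, choosing NULL is simply what local policy already permitted.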