Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 21 December 2022 16:55 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A68E0C14F726 for <ipsec@ietfa.amsl.com>; Wed, 21 Dec 2022 08:55:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jR-dptSyquAW for <ipsec@ietfa.amsl.com>; Wed, 21 Dec 2022 08:55:43 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76834C14F6EC for <ipsec@ietf.org>; Wed, 21 Dec 2022 08:55:43 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 7980238990; Wed, 21 Dec 2022 12:23:07 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Hnls7Vozlidv; Wed, 21 Dec 2022 12:23:03 -0500 (EST)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 6F5183898F; Wed, 21 Dec 2022 12:23:03 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1671643383; bh=IiygINyRk2pxKQjsukr2dKgBa0kjI4cvI+oV7/pHt44=; h=From:To:Subject:In-Reply-To:References:Date:From; b=tXnk1E1qJbUfAED9vYrtTnXVdCyk/SWMYoo5IOgunudb0BTAmzIBMCzK2fhFa2aYP aO1Uwtf8T0djbUFtTZ0+ZabP5WVAI/L6BhoPwNR5BUU+M92lihR/tZT95pr8qUBPUw 80wMAxStdXQ9GHedzl6zMtZh6O2b/8wmAiBqpl2ycxstxMurcl2uIKhcA5ib2pXErr MQuWfbPzHlF3PuBwB1M11wDi/cPXuVWTlWjdiAna5GftF0OhpGPqL2+Yr3GwRMZYUa y/syAv6qiogzAFh5cG/ZIuyjCy5ezi0ShNmN/K/PH3aPzo9ddsvyekTWZ2/RGuX966 4YWtbWB1siqKg==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 92A103CF; Wed, 21 Dec 2022 11:55:38 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>, ipsec@ietf.org, bew.stds@gmail.com
In-Reply-To: <257b01d9151c$a16579f0$e4306dd0$@gmail.com>
References: <11505.1671563270@localhost> <257b01d9151c$a16579f0$e4306dd0$@gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 21 Dec 2022 11:55:38 -0500
Message-ID: <9470.1671641738@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IuaqvNwLnsHrs1AaTE9-ep5KpOA>
Subject: Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2022 16:55:47 -0000
Valery Smyslov <smyslov.ietf@gmail.com> wrote: > many thanks for your review. Much appreciated. > Please, see inline. >> I started reading through this document during IETF115, but didn't >> finish until today. I don't think that I have ever read the IKEv1-G >> stuff. >> >> > G-IKEv2 SHOULD use UDP port 848, the same as GDOI [RFC6407], because >> > they serve a similar function. They can use the same ports, just as >> > IKEv1 and IKEv2 can share port 500. The version number in the IKE > >> header distinguishes the G-IKEv2 protocol from GDOI protocol > >> [RFC6407]. G-IKEv2 MAY also use the IKEv2 ports (500, 4500), which > >> would provide a better integration with IKEv2. G-IKEv2 MAY also use > >> TCP transport for registration (unicast) IKE SA, as defined in > >> [RFC8229]. >> >> Based upon this text, I would have no idea when/if I can send my >> G-IKEv2 packet to port 500 or 848. > I think it must be pre-configured (just as, for example, using TCP > encapsulation in IKEv2). Should we add some text? If it's an arbitrary port that someone has to configure, then please include no ports. I don't think it should be that way. I think that it should be port 500. I don't know if the option to also listen on port 848 matters. That reflects my preference that this work be an IKEv2 extension, rather than a new protocol like the IKEv1 version. >> Section 2.2 recaps the payload acronyms. I suggest a third column >> telling us where they are defined. > Perhaps it's better to split the table into to - existing IKEv2 > payloads and newly defined G-IKEv2-specific payloads. Does it work for > you? No, I'd rather see it all in one table. >> Can I do unicast IKE_CHILD_SA echanges in the same PARENT_SA as I do >> G-IKEv2? I can imagine use cases where there is both multicast and >> unicast traffic that needs to be protected. I guess not, beacuse >> GSA_AUTH is not IKE_AUTH. > You cannot create unicast IPsec SA at the time the G-IKEv2 SA is being > established (since GSA_AUTH cannot do it). It's an open question > whether you can create them once it is up (via CREATE_CHILD_SA). It is > not explicitly prohibited now, but would prefer not to do it - use > G-IKEv2 SA for group key management traffic only and create a separate > IKEv2 SA if the GCKS acts as a GW too. I don't understand GSA_AUTH vs IKE_AUTH. I think that's an IKEv1-ism to split it. >> Use of IPCOMP seems really difficult. I guess it can't be used until >> every receiver supports it. Is that common? Are the target use cases >> (probably video?) even compressible? > With multicast architecture for any single feature used, every receiver > have to support it, IPcomp is not an exception. Using IPcomp is defined > for completeness. No target use cases were considered (I think there > may be few of them). I'd consider leaving it out, or discouraging it. Obviously, one can just never compress, but it seems like it's been a PITA to implement. >> I guess 2.4.1 answers that question. Maybe just leave the comment to >> 2.4.1. > Can you suggest some wording? remove: "This is not a real IKEv2 exchange, since no response messages are sent." >> Are these IKEv2 messages sent in the normal port 500/848/4500 channel? >> Or? I don't understand this part at all. There are implications that >> it's multicast, but clearly, it can't be? > GSA_REKEY is sent over multicast (that's why it is unacknowledged). > The port it is sent to is specified by the GCKS in the GSA_AUTH > exchange (it can be any UDP port). > Can you be more specific of the text that is not clear and perhaps > propose some clarification text? It seems that GSA_RSAKEY is not an IKEv2 message at all then. >> "SID" is now rather overloaded in the IETF (CORE/YANG, SR6...), and >> perhaps another TLA could be considered :-) > This term was used in the draft from its early versions :-) Perhaps > change to SenderID? Or SENDER_ID? Or is it overloaded too? SenderID is way better. (CORE/YANG has Schema ID, SR6 has SegmentID) >> I think that the end of section 2.6, aout reusing Extended Sequence >> Number should probably have more widespread review within the WG. >> This is not just a key mgmt issue, but an 4301 update I think. > Actually, the current text in the draft is misleading. It is not about > reusing, the transform meaning is generalized and a new value for > transform ID is added. We'll try to make the text more clear. > I'm not sure it is an update to 4301, since it requires no code change > for existing implementations. Is the KWK part of IKEv2 or is it part of ESP? >> I'm not sure if section 6.1 belongs here. > Why? It describes how PPK can be used (well, how complicated is to use > it :-)) with G-IKEv2 and also has some justification for alternative > way of using PPK (defined in drft-smyslov-ipsecme-ikev2-qr-alt). It seems like it belongs in smyslov-ipsecme-ikev2-qr-alt. I don't feel strongly. >> Who has implemented? > As far as I know early versions of the draft (incompatible with the > current one) were implemented by Cisco and by Tobias Heider and Tobias > Guggemos. The current version is partially implemented by myself. >> Or maybe I should instead ask: who cares? > I believe that there is some interest in this work. I cannot estimate > how strong it is :-) We shouldn't waste resources publishing documents that nobody plans to deploy. (We have enough to do...) -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [IPsec] comments on draft-ietf-ipsecme-g-ikev2-07 Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Michael Richardson
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Paul Wouters
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] comments on draft-ietf-ipsecme-g-ikev… Paul Wouters