Re: IKEv2 (son-of-ike) draft
"Valery Smyslov" <svan@trustworks.com> Wed, 21 November 2001 12:01 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id fALC1L820311; Wed, 21 Nov 2001 04:01:21 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id GAA15410 Wed, 21 Nov 2001 06:14:18 -0500 (EST)
Message-Id: <200111211123.OAA26771@relay1.trustworks.com>
From: Valery Smyslov <svan@trustworks.com>
Organization: TWS
To: ipsec@lists.tislabs.com
Date: Wed, 21 Nov 2001 14:23:33 +0300
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: Re: IKEv2 (son-of-ike) draft
CC: dharkins@tibernian.com
In-reply-to: <20011118071052.0F71654C53@tailor.sailpix.com>
X-mailer: Pegasus Mail for Win32 (v3.12b)
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
On 17 Nov 01, at 23:10, dharkins@tibernian.com wrote: > This draft was submitted but hasn't shown up yet in the repository > (the I-D editor is, no doubt, swamped) so in the interest of giving > people more time to look at it prior to Salt Lake here's a link: > > http://www.lounge.org/draft-ietf-ipsec-ikev2-00.txt > > Please send comments to the list. > > Dan. I've read through the draft and have some comments and questions. 1. It seems that peers have no ability to learn what type of signature (RSA, DSS or smth else) the other party uses apart from investigating the type of public key contained in certificate. Because of certificate exchange is optional, it makes the protocol unworkable in some situations. Consider the example, when party A supports only RSA signatures, and party B supports both RSA and DSS signatures with DSS as preferable. While party B will be able to verify signature, generated by party A, the other party won't be able to do it, if party B will use its favourite (DSS). Moreover, party A has no ability to inform party B that she doesn't support DSS. Even the exchange of certificates doesn't help much - party B may have both RSA and DSS certificates from the same CA and she still will select her favourite - DSS, because she has no ability to learn that her peer doesn't support DSS at all. I can think of two ways to improve the situation. a) use notification INVALID-SIGNATURE to inform the other party that this type of signature algorithm is not supported. The problem with this solution is that with the lack of explicit knowledge of peer's public key type (if no cert exchange took place) the peer could not be able to always distinguish unsupported signature algorithm and just bad signature. b) add attribute "Signature algorithm" to transform "Authentication method", making the algorithm negotiateable. This will, however, eliminates the ability for each of the peers to use different algorithm. As for me, I like option b). 2. The draft says that responder may return a subset of TS proposed by initiator. While I like the idea in general, there is a problem: responder doesn't know what packet triggered IKE at initiator, so it can falsely narrow down TS so, that original packet at initiator won't fit into resulting SA, forcing initiator to perform one more Phase 2 (possibly with the same result). For responder to be more smart in this narrowing, some information about the packet, triggered the negotiation must be provided by initiator. Again, I can see 2 ways how this information may be provided. a) define a new payload type - say "Original packet" payload, very similar in format to Traffic Selector Substructure or to current ID payload (not to IKEv2 ID payload). Such payload must be sent by initiator along with TS payloads. They must be filled with information from the very packet, that triggered this negotiation. For responder this payloads will be an indication of IP addresses, protocol and ports that must be always be met while she will be narrowing initiator's TS. b) it is possible to avoid defining new payload type if initiator will always fill the very first TS Substructure with the information from the packet, triggered negotiation. She may provide additional TS Substructures as a proposal for SA selector, and responder will be knowing that she may narrow this proposal to any extent except that the requirements of the the very first TS Substructure must always be met after the narrowing. I have no strong opinion what solution is better. Few minor comments and questions. 3. It seems that TS payloads are required in IKEv2, eliminating the simplest case in IKEv1, when it was allowed to omit ID in Quick Mode. Is it right? 4. Reference to RFC 2522 (on page 10) is absent in References section. 5. Section 2.2, second paragraph. "... with is zero" - did you mean "... which is zero"? 6. Section 7.3.2, table Transform Type Values, "Integrity Algorithm" line. Is it a typo that IKE is mentioned in this line or is it for purpose? I cannot figure out how it is applicable to IKE and if it is, how does it interact with PseudoRandom Function values. 7. Page 30,31 - there seems to be too many bullets in description of Proposal Substructure and too few in description Transform :-) Regards, Valery Smyslov.
- IKEv2 (son-of-ike) draft dharkins
- Re: IKEv2 (son-of-ike) draft Valery Smyslov
- RE: IKEv2 (son-of-ike) draft sankar ramamoorthi
- Re: IKEv2 (son-of-ike) draft - IPComp-related com… Abraham Shacham