Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02
Paul Wouters <paul@nohats.ca> Mon, 18 March 2019 17:08 UTC
From: Paul Wouters <paul@nohats.ca>
To: Tobias Guggemos <guggemos@nm.ifi.lmu.de>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Date: Mon, 18 Mar 2019 18:08:20 +0100
In-Reply-To: <001e01d4ddac$5502d770$ff088650$@nm.ifi.lmu.de>
Message-Id: <5EA6ED83-4654-4A49-B429-D0661791EEBD@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LKxXDe-_gwhmm3z7k8LABWLfirQ>
Tobias raises good points to address, but that can be discussed after adoption too. I’m in favour of adoption and I would like all ambiguity to be resolved so that this document can be implemented independently from any other future documents.

Paul

Sent from mobile device

> On Mar 18, 2019, at 18:02, Tobias Guggemos <guggemos@nm.ifi.lmu.de> wrote:
>
> Hey all,
> we have implemented the draft and found a few issues. Overall, the separation of IKE_INTERMEDIATE and the draft-tjhai-ipsecme-hybrid-qske-ikev2-03 is not clear on some points.
>
> I personally like the idea of having a document on how to add a "pre-auth" exchange to IKEv2, however we’ve found that the two documents depend quite strongly on each other, which we found a bit of an implementation issue:
>
> 1. The draft does not say anything about payloads to be carried in the IKE_INTERMEDIATE message (except the SK payload), which means it could either transfer "any payload" or "no payload". From a security perspective, I'd assume "no payload", which means the draft specifies how to send an empty SK payload between IKE_INIT and IKE_AUTH, where "empty" means encrypted padding. So basically, we have a (standards-track RFC) document describing a message which cannot (I'd almost say MUST NOT) be implemented without the requirement to implement an additional document describing the payload.
>
> 2. On the other hand, IKE_INTERMEDIATE describes how to use previously exchanged keys in order to secure (encrypt) the IKE_INTERMEDIATE traffic. If IKE_INTERMEDIATE is there to describe the messages and not the key exchange, I think the document should only say that the current key in the IKE SA should be used.
>
> I'm not 100% sure if especially point 1 is an actual issue for an IETF document and, if so, how to solve it. One idea would be to define a (maybe informational/experimental) document like "how to add an additional pre-auth exchange in IKEv2", which can then be used by e.g. draft-tjhai-ipsecme-hybrid-qske-ikev2-03 to define the actual exchange. Another idea would be to define a list of allowed payloads (e.g. by IANA registry).
>
> If the WG thinks that this is not an issue or can be solved after adoption, we support adoption and we were about to show and discuss some details on that (and other PQKE related stuff) in a presentation in Prague. We just wanted to raise awareness and get a discussion on this (potential) issue before the adoption call ends.
>
> Regards
> Tobias
>
>> -----Original Message-----
>> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Panos Kampanakis (pkampana)
>> Sent: Thursday, 14 March 2019 20:07
>> To: 'Tero Kivinen' <kivinen@iki.fi>; ipsec@ietf.org
>> Subject: Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02
>>
>> +1 on adopting this draft.
>>
>> -----Original Message-----
>> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Valery Smyslov
>> Sent: Thursday, March 14, 2019 4:38 AM
>> To: 'Tero Kivinen' <kivinen@iki.fi>; ipsec@ietf.org
>> Subject: Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02
>>
>> Hi,
>>
>> as author of the document I (obviously) support its adoption. It's a building block for the QSKE solution (at least how the WG sees it now) so I think we should adopt it.
>>
>> Regards,
>> Valery.
>>
>>> This document has been stable for some time, and I think it is ready to go forward. Because of that I will start a one-week-long WG adoption call for this draft which will expire at the end of next week (2019-03-22).
>>>
>>> If you have any reasons why this should not be adopted as a WG document, send email to the list as soon as possible.
>>> --
>>> kivinen@iki.fi
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
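The two points Tobias raises both come down to what an IKE_INTERMEDIATE message actually looks like on the wire: an IKE header followed by a single SK payload, protected with the IKE SA's current SK_e/SK_a keys, where an "empty" SK payload still carries a full block of encrypted padding plus an ICV. The Go program below is an added example written for this thread; it is not code from the draft, from draft-tjhai-ipsecme-hybrid-qske-ikev2-03, or from any implementation mentioned here. It builds and then verifies/decrypts such a message using the RFC 7296 Encrypted payload layout (IV, AES-CBC ciphertext, padding, Pad Length, truncated HMAC ICV over header through Pad Length). Assumptions, all labelled in the code: the transform suite AES-128-CBC with HMAC-SHA2-256-128, constructed sample keys in place of PRF+-derived SK_ei/SK_ai, and a placeholder exchange-type number, since the draft on this page leaves that assignment to IANA.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire constants from RFC 7296 (SK payload type, version octet, fixed sizes).
const (
	payloadSK    = 46   // Encrypted and Authenticated payload
	payloadNone  = 0    // "no next payload": the inner chain is empty
	ikeVersion   = 0x20 // major version 2, minor 0
	ikeHeaderLen = 28
	skHeaderLen  = 4
	blockLen     = 16 // AES block size; also the CBC IV length
	icvLen       = 16 // HMAC-SHA2-256-128 truncates the tag to 16 octets
	// ASSUMPTION / placeholder: exchange-type number for IKE_INTERMEDIATE.
	// The draft discussed on this page leaves the value to IANA.
	exchIntermediate = 43
)

// Constructed sample keys, NOT keys of a real IKE SA (those come from PRF+, RFC 7296 2.14).
var (
	SampleSKei = []byte("sk_ei-sample-key")                 // 16 octets -> AES-128
	SampleSKai = []byte("sk_ai-sample-key-for-hmac-32byte") // 32 octets -> HMAC-SHA256
)

// BuildSKMessage assembles an IKEv2 message whose only payload is an SK payload wrapping
// inner (the inner payload chain, possibly empty; innerNext is its first payload type).
// Encryption: AES-128-CBC under skEi. Integrity: HMAC-SHA2-256-128 under skAi, computed
// over everything from the fixed IKE header through the Pad Length octet.
func BuildSKMessage(skEi, skAi []byte, spiI, spiR uint64, msgID uint32, exch, innerNext byte, inner []byte) ([]byte, error) {
	block, err := aes.NewCipher(skEi)
	if err != nil {
		return nil, err
	}
	// Padding so that inner + padding + the Pad Length octet fills whole blocks.
	// For an empty inner chain this is 15 padding octets plus Pad Length 15: one full block.
	padLen := (blockLen - (len(inner)+1)%blockLen) % blockLen
	plain := append([]byte{}, inner...)
	plain = append(plain, make([]byte, padLen)...) // padding value is the sender's choice
	plain = append(plain, byte(padLen))

	iv := make([]byte, blockLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)

	skLen := skHeaderLen + blockLen + len(ct) + icvLen
	msg := make([]byte, ikeHeaderLen, ikeHeaderLen+skLen)
	binary.BigEndian.PutUint64(msg[0:], spiI)
	binary.BigEndian.PutUint64(msg[8:], spiR)
	msg[16] = payloadSK
	msg[17] = ikeVersion
	msg[18] = exch
	msg[19] = 0x08 // Initiator flag set, Response and Version flags clear
	binary.BigEndian.PutUint32(msg[20:], msgID)
	binary.BigEndian.PutUint32(msg[24:], uint32(ikeHeaderLen+skLen))

	sk := []byte{innerNext, 0, 0, 0} // Next Payload, C bit + reserved, Payload Length
	binary.BigEndian.PutUint16(sk[2:], uint16(skLen))
	msg = append(msg, sk...)
	msg = append(msg, iv...)
	msg = append(msg, ct...)

	mac := hmac.New(sha256.New, skAi)
	mac.Write(msg)
	return append(msg, mac.Sum(nil)[:icvLen]...), nil
}

// OpenSKMessage checks the ICV first, then decrypts and strips padding, returning the
// first inner payload type and the inner payload chain (empty for an "empty" SK payload).
func OpenSKMessage(skEi, skAi, msg []byte) (byte, []byte, error) {
	if len(msg) < ikeHeaderLen+skHeaderLen+blockLen+icvLen || msg[16] != payloadSK {
		return 0, nil, errors.New("truncated message or no SK payload")
	}
	body, icv := msg[:len(msg)-icvLen], msg[len(msg)-icvLen:]
	mac := hmac.New(sha256.New, skAi)
	mac.Write(body)
	if !hmac.Equal(icv, mac.Sum(nil)[:icvLen]) {
		return 0, nil, errors.New("ICV mismatch") // never touch ciphertext before this check
	}
	if int(binary.BigEndian.Uint32(msg[24:])) != len(msg) || int(binary.BigEndian.Uint16(msg[30:])) != len(msg)-ikeHeaderLen {
		return 0, nil, errors.New("length fields disagree with message size")
	}
	iv := body[ikeHeaderLen+skHeaderLen : ikeHeaderLen+skHeaderLen+blockLen]
	ct := body[ikeHeaderLen+skHeaderLen+blockLen:]
	if len(ct) == 0 || len(ct)%blockLen != 0 {
		return 0, nil, errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher(skEi)
	if err != nil {
		return 0, nil, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-1])
	if padLen+1 > len(plain) {
		return 0, nil, errors.New("pad length exceeds plaintext")
	}
	return msg[ikeHeaderLen], plain[:len(plain)-1-padLen], nil
}

func main() {
	// An IKE_INTERMEDIATE message with nothing inside the SK payload: "encrypted padding".
	msg, err := BuildSKMessage(SampleSKei, SampleSKai, 0x1111, 0x2222, 2, exchIntermediate, payloadNone, nil)
	if err != nil {
		panic(err)
	}
	next, inner, err := OpenSKMessage(SampleSKei, SampleSKai, msg)
	fmt.Printf("%d octets on the wire, next payload %d, %d inner octets, err=%v\n", len(msg), next, len(inner), err)
}
```

Running it shows that the "empty" message is still 80 octets: 28 of header, 4 of SK header, a 16-octet IV, one 16-octet block that is entirely padding, and a 16-octet ICV. Only SK_ei/SK_ai of the existing IKE SA are involved, which is the reading Tobias suggests for point 2; what goes into the inner chain (point 1) is whatever the payload-defining document puts there, and the same builder accepts a non-empty chain unchanged.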