Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02

Paul Wouters <paul@nohats.ca> Mon, 18 March 2019 17:08 UTC

From: Paul Wouters <paul@nohats.ca>
In-Reply-To: <001e01d4ddac$5502d770$ff088650$@nm.ifi.lmu.de>
Date: Mon, 18 Mar 2019 18:08:20 +0100
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
Message-Id: <5EA6ED83-4654-4A49-B429-D0661791EEBD@nohats.ca>
References: <23688.31062.426962.985107@fireball.acr.fi> <01c701d4da41$3c61f890$b525e9b0$@gmail.com> <6454f07af680410e918431971f3489f2@XCH-ALN-010.cisco.com> <001e01d4ddac$5502d770$ff088650$@nm.ifi.lmu.de>
To: Tobias Guggemos <guggemos@nm.ifi.lmu.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LKxXDe-_gwhmm3z7k8LABWLfirQ>
Subject: Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02

Tobias raises good points to address, but that can be discussed after adoption too.

I’m in favour of adoption and I would like all ambiguity to be resolved so that this document can be implemented independently from any other future documents.

Paul

Sent from mobile device

> On Mar 18, 2019, at 18:02, Tobias Guggemos <guggemos@nm.ifi.lmu.de> wrote:
> 
> Hey all,
> we have implemented the draft and found a few issues.
> Overall, the separation of IKE_INTERMEDIATE and the
> draft-tjhai-ipsecme-hybrid-qske-ikev2-03 is not clear in some points. 
> 
> I personally like the idea of having a document on how to add a "pre-auth"
> exchange to IKEv2, however we’ve found that the two documents depend quite
> strongly on each other, which we found a bit of an implementation issue:
> 
> 1. The draft does not say anything about payloads to be carried in the
> IKE_INTERMEDIATE message (except SK payload), which means it could either
> transfer "any payload" or "no payload". 
> From a security perspective, I'd assume "no payload", which means the draft
> specifies how to send an empty SK payload between IKE_INIT and IKE_AUTH,
> where "empty" means encrypted padding.
> So basically, we have a (standard-track RFC) document describing a message
> which cannot (I'd almost say MUST NOT) be implemented without the
> requirement to implement an additional document describing the payload. 
> 
> 2. On the other hand, IKE_INTERMEDIATE describes how to use previously
> exchanged keys in order to secure (encrypt) the IKE_INTERMEDIATE traffic. 
> If IKE_INTERMEDIATE is there to describe the messages and not the key
> exchange, I think the document should only say that the current key in the
> IKE SA should be used.
> 
> I'm not 100% sure if especially point 1 is an actual issue for an IETF
> document and if so how to solve it.
> One idea would be to define a (maybe informational/experimental) document
> like "how to add an additional pre-auth exchange in IKEv2", which can then
> be used by e.g. draft-tjhai-ipsecme-hybrid-qske-ikev2-03 to define the
> actual exchange.
> Another idea would be to define a list of allowed payloads (e.g. by IANA
> registry).
> 
> If the WG thinks that this is not an issue or can be solved after adoption,
> we support adoption and we were about to show and discuss some details on
> that (and other PQKE related stuff) in a presentation in Prague.
> We just wanted to raise awareness and get a discussion on this (potential)
> issue before the adoption call ends.
> 
> Regards
> Tobias
> 
>> -----Original Message-----
>> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Panos Kampanakis
>> (pkampana)
>> Sent: Thursday, 14 March 2019 20:07
>> To: 'Tero Kivinen' <kivinen@iki.fi>; ipsec@ietf.org
>> Subject: Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02
>> 
>> +1 on adopting this draft.
>> 
>> -----Original Message-----
>> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Valery Smyslov
>> Sent: Thursday, March 14, 2019 4:38 AM
>> To: 'Tero Kivinen' <kivinen@iki.fi>; ipsec@ietf.org
>> Subject: Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02
>> 
>> Hi,
>> 
>> as author of the document I (obviously) support its adoption.
>> It's a building block for QSKE solution (at least how the WG sees it now)
>> so I think we should adopt it.
>> 
>> Regards,
>> Valery.
>> 
>>> This document has been stable for some time, and I think it is ready
>>> to go forward. Because of that I will start a one-week-long WG
>>> adoption call for this draft which will expire at the end of next week
>>> (2019-03-22).
>>> 
>>> If you have any reasons why this should not be adopted as WG document,
>>> send email to the list as soon as possible.
>>> --
>>> kivinen@iki.fi
>>> 
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec