Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04
"Valery Smyslov" <smyslov.ietf@gmail.com> Fri, 14 December 2018 07:09 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8A281310BD for <ipsec@ietfa.amsl.com>; Thu, 13 Dec 2018 23:09:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vx-MF7p0ka6y for <ipsec@ietfa.amsl.com>; Thu, 13 Dec 2018 23:09:16 -0800 (PST)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBD0A1310BC for <ipsec@ietf.org>; Thu, 13 Dec 2018 23:09:15 -0800 (PST)
Received: by mail-lj1-x22f.google.com with SMTP id n18-v6so3992985lji.7 for <ipsec@ietf.org>; Thu, 13 Dec 2018 23:09:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=ZGGeTDV+RTIw7XI3XucDiO0rm3Wrlg/66/Ne4t/Okxg=; b=Vwzsq9ft01IRE14boKUaBAnsv+jJxZ2csuqplgUT7jKJ6Ri7eCcnKr8gwrqERyxVlJ eR3NLTMpOhlW3YIhtMuhLY01/kLu2okNmB2aGRxpPUXtt9DDbPE9UZN7/pL/LLpFcJYn kBbWyOKf3D5Pp24eudkcuehQZUcBPOvNgTzdZmRu9QLSN3/CwbYtJiyyPyDtS9ruZWSK PusTJzaX90XV0iC+bJ3d60H9c39muqoyCMunMhKwYHYKVO8yfVirIJyiHDxzgjeual8u RtJ4Hct/x8OReWIAavUtmlzfn1JP2KDxpr8hDOLdjYHiDOCklFATXp86zmDUxa9i2NYM ffWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=ZGGeTDV+RTIw7XI3XucDiO0rm3Wrlg/66/Ne4t/Okxg=; b=IkAD76lJJzsZZmEEjkiQhBfxo5OQRcGlJJbGwY+d7jR+qvwP3k9GYcKxqd2/iNAswH A9MtE/9h9QLFdKMTDhfY6wlAssJGRu7l3qPTDBvgd3+jstGEiLVgcFUs0wpCNeLEBpta b7jHK7WXgCvzHiWocPoJPXjk1upVlmScVrvK+NQLmmIUop74R15cMpVRMVnFA+HMNmvs 39q/Dr2Uh+7o2bffeLsLU1HmAxWDMHcBpeWiQAoHDOGtpwwDncHcXZn7ddabWY65IIWS lEBryW+Q8xC3ra7BNQDHf7zqpaGXyNiQlocOcC1PGZI9c4YmIDp7iN2t57MTHw03O8ie LqYw==
X-Gm-Message-State: AA+aEWao38WctM5WRi7ZVwJxptT4z8wmM2rwiTjNgaCHKBiDioZ2KX7n di563nOMYAJCbegt0ID8avutSm0q
X-Google-Smtp-Source: AFSGD/XaWFWbnrNJ3kvpd3phX1KjijX2O3GKCVwgIMQViCiBYQp8wN5vi1W+2+iNYJs5MgGYl8+OlA==
X-Received: by 2002:a2e:55d3:: with SMTP id g80-v6mr1184742lje.78.1544771353435; Thu, 13 Dec 2018 23:09:13 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id q30sm761091lfi.94.2018.12.13.23.09.12 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 13 Dec 2018 23:09:12 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: "'Hammell, Jonathan F'" <Jonathan.Hammell@cyber.gc.ca>, ipsec@ietf.org
References: <20181213174027.091BD1200B3@ietfa.amsl.com>
In-Reply-To: <20181213174027.091BD1200B3@ietfa.amsl.com>
Date: Fri, 14 Dec 2018 10:08:49 +0300
Message-ID: <01fa01d4937b$dd4edaa0$97ec8fe0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJCuH6YkCsi91nYYVdJKq3SgNeIfqShes+Q
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Lb_GqOCs9BoY6S2P2_VOpfm7taM>
Subject: Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Dec 2018 07:09:18 -0000
Hi Jonathan, thank you for your review. Please see my comments inline. > The Canadian Centre for Cyber Security has reviewed draft-ietf-ipsecme-qr-ikev2-04 and recommends the > authors address the following comments before proceeding to IESG. > > 1. The table on Page 8 refers to the term 'HAVE PPK' - this term is not used elsewhere in the document. To > understand the table the reader is left to surmise its meaning. We understand the term as the Responder > being configured with a PPK for the Initiator (identified by the PPK_ID). We recommend either defining what > is meant by 'HAVE PPK' or changing the term from 'HAVE PPK' to 'Configured with PPK for the initiator' which > is how it is described in the Upgrade procedure or more simply as 'Configured with PPK' . I see your point. We'll think how to make this text more clear. > 2. Section Upgrade procedure - We recommend changing the statement "As an optional second step, after all > nodes have been upgraded, the administrator may then go back ... and mark the use of PPK as mandatory." to > "After all nodes have been upgraded, the administrator SHOULD go back ...". I don't think the proposed change is justified. The requirement language (MAY, SHOULD, MUST etc.) it IETF documents is usually used in protocol descriptions when some actions are required (or prohibited) to achieve interoperability. Section "Upgrade procedure" is not concerned with the protocol itself, it is just a recommended algorithm for upgrading some system for using PPK. It is not the only algorithm possible. And it isn't concerned with interoperability of different protocol implementations. So, I'd leave the text as is. > 3. IKEv2 with EAP authentication -the EAP-ikev2 protocol description in the draft is different from that in the > EAP-IKEv2 RFC 5106 beyond what we expect because of PPK use (i.e Initiator does not send an AUTH payload > in the first EAP-Req message). This is a confusion. The draft is not relevant to RFC 5106, so the whole comment is a result of misunderstanding. Let me explain. The EAP protocol is a framework for various authentication protocols, called EAP methods. A lot of EAP methods are defined (see https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4). The IKEv2 accommodates EAP as an alternative way to authenticate peers. How EAP is used in IKEv2 is defined in RFC 7296 - the core IKEv2 spec (in particular see Section 2.16). The confusion comes from the fact, that there is also an EAP method called EAP-IKEv2, defined in RFC 5106. This RFC describes how IKEv2-like protocol can be used inside EAP framework to achieve authentication, but it has nothing to do with how EAP framework is used within IKEv2. The draft is concerned with the latter, clarifying things for PPK use case. It is not concerned with EAP-IKEv2 EAP method. Regards, Valery. > a. Firstly, none of the message types from RFC 5106 are used in the draft: EAP-Req, EAP-Res and EAP-Success > for example. We recommend using the same notation as in the RFC to describe EAP with PPK. > b. The draft uses the term "EAP" whose meaning is unclear but assumed to mean an EAP type message. > c. The biggest difference appears to be the fact that it is the Responder who sends the EAP-success message. > This may be done because an extra IKE_AUTH exchange will be performed, but an explanation could be useful. > > We highlight two messages below (**) from the draft that appear to not fit the RFC's description. Also it is > not clear what is meant by the term EAP in the messages, we assume that it stands for EAP-Req or EAP-Res. > > The portion of the description in the draft (without the IKE_SA_INIT and IKE_AUTH exchanges) is > > Initiator Responder > ---------------------------------------------------------------- > HDR, SK {IDi, [CERTREQ,] > [IDr,] SAi2, > TSi, TSr} --> > <-- HDR, SK {IDr, [CERT,] AUTH, > EAP} > ** HDR, SK {EAP} --> > <-- HDR, SK {EAP (success)} ** > > > Compared with the protocol described in RFC 5106 without the initial exchanges > > 5. R<-I: EAP-Req (HDR, SK{IDi, [CERT], [CERTREQ], [NFID], AUTH}) > 6. R->I: EAP-Res (HDR, SK{IDr, [CERT], AUTH}) > * 7. R<-I: EAP-Success > > Figure 1: EAP-IKEv2 Full, Successful Protocol Run > > > Best regards, > Jonathan > > On Fri, 30 Nov 2018, Waltermire, David A. (Fed) wrote: > > > This message starts a working group last call (WGLC) on draft-ietf-ipsecme-qr-ikev2-04, which will conclude > on December 14, 2018 at UTC 23:59. Please review and provide feedback on the -04 version > (https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/). Please indicate if you believe this draft is ready > for publication or if you have comments that must be addressed before the draft progresses to the IESG. > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Waltermire, David A. (Fed)
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Paul Wouters
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Hammell, Jonathan F
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Hammell, Jonathan F
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Valery Smyslov