Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol
"Graham Bartlett (grbartle)" <grbartle@cisco.com> Tue, 09 September 2014 20:37 UTC
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Valery Smyslov <svanru@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, ipsec <ipsec@ietf.org>
Date: Tue, 09 Sep 2014 20:37:15 +0000
Message-ID: <D0351ADC.2C641%grbartle@cisco.com>
References: <540CA9B2.3090807@gmail.com> <DCC36F8DE78A4E5280A9977B4CAC144A@buildpc> <D033575C.2C348%grbartle@cisco.com> <0666BB9DE8304DC1891658BFA9FF7EF7@buildpc>
In-Reply-To: <0666BB9DE8304DC1891658BFA9FF7EF7@buildpc>
Hi

Thanks for the clarifications. I really like the idea of this - as Daniel has said it's well suited for IoT, but I'm wondering if this could then lend IKEv2 into a similar concept as 'https' - secure channel and authentication of the headend, and then the initiator's credentials are sent by some other means. As you say, I think it needs a lot of thought into the security considerations.

cheers

On 09/09/2014 08:11, "Valery Smyslov" <svanru@gmail.com> wrote:

>Hi Graham,
>
>> I have one Q.
>>
>> If endpoint receives a request to create an unauthenticated IKE SA
>> from the IP address, which is configured on the endpoint to be
>> authenticated, the request SHOULD be rejected.
>>
>> Why is this not MUST be rejected? Otherwise an attacker could trick the
>> responder into revealing their identity (maybe some words around this
>> also?).
>
>I was thinking of two possible cases here.
>First, even if the initiator was able to certify its identity,
>it might want to keep anonymity for this particular
>connection (for example to prevent tracking its
>activity). And the other case - the responder's configuration
>could be out of date and the IP address it was
>configured to be authenticated could already
>belong to some other, anonymous host.
>
>Anyway, while SHOULD is a pretty strong requirement,
>it is not ultimate here: I'm not absolutely sure
>that the above cases completely justify it over MUST.
>We can discuss it.
>
>And you are right - some (I dare to say "many")
>words still need to be added into the Security Considerations
>section.
>
>Regards,
>Valery.
>
>
>> Thanks
>>
>> Graham
>>
>>
>> On 08/09/2014 07:27, "Valery Smyslov" <svanru@gmail.com> wrote:
>>
>>>Yes.
>>>
>>>Obviously, as the author of the document I can see its value,
>>>which is described in the document itself.
>>>And I think it's better to standardize it with
>>>more people involved, than as individual submission.
>>>
>>>Regards,
>>>Valery.
>>>
>>>----- Original Message -----
>>>From: "Yaron Sheffer" <yaronf.ietf@gmail.com>
>>>To: "ipsec" <ipsec@ietf.org>
>>>Sent: Sunday, September 07, 2014 10:53 PM
>>>Subject: [IPsec] Call for adoption: The NULL Authentication Method in
>>>IKEv2Protocol
>>>
>>>
>>>> Dear working group,
>>>>
>>>> This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a
>>>>WG
>>>> document. Please respond to this mail with a Yes or No and a short
>>>> rationale, at latest by Friday Sep. 12.
>>>>
>>>> Thanks,
>>>> Yaron
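An added illustration of the requirement debated in this thread (not code from the draft or from any participant): a responder-side policy check that rejects a NULL-authenticated IKE SA request from an address configured to authenticate, with a `strict` flag modelling "MUST reject" versus the draft's overridable "SHOULD". The config shape, the flag and the function names are assumptions.

```python
# Added example (not from the thread or the draft): responder policy check for
# "if an endpoint receives a request to create an unauthenticated IKE SA from
# an IP address configured to be authenticated, the request SHOULD be rejected".
# Config format, strict flag and names are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Decision(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


@dataclass(frozen=True)
class ResponderPolicy:
    # Prefixes whose hosts are expected to authenticate (e.g. managed devices).
    authenticated_prefixes: tuple[str, ...]
    # True models "MUST reject"; False models "SHOULD" as a default an
    # operator may override (the stale-configuration case raised in the thread).
    strict: bool = True


def check_unauthenticated_request(policy: ResponderPolicy, peer_ip: str,
                                  auth_method: str) -> tuple[Decision, str]:
    """Decide whether an IKE_AUTH exchange using auth_method may proceed
    from peer_ip.  Only the NULL authentication method is subject to the rule;
    every other method follows normal authenticated processing."""
    if auth_method != "NULL":
        return Decision.ACCEPT, "authenticated method, normal processing"
    addr = ipaddress.ip_address(peer_ip)
    # Mixed IPv4/IPv6 comparisons are simply non-matches in ipaddress.
    matched = [ipaddress.ip_network(p) for p in policy.authenticated_prefixes
               if addr in ipaddress.ip_network(p)]
    if not matched:
        return Decision.ACCEPT, "peer is not configured to authenticate"
    # Report the longest-prefix match so an operator can see which rule fired.
    rule = max(matched, key=lambda n: n.prefixlen)
    if policy.strict:
        return Decision.REJECT, f"NULL auth from authenticated range {rule}"
    return Decision.ACCEPT, f"NULL auth from {rule} allowed by local policy, logged"


if __name__ == "__main__":
    pol = ResponderPolicy(("10.0.0.0/8", "10.1.0.0/16"))
    print(check_unauthenticated_request(pol, "10.1.2.3", "NULL"))
    print(check_unauthenticated_request(pol, "192.0.2.7", "NULL"))
```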