Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol

"Graham Bartlett (grbartle)" <grbartle@cisco.com> Tue, 09 September 2014 20:37 UTC

From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Valery Smyslov <svanru@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, ipsec <ipsec@ietf.org>
Date: Tue, 09 Sep 2014 20:37:15 +0000
Message-ID: <D0351ADC.2C641%grbartle@cisco.com>
References: <540CA9B2.3090807@gmail.com> <DCC36F8DE78A4E5280A9977B4CAC144A@buildpc> <D033575C.2C348%grbartle@cisco.com> <0666BB9DE8304DC1891658BFA9FF7EF7@buildpc>
In-Reply-To: <0666BB9DE8304DC1891658BFA9FF7EF7@buildpc>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/NNDEjuaXfwzhWIEateT7yC-I7U8

Hi

Thanks for the clarifications.

I really like the idea of this - as Daniel has said it's well suited for
IoT, but I'm wondering if this could then lend IKEv2 into a similar
concept as 'https' - secure channel and authentication of the headend and
then the initiator's credentials are sent by some other means.

As you say, I think it needs a lot of thought into the security
considerations.


cheers

On 09/09/2014 08:11, "Valery Smyslov" <svanru@gmail.com> wrote:

>Hi Graham,
>
>> I have one Q.
>> 
>> If endpoint receives a request to create an unauthenticated IKE SA
>> from the IP address, which is configured on the endpoint to be
>> authenticated, the request SHOULD be rejected.
>> 
>> Why is this not MUST be rejected ? Otherwise an attacker could trick the
>> responder into revealing their identity (maybe some words around this
>> also?).
>
>I was thinking of two possible cases here.
>First, even if the initiator was able to certify its identity,
>it might want to keep anonymity for this particular
>connection (for example to prevent tracking its
>activity). And the other case - the responder's configuration
>could be out of date and the IP address it was
>configured to be authenticated could already
>belong to some other, anonymous host.
>
>Anyway, while SHOULD is a pretty strong requirement,
>it is not ultimate here: I'm not absolutely sure
>that the above cases completely justify it over MUST.
>We can discuss it.
>
>And you are right - some (I dare to say "many")
>words still need to be added into the Security Considerations
>section.
>
>Regards,
>Valery.
>
>
>> Thanks
>> 
>> Graham
>> 
>> 
>> On 08/09/2014 07:27, "Valery Smyslov" <svanru@gmail.com> wrote:
>> 
>>>Yes.
>>>
>>>Obviously, as the author of the document I can see its value,
>>>which is described in the document itself.
>>>And I think it's better to standardize it with
>>>more people involved, than as individual submission.
>>>
>>>Regards,
>>>Valery.
>>>
>>>----- Original Message -----
>>>From: "Yaron Sheffer" <yaronf.ietf@gmail.com>
>>>To: "ipsec" <ipsec@ietf.org>
>>>Sent: Sunday, September 07, 2014 10:53 PM
>>>Subject: [IPsec] Call for adoption: The NULL Authentication Method in
>>>IKEv2Protocol
>>>
>>>
>>>> Dear working group,
>>>>
>>>> This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a
>>>>WG 
>>>> document. Please respond to this mail with a Yes or No and a short
>>>> rationale, at latest by Friday Sep. 12.
>>>>
>>>> Thanks,
>>>> Yaron
>>>>
>>>> _______________________________________________
>>>> IPsec mailing list
>>>> IPsec@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ipsec
>>>
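The two points argued in this thread (whether a responder that is configured to authenticate a given peer address rejects a NULL-auth request from it, and the "https-like" shape where only the headend authenticates) can be made concrete with a small policy model. The block below is an added example written for this archive page; it is not code from the draft, from Cisco, or from any IKEv2 implementation. The rule structure, the `strict` flag, the function names, the sample addresses and transcripts are all assumptions made here. The PSK AUTH construction follows RFC 7296 section 2.15 with HMAC-SHA256 as the prf; the "signed octets" are passed in as opaque byte strings rather than built from real IKE messages.

```python
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional, Union

AUTH_PSK = "PSK"
AUTH_NULL = "NULL"


def psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    # RFC 7296 s2.15: AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
    # prf taken as HMAC-SHA256; SignedOctets supplied by the caller as an opaque transcript.
    pad_key = hmac.new(shared_secret, b"Key Pad for IKEv2", hashlib.sha256).digest()
    return hmac.new(pad_key, signed_octets, hashlib.sha256).digest()


@dataclass
class PeerRule:
    network: Union[IPv4Network, IPv6Network]
    identity: Optional[str]   # expected IDi when the peer must authenticate; None = NULL allowed
    psk: Optional[bytes]      # shared secret bound to that identity

    @property
    def must_authenticate(self) -> bool:
        return self.identity is not None


@dataclass
class Responder:
    idr: bytes          # responder's own identity payload contents
    own_psk: bytes      # secret the responder uses to authenticate itself
    rules: list
    strict: bool = True  # True = the MUST reading (reject); False = SHOULD (accept as anonymous)


@dataclass
class Outcome:
    accepted: bool
    authorized_as: Optional[str]   # identity granted to the peer; None means anonymous
    reply: dict                    # payloads the responder puts in its IKE_AUTH response


def ike_auth_responder(r: Responder, peer_ip: str, method: str, idi: Optional[str],
                       auth: Optional[bytes], init_signed_octets: bytes,
                       resp_signed_octets: bytes) -> Outcome:
    addr = ip_address(peer_ip)
    rule = next((x for x in r.rules if addr in x.network), None)

    def reject() -> Outcome:
        # A rejection carries no IDr and no AUTH: the responder's identity is
        # disclosed only to peers it has already decided to accept.
        return Outcome(False, None, {"N": "AUTHENTICATION_FAILED"})

    def accept(identity: Optional[str]) -> Outcome:
        # Asymmetric authentication: the responder proves itself with its PSK
        # even when the initiator stays anonymous (the "https-like" case).
        return Outcome(True, identity,
                       {"IDr": r.idr, "AUTH": psk_auth(r.own_psk, resp_signed_octets)})

    if method == AUTH_NULL:
        if rule is None:
            return reject()          # unknown address: default deny
        if rule.must_authenticate and r.strict:
            return reject()          # MUST reading of the draft's rule
        # SHOULD reading: the peer may be able to authenticate but want anonymity,
        # or the address rule may be stale. In either case the IP address is not
        # evidence of identity, so the peer is authorized as nobody.
        return accept(None)

    if method == AUTH_PSK:
        if rule is None or not rule.must_authenticate or idi != rule.identity:
            return reject()
        expected = psk_auth(rule.psk, init_signed_octets)
        if auth is None or not hmac.compare_digest(expected, auth):
            return reject()
        return accept(rule.identity)

    return reject()                  # unsupported or unexpected method


def demo(strict: bool) -> dict:
    # Constructed sample configuration and transcripts, not from any real deployment.
    rules = [
        PeerRule(ip_network("192.0.2.0/24"), "branch-gw.example", b"branch-secret"),
        PeerRule(ip_network("198.51.100.0/24"), None, None),   # sensors: NULL auth allowed
    ]
    resp = Responder(b"headend.example", b"headend-secret", rules, strict)
    i_oct, r_oct = b"initiator-signed-octets", b"responder-signed-octets"
    good = psk_auth(b"branch-secret", i_oct)
    run = lambda ip, m, idi, a: ike_auth_responder(resp, ip, m, idi, a, i_oct, r_oct)
    return {
        "sensor_null": run("198.51.100.7", AUTH_NULL, None, None),
        "branch_null": run("192.0.2.10", AUTH_NULL, None, None),
        "branch_psk": run("192.0.2.10", AUTH_PSK, "branch-gw.example", good),
        "branch_bad_psk": run("192.0.2.10", AUTH_PSK, "branch-gw.example", b"\x00" * 32),
        "stranger_null": run("203.0.113.5", AUTH_NULL, None, None),
    }
```

Running `demo(True)` gives the MUST behaviour: the sensor's NULL-auth request is accepted anonymously and answered with IDr/AUTH, the branch gateway's NULL-auth request is refused without any identity payload, and the branch gateway gets through only with a correct PSK AUTH. `demo(False)` shows the SHOULD alternative from the quoted reply: the branch address may still use NULL auth, but it is then authorized as an anonymous peer, never as `branch-gw.example`, so a stale address table or an anonymity-seeking host does not inherit the configured identity's privileges.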