IETF Logo Mail Archive

Re: [IPsec] Mirja Kühlewind's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)

Valery Smyslov <svan@elvis.ru> Wed, 08 January 2020 09:27 UTC

Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7E4712002F; Wed, 8 Jan 2020 01:27:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hbmg4n-oNNrJ; Wed, 8 Jan 2020 01:27:19 -0800 (PST)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69169120024; Wed, 8 Jan 2020 01:27:18 -0800 (PST)
Received: from kmail2.elvis.ru ([93.188.44.210]) by akmail.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1ip7cQ-0003lp-N9; Wed, 08 Jan 2020 12:27:15 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail2.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1ip7cL-0007qT-Vi; Wed, 08 Jan 2020 12:27:14 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Wed, 8 Jan 2020 12:27:09 +0300
Received: from chichi (10.100.100.7) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Wed, 8 Jan 2020 12:27:06 +0300
From: Valery Smyslov <svan@elvis.ru>
To: "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>, 'Mirja Kühlewind' <ietf@kuehlewind.net>, 'The IESG' <iesg@ietf.org>
CC: ipsec@ietf.org, ipsecme-chairs@ietf.org, david.waltermire@nist.gov, draft-ietf-ipsecme-qr-ikev2@ietf.org
References: <157840447348.21027.3875533519589774243.idtracker@ietfa.amsl.com> <BN7PR11MB2547A0216F2B8566B112811AC93E0@BN7PR11MB2547.namprd11.prod.outlook.com>
In-Reply-To: <BN7PR11MB2547A0216F2B8566B112811AC93E0@BN7PR11MB2547.namprd11.prod.outlook.com>
Date: Wed, 08 Jan 2020 12:27:04 +0300
Message-ID: <00bc01d5c605$ca5916f0$5f0b44d0$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGY4KgrgL+s46p1j/ZhtxErcpkYXQMbldDrqEFcWkA=
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-Spam-Scanner: Rspamd work in kmail2.elvis.ru, WHITELIST
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2020/01/08 08:44:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2020/01/08 02:05:00 #14989725
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Scanner: Rspamd work in akmail.elvis.ru, WHITELIST
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/NSC-AaZUQXYsuvhtRzybL8_Cpkc>
Subject: Re: [IPsec] Mirja Kühlewind's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 09:27:23 -0000

Hi Panos, Mirja,

> Hi Mirja,
> 
> To try to answer your questions
> 
> 1) You are right. This is mentioned in a paragraph below that reads
> 
>    [...] or continue without using the
>    PPK (if the PPK was not configured as mandatory and the initiator
>    included the NO_PPK_AUTH notification in the request).
> 
> But for clarity we will slightly rephrase the sentence you pointed out to
> 
>    only if using PPKs for communication with this responder
>    is optional for the initiator (based on the mandatory_or_not flag),
>    then the initiator MAY include a notification NO_PPK_AUTH in the
>    above message.

After re-reading this para, I think that uppercase "MAY" is not needed here,
because if the initiator doesn't include NO_PPK_AUTH, then it leaves
no chances for the responder to complete IKE SA without using PPK,
so in this case using PPK becomes in fact mandatory. I think the proper text should be:

    For this purpose, if using PPKs for communication with this responder
    is optional for the initiator (based on the mandatory_or_not flag),
    then the initiator includes a notification NO_PPK_AUTH in the
    above message.

> 2) It is a little hard to include a time that would match all situations. It really
> depends on the server DoS protection policy and when it kicks on. The
> initiator cannot really know how fast is considered too fast for the
> responder so it has to make a conservative decision. Adding a " (e.g.,
> seconds) " would probably suffice here.

Since this situation is most probably caused by misconfiguration (or some attack),
I think that the period of inactivity for the initiator should be longer, at least several minutes.
Anyway, I agree that it's hard to give universal advice here.
I'd leave the text as is, since the reference to "misconfiguration"
in this para gives in my opinion enough hint of how long to wait.

> 3) Waiting for one or two RTTs is probably a good rule. The side-effect could
> be that the initiator stays waiting for responses for too long which delays
> the handshake. I am not sure we can mandate in absolute time because it
> depends on the relative distance between client and server. We can
> probably include " (e.g., one round-trip) " in the text.

I think one or two RTT is too short, moreover since it's an initial request,
no RTT is yet measured (IKEv2 uses UDP as primary transport).
We try here to be in line with core IKEv2 spec, which deliberately 
doesn't give any concrete figures of how long to wait for an response
(section 2.4 of RFC7296). So, I'd leave the text as is.

> 4) I am not sure adding one more notification for downgrade detection
> adds much here. Remember IKEv2 has subsequent messages to do
> IKE_AUTH etc and we wanted to not introduce more significant deviations
> on IKEv2.
> 
> If the PPK is optional for both peers then downgrade is possible but it is the
> cost of being flexible to allow some peers to use PPK and some to not. If any
> of the peers has PPK as mandatory then downgrade will be caught and
> rejected as explained in the Sec Considerations section, so I think we are OK
> there.

I agree with Panos: the downgrade is possible only if using PPK is optional
for both, in which case both parties agree that downgrade is OK.

Regards,
Valery.

> Rgs,
> Panos
> 
> -----Original Message-----
> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Mirja Kühlewind via
> Datatracker
> Sent: Tuesday, January 07, 2020 8:41 AM
> To: The IESG <iesg@ietf.org>
> Cc: ipsec@ietf.org; ipsecme-chairs@ietf.org; david.waltermire@nist.gov;
> draft-ietf-ipsecme-qr-ikev2@ietf.org
> Subject: [IPsec] Mirja Kühlewind's No Objection on draft-ietf-ipsecme-qr-
> ikev2-10: (with COMMENT)
> 
> Mirja Kühlewind has entered the following ballot position for
> draft-ietf-ipsecme-qr-ikev2-10: No Objection
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 1) One small question on section 3:
> "if using PPKs for communication with this responder
>    is optional for the initiator, then the initiator MAY include a
>    notification NO_PPK_AUTH in the above message."
> This does mean that NO_PPK_AUTH notification should not be sent when
> the mandatory_or_not flag indicates that PPK is mandatory, right? Or is that
> a separate configuration? Would be good to clarify in the doc!
> 
> 2) Section 6 says:
> "In this situation, it is RECOMMENDED
>    that the initiator caches the negative result of the negotiation for
>    some time and doesn't make attempts to create it again for some time,"
> Would it be possible to give any hints about what "some time" means or at
> least the order of magnitude? Maybe it could be recommended to wait a
> couple of seconds? Or how long is it usually expected to take until the half-
> open connection will be expired?
> 
> 3) Also here:
> "then the initiator doesn't abort the
>    exchange immediately, but instead waits some time for more responses
>    (possibly retransmitting the request)."
> How long should one wait? Probably 1-2 RTTs if the RTT is known or maybe
> there is some good max value like 500ms or 1s or more...?  Is there any risk
> in waiting too long?
> 
> 3) And one high-level comment (without knowing to much details about
> IKEv2):
> Would it be possible do a downgrade detection, meaning when non-PKK
> encryption is established the initiator would tell the responser again that it
> was initially requesting PKK, just to double-check...?
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email