Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-06.txt

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 06 April 2022 12:44 UTC

From: Valery Smyslov <smyslov.ietf@gmail.com>
To: ipsec@ietf.org
In-Reply-To: <164924807176.8548.6981260676786408454@ietfa.amsl.com>
Date: Wed, 06 Apr 2022 15:44:07 +0300
Message-ID: <1da401d849b4$02446f90$06cd4eb0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/VtHHmch0N04m4JS4MtTuVO81j14>

Hi,

This version addresses the discussion we had at IETF 113. In particular:

1. Explicit PSK authentication is removed.
2. USE_TRANSPORT_MODE notification is used as in IKEv2
   (which implies a restriction that all IPsec SAs in a GSA must use the same mode).
3. Using ESN is now MUST NOT, but it is a MUST for the GCKS to rekey frequently enough to prevent SN overlap.
4. Using replay protection is clarified. This is probably the most important change,
   since the semantics of the "Extended Sequence Numbers" transform are enhanced,
   which leads to its renaming to the "Replay Protection" transform, and thus
   we formally update RFC 7296 (although only by renaming the IANA registry).
   See new section 2.6.
5. UDP encapsulation of ESP is prohibited for multicast Data-Security SAs.
6. Default Activation Time Delay and Deactivation Time Delay are set to 0 (no delay;
   this wasn't specified before).
7. Using tunnel and transport mode is clarified.
8. Clarified that using port 848 in the IKE_SA_INIT exchange doesn't change
   behavior compared to port 500 (in particular, in both cases there is a switch to 4500 in case of NAT).
9. Multiple text improvements.

Please review.

Regards,
Valery.

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF.
> 
>         Title           : Group Key Management using IKEv2
>         Authors         : Valery Smyslov
>                           Brian Weis
>         Filename        : draft-ietf-ipsecme-g-ikev2-06.txt
>         Pages           : 68
>         Date            : 2022-04-06
> 
> Abstract:
>    This document presents an extension to the Internet Key Exchange
>    version 2 (IKEv2) protocol for the purpose of a group key management.
>    The protocol is in conformance with the Multicast Security (MSEC) key
>    management architecture, which contains two components: member
>    registration and group rekeying.  Both components require a Group
>    Controller/Key Server to download IPsec group security associations
>    to authorized members of a group.  The group members then exchange IP
>    multicast or other group traffic as IPsec packets.  This document
>    obsoletes RFC 6407.  This document also updates RFC 7296 by renaming
>    one of the transform types defined there.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-g-ikev2/
> 
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-g-ikev2-06
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-g-ikev2-06
> 
> 
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
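Item 3 of the change list above says that ESN is now MUST NOT for group SAs and that the GCKS MUST rekey frequently enough to prevent sequence-number overlap. The following is an added example, not code from the draft, from the mail, or from any G-IKEv2 implementation: a GCKS-side monitor that tracks each sender's 32-bit ESP sequence number on a shared multicast SA, projects where each counter will be at the next scheduled rekey, and reports senders that would exhaust the safe fraction of the sequence-number space first. It assumes (these are this example's assumptions, not the page's) that every sender keeps an independent 32-bit counter starting at 1 under the shared SPI, as in RFC 4303, and that the GCKS learns per-sender counters from periodic samples. All class and function names, and the sample data, are constructed for this example.

```python
"""Added example (not from draft-ietf-ipsecme-g-ikev2 or this mail): check the
rule that, with ESN disabled, a multi-sender group Data-Security SA must be
rekeyed before any sender's 32-bit ESP sequence number can cycle.

Assumptions (this example's own): each sender of the multicast SA keeps its
own 32-bit counter starting at 1 under the shared SPI (RFC 4303 semantics),
and the GCKS receives periodic samples of each sender's current counter.
"""
from dataclasses import dataclass, field

SN_MAX = 2**32 - 1  # last usable 32-bit ESP sequence number; it must never wrap


@dataclass
class SenderSample:
    member_id: str
    t_seconds: float  # time of the sample, relative to SA activation
    seq: int          # sender's sequence number observed at that time


@dataclass
class GroupSaMonitor:
    rekey_interval: float        # seconds from SA activation to the next scheduled rekey
    safety_margin: float = 0.9   # flag a sender once 90% of the SN space would be used
    _first: dict = field(default_factory=dict)  # member_id -> earliest sample
    _last: dict = field(default_factory=dict)   # member_id -> latest sample

    def observe(self, s: SenderSample) -> None:
        """Record a counter sample; a counter moving backwards means a wrap
        (or an unexpected reset) already happened, which the policy forbids."""
        if not 1 <= s.seq <= SN_MAX:
            raise ValueError(f"{s.member_id}: invalid 32-bit SN {s.seq}")
        prev = self._last.get(s.member_id)
        if prev is not None and s.seq < prev.seq:
            raise RuntimeError(f"{s.member_id}: sequence number wrapped")
        self._first.setdefault(s.member_id, s)
        self._last[s.member_id] = s

    def rate_pps(self, member_id: str) -> float:
        """Average packets per second between the first and last sample."""
        a, b = self._first[member_id], self._last[member_id]
        dt = b.t_seconds - a.t_seconds
        return (b.seq - a.seq) / dt if dt > 0 else 0.0

    def projected_seq(self, member_id: str, at_seconds: float) -> int:
        """Linear projection of the sender's counter at a future time."""
        last = self._last[member_id]
        return last.seq + int(self.rate_pps(member_id) * (at_seconds - last.t_seconds))

    def must_rekey_early(self) -> list:
        """Senders whose projected SN at the scheduled rekey would exceed the
        safe fraction of the SN space; a non-empty list means rekey now."""
        limit = SN_MAX * self.safety_margin
        return [m for m in self._last
                if self.projected_seq(m, self.rekey_interval) > limit]


def demo() -> list:
    """Constructed samples: sender A at ~100k pps, sender B at ~2M pps, with a
    rekey scheduled one hour after SA activation."""
    mon = GroupSaMonitor(rekey_interval=3600)
    for s in (SenderSample("A", 0, 1), SenderSample("A", 60, 6_000_001),
              SenderSample("B", 0, 1), SenderSample("B", 60, 120_000_001)):
        mon.observe(s)
    return mon.must_rekey_early()


if __name__ == "__main__":
    print("senders forcing an early rekey:", demo())
```

The projection is deliberately linear and conservative; a real GCKS would combine it with the draft's lifetime attributes, but the decision point is the same: the SA must be replaced before the fastest sender's 32-bit counter gets anywhere near SN_MAX, since a wrap with ESN disabled defeats replay protection.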