[IPsec] AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04

Roman Danyliw <rdd@cert.org> Wed, 25 October 2023 23:57 UTC

From: Roman Danyliw <rdd@cert.org>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04
Thread-Index: AdoHntxa3qOpV+b2SaSMghAtbAXj3g==
Date: Wed, 25 Oct 2023 23:57:15 +0000
Message-ID: <BN2P110MB11076E4C10617CF7810E96DEDCDEA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/XfdriGpIsZoDdjrHqUE6CgMjf7Y>

Hi!

I performed an AD review of draft-ietf-ipsecme-ikev2-auth-announce-04.  Thanks for the work on this document.  I have the following feedback:


** Section 3.1
If the initiator is configured to use Extensible Authentication Protocol (EAP) for authentication in IKEv2 (see Section 2.16 of [RFC7296]), then it SHOULD NOT send the SUPPORTED_AUTH_METHODS notification.

-- Since SHOULD NOT vs. MUST NOT is used, under what circumstances would it be appropriate to use EAP + SUPPORTED_AUTH_METHODS?

** Section 3.2

If more authentication methods are defined in future, the corresponding documents must describe the semantics of the announcements for these methods.

-- Should this be a s/must/MUST?

** Section 3.2
The blob always starts with an octet containing the length of the blob followed by an octet containing the authentication method. Authentication methods are represented as values from the "IKEv2 Authentication Method" registry defined in [IKEV2-IANA].

-- The reference in [IKEV2-IANA] is incorrect.  It should be pointing to Parameter 12.

OLD
[IKEV2-IANA]
    IANA, "Internet Key Exchange Version 2 (IKEv2) Parameters", <http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-7>.

NEW
[IKEV2-IANA]  IANA, "Internet Key Exchange Version 2 (IKEv2) Parameters",
<https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-12>

** Section 3.2.3.  Please provide a normative reference for DER.  I believe it is:

   [X.690]    ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
              Information technology - ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER).

** Section 5.  Please add that the Security Considerations of the specifically negotiated auth methods apply.

** Section 6.  The “Notify Message Types - Status Types” registry has three fields.  Please formally say that this document should be the reference.

Thanks,
Roman
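Parsing the announcement format quoted under Section 3.2 above, as an added example that is not code from the draft, the reviewer, or any IKEv2 implementation; it assumes the Len octet counts the whole blob including itself, and the sample bytes and method names beyond the quoted text are constructed from the IANA registry the draft cites:

```python
# Added example: a strict parser for the announcement data carried in a
# SUPPORTED_AUTH_METHODS notification, as described in Section 3.2 of the
# draft ("an octet containing the length of the blob followed by an octet
# containing the authentication method").
# Assumption: Len covers the whole blob, its own octet included.

# Values from the IANA "IKEv2 Authentication Method" registry (parameter 12).
AUTH_METHOD_NAMES = {
    1: "RSA Digital Signature",
    2: "Shared Key Message Integrity Code",
    3: "DSS Digital Signature",
    9: "ECDSA with SHA-256 on the P-256 curve",
    10: "ECDSA with SHA-384 on the P-384 curve",
    11: "ECDSA with SHA-512 on the P-521 curve",
    14: "Digital Signature",
}


class AnnouncementError(ValueError):
    """Raised when the announcement data is malformed."""


def parse_supported_auth_methods(data: bytes) -> list:
    """Split announcement data into (auth_method, method_specific_data) tuples.

    Every blob is bounds-checked before it is read, so a truncated blob or a
    zero-length blob (which would never advance the offset) is rejected
    instead of causing an out-of-range read or an endless loop.
    """
    blobs = []
    offset = 0
    while offset < len(data):
        length = data[offset]
        if length < 2:  # must hold at least the Len and Auth Method octets
            raise AnnouncementError(f"blob at offset {offset} has Len {length} < 2")
        if offset + length > len(data):
            raise AnnouncementError(f"blob at offset {offset} runs past end of data")
        method = data[offset + 1]
        extra = bytes(data[offset + 2 : offset + length])  # method-specific data
        blobs.append((method, extra))
        offset += length
    return blobs


def describe(blobs: list) -> list:
    """Map parsed blobs to registry names; unknown values are flagged, not guessed."""
    return [AUTH_METHOD_NAMES.get(m, f"unassigned/private ({m})") for m, _ in blobs]


def is_malformed(data: bytes) -> bool:
    """True if the announcement data is rejected by the parser."""
    try:
        parse_supported_auth_methods(data)
    except AnnouncementError:
        return True
    return False


# Constructed sample: a PSK blob, an ECDSA P-256 blob, and a Digital Signature
# (14) blob whose trailing octets stand in for method-specific data.
SAMPLE = bytes([2, 2, 2, 9, 5, 14, 0xAA, 0xBB, 0xCC])
```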