Re: [IPsec] Paul Wouters' Yes on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
Valery Smyslov <svan@elvis.ru> Thu, 18 April 2024 08:09 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B7E9C14F700; Thu, 18 Apr 2024 01:09:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fcLHLv0-6UNt; Thu, 18 Apr 2024 01:09:27 -0700 (PDT)
Received: from dpmail.elvis.ru (dpmail.elvis.ru [93.188.44.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8792C14F701; Thu, 18 Apr 2024 01:09:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=WiQnkdyug5VUD10l5XXVVjmGCSuP9ONxgVEgN0DY7+U=; b=Qy6hJkGWOgXPRo5iouAGkL65lL 15TD9+Bt5Dr6CHTgQYke8IA/vHNJiH9n3lD9WwC9izJvku6eimNlOoWd6cyPL8IRbJv9//+tXj1DG rJIpkgEFT0a4aWf2GL/oioDy6uHJHs0uZdKc9p2Wke8XFrmCWQ8RwgbsPYx80m7hTFFk=;
Received: from kmail2.elvis.ru ([93.188.44.210]) by dpmail.elvis.ru with esmtp (Exim 4.89) (envelope-from <svan@elvis.ru>) id 1rxMpT-0005Mn-Tm; Thu, 18 Apr 2024 11:09:12 +0300
Received: from mail.office.elvis.ru ([10.111.1.29]) by kmail2.elvis.ru with esmtp (Exim 4.94.2) (envelope-from <svan@elvis.ru>) id 1rxMpT-00Ec3G-LQ; Thu, 18 Apr 2024 11:09:11 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 18 Apr 2024 11:09:11 +0300
Received: from BuildPC (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Thu, 18 Apr 2024 11:09:11 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Paul Wouters' <paul.wouters@aiven.io>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-ikev2-auth-announce@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
References: <171337277810.36700.9099834928472039440@ietfa.amsl.com>
In-Reply-To: <171337277810.36700.9099834928472039440@ietfa.amsl.com>
Date: Thu, 18 Apr 2024 11:09:11 +0300
Message-ID: <000c01da9167$b202adf0$160809d0$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHhVgC4jVuZzBo+TLo2gI9FeMywwbFgEpOQ
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-Spam-Scanner: Rspamd work in kmail2.elvis.ru, WHITELIST
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2023/02/21 22:47:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2023/02/21 21:02:00 #20887462
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Scanner: Rspamd work in dpmail.elvis.ru, WHITELIST
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/XllDqtFpNWnmQX9S4dW0s5Zi0Ds>
Subject: Re: [IPsec] Paul Wouters' Yes on draft-ietf-ipsecme-ikev2-auth-announce-09: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2024 08:09:32 -0000
HI Paul, thank you for your comments, please see inline. > Paul Wouters has entered the following ballot position for > draft-ietf-ipsecme-ikev2-auth-announce-09: Yes > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot- > positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-auth-announce/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Note that the IANA registry involved here was renamed since the latest draft > was written :) > > Notify Message Type -> Notify Message Status Type > > "IKEv2 Notify Message Types - Status Types" -> IKEv2 Notify Message Status > Type This is already fixed in my local copy (the IANA was so kind to remind me about this change in a personal message :-)) > I wonder if it would make sense to somewhere explain that the authentication > method refers to the AUTH payload, but that a separate peer ID check with its > X.509 identity might need to be done, for which the CA cert that signed the EE > cert could be using a different signature method? For example, the EE-cert > could be using RSA-v1.5 while the AUTH payload could be using RSA-PSS. Or in > some other way explain that peer ID proof checking is not "authentication" as > used in this document? Hmm... I'm not sure where to put this clarification and in which form. I think that there is a chance of over-specification, that might add confusion. You are talking only about signature authentication, and besides that we have PSK. In addition, IKEv2 doesn't require peer ID to match X.509 identity, since they are linked via the local security policy (i.e., it is the policy, which specify which IDs are acceptable and which X.509 identities they correspond to, so the strict matching of them is just a one particular case). If think that this is a real concern, then do you have any concrete text in mind? Regards, Valery.
- [IPsec] Paul Wouters' Yes on draft-ietf-ipsecme-i… Paul Wouters via Datatracker
- Re: [IPsec] Paul Wouters' Yes on draft-ietf-ipsec… Valery Smyslov
- Re: [IPsec] Paul Wouters' Yes on draft-ietf-ipsec… Paul Wouters
- Re: [IPsec] Paul Wouters' Yes on draft-ietf-ipsec… Valery Smyslov
- Re: [IPsec] Paul Wouters' Yes on draft-ietf-ipsec… Paul Wouters