Re: [IPsec] GDOI and G-IKEv2 payloads

Toerless Eckert <tte@cs.fau.de> Mon, 05 February 2024 16:44 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D9EFC14E513 for <ipsec@ietfa.amsl.com>; Mon, 5 Feb 2024 08:44:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.657
X-Spam-Level:
X-Spam-Status: No, score=-1.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id acsJPgpfSXrS for <ipsec@ietfa.amsl.com>; Mon, 5 Feb 2024 08:44:23 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12666C14F5EF for <ipsec@ietf.org>; Mon, 5 Feb 2024 08:44:13 -0800 (PST)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [131.188.34.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4TTBzX5Y3rznkKX; Mon, 5 Feb 2024 17:44:08 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4TTBzX4YwkzkmlL; Mon, 5 Feb 2024 17:44:08 +0100 (CET)
Date: Mon, 05 Feb 2024 17:44:08 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: "Fries, Steffen" <steffen.fries=40siemens.com@dmarc.ietf.org>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-ID: <ZcEQWFuF7Uj_dY-d@faui48e.informatik.uni-erlangen.de>
References: <DB9PR10MB6354CF46CDE84485FB1510BCF3472@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DB9PR10MB6354CF46CDE84485FB1510BCF3472@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/YaJtd8k7SGXx6YHHI2sW0Kc8kpM>
Subject: Re: [IPsec] GDOI and G-IKEv2 payloads
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2024 16:44:27 -0000

How would someone today do the equivalent of RFC8052 with G-IKEv2 ?

On Mon, Feb 05, 2024 at 04:06:11AM +0000, Fries, Steffen wrote:
> Hi,
> 
> I've got a question regarding the relation of G-IKEv2 and GDOI.
> 
> I realized that G-IKEv2 will be the successor of GDOI and would have a question regarding backward compatibility of payloads defined for GDOI. As the underlying exchanges for the base key management changed from IKE to IKEv2 they will not be backward compatible. Nevertheless, there have been enhancements of GDOI for protocols used in the power system domain like GOOSE and Sampled Values, which lead to the definition of new payloads for the ID, SA TEK and KD payloads to accommodate the power system protocol parameters in RFC 8052. Likewise, using the same approach new payloads of the same types have been defined to distribute parameters for PTP (Precision Time Protocol) in IEC 62351-9.
> 
> In general, I realized that there are similar payloads available in G-IKEv2 but I was not quite sure, if it was a design criterion to have backward compatibility for extensions/enhancements defined for GDOI to be usable also in G-IKEv2. Could you please shed some light on this?
> 
> Best regards
> Steffen
> 
> --
> Steffen Fries
> 
> Siemens AG
> Technology
> Cybersecurity & Trust
> T CST
> Otto-Hahn-Ring 6
> 81739 Munich, Germany
> Phone: +49 (89) 7805-22928
> mailto:steffen.fries@siemens.com
> www.siemens.com
> [Logo]
> Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Roland Busch, Chairman, President and Chief Executive Officer; Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin-Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322