[IPsec] Re: Mohamed Boucadair's Discuss on draft-ietf-ipsecme-ikev2-downgrade-prevention-06: (with DISCUSS and COMMENT)
mohamed.boucadair@orange.com Thu, 02 July 2026 10:10 UTC
From: mohamed.boucadair@orange.com
To: Valery Smyslov <svan@elvis.ru>, 'The IESG' <iesg@ietf.org>
Date: Thu, 02 Jul 2026 10:09:45 +0000
Message-ID: <PAUP264MB6756EEBC4E02366F6FA9D7AD88F52@PAUP264MB6756.FRAP264.PROD.OUTLOOK.COM>
References: <178221609970.1363795.15737249008579281494@dt-datatracker-f9b87776f-8pmmg> <056401dd030f$e0612ac0$a1238040$@elvis.ru> <0dd301dd0953$d9d47d20$8d7d7760$@elvis.ru>
In-Reply-To: <0dd301dd0953$d9d47d20$8d7d7760$@elvis.ru>
CC: "draft-ietf-ipsecme-ikev2-downgrade-prevention@ietf.org" <draft-ietf-ipsecme-ikev2-downgrade-prevention@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "kivinen@iki.fi" <kivinen@iki.fi>
Subject: [IPsec] Re: Mohamed Boucadair's Discuss on draft-ietf-ipsecme-ikev2-downgrade-prevention-06: (with DISCUSS and COMMENT)
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/YnmL7dO7Z_UPbYRDUA453H0Bi7E>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Owner: <mailto:ipsec-owner@ietf.org>
List-Post: <mailto:ipsec@ietf.org>
List-Subscribe: <mailto:ipsec-join@ietf.org>
List-Unsubscribe: <mailto:ipsec-leave@ietf.org>
Hi Valery,

Thank you for this update. These changes resolve the issues. Will clear right now.

Cheers,
Med

> -----Original Message-----
> From: Valery Smyslov <svan@elvis.ru>
> Sent: Wednesday, 1 July 2026 14:19
> To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; 'The IESG' <iesg@ietf.org>
> Cc: draft-ietf-ipsecme-ikev2-downgrade-prevention@ietf.org; ipsec@ietf.org; ipsecme-chairs@ietf.org; kivinen@iki.fi
> Subject: RE: Mohamed Boucadair's Discuss on draft-ietf-ipsecme-ikev2-downgrade-prevention-06: (with DISCUSS and COMMENT)
>
> Hi Med,
>
> we decided to change the text in Section 7 to avoid using the normative language, so that the problematic references can be left informative. We hope this resolves your DISCUSS.
>
> New version:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/08/
> The diff:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-ipsecme-ikev2-downgrade-prevention-08
>
> Regards,
> Chris & Valery.
>
> > Hi Med,
> >
> > please, see inline.
> >
> > > Mohamed Boucadair has entered the following ballot position for
> > > draft-ietf-ipsecme-ikev2-downgrade-prevention-06: Discuss
> > >
> > > When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
> > >
> > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.
> > >
> > > The document, along with other ballot positions, can be found here:
> > > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/
> > >
> > > ----------------------------------------------------------------------
> > > DISCUSS:
> > > ----------------------------------------------------------------------
> > >
> > > Hi Valery and Christopher,
> > >
> > > Thank you for the effort put into this well-written spec.
> > >
> > > Thanks Dhruv Dhody for the OPSDIR review. Thanks to the authors for the follow-up. I saw that you added an ops cons section in your github copy. Thanks.
> > >
> > > I have two straightforward points to discuss. Let me know if I missed something:
> > >
> > > # IKE_INTERMEDIATE exchange
> > >
> > > CURRENT:
> > >    If peers support the extension defined in this document, then they MUST treat modified blocks of data to be signed (or MAC'ed) defined in Section 6 as replacements for blocks of data defined in Section 2.15 of IKEv2 [RFC7296], so that in case of IKE_INTERMEDIATE the IntAuth is added to these modified blocks.
> > >
> > > Adhering to this requires RFC9242. I think that RFC should be listed as normative.
> >
> > I understand your point, but it is questionable from our logic.
> >
> > Our logic is as follows - normative references must _absolutely_ be read to correctly implement the spec. If we make RFC 9242 normative, but (for some arbitrary reason) an implementer does not intend to implement it, wanting to only add a downgrade prevention to the core IKEv2, then reading RFC 9242 is not needed.
> >
> > Please, don't get me wrong - it's not a big deal to make RFC 9242 normative, but my internal feeling of consistency will suffer :-)
> >
> > We don't have conditional normative references, alas :-)
> >
> > Note that we previously published RFCs with sections describing interactions with other IKEv2 extensions and RFCs listed there were still listed as informative (even in presence of some normative language). See Section 4 of RFC 9593 and Section 4 of RFC 9242 as examples.
> >
> > > # Resumption
> > >
> > > CURRENT:
> > >    The information of whether an implementation used the new authentication logic for old SA MUST be stored in the ticket and the implementation MUST act the same way when doing resumption.
> > >
> > > There is no ticket discussion in the base IKEv2 spec (or I missed it). Why isn't RFC5723 listed as normative here?
> >
> > For the same logic as above.
> >
> > > ----------------------------------------------------------------------
> > > COMMENT:
> > > ----------------------------------------------------------------------
> > >
> > > # Full symmetry
> > >
> > > CURRENT:
> > >    1. The attacker must be on the path with the ability to intercept communications between the peers and to modify their messages.
> > >
> > > I think the condition is even stronger as the attacker has to be on-path for both directions and for the ** full ** exchanges.
> >
> > This is true, but does not the current text imply this? I mean that we do not add any restrictions on message direction etc., thus, in my reading, it automatically means that an attacker must be able to read and modify messages in both directions and for the unlimited duration. Perhaps my reading is too liberal :-)
> >
> > > # Given the attack assumptions, how is the initiator expected to behave if the attacker blocks received messages with the extension? Is it usual to disable some extensions when such failures are experienced by a peer? If so, the benefits of the new extension can be nullified by such attacker behavior.
> >
> > If both peers support this extension, then the attacker cannot _force_ peers to establish IKE SA as if this extension is not supported. However, the attacker can always _prevent_ peers from establishing IKE SA. If the attacker is on the path and can block IKE messages then it is impossible to prevent this kind of attack, with or without this extension.
> >
> > > # Receiver side
> > >
> > > CURRENT:
> > >    If the responder supports this extension then it also includes this notification in the response message regardless of whether it was received in the request or not.
> > >
> > > ## What is the benefit of sending the extension back even if this is not offered by the initiator?
> > >
> > > ## I suspect this is to ease implementations and avoid conditional handling at the responder but I may be missing something here.
> >
> > No, this trick is the only way to prevent the attacker from disabling this extension. Note that the attacker has a lot of capabilities for this attack - it can read and modify even encrypted IKE messages and can forge the signature of one peer (but not both). This "strange" behavior, when the responder always sends the notification even if it does not receive it, makes it possible to prevent notification stripping by the attacker even for the current IKEv2 authentication - thus the attacker cannot force peers to not use this extension if they support it - otherwise the SA won't be established.
> >
> > > # nits
> > >
> > > ## Conversation
> > >
> > > CURRENT:
> > >    on this protocol by having the peers confirm they have participated in the same conversation.
> > >
> > > There is formally no such concept in the base spec. Do we refer to session? Something else?
> >
> > Hmm... IKE SA establishment? Session is more like SA, but we are referring to the process of its establishment, which includes several exchanges. Do you think that "conversation" is not clear for readers?
> >
> > > ##
> > >
> > > CURRENT:
> > >    The details of how authentication is performed in IKEv2 are defined in Section 2.15 of IKEv2 [RFC7296].
> > >
> > > I would expect the same title as the cited RFC to be used here (and similar) but it seems that we are mixing reference labels and RFC numbers.
> >
> > Tero always asks for adding a short RFC title (sometimes informal) before references (that in most cases are RFC numbers). Just for readers' convenience.
> >
> > > ## I will send you a PR with a few suggestions [1]. Feel free to grab whatever is useful for you.
> >
> > Thanks!
> >
> > Regards,
> > Valery (for authors).
> >
> > > Cheers,
> > > Med
> > >
> > > [1] https://github.com/smyslov/ikev2-downgrade-prevention/pull/54

____________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
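The stripping argument in Valery's reply quoted above (the answer under "# Receiver side", with the attacker model from "# Full symmetry": on-path, able to read and modify messages, able to forge one peer's signature but not both) can be checked mechanically. What follows is an added example for this page, not code from the draft or from any of the thread's participants, and it is a constructed model rather than the draft's wire format: HMAC keys stand in for each peer's signing key; the signed block from RFC 7296 Section 2.15 is reduced to an authentication-mode tag plus the peer's own IKE_SA_INIT message as that peer saw it (nonces, IDs and SK_p left out); the draft's new authentication logic appears only as a different mode tag, not as its real Section 6 block; the notification is a made-up marker string; and the "echo-only" responder is a hypothetical alternative included for contrast, not anything the draft specifies. The check enumerates every single-key attacker and every stripping choice, and lists the ones that end with an SA in the old mode between two peers that both support the extension.

```python
"""Toy model of the notification-stripping argument (constructed, not the draft's format)."""
import hashlib
import hmac
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed stand-ins: a marker for the draft's notification and the two IKE_SA_INIT bodies.
NOTIFY = b"|N(DOWNGRADE_PREVENTION)"
SAI1 = b"HDR,SAi1,KEi,Ni"
SAR1 = b"HDR,SAr1,KEr,Nr"


@dataclass
class Peer:
    name: str
    key: bytes           # HMAC key standing in for the peer's private signing key
    supports_ext: bool


def auth_payload(key: bytes, mode: bytes, own_message: bytes) -> bytes:
    """AUTH over (mode || own IKE_SA_INIT message); nonces, IDs and SK_p are left out."""
    return hmac.new(key, mode + own_message, hashlib.sha256).digest()


def strip(msg: bytes) -> bytes:
    """What an on-path attacker leaves after removing the notification."""
    return msg.replace(NOTIFY, b"")


def run(init: Peer, resp: Peer, responder_always_sends: bool,
        forged_key_of: Optional[str] = None,
        strip_request: bool = False, strip_response: bool = False) -> dict:
    """One IKE_SA_INIT + IKE_AUTH run with an on-path attacker.

    The attacker may drop the notification from either direction and holds at
    most one peer's key (forged_key_of); with that key it replaces the peer's
    AUTH by exactly what the verifier expects, the strongest use of one key.
    responder_always_sends=True is the draft's rule; False is a hypothetical
    echo-only responder included for contrast.
    """
    # IKE_SA_INIT request: the initiator announces support, the attacker may strip it.
    msg1_sent = SAI1 + (NOTIFY if init.supports_ext else b"")
    msg1_recv = strip(msg1_sent) if strip_request else msg1_sent

    # Responder: uses the new logic only if it saw the notification, but (draft rule)
    # announces support regardless of what it saw.
    resp_saw = NOTIFY in msg1_recv
    resp_mode = b"new" if (resp.supports_ext and resp_saw) else b"old"
    resp_sends = resp.supports_ext and (responder_always_sends or resp_saw)
    msg2_sent = SAR1 + (NOTIFY if resp_sends else b"")
    msg2_recv = strip(msg2_sent) if strip_response else msg2_sent

    # Initiator: uses the new logic only if the response it received carried the notification.
    init_mode = b"new" if (init.supports_ext and NOTIFY in msg2_recv) else b"old"

    # IKE_AUTH: each side signs its own message as sent; the other side verifies
    # against the message as received and against its own idea of the mode.
    auth_i = auth_payload(init.key, init_mode, msg1_sent)
    expected_i = auth_payload(init.key, resp_mode, msg1_recv)
    if forged_key_of == init.name:
        auth_i = expected_i
    auth_r = auth_payload(resp.key, resp_mode, msg2_sent)
    expected_r = auth_payload(resp.key, init_mode, msg2_recv)
    if forged_key_of == resp.name:
        auth_r = expected_r

    established = (hmac.compare_digest(auth_i, expected_i)
                   and hmac.compare_digest(auth_r, expected_r))
    return {
        "established": established,
        "init_mode": init_mode.decode(),
        "resp_mode": resp_mode.decode(),
        "downgraded": established and b"old" in (init_mode, resp_mode),
    }


def successful_downgrades(responder_always_sends: bool) -> list:
    """(forged key, strip request?, strip response?) for every attack that ends in
    an established SA using the old logic, with both peers supporting the extension."""
    init = Peer("I", b"initiator-key", True)
    resp = Peer("R", b"responder-key", True)
    found = []
    for key_of, s_req, s_resp in product(("I", "R"), (False, True), (False, True)):
        if run(init, resp, responder_always_sends, key_of, s_req, s_resp)["downgraded"]:
            found.append((key_of, s_req, s_resp))
    return found


if __name__ == "__main__":
    print("echo-only responder, working downgrades:", successful_downgrades(False))
    print("always-send responder, working downgrades:", successful_downgrades(True))
```

Running it lists two working attacks against the hypothetical echo-only responder (the attacker holds the initiator's key and strips the notification from the request; stripping the response as well changes nothing, since that responder sends nothing back) and none against the always-send responder: whichever single key the attacker holds, the notification it strips is covered by the other peer's AUTH, or the two peers end up in different modes, and the SA fails exactly as the reply says.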
- [IPsec] Mohamed Boucadair's Discuss on draft-ietf… Mohamed Boucadair via Datatracker
- [IPsec] Re: Mohamed Boucadair's Discuss on draft-… Valery Smyslov
- [IPsec] Re: Mohamed Boucadair's Discuss on draft-… Valery Smyslov
- [IPsec] Re: Mohamed Boucadair's Discuss on draft-… mohamed.boucadair