[IPsec] draft-fluhrer-qr-ikev2 AUTH issue
Tero Kivinen <kivinen@iki.fi> Thu, 17 August 2017 13:49 UTC
Message-ID: <22933.40647.462618.166901@fireball.acr.fi>
Date: Thu, 17 Aug 2017 16:48:55 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Vukasin Karadzic <vukasin.karadzic@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
In-Reply-To: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ZZs40Gyn36Z6_sLDa0aZ4YFXpdQ>
Subject: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
Paul Wouters writes:
> Received PPK_SUPPORT   Have PPK   PPK Mandatory   Action
> ------------------------------------------------------------------
>        Yes                No            *         Standard IKE protocol
>        Yes                Yes           *         Include PPK_SUPPORT
>
> Basically, we are in the case where "Have PPK" is not yet known.

I think the discussion earlier was that we solve this by policy, where
the responder is configured BEFORE the initiator. I.e., if the responder
sees an initiator that says PPK is supported (meaning the initiator has
a PPK), then the responder is safe to assume that it has also been
configured with a PPK for that ID.

Anyways, if this guess turns out to be wrong, it can then fail the
exchange later, and mark that peer as not having a PPK when it
reconnects, i.e., add the peer IP address to a temporary list saying
that if a connection comes from this IP address and says it supports
PPK, we do not have a PPK for it, so fall back to standard IKE.

Anyways, this kind of text needs to be added to the protocol draft.

I do not like to make this document any more complicated than what is
required, as I would like to get this document out so it can be
implemented, even when we know there are some corner cases which
require manual configuration.
-- 
kivinen@iki.fi
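The responder-side policy sketched above, written out as an added example (this is not code from the draft, from any IKEv2 implementation, or from the thread participants): at IKE_SA_INIT the peer's ID is still unknown, so the responder guesses optimistically when it sees PPK_SUPPORT; at IKE_AUTH it checks whether it really holds a PPK for that ID, and if not it fails the exchange and records the peer's IP address in a temporary list so the next attempt from that address falls back to standard IKE. The PPK table, peer names, addresses and the expiry time of the list entries are constructed sample values.

```python
import time

# Constructed sample configuration: peer IKE identity -> PPK bytes.
# "gw-a.example" has a PPK configured on this responder; "gw-b.example" does not.
SAMPLE_PPK_TABLE = {"gw-a.example": b"\x01" * 32}


class PpkResponderPolicy:
    """Decision logic for a responder when 'Have PPK' is not yet known.

    fallback_ttl (assumed value) bounds how long a failed guess is remembered,
    so a peer that later gets a PPK provisioned is not locked out forever.
    """

    def __init__(self, ppk_by_id, fallback_ttl=300.0):
        self.ppk_by_id = dict(ppk_by_id)
        self.fallback_ttl = fallback_ttl
        self._no_ppk_until = {}  # peer IP -> time when the 'no PPK' entry expires

    def _expire(self, now):
        self._no_ppk_until = {ip: t for ip, t in self._no_ppk_until.items() if t > now}

    def on_ike_sa_init(self, peer_ip, initiator_sent_ppk_support, now):
        """Decide at IKE_SA_INIT, before the initiator's ID is known."""
        self._expire(now)
        if not initiator_sent_ppk_support:
            return "standard"            # first table row: plain IKEv2
        if peer_ip in self._no_ppk_until:
            return "standard"            # an earlier guess failed for this address
        return "include_ppk_support"     # optimistic guess: assume we hold its PPK

    def on_ike_auth(self, peer_ip, peer_id, mode, now):
        """At IKE_AUTH the ID is known; verify the guess made at IKE_SA_INIT."""
        if mode == "standard":
            return "ok"
        if self.ppk_by_id.get(peer_id) is None:
            # Guess was wrong: fail this exchange and remember the address so the
            # peer's reconnect is handled as standard IKE.
            self._no_ppk_until[peer_ip] = now + self.fallback_ttl
            return "fail"
        return "ok"


def simulate_reconnect(policy, peer_ip, peer_id, now=0.0):
    """Two consecutive attempts from one peer that advertises PPK_SUPPORT.

    Returns a list of (mode chosen at IKE_SA_INIT, result at IKE_AUTH).
    """
    log = []
    for attempt in range(2):
        t = now + attempt
        mode = policy.on_ike_sa_init(peer_ip, True, t)
        log.append((mode, policy.on_ike_auth(peer_ip, peer_id, mode, t)))
    return log


if __name__ == "__main__":
    policy = PpkResponderPolicy(SAMPLE_PPK_TABLE, fallback_ttl=60.0)
    start = time.monotonic()
    # Peer without a PPK on this responder: first attempt fails, second falls back.
    print("gw-b:", simulate_reconnect(policy, "198.51.100.7", "gw-b.example", start))
    # Peer with a PPK: both attempts run the PPK-augmented exchange.
    print("gw-a:", simulate_reconnect(policy, "203.0.113.5", "gw-a.example", start))
```

The temporary list is keyed by IP address only because that is all the responder knows before IKE_AUTH, which is also why the entries should expire: a NAT or a reassigned address could otherwise make one misconfigured peer downgrade its neighbours to standard IKE.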