Re: [IPsec] Disabling replay protection

Valery Smyslov <smyslov.ietf@gmail.com> Fri, 17 February 2023 07:16 UTC

From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>, 'Benjamin Schwartz' <ietf@bemasc.net>
Cc: ipsec@ietf.org
References: <CAJF-iTQo_=e7oox+yktegB6jWKWzSQ1vTDEgg8bGKM-bZrf8sA@mail.gmail.com> <805a44da-c37c-ec19-4eaf-b49340e48e2f@nohats.ca>
In-Reply-To: <805a44da-c37c-ec19-4eaf-b49340e48e2f@nohats.ca>
Date: Fri, 17 Feb 2023 10:16:22 +0300
Message-ID: <0dca01d9429f$bdae99b0$390bcd10$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/amPF13TqRlIYbZoGS5I33Qfj9_E>

Hi,

> > Hi IPSECME,
> >
> > RFC 4302 (ESP) says "if an SA establishment protocol such as IKE is employed, the receiver SHOULD
> > notify the sender, during SA establishment, if the receiver will not provide anti-replay protection".
> >
> > I haven't been able to find any mechanism for this in IKEv2 (or IKEv1).  Is there a way to do this?
> > Or is this a mismatch between ESP and IKEv2?

In IPsec, replay protection is a local matter of the receiver;
the sender must always increment the Sequence Number as if
replay protection were always on.

> Indeed, I don't see it for IKEv2 either. Funny enough there is
> IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED for RFC 6311.

That is for a different purpose :-)

> For IKEv1 I do see 24577 REPLAY-STATUS, referencing RFC 2407,
> https://www.rfc-editor.org/rfc/rfc2407.html#section-4.6.3.2
> 
> So this was just never ported up to IKEv2 it seems.
> 
> At $dayjob, we would call this an "easy onboarding task" :)
> 
> Probably worth writing up a 3 page IKEv2 notification status payload for.

Another approach would be to generalize the Transform Type 5
as the way to control the replay protection status
(see draft-ietf-ipsecme-g-ikev2-07, Section 2.6.)

Regards,
Valery.

> Paul
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
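The point made above, that anti-replay is decided entirely on the receiving side while the sender's counter behaves the same either way, is easiest to see in code. The following is an added example, not code from this thread or from any IPsec implementation: a receiver-side sliding bitmap window in the style of RFC 4303 section 3.4.3 / Appendix A, a sender-side counter, and a constructed packet trace run through both an enforcing and a non-enforcing receiver. The window size of 64, the class and function names, and the sample stream are this example's own choices. The one place the sender does care about the receiver's choice is the counter wrap: RFC 4303 section 3.3.3 requires a rekey before a 32-bit (non-ESN) counter cycles when the receiver checks replays, which is exactly why ESP wanted the receiver to say so during SA setup.

```python
"""Receiver-side ESP anti-replay window next to the sender-side counter.

Added example (not from the IETF thread).  Assumptions: 32-bit sequence
numbers unless ESN is on, a 64-entry window, and a constructed packet trace.
"""

WINDOW = 64  # RFC 4303 requires at least 32; 64 is a common default


class ReplayWindow:
    """Sliding bitmap window over sequence numbers.

    `top` is the highest sequence number accepted so far (the right edge);
    bit i of `bitmap` records whether `top - i` has already been seen.
    """

    def __init__(self, size=WINDOW, enabled=True):
        self.size = size
        self.enabled = enabled
        self.top = 0
        self.bitmap = 0

    def accept(self, seq):
        """Return True and record `seq` if it is new; False if it is a replay
        or falls to the left of the window.  With anti-replay disabled every
        packet passes and no state is kept: nothing the sender did differs."""
        if not self.enabled:
            return True
        if seq == 0:
            return False            # the first packet on an SA carries seq 1
        if seq > self.top:          # advances the right edge
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1     # jumped past the whole window: only seq is set
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False            # too old: left of the window
        mask = 1 << offset
        if self.bitmap & mask:
            return False            # already seen: replay
        self.bitmap |= mask
        return True


class Sender:
    """Per-SA sequence counter.  It increments for every packet whether or not
    the peer checks replays.  Without ESN the 32-bit value must not cycle, so
    the SA has to be rekeyed before the 2**32nd packet (RFC 4303 3.3.3)."""

    def __init__(self, esn=False, start=0):
        self.esn = esn
        self.seq = start

    def next_seq(self):
        if not self.esn and self.seq == 0xFFFFFFFF:
            raise OverflowError("sequence number would cycle; rekey the SA")
        self.seq += 1
        return self.seq  # with ESN only the low 32 bits go on the wire


def run_stream(enabled, packets):
    """Feed a received-packet trace through one receiver; return (seq, accepted)."""
    rx = ReplayWindow(enabled=enabled)
    return [(seq, rx.accept(seq)) for seq in packets]


# Constructed trace: in-order delivery, one reordering (4 arrives after 5),
# a replay of 3 (e.g. an attacker re-injecting a captured ESP packet), a large
# jump to 80, then 10 arriving far too late to still be inside the window.
SAMPLE_STREAM = [1, 2, 3, 5, 4, 3, 80, 10]

if __name__ == "__main__":
    for enabled in (True, False):
        print("anti-replay", "on " if enabled else "off",
              [a for _, a in run_stream(enabled, SAMPLE_STREAM)])
```

Running it shows the enforcing receiver rejecting the replayed 3 and the stale 10 while accepting the reordered 4, and the non-enforcing receiver accepting everything; the sender's counter is untouched in both runs, which is the "local matter of the receiver" statement in practice.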