Re: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-00.txt
Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 25 December 2013 05:41 UTC
Message-ID: <52BA700E.5040909@gmail.com>
Date: Wed, 25 Dec 2013 07:41:34 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Valery Smyslov <svanru@gmail.com>, ipsec@ietf.org
References: <C687BD9EA2204F1087D18646766A3C7B@buildpc> <52BA0DEA.8040404@gmail.com> <01E73A999255430F803315D676238C09@buildpc>
In-Reply-To: <01E73A999255430F803315D676238C09@buildpc>
Hi Valery,

Yes, between EAP+signature (RFC 5996) and EAP+EAP (RFC 5998), there's very little justification for EAP+null, and it is very likely to create security issues. I think we should mention EAP, and expressly forbid it in this context (MUST NOT).

Thanks,
	Yaron

On 12/25/2013 07:18 AM, Valery Smyslov wrote:
> Hi Yaron,
>
>> Hi Valery,
>>
>> Thanks for posting this draft.
>>
>> One quick comment: the interaction of your proposal with EAP is not
>> clear to me, i.e. when one peer uses Null auth and the other uses EAP.
>> There are cases where this should be forbidden (e.g. MSCHAP, where the
>> unauthenticated peer can mount a dictionary attack) and other cases
>> where this is OK. Specifically, for the methods listed as "safe" in
>> Sec. 4 of RFC 5998, I believe this use would be secure.
>
> Actually, I think that NULL Auth should not be used with EAP.
> Section 2.16 of RFC5996 states:
>
>    In addition to authentication using public key signatures and shared
>    secrets, IKE supports authentication using methods defined in RFC
>    3748 [EAP]. Typically, these methods are asymmetric (designed for a
>    user authenticating to a server), and they may not be mutual. For
>    this reason, these protocols are typically used to authenticate the
>    initiator to the responder and MUST be used in conjunction with a
>    public-key-signature-based authentication of the responder to the
>    initiator.
>
> I agree with you that in some cases using NULL Auth with EAP
> might be secure, but as IKEv2 already requires the responder
> to use signature auth with EAP, I don't see any reason to change it.
>
> Do you think it's worth mentioning that in the draft and providing
> a reference to the text from RFC5996?
>
>> Happy holidays!
>> Yaron
>
> Happy New Year!
>
> Valery.
>
>> On 12/24/2013 03:47 PM, Valery Smyslov wrote:
>>> Hi all,
>>>
>>> I've just posted a draft defining the NULL Authentication method in IKEv2.
>>> This method may be used for anonymous access or in situations
>>> when peers don't have any trust relationship, but still want
>>> to get protection at least against passive attacks.
>>>
>>> Regards,
>>> Valery.
>>>
>>>
>>> ----- Original Message ----- From: <internet-drafts@ietf.org>
>>> To: "Valery Smyslov" <svan@elvis.ru>; "Valery Smyslov" <svan@elvis.ru>
>>> Sent: Tuesday, December 24, 2013 5:40 PM
>>> Subject: New Version Notification for
>>> draft-smyslov-ipsecme-ikev2-null-auth-00.txt
>>>
>>> A new version of I-D, draft-smyslov-ipsecme-ikev2-null-auth-00.txt
>>> has been successfully submitted by Valery Smyslov and posted to the
>>> IETF repository.
>>>
>>> Name: draft-smyslov-ipsecme-ikev2-null-auth
>>> Revision: 00
>>> Title: The NULL Authentication Method in IKEv2 Protocol
>>> Document date: 2013-12-24
>>> Group: Individual Submission
>>> Pages: 8
>>> URL: http://www.ietf.org/internet-drafts/draft-smyslov-ipsecme-ikev2-null-auth-00.txt
>>> Status: https://datatracker.ietf.org/doc/draft-smyslov-ipsecme-ikev2-null-auth/
>>> Htmlized: http://tools.ietf.org/html/draft-smyslov-ipsecme-ikev2-null-auth-00
>>>
>>> Abstract:
>>> This document defines the NULL Authentication Method for IKEv2
>>> Protocol. This method provides a way to omit peer authentication in
>>> IKEv2 and to explicitly indicate it in the protocol run. This
>>> method may be used to preserve anonymity or in situations where no
>>> trust relationship exists between the parties.
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
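The rule the thread converges on (an initiator that omits its AUTH payload to request EAP must be answered with a signature-authenticated responder, never a NULL-authenticated one) is easy to encode as a responder-side policy check. The following Python is an added illustration written for this archive page; it is not code from the draft, from RFC 5996 or from any IKEv2 implementation. It assumes the AUTH payload layout of RFC 5996 section 3.8 (generic payload header, then a one-byte Auth Method and three reserved bytes), the IANA method values 1, 2, 3 and 14, and the value 13 for NULL Authentication, which the IANA registry assigned only after this -00 draft; the function and variable names and the sample payloads are constructed for this example.

```python
"""Responder-side policy check for IKEv2 authentication method pairing.

Added example for this mailing-list page; not the draft's or any stack's code.
"""
import struct
from typing import Dict, Optional

# IKEv2 Auth Method values (IANA "IKEv2 Authentication Method" registry).
AUTH_RSA_SIG = 1        # RSA Digital Signature (RFC 5996)
AUTH_SHARED_KEY = 2     # Shared Key Message Integrity Code (RFC 5996)
AUTH_DSS_SIG = 3        # DSS Digital Signature (RFC 5996)
AUTH_NULL = 13          # NULL Authentication; assumed here, assigned after draft-00
AUTH_DIGITAL_SIG = 14   # Digital Signature (RFC 7427)

# RFC 5996 s2.16: with EAP the responder MUST use public-key-signature auth.
SIGNATURE_METHODS = {AUTH_RSA_SIG, AUTH_DSS_SIG, AUTH_DIGITAL_SIG}


def build_auth_payload(method: int, auth_data: bytes) -> bytes:
    """Construct a raw AUTH payload: Next Payload, C/reserved, Length, Method, 3 reserved."""
    length = 8 + len(auth_data)
    return struct.pack("!BBHB3x", 0, 0, length, method) + auth_data


def parse_auth_payload(payload: bytes) -> Optional[int]:
    """Return the Auth Method of a raw AUTH payload, or None if the payload is absent.

    An initiator that omits AUTH from its first IKE_AUTH message is requesting EAP
    (RFC 5996 s2.16), so an empty input is a legitimate, meaningful case.
    """
    if not payload:
        return None
    if len(payload) < 8:
        raise ValueError("AUTH payload truncated")
    _next, _flags, length, method = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("AUTH payload length field does not match payload size")
    return method


def responder_decision(initiator_auth_payload: bytes, responder_method: int) -> Dict[str, object]:
    """Decide whether the responder may continue IKE_AUTH with its configured method.

    Encodes two rules:
      * EAP requested (no initiator AUTH): responder method MUST be a signature method
        (RFC 5996 s2.16); NULL is refused (the MUST NOT proposed in the thread), since an
        unauthenticated responder could run a dictionary attack against weak EAP methods.
      * Initiator sent NULL: the SA is unauthenticated on that side and protects only
        against passive attackers; the responder may use NULL or any stronger method.
    """
    init_method = parse_auth_payload(initiator_auth_payload)

    if init_method is None:  # EAP requested
        if responder_method in SIGNATURE_METHODS:
            return {"accept": True, "eap": True,
                    "reason": "EAP with signature-authenticated responder (RFC 5996 s2.16)"}
        if responder_method == AUTH_NULL:
            return {"accept": False, "eap": True,
                    "reason": "EAP + NULL responder auth is forbidden (MUST NOT)"}
        return {"accept": False, "eap": True,
                "reason": "EAP requires a signature method on the responder (RFC 5996 s2.16)"}

    if init_method == AUTH_NULL:
        # Anonymous initiator: record the weaker guarantee so policy/logging can see it.
        return {"accept": True, "eap": False,
                "reason": "initiator NULL auth: passive-attack protection only"}

    return {"accept": True, "eap": False,
            "reason": "authenticated initiator, method %d" % init_method}


def demo() -> Dict[str, bool]:
    """Run the pairings discussed in the thread on constructed payloads."""
    eap_request = b""                                  # initiator omitted AUTH
    null_auth = build_auth_payload(AUTH_NULL, b"")     # NULL carries no auth data
    rsa_auth = build_auth_payload(AUTH_RSA_SIG, b"\x00" * 16)  # constructed filler
    return {
        "eap_with_rsa_responder": responder_decision(eap_request, AUTH_RSA_SIG)["accept"],
        "eap_with_null_responder": responder_decision(eap_request, AUTH_NULL)["accept"],
        "eap_with_psk_responder": responder_decision(eap_request, AUTH_SHARED_KEY)["accept"],
        "null_with_null_responder": responder_decision(null_auth, AUTH_NULL)["accept"],
        "rsa_with_rsa_responder": responder_decision(rsa_auth, AUTH_RSA_SIG)["accept"],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-26s %s" % (name, "accept" if accepted else "reject"))
```

The check lives on the responder because that is where the MUST in RFC 5996 section 2.16 already binds: the responder knows whether the initiator asked for EAP before it chooses its own AUTH method, so refusing a NULL configuration at that point is a local policy decision with no protocol change.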