IETF Logo Mail Archive

Re: [IPsec] GDOI and G-IKEv2 payloads

'Toerless Eckert' <tte@cs.fau.de> Wed, 07 February 2024 18:54 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8B4BC14CE55 for <ipsec@ietfa.amsl.com>; Wed, 7 Feb 2024 10:54:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.657
X-Spam-Level:
X-Spam-Status: No, score=-1.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gKBu-QBwZ-si for <ipsec@ietfa.amsl.com>; Wed, 7 Feb 2024 10:54:18 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9096C14CE52 for <ipsec@ietf.org>; Wed, 7 Feb 2024 10:54:18 -0800 (PST)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4TVTmk5YrvznkKx; Wed, 7 Feb 2024 19:54:14 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4TVTmk4ZyWzkmmK; Wed, 7 Feb 2024 19:54:14 +0100 (CET)
Date: Wed, 07 Feb 2024 19:54:14 +0100
From: 'Toerless Eckert' <tte@cs.fau.de>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: "'Fries, Steffen'" <steffen.fries=40siemens.com@dmarc.ietf.org>, ipsec@ietf.org
Message-ID: <ZcPR1ljxzgLsqpKr@faui48e.informatik.uni-erlangen.de>
References: <DB9PR10MB6354CF46CDE84485FB1510BCF3472@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM> <ZcEQWFuF7Uj_dY-d@faui48e.informatik.uni-erlangen.de> <02ff01da58ce$88f7f630$9ae7e290$@gmail.com> <ZcJayWHonFVxYRhv@faui48e.informatik.uni-erlangen.de> <037401da599c$0242e680$06c8b380$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <037401da599c$0242e680$06c8b380$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/f5yKRQSQCEEnQ8d-Ij7wAEORE1w>
Subject: Re: [IPsec] GDOI and G-IKEv2 payloads
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 18:54:22 -0000

On Wed, Feb 07, 2024 at 11:02:33AM +0300, Valery Smyslov wrote:
> Hi Toerless,

[snip]

> I don't think core specification should define how all existing extensions
> of an older protocol could be mapped to the current one, but few general
> words could be added.

I was imagining:

a) A table where each row has two columns, one showing the term for the IKEv1/ISAKMP
   extension point, the other the term for the IKEv2 extension point.

   explanations if the functionality achieved by using the new extension point is not the
   same (or better) than the old extension point.

b) Understanding whether one could even transparently support the same extension functionality
   for ISAKMP and IKEv2 by just using an appropriate API. Aka: The registration code point was
   known only to the API provider, so depending on whether ISAKMP/IKEv1 or IKEv2 is being used.
   If this is feasible, it would give developers a good understsanding of the simplicity of
   migration. If this would not be feasible, then that would point to functionalities
   that are not fully backward compatible and/or require more thinking in IKEv2

The solutions that depend on these extensions do also may require some non-extension point
"base" functionality of GDOI, so i too wonder about b) just for the GDOI base functionality.
For example, i could imagine that for reasons of security some crypto suite recommendations
would have changed, so if any deployments of GDOI solutions have some performance aspects,
the newer crypto profiles may make that more challenging on older hardware (but no idea, from
past memory, IPsec seemed to be a lot more friendly with legacy than TLS ;-).

Cheers
    Toerless

> Regards,
> Valery.
> 
> > Cheers
> >     Toerless
> > 
> > On Tue, Feb 06, 2024 at 10:31:43AM +0300, Valery Smyslov wrote:
> > > Hi Toerless,
> > >
> > > first G-IKEv2 should be published as RFC. The draft is currently in
> > > WGLC (for a long time), but received very few reviews so far (and many
> > > thanks to all who reviewed it!).
> > > I'm planning to publish an updated version addressing Daniel's review
> soon.
> > >
> > > Once G-IKEv2 is standardized, there is no problem (IMHO) to do the
> > > equivalent of RFC8052 with it.
> > >
> > > Regards,
> > > Valery.
> > >
> > > > How would someone today do the equivalent of RFC8052 with G-IKEv2 ?
> > > >
> > > > On Mon, Feb 05, 2024 at 04:06:11AM +0000, Fries, Steffen wrote:
> > > > > Hi,
> > > > >
> > > > > I've got a question regarding the relation of G-IKEv2 and GDOI.
> > > > >
> > > > > I realized that G-IKEv2 will be the successor of GDOI and would
> > > > > have a
> > > question
> > > > regarding backward compatibility of payloads defined for GDOI. As
> > > > the
> > > underlying
> > > > exchanges for the base key management changed from IKE to IKEv2 they
> > > > will
> > > not
> > > > be backward compatible. Nevertheless, there have been enhancements
> > > > of GDOI for protocols used in the power system domain like GOOSE and
> > > > Sampled
> > > Values,
> > > > which lead to the definition of new payloads for the ID, SA TEK and
> > > > KD
> > > payloads to
> > > > accommodate the power system protocol parameters in RFC 8052.
> > > > Likewise,
> > > using
> > > > the same approach new payloads of the same types have been defined
> > > > to distribute parameters for PTP (Precision Time Protocol) in IEC
> 62351-9.
> > > > >
> > > > > In general, I realized that there are similar payloads available
> > > > > in
> > > G-IKEv2 but I
> > > > was not quite sure, if it was a design criterion to have backward
> > > compatibility for
> > > > extensions/enhancements defined for GDOI to be usable also in G-IKEv2.
> > > Could
> > > > you please shed some light on this?
> > > > >
> > > > > Best regards
> > > > > Steffen
> > > > >
> > > > > --
> > > > > Steffen Fries
> > > > >
> > > > > Siemens AG
> > > > > Technology
> > > > > Cybersecurity & Trust
> > > > > T CST
> > > > > Otto-Hahn-Ring 6
> > > > > 81739 Munich, Germany
> > > > > Phone: +49 (89) 7805-22928
> > > > > mailto:steffen.fries@siemens.com
> > > > > www.siemens.com
> > > > > [Logo]
> > > > > Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim
> > > Hagemann
> > > > Snabe; Managing Board: Roland Busch, Chairman, President and Chief
> > > Executive
> > > > Officer; Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith
> > > > Wiese; Registered offices: Berlin and Munich, Germany; Commercial
> registries:
> > > Berlin-
> > > > Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE
> > > > 23691322
> > > >
> > > > _______________________________________________
> > > > IPsec mailing list
> > > > IPsec@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/ipsec

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email