Re: [IPsec] Questions about RFC 5723
Paul Wouters <paul@nohats.ca> Fri, 12 July 2019 14:35 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58875120192 for <ipsec@ietfa.amsl.com>; Fri, 12 Jul 2019 07:35:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10NHdVHlXcdu for <ipsec@ietfa.amsl.com>; Fri, 12 Jul 2019 07:35:01 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D9941201D5 for <ipsec@ietf.org>; Fri, 12 Jul 2019 07:35:01 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 45lb6p3Q0CzDZl; Fri, 12 Jul 2019 16:34:58 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1562942098; bh=eb9P3WV3lNwhld/Rm/T0Bosccu6LYJ2TmzmmOXncYb4=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=R7mwvfo8rUv/dXtkEl8NHzI9uAOzBv9BBU7WnL4sfT72Z6EbMuqHB+cSgvXJPVcff HVP0CDjeMYoYiLERaCyxm6dWu7YXjcZ1uyBeWR1B6CSCDZTOK7DywXBVCblFW/aLPy ADuTr6p2Lho83mBPH9YLo/pFpeJjaQog3M+B3Cbg=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id VaQzhQ0V2FAH; Fri, 12 Jul 2019 16:34:57 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 12 Jul 2019 16:34:56 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 5291B4392F0; Fri, 12 Jul 2019 10:34:55 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 5291B4392F0
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 4D449406B8FB; Fri, 12 Jul 2019 10:34:55 -0400 (EDT)
Date: Fri, 12 Jul 2019 10:34:55 -0400
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: 'Yaron Sheffer' <yaronf.ietf@gmail.com>, 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>, ipsec@ietf.org, 'vinay kornapalli' <vinaykornapalli@gmail.com>
In-Reply-To: <023401d53884$4f00aae0$ed0200a0$@gmail.com>
Message-ID: <alpine.LRH.2.21.1907121028490.22368@bofh.nohats.ca>
References: <alpine.LRH.2.21.1907111548370.26855@bofh.nohats.ca> <023401d53884$4f00aae0$ed0200a0$@gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/fcfKZsfOZ-_hSYrmWi_yr3WnPn4>
Subject: Re: [IPsec] Questions about RFC 5723
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 14:35:03 -0000
On Fri, 12 Jul 2019, Valery Smyslov wrote: > A single (pair of ) IPsec SA is created as result of IKE_AUTH following > IKE_SA_RESUME, as if it follows IKE_SA_INIT instead of IKE_SA_RESUME. > If more IPsec SAs are needed they are created via CREATE_CHILD_SA, > as usual. Ahhhhh I totally missed this part when reading the document. Things make a lot more sense now. Thanks! >> Also, when using PFS, these CREATE_CHILD_SA's would do a DH again, at >> which point one wonders why to do resumption at all if you have more >> than one IPsec SA, as you would be doing DH's anyway for all children, >> you might as well do one more for a regular IKE_SA_INIT ? > > In any case you save on authentication (this may involve signature > computing/verification and probably human intervention in case of EAP). Indeed. Thanks for the clarifications! I guess formally, we would need to add the previous IKE traffic counters to the current one, since these are all derived from the same DH. (yes, for FIPS we need to ensure there is not more than 2^20 or so AES packets of IKE traffic, even though reaching that would be quite the accomplishment) Paul
- [IPsec] Questions about RFC 5723 Paul Wouters
- Re: [IPsec] Questions about RFC 5723 Valery Smyslov
- Re: [IPsec] Questions about RFC 5723 Paul Wouters
- Re: [IPsec] Questions about RFC 5723 Yaron Sheffer