[IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt

Tero Kivinen <kivinen@iki.fi> Mon, 03 March 2014 15:04 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AE5C1A0102 for <ipsec@ietfa.amsl.com>; Mon, 3 Mar 2014 07:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZuIhhrrXAbOn for <ipsec@ietfa.amsl.com>; Mon, 3 Mar 2014 07:04:11 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id B017E1A004A for <ipsec@ietf.org>; Mon, 3 Mar 2014 07:04:10 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.5) with ESMTP id s23F44up020636 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 3 Mar 2014 17:04:04 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.12.11) id s23F443D006722; Mon, 3 Mar 2014 17:04:04 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <21268.39396.785431.297271@fireball.kivinen.iki.fi>
Date: Mon, 3 Mar 2014 17:04:04 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Valery Smyslov" <svanru@gmail.com>
In-Reply-To: <B1B032692C7045B7AEA06166F8AC9B9F@buildpc>
References: <B1B032692C7045B7AEA06166F8AC9B9F@buildpc>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 9 min
X-Total-Time: 126 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/fo7TL9oMmTTAHuZgacF98Sr09AY
Cc: ipsec@ietf.org
Subject: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 15:04:13 -0000

Valery Smyslov writes:
> I've posted new version of the NULL Auth Method draft.
> It addresses comments received from Yaron Sheffer and Paul Wouters.

Ah, I just managed to read the -00 version... Oh well, reading diffs
next...

Anyways I think the document is in quite good shape, I think the
section 2.2 needs to be more specific about how to send the empty ID
payload. I think the idea of sending ID_IPV4_ADDR with 0 bytes of
data is very bad idea. The current text says you can omit data, and
that the type can be anything. The problem is that in most cases the
implementation has code that will parse the ID payload using standard
rules and now if the ID payload has type of ID_IPV4_ADDR and 0 bytes
of data, the parsing will fail.

It would be better to say that if you are sending empty ID payload,
you msut use ID_KEY_ID type which already allows any data, including
empty.

Actually I now noticed you changed the "SHOULD be ignored" to "MUST be
ignored", and I think that is again bad idea. I think logging and
auditing the ID for problem solving purposes is good idea even if it
does not have any meaning for the authentication. I.e. at least then I
can contact helpdesk and say that my NULL authentication connection to
server 1.2.3.4 failed, and I have no idea why, can you help. Oh, my ID
payload had ID_KEY_ID 0324234mkdsff43r5, if that helps you to find it
from your logs... 
-- 
kivinen@iki.fi