[IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt
Tero Kivinen <kivinen@iki.fi> Mon, 03 March 2014 15:04 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AE5C1A0102 for <ipsec@ietfa.amsl.com>; Mon, 3 Mar 2014 07:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZuIhhrrXAbOn for <ipsec@ietfa.amsl.com>; Mon, 3 Mar 2014 07:04:11 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id B017E1A004A for <ipsec@ietf.org>; Mon, 3 Mar 2014 07:04:10 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.5) with ESMTP id s23F44up020636 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 3 Mar 2014 17:04:04 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.12.11) id s23F443D006722; Mon, 3 Mar 2014 17:04:04 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21268.39396.785431.297271@fireball.kivinen.iki.fi>
Date: Mon, 03 Mar 2014 17:04:04 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <B1B032692C7045B7AEA06166F8AC9B9F@buildpc>
References: <B1B032692C7045B7AEA06166F8AC9B9F@buildpc>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 9 min
X-Total-Time: 126 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/fo7TL9oMmTTAHuZgacF98Sr09AY
Cc: ipsec@ietf.org
Subject: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 15:04:13 -0000
Valery Smyslov writes: > I've posted new version of the NULL Auth Method draft. > It addresses comments received from Yaron Sheffer and Paul Wouters. Ah, I just managed to read the -00 version... Oh well, reading diffs next... Anyways I think the document is in quite good shape, I think the section 2.2 needs to be more specific about how to send the empty ID payload. I think the idea of sending ID_IPV4_ADDR with 0 bytes of data is very bad idea. The current text says you can omit data, and that the type can be anything. The problem is that in most cases the implementation has code that will parse the ID payload using standard rules and now if the ID payload has type of ID_IPV4_ADDR and 0 bytes of data, the parsing will fail. It would be better to say that if you are sending empty ID payload, you msut use ID_KEY_ID type which already allows any data, including empty. Actually I now noticed you changed the "SHOULD be ignored" to "MUST be ignored", and I think that is again bad idea. I think logging and auditing the ID for problem solving purposes is good idea even if it does not have any meaning for the authentication. I.e. at least then I can contact helpdesk and say that my NULL authentication connection to server 1.2.3.4 failed, and I have no idea why, can you help. Oh, my ID payload had ID_KEY_ID 0324234mkdsff43r5, if that helps you to find it from your logs... -- kivinen@iki.fi
- Re: [IPsec] Fw: New Version Notification for draf… Yaron Sheffer
- [IPsec] Fw: New Version Notification for draft-sm… Valery Smyslov
- [IPsec] Fw: New Version Notification for draft-sm… Tero Kivinen
- Re: [IPsec] Fw: New Version Notification for draf… Paul Wouters
- Re: [IPsec] Fw: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] Fw: New Version Notification for draf… Paul Wouters
- Re: [IPsec] Fw: New Version Notification for draf… Paul Wouters
- Re: [IPsec] Fw: New Version Notification for draf… Tero Kivinen
- Re: [IPsec] Fw: New Version Notification for draf… Tero Kivinen
- Re: [IPsec] Fw: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] Fw: New Version Notification for draf… Paul Wouters
- Re: [IPsec] Fw: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] Fw: New Version Notification for draf… Tero Kivinen
- Re: [IPsec] Fw: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] Fw: New Version Notification for draf… Paul Wouters
- Re: [IPsec] Fw: New Version Notification for draf… Paul Wouters
- Re: [IPsec] Fw: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] Fw: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] Fw: New Version Notification for draf… Yaron Sheffer