Re: [IPsec] Comments on draft-smyslov-ipsecme-ikev2-auth-announce

Valery Smyslov <smyslov.ietf@gmail.com> Tue, 09 November 2021 11:25 UTC

From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul.wouters=40aiven.io@dmarc.ietf.org>, 'Tero Kivinen' <kivinen@iki.fi>
Cc: ipsec@ietf.org, "'Scott Fluhrer (sfluhrer)'" <sfluhrer=40cisco.com@dmarc.ietf.org>
Date: Tue, 09 Nov 2021 14:25:08 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/fsxgSJeZAU8j7j4f2LL8jyTEe1M>

Hi Paul,

> On Mon, 8 Nov 2021, Tero Kivinen wrote:
> 
> >> Does the AuthMethod apply to the algorithms within the certificate
> >> as well? The RFC should clarify this.
> >
> > The reason for this notify is that if the peer has multiple key pairs
> > (i.e., private keys) it needs to pick one private key to sign the AUTH
> > payload with. If one of those private keys is using EC and another is
> > using RSA, then without this notification there is no way of knowing
> > which one to pick (except perhaps by prior configuration or by
> > heuristics based on the CERTREQ etc).
> 
> What will be in the notification then? Since the authentication method
> for both is "RFC 7425 Digital Signatures" as per existing IANA registry
> for IKEv2 Authentication Methods.

The notification contains a list of supported auth methods.
Each method is represented by a structure containing a value for an auth
method from the
https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-12
IANA registry AND IF this method is "Digital Signature" (defined in RFC 7427)
then IN ADDITION an AlgorithmIdentifier for the supported signature
algorithm is included. So, there may be multiple "Digital Signature"
auth methods with different AlgorithmIdentifiers.

> We would still need a new registry or we need to identify auth algorithms
> by their SPKI similar to how we can signature supported hash algorithms.
> But we would prob end up with seeing lots of duplicate entries with
> slightly different SPKI prefixes.

We can use AlgorithmIdentifier, so no new registry is needed.
But there is a trade off, so this can be discussed if the draft is adopted.

> The RSS-v1.5 vs RSS-PSS is a major pain right now, and implementations
> using 7425 and specifying RSA-v1.5 SHA1 are a double pain as the RFCs
> clearly don't allow that. We run into frequent interop issues with
> these.

That's what this draft tries to address.

Regards,
Valery.

> Paul
> 
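The key-selection step that such an announcement enables, as an added example that is not part of the original message or the draft. Announced methods are modelled as Python tuples rather than the draft's wire encoding; the key names, `select_key` and the local SHA-1 rejection policy are assumptions.

```python
# Added example: in-memory model only, NOT the draft's wire format.
AUTH_SHARED_KEY_MIC = 2       # IANA IKEv2 Authentication Method values
AUTH_DIGITAL_SIGNATURE = 14   # "Digital Signature", RFC 7427

# Standard DER encodings of three AlgorithmIdentifier values
SHA1_RSA = bytes.fromhex("300d06092a864886f70d0101050500")
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")
ECDSA_SHA256 = bytes.fromhex("300a06082a8648ce3d040302")

# Assumed local policy: never sign with sha1WithRSAEncryption
REJECTED_OIDS = {"1.2.840.113549.1.1.5"}

def algorithm_oid(der: bytes) -> str:
    """Dotted OID of a DER AlgorithmIdentifier (short-form lengths only)."""
    if len(der) < 5 or der[0] != 0x30 or der[1] != len(der) - 2 or der[2] != 0x06:
        raise ValueError("not a short-form AlgorithmIdentifier")
    body = der[4:4 + der[3]]
    if len(body) != der[3] or not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    subs, value = [], 0
    for b in body:                      # base-128 subidentifiers
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(value)
            value = 0
    first = subs[0]                     # first value packs two arcs
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in head + tuple(subs[1:]))

def select_key(announced, local_keys):
    """Pick the first local key (local preference order) the peer announced.

    announced:  [(auth_method, alg_id_der or None), ...] from the peer
    local_keys: [(name, auth_method, alg_id_der or None), ...]
    """
    offered = set()
    for method, alg in announced:
        if method == AUTH_DIGITAL_SIGNATURE:
            # A Digital Signature entry must carry an AlgorithmIdentifier
            if alg is None or algorithm_oid(alg) in REJECTED_OIDS:
                continue
        offered.add((method, alg))
    for name, method, alg in local_keys:
        if (method, alg) in offered:
            return name
    return None

# Constructed sample: a host holding an RSA key, an EC key and a PSK
LOCAL_KEYS = [("rsa-2048", AUTH_DIGITAL_SIGNATURE, SHA256_RSA),
              ("ec-p256", AUTH_DIGITAL_SIGNATURE, ECDSA_SHA256),
              ("psk", AUTH_SHARED_KEY_MIC, None)]
```
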