[IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-ikev2-intermediate-09: (with COMMENT)
Martin Duke via Datatracker <noreply@ietf.org> Wed, 02 March 2022 20:17 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: ipsec@ietf.org
Delivered-To: ipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A4F843A0C4C; Wed, 2 Mar 2022 12:17:15 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Martin Duke via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ipsecme-ikev2-intermediate@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, ynir.ietf@gmail.com, ynir.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.46.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Martin Duke <martin.h.duke@gmail.com>
Message-ID: <164625223564.17953.1128366395669864994@ietfa.amsl.com>
Date: Wed, 02 Mar 2022 12:17:15 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/gcewAtrnlTVBs9eIazhzhm-S8NY>
Subject: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-ikev2-intermediate-09: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 20:17:16 -0000
Martin Duke has entered the following ballot position for draft-ietf-ipsecme-ikev2-intermediate-09: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-intermediate/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- (3.2) "Implementations MUST verify that Message IDs in the IKE_INTERMEDIATE messages [increment by 1]". Or what? In any case, isn't this fully enforced by the WINDOW_SIZE parameter in Sec 2.3 of RFC 7296? That is, if WINDOW_SIZE == 1, any message that doesn't increment by 1 will simply be ignored. If WINDOW_SIZE > 1, receiving an increment > 1 is in fact legal (due to packet loss) but the window will not advance until all IDs are received? (5) The security considerations hint at it with all the DoS talk, but it would be valuable to place some limits on the kind of information that can be contained in IKE_INTERMEDIATE and how it is processed. The document doesn't appear to explicitly restrict these messages to overflow from IKE_SA_INIT messages, so if an extension sends e.g. user data in these what are the implications? I'd suggest that applications not process such data until AUTH exchange is complete. While I am not particularly happy with solely using the WINDOW_SIZE mechanism to regulate the amount of data in flight, IMO that is an issue with RFC 7296 and not this document.
- [IPsec] Martin Duke's No Objection on draft-ietf-… Martin Duke via Datatracker
- Re: [IPsec] Martin Duke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Martin Duke's No Objection on draft-i… Martin Duke
- Re: [IPsec] Martin Duke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Martin Duke's No Objection on draft-i… Martin Duke