Re: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements?
Valery Smyslov <smyslov.ietf@gmail.com> Sun, 24 May 2020 16:24 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24F6B3A0B81 for <ipsec@ietfa.amsl.com>; Sun, 24 May 2020 09:24:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UgotbQqTNWwb for <ipsec@ietfa.amsl.com>; Sun, 24 May 2020 09:24:02 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B85C3A0B7C for <ipsec@ietf.org>; Sun, 24 May 2020 09:24:02 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id z13so8591702ljn.7 for <ipsec@ietf.org>; Sun, 24 May 2020 09:24:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=Id+gH9YJiq3O4cFa+Fmww8JBxExcz3V1PGOTSQ9E47o=; b=CCEOStpmqKbMtPmZp7FyIztUSLe7LuRDmlil8Q2UTWQvubiTUUE7NNxDWJA84GAp4y te/ezIfFvCPzLPWoJt2TdrgNDgNLUHMLRzTzlpXnil4sUzKwEIEmJfLiF9wI2kz5rDdo loz6C5QwTtBWNcvd1A8laqGC/uI9mdu1oopfUliy6sOGiGS1hQ0WBOwODZj+RUbCiSG0 Lu6QWq7cf8b1nW/r4MS9qh9nzMMjhL9BHIRATg7s9rqWBTFgO9ClKFqi9rmb4jIC/1X3 ahPeWoLUADKhN/12Xoonz1fiLTelWcSiKRU7TPkhtr4hxuuuHNEJHVbbQ+5q6yeS9iI8 Z7FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=Id+gH9YJiq3O4cFa+Fmww8JBxExcz3V1PGOTSQ9E47o=; b=g9hRY0UI5vMhsxXVRii82rOFpe1lUjS8RO1bgf8vcv7KNsu+IW6SzwmLcZrRPPW/9b vv1oi+x3FhblBrcXMkxOUWyu1HLk6aEhSxmHxvUFC/peBcaFdj9fKZiRtvj5AMHPdoku CWsKZp57OtXJB1S9goJiSV2Q5/HR4KXl/9YEhnNpSXSJOq90/PLZjwO9VwhqFZ+Sd3H8 HxVI0l+8YwKlGnuLlghTbmwP0GaCHl4G8n2Jj3MTuFRoDuj7CdWVsn/w3+zD0QP81Smw pBH64FvV08GkO3fYxli/weOIeoGiqFzD8PXtkb9QeDhAhmNtkekE2uZAD3cZQfzPj1wA yJvg==
X-Gm-Message-State: AOAM530f5luE60hfH1hDQJbExdOwpUq0XtDfB4JeYGLTjylhA7mN3b4n jg02m8D2XDqAHteNO//8z/YdvgAN
X-Google-Smtp-Source: ABdhPJyQcA+dI1CmWDCRkQbKALpTs/4ww0oadUXvTzp+0cuHo3MhiWuKjlbPjv5F+5PsFu2LMullag==
X-Received: by 2002:a2e:6a11:: with SMTP id f17mr1727777ljc.328.1590337439960; Sun, 24 May 2020 09:23:59 -0700 (PDT)
Received: from chichi (95-27-147-103.broadband.corbina.ru. [95.27.147.103]) by smtp.gmail.com with ESMTPSA id f9sm4293180ljf.99.2020.05.24.09.23.58 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 24 May 2020 09:23:58 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Linda Dunbar' <linda.dunbar@futurewei.com>, 'Paul Wouters' <paul@nohats.ca>
Cc: ipsec@ietf.org
References: <SN6PR13MB233450103D13365702E14D7A85B80@SN6PR13MB2334.namprd13.prod.outlook.com> <alpine.LRH.2.21.2005181442060.29444@bofh.nohats.ca> <SN6PR13MB23349CB87CDDCF05E504727B85B60@SN6PR13MB2334.namprd13.prod.outlook.com>
In-Reply-To: <SN6PR13MB23349CB87CDDCF05E504727B85B60@SN6PR13MB2334.namprd13.prod.outlook.com>
Date: Sun, 24 May 2020 19:23:58 +0300
Message-ID: <002d01d631e7$bae0cf30$30a26d90$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFcG9V+LNVx37zPeZAOazGVwjuEIAGD/LLMAlqpkfmpjKEyAA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/hOHv-FZA574vWV8mNrD3Lpl7AEg>
Subject: Re: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 Auto-Discovery VPN Problem Statement and Requirements?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 May 2020 16:24:04 -0000
Hi Linda, > Paul, > > Thank you very much for the detailed explanation. > > What is " you can do auth-null for passive attack protection"? does it mean > "NO Authentication"? Yes, NULL authentication method in IKEv2 provides no authentication. It is intended to be used in cases where no trust relationship exists between peers or where authentication is performed by other means. It only protects against passive attacks. > If two peers have shared CA, does it mean there is no need for > Authentication? If peers have shared CA they can mutually authenticate themselves and there is no need for NULL authentication in this case. Hope this helps, Valery. > Thanks, Linda > > > > -----Original Message----- > From: Paul Wouters <paul@nohats.ca> > Sent: Monday, May 18, 2020 1:52 PM > To: Linda Dunbar <linda.dunbar@futurewei.com> > Cc: ipsec@ietf.org WG <ipsec@ietf.org> > Subject: Re: [IPsec] Is there any drafts or RFCs on solutions to RFC 7018 > Auto-Discovery VPN Problem Statement and Requirements? > > On Mon, 18 May 2020, Linda Dunbar wrote: > > > We are experiencing the problems described in RFC 7018 (Auto-Discovery > > VPN Problem Statement and Requirements), i.e. the problem of enabling > a large number of peers (primarily Gateway) to communicate directly using > IPsec to protect the traffic between them. > > unfortunately, standarization failed because vendors wanted their own > solution standarized, and the WG didn't want multiple standards, so it > decided to do none. > > For libreswan, we do "Opportunistic IPsec", which is basically "just try host- > to-host IPsec, fail to either clear or block depending on policy". > We also have a "you can do auth-null for passive attack protection" > in one or both directions" and a migration path from there to fully > authenticated IPsec. Authentication based on a shared CA or DNSSEC. > > These are packet trigger based solutions. > > It works well for most meshes, and requires no proprietary or new > standards.. The only two non-standard parts are that when using > certificates, we allow requiring an addictional call to match the IKE ID with > certificate SAN in the DNS (to prevent a compromised node from pretending > to be another node in the mesh) and we have one non-standarized payload > to signify we can do auth-null as well as authenticated IPsec, which we > hopefully can retire once this document gets adopted / implemented: > > https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdat > atracker.ietf.org%2Fdoc%2Fdraft-smyslov-ipsecme-ikev2-auth- > announce%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C > 1a29cf55dab94e9d7e3b08d7fb5c9754%7C0fee8ff2a3b240189c753a1d5591f > edc%7C1%7C0%7C637254247407162655&sdata=8%2B%2FxIlUKattjsk9 > 57tdKCXR137ntP8WZ5YcnNsBzBD4%3D&reserved=0 > > > Is there any drafts describing the solutions to the problems identified by > RFC7018? > > There might be the old drafts of the autovpn candidates, but as that is all > incompatible and/or proprietary, and mostly from before my time, I have > not looked at those solutions much. > > One issue I have with Cisco solutions, is that they now prefer to wrap > everything in GRE, which isn't the best from a security point of view. > > NHRP (using opennhrp) seems somewhat popular too? > > Paul > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Is there any drafts or RFCs on solutions … Linda Dunbar
- Re: [IPsec] Is there any drafts or RFCs on soluti… Praveen Sathyanarayan
- Re: [IPsec] Is there any drafts or RFCs on soluti… vishwas.ietf
- Re: [IPsec] Is there any drafts or RFCs on soluti… Linda Dunbar
- Re: [IPsec] Is there any drafts or RFCs on soluti… Paul Wouters
- Re: [IPsec] Is there any drafts or RFCs on soluti… Linda Dunbar
- Re: [IPsec] Is there any drafts or RFCs on soluti… Valery Smyslov