Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol

"Valery Smyslov" <svanru@gmail.com> Tue, 09 September 2014 07:11 UTC

Message-ID: <0666BB9DE8304DC1891658BFA9FF7EF7@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: "Graham Bartlett (grbartle)" <grbartle@cisco.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, ipsec <ipsec@ietf.org>
References: <540CA9B2.3090807@gmail.com> <DCC36F8DE78A4E5280A9977B4CAC144A@buildpc> <D033575C.2C348%grbartle@cisco.com>
Date: Tue, 09 Sep 2014 11:11:21 +0400
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/iIg_0Lq6xuPpX649CG0x6h4t4ew
Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol

Hi Graham,

> I have one Q.
> 
> If endpoint receives a request to create an unauthenticated IKE SA
> from the IP address, which is configured on the endpoint to be
> authenticated, the request SHOULD be rejected.
> 
> Why is this not MUST be rejected? Otherwise an attacker could trick the
> responder into revealing their identity (maybe some words around this
> also?).

I was thinking of two possible cases here.
First, even if the initiator was able to certify its identity, 
it might want to keep anonymity for this particular
connection (for example to prevent tracking its
activity). And the other case - the responder's configuration
could be out of date and the IP address it was
configured to be authenticated could already
belong to some other, anonymous host.

Anyway, while SHOULD is a pretty strong requirement,
it is not ultimate here: I'm not absolutely sure
that the above cases completely justify it over MUST.
We can discuss it.

And you are right - some (I dare say "many")
words still need to be added into the Security Considerations
section.

Regards,
Valery.


> Thanks
> 
> Graham
> 
> 
> On 08/09/2014 07:27, "Valery Smyslov" <svanru@gmail.com> wrote:
> 
>>Yes.
>>
>>Obviously, as the author of the document I can see its value,
>>which is described in the document itself.
>>And I think it's better to standardize it with
>>more people involved, than as individual submission.
>>
>>Regards,
>>Valery.
>>
>>----- Original Message -----
>>From: "Yaron Sheffer" <yaronf.ietf@gmail.com>
>>To: "ipsec" <ipsec@ietf.org>
>>Sent: Sunday, September 07, 2014 10:53 PM
>>Subject: [IPsec] Call for adoption: The NULL Authentication Method in
>>IKEv2Protocol
>>
>>
>>> Dear working group,
>>>
>>> This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG
>>> document. Please respond to this mail with a Yes or No and a short
>>> rationale, at latest by Friday Sep. 12.
>>>
>>> Thanks,
>>> Yaron
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>>
>
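The rule Graham quotes and the SHOULD-versus-MUST question, as an added illustrative model that is not from the draft, from this thread's authors, or from any IKEv2 implementation: a responder-side check that decides an IKE_AUTH request carrying the NULL authentication method against a configured list of peer prefixes that are supposed to authenticate. The names (`ResponderPolicy`, `handle_ike_auth`, the prefixes and the responder identity) are constructed for this example, and the payload lists are a simplification of the real IKE_AUTH exchange. The `strict` flag contrasts the MUST reading Graham asks for with the SHOULD wording Valery defends: with `strict=False` the responder tolerates the anonymous peer and therefore sends its own IDr to a peer that has not proven who it is, which is the disclosure Graham is worried about; with `strict=True` the rejection carries only a Notify payload and the responder's identity is never sent.

```python
"""Illustrative responder-side policy check for NULL authentication in IKEv2.

Constructed example, not code from the draft or any IKE implementation.
It models the rule discussed on the list: an IKE_AUTH request using the
NULL authentication method from an address the responder is configured to
authenticate is rejected, and the rejection never discloses the responder's
own identity.
"""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List


class AuthMethod(Enum):
    """Subset of IKEv2 authentication methods used by this model."""
    RSA_SIG = "rsa-sig"
    PSK = "shared-key"
    NULL = "null"


class Decision(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


@dataclass
class ResponderPolicy:
    """Hypothetical responder configuration (constructed for this example).

    authenticated_peers: prefixes whose peers are configured to authenticate.
    strict: True models "MUST reject"; False models "SHOULD reject" with a
            local override that lets such a peer remain anonymous.
    """
    authenticated_peers: List[str] = field(default_factory=list)
    strict: bool = True


@dataclass
class IkeAuthResponse:
    decision: Decision
    payloads: List[str]   # names of the payloads the responder sends back
    log: str              # one line a defender would want in the IKE log


def requires_authentication(policy: ResponderPolicy, src_ip: str) -> bool:
    """True if the source address falls in a prefix configured to authenticate."""
    addr = ip_address(src_ip)
    return any(addr in ip_network(prefix) for prefix in policy.authenticated_peers)


def handle_ike_auth(policy: ResponderPolicy, src_ip: str,
                    auth_method: AuthMethod, responder_id: str) -> IkeAuthResponse:
    """Decide how the responder answers an IKE_AUTH request.

    Security-relevant property: on REJECT the response carries only a Notify,
    so IDr and the responder's AUTH are never sent to a peer that has not
    proven its identity.
    """
    if auth_method is AuthMethod.NULL and requires_authentication(policy, src_ip):
        if policy.strict:
            return IkeAuthResponse(
                Decision.REJECT,
                ["N(AUTHENTICATION_FAILED)"],
                f"{src_ip}: NULL auth from address configured for authentication; rejected",
            )
        # SHOULD-style behaviour: the operator tolerates an anonymous peer from
        # this prefix (stale configuration, or the peer wants anonymity). Note
        # that the accept path below still discloses IDr to that peer.
        note = "NULL auth tolerated by local override; IKE SA is unauthenticated"
    else:
        note = f"auth method {auth_method.value} accepted"
    return IkeAuthResponse(
        Decision.ACCEPT,
        [f"IDr({responder_id})", "AUTH", "SA", "TSi", "TSr"],
        f"{src_ip}: {note}",
    )


if __name__ == "__main__":
    # Constructed sample policy: 192.0.2.0/24 is expected to authenticate.
    policy = ResponderPolicy(authenticated_peers=["192.0.2.0/24"], strict=True)
    for ip, method in [("192.0.2.10", AuthMethod.NULL),
                       ("192.0.2.10", AuthMethod.RSA_SIG),
                       ("198.51.100.7", AuthMethod.NULL)]:
        resp = handle_ike_auth(policy, ip, method, "responder.example")
        print(resp.decision.value, resp.payloads, "|", resp.log)
```

The non-strict branch is deliberately visible rather than hidden behind the same code path: whoever configures `strict=False` should see that the accept response still contains `IDr`, which is exactly what makes the SHOULD exception a trade-off rather than a free choice.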