Re: [IPsec] draft-smyslov-ipsecme-ikev2-null-auth-01

Paul <paul@nohats.ca> Thu, 05 June 2014 03:12 UTC

From: Paul <paul@nohats.ca>
Date: Wed, 04 Jun 2014 23:12:15 -0400
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/ivczNWL0weOPs-eow3PpKH2ql64
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>


Sent from my iPhone

> On Jun 4, 2014, at 17:55, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> 
> 
> Section 2.2 says that “As peer identity is meaningless in this case, Identification Data SHOULD be omited from ID Payload”([1]), and even if sent, it MUST be ignored by IKE. So it’s really not provided.

There wasn't consensus on that, but I'm clearly of that opinion as well.

> 
> That’s a good question. What prevents a random attacker from sending a TSr covering IP address 8.8.8.8 and getting a whole bunch of DNS queries? That’s easier than bugging the ISP or breaking the wifi password.

Our implementation has a global option that allows only RFC 1918 and related (e.g. 25/8) for NAT-T. We might be able to not need it with the Linux VTI hooks and NAT, but that's still a work in progress. For the protocol work I'd say that is all local implementation.


>> I think that the opportunistic encryption use case given can not make any
>> sense without reference to the PAD.
> 
> I think that’s the hard part of any opportunistic IPsec. It’s not always better than nothing, because you might be making it easier for Eve. 
> 
> Yoav
> 
> [1] sic - “omitted” should have two t's
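The TSr restriction discussed in this thread (accept only RFC 1918 and similar ranges under NAT-T, so a selector for 8.8.8.8 is refused), as an added illustration that is not the implementation's own code: it parses constructed TS_IPV4_ADDR_RANGE selectors laid out per RFC 7296 section 3.13.1 and accepts a range only if one allowed prefix contains both ends. The allowed set, with 25/8 taken from the message above, is an assumption.

```python
"""Screen IKEv2 responder traffic selectors (TSr) against a private-address allowlist."""
import ipaddress
import struct
from typing import List, Tuple

TS_IPV4_ADDR_RANGE = 7  # TS Type value from RFC 7296 section 3.13.1

# Assumption: RFC 1918 plus the 25/8 example quoted in the thread; deployments differ.
DEFAULT_ALLOWED = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "25.0.0.0/8")]


def parse_ts_ipv4(buf: bytes) -> List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Parse consecutive TS_IPV4_ADDR_RANGE selectors into (start, end) address pairs.
    Protocol and ports are skipped: only the address scope matters for this policy."""
    sels, off = [], 0
    while off < len(buf):
        ts_type, _proto, length = struct.unpack_from("!BBH", buf, off)
        if ts_type != TS_IPV4_ADDR_RANGE or length != 16 or off + length > len(buf):
            raise ValueError("unsupported or malformed traffic selector")
        start, end = struct.unpack_from("!4s4s", buf, off + 8)
        sels.append((ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
        off += length
    return sels


def selector_allowed(start, end, allowed=DEFAULT_ALLOWED) -> bool:
    """A range passes only if a single allowed prefix contains both of its ends;
    prefixes are contiguous, so that also covers every address in between."""
    start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if start > end:
        return False  # inverted range: reject rather than guess the intent
    return any(start in net and end in net for net in allowed)


def filter_tsr(buf: bytes, allowed=DEFAULT_ALLOWED):
    """Split a received TSr payload body into (accepted, rejected) selector lists."""
    ok, bad = [], []
    for s, e in parse_ts_ipv4(buf):
        (ok if selector_allowed(s, e, allowed) else bad).append((str(s), str(e)))
    return ok, bad


def build_ts_ipv4(start: str, end: str) -> bytes:
    """Constructed sample selector: any protocol, any port, given address range."""
    return struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, 0, 16, 0, 65535,
                       ipaddress.IPv4Address(start).packed, ipaddress.IPv4Address(end).packed)


if __name__ == "__main__":
    sample = build_ts_ipv4("10.0.0.0", "10.255.255.255") + build_ts_ipv4("8.8.8.8", "8.8.8.8")
    print(filter_tsr(sample))  # the 10/8 selector is accepted, the 8.8.8.8 one rejected
```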