[IPsec] Fwd: IPsec Digest, Vol 181, Issue 4

shubham mamodiya <shubhammamodiya@gmail.com> Thu, 01 August 2019 07:04 UTC

Return-Path: <shubhammamodiya@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EF89120058 for <ipsec@ietfa.amsl.com>; Thu, 1 Aug 2019 00:04:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.987
X-Spam-Level:
X-Spam-Status: No, score=-1.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_MIME_MALF=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qVcvp2UHsU5G for <ipsec@ietfa.amsl.com>; Thu, 1 Aug 2019 00:04:37 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94B60120026 for <ipsec@ietf.org>; Thu, 1 Aug 2019 00:04:36 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id s19so49395602lfb.9 for <ipsec@ietf.org>; Thu, 01 Aug 2019 00:04:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=VpROG0VyGG2VQfiKGF6jnYuEs6N7Jk6DbSNCJ/Xp378=; b=JImTVKO2+AH+dhTG5HVNFnjBeevOEBnhe1CXWQTBH/3rxd40vhN5BljRJOWVP+695C EdnZbKnqGJf47EYeTUOc4KUEm7mtDSE4huPur/Mte9PyzzZjpIWQfdx68lzMyvOkQ9yC jI+eUfqqalbY7FX5mI6+/CpTgPYNszDfnp5agvteSqsCOE3aJ2qoy9ypCsgw4/7hQmMX v391Phrx3TRFmOZePlElbsJgvFRD+j7M2elhHOdw1D3b3bQDTSmNIRBQ74U3AJ7eh99C f8XFcYRchnHkTyhmPffppEC4n2pCB6AY9YZEMVIf+gtBBg6EYlct4599BMUgUQEzbtcT q5EA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=VpROG0VyGG2VQfiKGF6jnYuEs6N7Jk6DbSNCJ/Xp378=; b=jzEZOBpyDM5AKwOLmiHUdhUsaigf70O9IqlqdX7XiSuaudglyVcBL8zHMiIm1Tvx7R vjHIB5NsWDOV3FYGmE1s2Ni1fL/KxwUIsEkI0y6uFR2chiTC9icoKDZJmaUlLbVMnYvY VsbTLcMXTvBGu+xDwVXgRQKSammTi1D73q9vV6iRIHGKuzHPSfArYSoneGMvVhngC47f c//yEQiCdYNxtFSGWlrD95i/8U2635YDVJA8I+522OhLUbM62tzrD+AzljOjMZqmxDzA 4JybW7gCoPV/inm/gVUP3uzdPleooEXn1Thm4aaV0PTSUprXBFVe8tLtllcD+KE6gV1P KT3w==
X-Gm-Message-State: APjAAAXm6fhAoq2eU9m2B15q9wJTfWtTGQj5BLrbyf5nYdVx+CHdweEt CAZ/qXZq0sLskiARr7RwHvyuARWFgrNhmo2dmbbvyql3
X-Google-Smtp-Source: APXvYqzmdnslpkobf70ZhmrGpt3oEBsLpwHJh/aygodjrKtmpM0/WWat1zFmiEbSgbyoUwXOIf0UG05VZ9RhjWwZGV4=
X-Received: by 2002:ac2:44ce:: with SMTP id d14mr1391451lfm.143.1564643074578; Thu, 01 Aug 2019 00:04:34 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.79.1558551616.30519.ipsec@ietf.org> <CAPz_mZMX_HP-PxktZyxHyOOEZW=Dx8E1jd0F+y51CZnbqUGnaw@mail.gmail.com>
In-Reply-To: <CAPz_mZMX_HP-PxktZyxHyOOEZW=Dx8E1jd0F+y51CZnbqUGnaw@mail.gmail.com>
From: shubham mamodiya <shubhammamodiya@gmail.com>
Date: Thu, 1 Aug 2019 12:34:22 +0530
Message-ID: <CAPz_mZNtph39NX54vc8+H5u+LmLUy5i7dER3GSVWtg0M0F_zPg@mail.gmail.com>
To: ipsec@ietf.org, william.panwei@huawei.com, sandeepkampati@huawei.com, MeduriS.Bharath@huawei.com
Content-Type: multipart/alternative; boundary="000000000000a91c81058f08dab9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/jOX2RS45sSx0_t5j65BY8ERBhDg>
Subject: [IPsec] Fwd: IPsec Digest, Vol 181, Issue 4
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 07:04:40 -0000

---------- Forwarded message ---------
From: shubham mamodiya <shubhammamodiya@gmail.com>;
Date: Thu, Aug 1, 2019 at 12:30 PM
Subject: Re: IPsec Digest, Vol 181, Issue 4
To: <ipsec@ietf.org>;

Some comments for draft
"draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-01.txt".

3.2.3.  Rekeying IKE SAs When Responder's Cryptographic Suites Changed

   At the time of or before rekeying IKE SAs, the responder's
   cryptographic suites may be changed while there is no change of
   initiator's cryptographic suites.  New cryptographic suites may be
   added to the responder, or some outdated cryptographic suites may be
   deleted from the responder.

   In this situation, the initiator sends the SA_UNCHANGED notification
   payload instead of the SA payloads in the CREATE_CHILD_SA request
   message at the time of rekeying IKE SAs.
Kampati, et al.         Expires November 22, 2019               [Page
5]Internet-Draft     IKEv2 Optional Child SA&TS Payloads          May
2019

   If the responder decides to continue using the previously negotiated
   cryptographic suite to rekey the IKE SA, it MAY send the SA_UNCHANGED
   notification payload in the CREATE_CHILD_SA response message, then
   the rekeying is conducted like Section 3.2.1.

   If the responder decides to re-negotiate the cryptographic suite, it
   MUST send NO_PROPOSAL_CHOSEN notification payload in the
   CREATE_CHILD_SA response message.  After receiving this error
   notification, the initiator MUST retry the CREATE_CHILD_SA exchange
   with the SA payloads.  Then the rekeying is conducted in the original
   way defined in [RFC7296].  The CREATE_CHILD_SA message exchange in
   this case is shown below:

   Initiator                         Responder
   --------------------------------------------------------------------
   HDR, SK {N(SA_UNCHANGED), Ni, KEi} -->
                                 <-- HDR, SK {N(NO_PROPOSAL_CHOSEN),
                                         Nr, KEr}
   HDR, SK {SA, Ni, KEi} -->
                                 <-- HDR, SK {SA, *Ni, KEi*}

Comment :

1. If the responder decides to continue using the previously negotiated

   cryptographic suite to rekey the IKE SA, it MAY send the SA_UNCHANGED
   notification payload in the CREATE_CHILD_SA response message, then
   the rekeying is conducted like Section 3.2.1.

>> Better to put exchange diagram for this case also.


2. Nonce and KE notations are not correct in the response message

 If the responder decides to re-negotiate the cryptographic suite, it
   MUST send NO_PROPOSAL_CHOSEN notification payload in the
   CREATE_CHILD_SA response message.  After receiving this error
   notification, the initiator MUST retry the CREATE_CHILD_SA exchange
   with the SA payloads.  Then the rekeying is conducted in the original
   way defined in [RFC7296].  The CREATE_CHILD_SA message exchange in
   this case is shown below:

   Initiator                         Responder
   --------------------------------------------------------------------
   HDR, SK {N(SA_UNCHANGED), Ni, KEi} -->
                                 <-- HDR, SK {N(NO_PROPOSAL_CHOSEN),
                                         Nr, KEr}
   HDR, SK {SA, Ni, KEi} -->
                                 <-- HDR, SK {SA, *Ni, KEi*}

>> In CREATE_CHILD_SA response message, responder MUST not send the same Nonce and KE received from initiator (Ni, KEi).

It MUST be Nr and KEr in the response message.


On Thu, May 23, 2019 at 12:30 AM <ipsec-request@ietf.org>; wrote:

> Send IPsec mailing list submissions to
>         ipsec@ietf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://www.ietf.org/mailman/listinfo/ipsec
> or, via email, send a message with subject or body 'help' to
>         ipsec-request@ietf.org
>
> You can reach the person managing the list at
>         ipsec-owner@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of IPsec digest..."
>
>
> Today's Topics:
>
>    1. Fwd: New Version Notification for
>       draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-01.txt
>       (Panwei (William))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 22 May 2019 07:37:17 +0000
> From: "Panwei (William)" <william.panwei@huawei.com>;
> To: Paul Wouters <paul@nohats.ca>;, Y Sowji <sowji_eluri@yahoo.com>;,
>         "ipsec@ietf.org"; <ipsec@ietf.org>;
> Cc: Sandeep Kampati <sandeepkampati@huawei.com>;, "Meduri S S Bharath
>         (A)" <MeduriS.Bharath@huawei.com>;
> Subject: [IPsec] Fwd: New Version Notification for
>         draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-01.txt
> Message-ID:
>         <
> 30E95A901DB42F44BA42D69DB20DFA6A69F68ABE@nkgeml513-mbx.china.huawei.com>;
>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Paul, Sowjanya and folks,
>
>
>
> Thanks a lot for Paul and Sowjanya?s reviews, we have modified our draft
> based on your comments.
>
>
>
> The new version draft includes the following main changes:
>
> 1. Redesign the sections to make the structure more reasonable and the
> draft more readable.
>
> 2. Change the negotiation of support to the IKE_AUTH phase, and change the
> support notification?s name.
>
> 3. Detail the optimization for rekeying IKE SAs, and use SA_UNCHANGED
> notification payload to replace SA payloads.
>
> 4. Detail the optimization for rekeying Child SAs, and use SA_TS_UNCHANGED
> notification payload to replace SA and TS payload.
>
> 5. For rekeying Child SAs, we currently remove the consideration that only
> omitting TS payloads, because we think this kind omitting will introduce
> more complexities. Initiator SA payload, Initiator TS payload, Responder SA
> payload and Responder TS payload, if either of these four payloads can be
> omitted, there will be up to 16 circumstances, that will be too complex.
>
>
>
> Comments and reviews for the new version draft are very welcome.
>
>
>
> Best Regards
>
> Wei Pan
>
>
>
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> Sent: Wednesday, May 22, 2019 2:17 PM
> To: Meduri S S Bharath (A) <MeduriS.Bharath@huawei.com>;; Meduri S S
> Bharath (A) <MeduriS.Bharath@huawei.com>;; Panwei (William) <
> william.panwei@huawei.com>;; Sandeep Kampati <sandeepkampati@huawei.com>;
> Subject: New Version Notification for
> draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-01.txt
>
>
>
>
>
> A new version of I-D, draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-01.txt
>
> has been successfully submitted by Wei Pan and posted to the IETF
> repository.
>
>
>
> Name:             draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt
>
> Revision:         01
>
> Title:                IKEv2 Optional SA&TS Payloads in Child Exchange
>
> Document date:         2019-05-21
>
> Group:             Individual Submission
>
> Pages:              11
>
> URL:
> https://www.ietf.org/internet-drafts/draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-01.txt
>
> Status:
> https://datatracker.ietf.org/doc/draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt/
>
> Htmlized:
> https://tools.ietf.org/html/draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-01
>
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt
>
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-01
>
>
>
> Abstract:
>
>    This document describes a method for reducing the size of the
>
>    Internet Key Exchange version 2 (IKEv2) exchanges at time of rekeying
>
>    IKE SAs and Child SAs by removing or making optional of SA & TS
>
>    payloads.  Reducing size of IKEv2 exchanges is desirable for low
>
>    power consumption battery powered devices.  It also helps to avoid IP
>
>    fragmentation of IKEv2 messages.
>
>
>
>
>
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
>
>
>
> The IETF Secretariat
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://mailarchive.ietf.org/arch/browse/ipsec/attachments/20190522/fa389580/attachment.html
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
> ------------------------------
>
> End of IPsec Digest, Vol 181, Issue 4
> *************************************
>