Re: [IPsec] Mirja Kühlewind's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Wed, 08 January 2020 04:55 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "david.waltermire@nist.gov" <david.waltermire@nist.gov>, "draft-ietf-ipsecme-qr-ikev2@ietf.org" <draft-ietf-ipsecme-qr-ikev2@ietf.org>
Date: Wed, 08 Jan 2020 04:55:02 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/j_mCY9ZeJO5uk7Obf1N6YzNE4C8>
Subject: Re: [IPsec] Mirja Kühlewind's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)

Hi Mirja,

To try to answer your questions:

1) You are right. This is mentioned in a paragraph below that reads 

   [...] or continue without using the
   PPK (if the PPK was not configured as mandatory and the initiator
   included the NO_PPK_AUTH notification in the request).

But for clarity we will slightly rephrase the sentence you pointed out to 

   only if using PPKs for communication with this responder
   is optional for the initiator (based on the mandatory_or_not flag), 
   then the initiator MAY include a notification NO_PPK_AUTH in the 
   above message.

2) It is a little hard to include a time that would match all situations. It really depends on the server DoS protection policy and when it kicks in. The initiator cannot really know how fast is considered too fast for the responder, so it has to make a conservative decision. Adding a " (e.g., seconds) " would probably suffice here.

3) Waiting for one or two RTTs is probably a good rule. The side-effect could be that the initiator stays waiting for responses for too long, which delays the handshake. I am not sure we can mandate an absolute time because it depends on the relative distance between client and server. We can probably include " (e.g., one round-trip) " in the text.

4) I am not sure adding one more notification for downgrade detection adds much here. Remember IKEv2 has subsequent messages to do IKE_AUTH etc and we wanted to not introduce more significant deviations on IKEv2. 

If the PPK is optional for both peers then downgrade is possible but it is the cost of being flexible to allow some peers to use PPK and some to not. If any of the peers has PPK as mandatory then downgrade will be caught and rejected as explained in the Sec Considerations section, so I think we are OK there. 

Rgs,
Panos
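As an added illustration (not code from the draft, its authors, or any IKEv2 implementation), the following Python model walks through the negotiation discussed in this thread: the mandatory_or_not flag, when NO_PPK_AUTH may be offered, the negative-result cache from question 2, and which downgrade cases are caught. The Peer class, the negotiate function, the 60-second cache default and the sample PPK identities are assumptions of the model; cryptography, retransmission and real payload encoding are omitted.

```python
class Peer:
    """One IKEv2 peer. ppk_ids and mandatory are constructed sample
    configuration; 'mandatory' plays the role of the mandatory_or_not flag."""
    def __init__(self, name, ppk_ids, mandatory):
        self.name = name
        self.ppk_ids = set(ppk_ids)
        self.mandatory = mandatory
        self.negative_cache = {}  # peer name -> time until which we don't retry


def ike_sa_init(initiator, responder, strip_use_ppk=False):
    """IKE_SA_INIT: the initiator advertises USE_PPK and the responder echoes it
    if it supports PPKs. strip_use_ppk models an on-path downgrade attempt that
    removes USE_PPK from the response (assumed scenario, used to test detection)."""
    request = {"USE_PPK"} if initiator.ppk_ids else set()
    response = {"USE_PPK"} if ("USE_PPK" in request and responder.ppk_ids) else set()
    if strip_use_ppk:
        response.discard("USE_PPK")
    return request, response


def negotiate(initiator, responder, ppk_id, strip_use_ppk=False, now=0.0, cache_secs=60.0):
    """Returns 'ppk', 'no_ppk' or 'abort'. NO_PPK_AUTH is offered only when PPK
    is optional for the initiator; a mandatory peer on either side turns a
    missing PPK into a rejected exchange rather than a silent downgrade."""
    if initiator.negative_cache.get(responder.name, -1.0) > now:
        return "abort"  # cached negative result: don't retry yet (question 2)
    request, response = ike_sa_init(initiator, responder, strip_use_ppk)
    if "USE_PPK" not in request and responder.mandatory:
        return "abort"  # responder requires a PPK but the initiator cannot offer one
    if "USE_PPK" not in response:
        if initiator.mandatory:
            initiator.negative_cache[responder.name] = now + cache_secs
            return "abort"  # downgrade (or unsupported responder) detected
        return "no_ppk"  # optional for the initiator: continue without PPK
    # IKE_AUTH: name the PPK and, only if PPK is optional, offer a fallback
    auth_req = {"PPK_IDENTITY:" + ppk_id}
    if not initiator.mandatory:
        auth_req.add("NO_PPK_AUTH")
    if ppk_id in responder.ppk_ids:
        return "ppk"
    if "NO_PPK_AUTH" in auth_req and not responder.mandatory:
        return "no_ppk"  # responder lacks this PPK but both sides allow no-PPK
    return "abort"  # no usable PPK and at least one side insists on one
```

The stripped-USE_PPK case shows the trade-off Panos describes: an initiator with PPK optional accepts the downgrade, while a mandatory peer on either side aborts.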

-----Original Message-----
From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Mirja Kühlewind via Datatracker
Sent: Tuesday, January 07, 2020 8:41 AM
To: The IESG <iesg@ietf.org>
Cc: ipsec@ietf.org; ipsecme-chairs@ietf.org; david.waltermire@nist.gov; draft-ietf-ipsecme-qr-ikev2@ietf.org
Subject: [IPsec] Mirja Kühlewind's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)

Mirja Kühlewind has entered the following ballot position for
draft-ietf-ipsecme-qr-ikev2-10: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

1) One small question on section 3:
"if using PPKs for communication with this responder
   is optional for the initiator, then the initiator MAY include a
   notification NO_PPK_AUTH in the above message."
This does mean that NO_PPK_AUTH notification should not be sent when the mandatory_or_not flag indicates that PPK is mandatory, right? Or is that a separate configuration? Would be good to clarify in the doc!

2) Section 6 says:
"In this situation, it is RECOMMENDED
   that the initiator caches the negative result of the negotiation for
   some time and doesn't make attempts to create it again for some time,"
Would it be possible to give any hints about what "some time" means or at least the order of magnitude? Maybe it could be recommended to wait a couple of seconds? Or how long is it usually expected to take until the half-open connection will be expired?

3) Also here:
"then the initiator doesn't abort the
   exchange immediately, but instead waits some time for more responses
   (possibly retransmitting the request)."
How long should one wait? Probably 1-2 RTTs if the RTT is known or maybe there is some good max value like 500ms or 1s or more...?  Is there any risk in waiting too long?

4) And one high-level comment (without knowing too much detail about IKEv2):
Would it be possible to do a downgrade detection, meaning when non-PPK encryption is established the initiator would tell the responder again that it was initially requesting PPK, just to double-check...?

