Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04
"Hammell, Jonathan F" <Jonathan.Hammell@cyber.gc.ca> Thu, 13 December 2018 17:40 UTC
Return-Path: <Jonathan.Hammell@cyber.gc.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7CBB130DFA for <ipsec@ietfa.amsl.com>; Thu, 13 Dec 2018 09:40:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dSmcusdj2U7Q for <ipsec@ietfa.amsl.com>; Thu, 13 Dec 2018 09:40:27 -0800 (PST)
Received: from beechnut.cse-cst.gc.ca (beechnut.cse-cst.gc.ca [205.193.218.37]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 091BD1200B3 for <ipsec@ietf.org>; Thu, 13 Dec 2018 09:40:26 -0800 (PST)
From: "Hammell, Jonathan F" <Jonathan.Hammell@cyber.gc.ca>
To: "'ipsec@ietf.org'" <ipsec@ietf.org>
Thread-Topic: Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04
Thread-Index: AdSTCe4wj5wa/AqMQCWUoIVyfm/6Ww==
Date: Thu, 13 Dec 2018 17:40:23 +0000
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-classification: UNCLASSIFIED
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Message-Id: <20181213174027.091BD1200B3@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/kuQeE32w5_jFgbJn7z2r7fa1eAQ>
Subject: Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2018 17:40:30 -0000
Classification: UNCLASSIFIED
The Canadian Centre for Cyber Security has reviewed draft-ietf-ipsecme-qr-ikev2-04 and recommends the authors address the following comments before proceeding to IESG.
1. The table on Page 8 refers to the term 'HAVE PPK' - this term is not used elsewhere in the document. To understand the table the reader is left to surmise its meaning. We understand the term as the Responder being configured with a PPK for the Initiator (identified by the PPK_ID). We recommend either defining what is meant by 'HAVE PPK' or changing the term from 'HAVE PPK' to 'Configured with PPK for the initiator' which is how it is described in the Upgrade procedure or more simply as 'Configured with PPK' .
2. Section Upgrade procedure - We recommend changing the statement "As an optional second step, after all nodes have been upgraded, the administrator may then go back ... and mark the use of PPK as mandatory." to "After all nodes have been upgraded, the administrator SHOULD go back ...".
3. IKEv2 with EAP authentication -the EAP-ikev2 protocol description in the draft is different from that in the EAP-IKEv2 RFC 5106 beyond what we expect because of PPK use (i.e Initiator does not send an AUTH payload in the first EAP-Req message).
a. Firstly, none of the message types from RFC 5106 are used in the draft: EAP-Req, EAP-Res and EAP-Success for example. We recommend using the same notation as in the RFC to describe EAP with PPK.
b. The draft uses the term "EAP" whose meaning is unclear but assumed to mean an EAP type message.
c. The biggest difference appears to be the fact that it is the Responder who sends the EAP-success message. This may be done because an extra IKE_AUTH exchange will be performed, but an explanation could be useful.
We highlight two messages below (**) from the draft that appear to not fit the RFC's description. Also it is not clear what is meant by the term EAP in the messages, we assume that it stands for EAP-Req or EAP-Res.
The portion of the description in the draft (without the IKE_SA_INIT and IKE_AUTH exchanges) is
Initiator Responder
----------------------------------------------------------------
HDR, SK {IDi, [CERTREQ,]
[IDr,] SAi2,
TSi, TSr} -->
<-- HDR, SK {IDr, [CERT,] AUTH,
EAP}
** HDR, SK {EAP} -->
<-- HDR, SK {EAP (success)} **
Compared with the protocol described in RFC 5106 without the initial exchanges
5. R<-I: EAP-Req (HDR, SK{IDi, [CERT], [CERTREQ], [NFID], AUTH})
6. R->I: EAP-Res (HDR, SK{IDr, [CERT], AUTH})
* 7. R<-I: EAP-Success
Figure 1: EAP-IKEv2 Full, Successful Protocol Run
Best regards,
Jonathan
On Fri, 30 Nov 2018, Waltermire, David A. (Fed) wrote:
> This message starts a working group last call (WGLC) on draft-ietf-ipsecme-qr-ikev2-04, which will conclude on December 14, 2018 at UTC 23:59. Please review and provide feedback on the -04 version (https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/). Please indicate if you believe this draft is ready for publication or if you have comments that must be addressed before the draft progresses to the IESG.
- [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Waltermire, David A. (Fed)
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Paul Wouters
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Hammell, Jonathan F
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Hammell, Jonathan F
- Re: [IPsec] WGLC on draft-ietf-ipsecme-qr-ikev2-04 Valery Smyslov