Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt-01 update
Tobias Brunner <tobias@strongswan.org> Fri, 21 July 2023 12:06 UTC
Return-Path: <tobias@strongswan.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE2D4C14CE4B for <ipsec@ietfa.amsl.com>; Fri, 21 Jul 2023 05:06:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strongswan.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jPJ0L2eWT0uY for <ipsec@ietfa.amsl.com>; Fri, 21 Jul 2023 05:06:18 -0700 (PDT)
Received: from mail.codelabs.ch (mail.codelabs.ch [IPv6:2a02:168:860f:1::35]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B73FC14CF1E for <ipsec@ietf.org>; Fri, 21 Jul 2023 05:06:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.codelabs.ch (Postfix) with ESMTP id 0B3045A0002; Fri, 21 Jul 2023 14:06:09 +0200 (CEST)
Received: from mail.codelabs.ch ([127.0.0.1]) by localhost (fenrir.codelabs.ch [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qefndzi5HY1l; Fri, 21 Jul 2023 14:06:06 +0200 (CEST)
Received: from [IPV6:2a01:8b81:5400:f500:9d71:db78:29ee:3c54] (unknown [IPv6:2a01:8b81:5400:f500:9d71:db78:29ee:3c54]) by mail.codelabs.ch (Postfix) with ESMTPSA id 569125A0001; Fri, 21 Jul 2023 14:06:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=strongswan.org; s=default; t=1689941166; bh=+6iY4+5aKQ09wwO1K0XtcXnh/U/OTKohTV9OkOc+ApE=; h=Date:To:References:From:Subject:In-Reply-To:From; b=ZCoc2Rg9AafTKE4Ny0AzTIsF6g6KLCRKbBXjNJMMSvW+Cdf1TCcppFMFtFLTcplIJ xNxwmrYwDVx3SZbIDpFvgYEWD8Esgp8nfE+Hw2Fxuh+QuNLjenPn6ku/6I1g5qOquF BiJKuQ5aaUKjdDpLSGlU4iVL0jIPP9HfKMEDil2lFMmp2gwdUScTfntBM2vNeWY1eg VNoAzTKQXxBllFWCWUiwV19qmEzwNtAfo/ByNMIree/VaY4WwcTztXWI6J9ss6+ow/ i2P4NoKm3SUCLFXT/CwBI230wr31GL7YteVhBYK9ZosTxLPyaMuS90ZtWZEdNcMpCJ f7YRNawu7ZJnA==
Message-ID: <e16c2b8e-a33f-4c36-e2df-94eab2cd9a2f@strongswan.org>
Date: Fri, 21 Jul 2023 14:06:05 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
Content-Language: en-US, de-CH-frami
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
References: <85a82884-feb3-48a7-5d43-509d7ee7fddb@nohats.ca>
From: Tobias Brunner <tobias@strongswan.org>
In-Reply-To: <85a82884-feb3-48a7-5d43-509d7ee7fddb@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/lth9gLf0QnqiyLcAON3Ck3k8AnE>
Subject: Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt-01 update
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2023 12:06:23 -0000
Hi Paul, > I tried to formulate and solve the issues discussed at the previous > meeting. There was no clear outcome (based on rereading the minutes) > so please check the changes and let the authors know if you disagree. Thanks for the updates. Some notes: * maybe clarify that IPCOMP_SUPPORTED is only sent and a MUST if IPComp was negotiated in the original Child SA. RFC 7296 explicitly states "These payloads MUST NOT occur in messages that do not contain SA payloads." with regards to IPCOMP_SUPPORTED. Is there any clarification required on that? * maybe add "incompatible proposal" as a reason for initiating a regular Child SA rekeying of the first SA (if the KE method used for IKE is not in the Child SA proposal). However, I'd honestly prefer if that was just the standardized behavior for the Child SA created with IKE_AUTH as we really don't know what KE methods the responder has in its Child SA proposal. So just blindly assuming the IKE's KE methods will be accepted seems risky (in particular if multiple key exchanges were involved in creating the IKE SA). That IKE SA's first KE method can still be preferred in the Child SA rekeying request if it's in the initiator's proposal (i.e. use it for the KE payload and list it as first method in the SA payload). But if there is a mismatch, it seems easier to recover during a regular rekeying than blindly trying the IKE KE method, receiving an INVALID_KE_PAYLOAD and then having to initiate a regular rekeying all over anyway (if that's even an option, the draft currently doesn't explicitly say). * I'm still wondering why the critical bit has to be set for the OPTIMIZED_REKEY notify. It's a regular Notify payload, so it MUST be understood by all IKEv2 implementations and setting the bit is basically redundant (the critical bit only concerns the payload type, not the contents such as the notify message type - it's also only allowed to be set in requests so making it an unconditional MUST like that violates RFC 7296 anyway). Regards, Tobias
- [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloads-o… Paul Wouters
- Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloa… Tobias Brunner
- Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloa… Paul Wouters
- Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloa… Tobias Brunner
- Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloa… Tero Kivinen
- Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloa… Tobias Brunner
- Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloa… Paul Wouters
- Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloa… Valery Smyslov
- Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloa… Tobias Brunner