IETF Logo Mail Archive

Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt-01 update

Tobias Brunner <tobias@strongswan.org> Fri, 21 July 2023 12:06 UTC

Return-Path: <tobias@strongswan.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE2D4C14CE4B for <ipsec@ietfa.amsl.com>; Fri, 21 Jul 2023 05:06:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strongswan.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jPJ0L2eWT0uY for <ipsec@ietfa.amsl.com>; Fri, 21 Jul 2023 05:06:18 -0700 (PDT)
Received: from mail.codelabs.ch (mail.codelabs.ch [IPv6:2a02:168:860f:1::35]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B73FC14CF1E for <ipsec@ietf.org>; Fri, 21 Jul 2023 05:06:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.codelabs.ch (Postfix) with ESMTP id 0B3045A0002; Fri, 21 Jul 2023 14:06:09 +0200 (CEST)
Received: from mail.codelabs.ch ([127.0.0.1]) by localhost (fenrir.codelabs.ch [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qefndzi5HY1l; Fri, 21 Jul 2023 14:06:06 +0200 (CEST)
Received: from [IPV6:2a01:8b81:5400:f500:9d71:db78:29ee:3c54] (unknown [IPv6:2a01:8b81:5400:f500:9d71:db78:29ee:3c54]) by mail.codelabs.ch (Postfix) with ESMTPSA id 569125A0001; Fri, 21 Jul 2023 14:06:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=strongswan.org; s=default; t=1689941166; bh=+6iY4+5aKQ09wwO1K0XtcXnh/U/OTKohTV9OkOc+ApE=; h=Date:To:References:From:Subject:In-Reply-To:From; b=ZCoc2Rg9AafTKE4Ny0AzTIsF6g6KLCRKbBXjNJMMSvW+Cdf1TCcppFMFtFLTcplIJ xNxwmrYwDVx3SZbIDpFvgYEWD8Esgp8nfE+Hw2Fxuh+QuNLjenPn6ku/6I1g5qOquF BiJKuQ5aaUKjdDpLSGlU4iVL0jIPP9HfKMEDil2lFMmp2gwdUScTfntBM2vNeWY1eg VNoAzTKQXxBllFWCWUiwV19qmEzwNtAfo/ByNMIree/VaY4WwcTztXWI6J9ss6+ow/ i2P4NoKm3SUCLFXT/CwBI230wr31GL7YteVhBYK9ZosTxLPyaMuS90ZtWZEdNcMpCJ f7YRNawu7ZJnA==
Message-ID: <e16c2b8e-a33f-4c36-e2df-94eab2cd9a2f@strongswan.org>
Date: Fri, 21 Jul 2023 14:06:05 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
Content-Language: en-US, de-CH-frami
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
References: <85a82884-feb3-48a7-5d43-509d7ee7fddb@nohats.ca>
From: Tobias Brunner <tobias@strongswan.org>
In-Reply-To: <85a82884-feb3-48a7-5d43-509d7ee7fddb@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/lth9gLf0QnqiyLcAON3Ck3k8AnE>
Subject: Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt-01 update
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2023 12:06:23 -0000

Hi Paul,

> I tried to formulate and solve the issues discussed at the previous
> meeting. There was no clear outcome (based on rereading the minutes)
> so please check the changes and let the authors know if you disagree.

Thanks for the updates.  Some notes:

 * maybe clarify that IPCOMP_SUPPORTED is only sent and a MUST if IPComp
   was negotiated in the original Child SA.

   RFC 7296 explicitly states "These payloads MUST NOT occur in messages
   that do not contain SA payloads." with regards to IPCOMP_SUPPORTED.
   Is there any clarification required on that?

 * maybe add "incompatible proposal" as a reason for initiating a
   regular Child SA rekeying of the first SA (if the KE method used
   for IKE is not in the Child SA proposal).

   However, I'd honestly prefer if that was just the standardized
   behavior for the Child SA created with IKE_AUTH as we really don't
   know what KE methods the responder has in its Child SA proposal.  So
   just blindly assuming the IKE's KE methods will be accepted seems
   risky (in particular if multiple key exchanges were involved in
   creating the IKE SA).  That IKE SA's first KE method can still be
   preferred in the Child SA rekeying request if it's in the initiator's
   proposal (i.e. use it for the KE payload and list it as first
   method in the SA payload).  But if there is a mismatch, it seems
   easier to recover during a regular rekeying than blindly trying the
   IKE KE method, receiving an INVALID_KE_PAYLOAD and then having to
   initiate a regular rekeying all over anyway (if that's even an
   option, the draft currently doesn't explicitly say).

 * I'm still wondering why the critical bit has to be set for the
   OPTIMIZED_REKEY notify.  It's a regular Notify payload, so it MUST be
   understood by all IKEv2 implementations and setting the bit is
   basically redundant (the critical bit only concerns the payload type,
   not the contents such as the notify message type - it's also only
   allowed to be set in requests so making it an unconditional MUST like
   that violates RFC 7296 anyway).

Regards,
Tobias

v2.23.0 | Report a Bug | By Email