Re: [IPsec] Questions about RFC 5723
Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 12 July 2019 15:39 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89786120700 for <ipsec@ietfa.amsl.com>; Fri, 12 Jul 2019 08:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.704
X-Spam-Level:
X-Spam-Status: No, score=-0.704 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eX_jQlc8uvqX for <ipsec@ietfa.amsl.com>; Fri, 12 Jul 2019 08:39:32 -0700 (PDT)
Received: from mail-wr1-x441.google.com (mail-wr1-x441.google.com [IPv6:2a00:1450:4864:20::441]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC215120714 for <ipsec@ietf.org>; Fri, 12 Jul 2019 08:39:28 -0700 (PDT)
Received: by mail-wr1-x441.google.com with SMTP id g17so10438689wrr.5 for <ipsec@ietf.org>; Fri, 12 Jul 2019 08:39:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=6uXHxuarYSNKe4FuZMrRZVd0ElQwCWnl3rdoV/Zbrdc=; b=o/Ht1LQi5o1zPD2WiriqtMn7a7H3Br9wFvJ8dqfFSdTyUEFhpnypjfCgC9zQQvNhLj qCLW3ZEMUwDueH0Oyj+oGBnwX1rFl/2fuJYErshT7VBUS9acD0MhSt1AMLYqtpwWTQ8z uDwShwjsfkJVoGBFwSOcD+0HWtaiRLOUxeJAPfrLDJS8iJF36JsjK7XXX6rikHUdfSl2 kE3UrI8dNUArRh3G0Qswditna1YmQar1NlN2aO8MVv3x46wySJJfiB8/dvUw3rEpU2vi 7Dd/NRhzbeujcZckhk309YDHKFE0nfhg2Q+HDcJiIygX5YxrGmMeUao1h7mCEUi44U7q NZCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=6uXHxuarYSNKe4FuZMrRZVd0ElQwCWnl3rdoV/Zbrdc=; b=K/vLKdCFL4AFyYNkMd1nuCfCJeYc+8lTrV3Lx6vcAaKDJdZe+8GU6tXiSeYFWezcGP s31tX0ewvN7GOI73xnWRdJOA87Uznf9ABrbV9N8+L0F+6RiFTmxYux/fU7Dhro0oEY4Q jJHIsCL6PD/qrRMlEL9BPa8Wjo8XzkImxTl8nPZrgIpszStWEUaRVlA2opsUz510yu5h Pw12b9FKhVQfzHlbAzT0g5FfuZ0eip8bY0E4EpUb2M2Jt63wV9oQTWSIZCpK9KXD11IQ 9IT61nUS4VCY2/B74nRy5RFklsHsTrwoEtHsKOGPEpu0JbQ3eE4uCclTDB7RT5Nceqve Nrww==
X-Gm-Message-State: APjAAAWlcdYfHR7C0cdOa7kmta7p5HLUbHk0dJ3kcyLo48SO78GIq2yM 5Aekn4ZEqwrxje0fdL8YKig=
X-Google-Smtp-Source: APXvYqxtAHa/DByvnDSUyUDziqnMoOx6/msLGI/DCXS3zuzQueRxTZcBjzRsKpGAteHuFMMLVVsUag==
X-Received: by 2002:adf:f8cf:: with SMTP id f15mr12115848wrq.333.1562945967515; Fri, 12 Jul 2019 08:39:27 -0700 (PDT)
Received: from [10.0.0.156] (bzq-79-180-44-139.red.bezeqint.net. [79.180.44.139]) by smtp.gmail.com with ESMTPSA id w7sm9844763wrn.11.2019.07.12.08.39.26 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Jul 2019 08:39:26 -0700 (PDT)
To: Paul Wouters <paul@nohats.ca>, Valery Smyslov <smyslov.ietf@gmail.com>
Cc: 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>, ipsec@ietf.org, 'vinay kornapalli' <vinaykornapalli@gmail.com>
References: <alpine.LRH.2.21.1907111548370.26855@bofh.nohats.ca> <023401d53884$4f00aae0$ed0200a0$@gmail.com> <alpine.LRH.2.21.1907121028490.22368@bofh.nohats.ca>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <8168d370-68a6-b376-6187-22f7756d17f3@gmail.com>
Date: Fri, 12 Jul 2019 18:39:24 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.21.1907121028490.22368@bofh.nohats.ca>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/m_ZYIgiMbRtXm49sI6FqnfRuEVs>
Subject: Re: [IPsec] Questions about RFC 5723
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 15:39:34 -0000
Paul, please don't hesitate to submit an editorial erratum if you think one is needed. If you don't "get" this RFC, it probably means something is missing. Thanks, Yaron On 12/07/2019 17:34, Paul Wouters wrote: > On Fri, 12 Jul 2019, Valery Smyslov wrote: > >> A single (pair of ) IPsec SA is created as result of IKE_AUTH following >> IKE_SA_RESUME, as if it follows IKE_SA_INIT instead of IKE_SA_RESUME. >> If more IPsec SAs are needed they are created via CREATE_CHILD_SA, >> as usual. > > Ahhhhh I totally missed this part when reading the document. Things make > a lot more sense now. Thanks! > >>> Also, when using PFS, these CREATE_CHILD_SA's would do a DH again, at >>> which point one wonders why to do resumption at all if you have more >>> than one IPsec SA, as you would be doing DH's anyway for all children, >>> you might as well do one more for a regular IKE_SA_INIT ? >> >> In any case you save on authentication (this may involve signature >> computing/verification and probably human intervention in case of EAP). > > Indeed. Thanks for the clarifications! > > I guess formally, we would need to add the previous IKE traffic counters > to the current one, since these are all derived from the same DH. > > (yes, for FIPS we need to ensure there is not more than 2^20 or so AES > packets of IKE traffic, even though reaching that would be quite the > accomplishment) > > Paul
- [IPsec] Questions about RFC 5723 Paul Wouters
- Re: [IPsec] Questions about RFC 5723 Valery Smyslov
- Re: [IPsec] Questions about RFC 5723 Paul Wouters
- Re: [IPsec] Questions about RFC 5723 Yaron Sheffer