Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol

"Graham Bartlett (grbartle)" <grbartle@cisco.com> Mon, 08 September 2014 17:12 UTC

From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Valery Smyslov <svanru@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, ipsec <ipsec@ietf.org>
Date: Mon, 08 Sep 2014 17:10:07 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/n_tQBwsTIHJXCvN6YTBcAn7zHEc

Hi Valery



I have one Q.

If endpoint receives a request to create an unauthenticated IKE SA
from the IP address, which is configured on the endpoint to be
authenticated, the request SHOULD be rejected.


Why is this not MUST be rejected? Otherwise an attacker could trick the
responder into revealing their identity (maybe some words around this
also?).

Thanks

Graham


On 08/09/2014 07:27, "Valery Smyslov" <svanru@gmail.com> wrote:

>Yes.
>
>Obviously, as the author of the document I can see its value,
>which is described in the document itself.
>And I think it's better to standardize it with
>more people involved, than as individual submission.
>
>Regards,
>Valery.
>
>----- Original Message -----
>From: "Yaron Sheffer" <yaronf.ietf@gmail.com>
>To: "ipsec" <ipsec@ietf.org>
>Sent: Sunday, September 07, 2014 10:53 PM
>Subject: [IPsec] Call for adoption: The NULL Authentication Method in
>IKEv2Protocol
>
>
>> Dear working group,
>>
>> This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG
>> document. Please respond to this mail with a Yes or No and a short
>> rationale, at latest by Friday Sep. 12.
>>
>> Thanks,
>> Yaron
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec