Re: [IPsec] Review of draft-ietf-ipsecme-ikev2-null-auth

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 27 February 2015 22:21 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <54F0E873.2020508@gmail.com>
Date: Fri, 27 Feb 2015 14:21:21 -0800
Message-Id: <80906232-2112-40D6-ADBA-95A23137C513@vpnc.org>
References: <CAHbuEH6tenb-OG8F0kF5m3RoSdXk3k-AEqjpqNZD-j4iYW6DvQ@mail.gmail.com> <55B72ED0-2A97-4BD5-AFB9-CA71F7FDAAA6@vpnc.org> <54F0E873.2020508@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/ogWW3--6MmQdCTSyxGZxEnDK6TE>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Review of draft-ietf-ipsecme-ikev2-null-auth

On Feb 27, 2015, at 1:58 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> 
>> 
>> That's a good question, and you can see it both ways.
>> 
>> - The draft says that the PAD processing in RFC 4301 needs to be updated for this draft, so the draft updates RFC 4301.
>> 
>> - Implementations of RFC 4301 that do not care about IKEv2 using this draft should not be updated, so this draft doesn't update 4301, just the 4301 processing when using IKEv2 and this draft.
>> 
>> I tend toward the second interpretation, but am happy either way. What do others think?
>> 
>> --Paul Hoffman
> 
> I tend the other way, so we need an example or two. If you read the abstract of RFC 6040, it says: "On decapsulation, [RFC 6040] updates both RFC 3168 and RFC 4301 to add new behaviours for previously unused combinations of inner and outer headers." Which means that even though existing implementations are not affected until they encounter these new message variants, we use "Updates" because new implementations are expected to include the new behavior.

That's an interesting example, one from outside our WG. Note, however, that RFC 6040 is the *only* RFC that updates RFC 4301 so far. It seems odd that it is the only one like this draft that says "and you need to change your PAD processing for this new thing".

--Paul Hoffman