IETF Logo Mail Archive

Re: [IPsec] Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06

Paul Wouters <paul.wouters@aiven.io> Mon, 01 April 2024 18:05 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D715C151997 for <ipsec@ietfa.amsl.com>; Mon, 1 Apr 2024 11:05:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nJ6bJPshDTAW for <ipsec@ietfa.amsl.com>; Mon, 1 Apr 2024 11:05:25 -0700 (PDT)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FCE6C151707 for <ipsec@ietf.org>; Mon, 1 Apr 2024 11:05:25 -0700 (PDT)
Received: by mail-ej1-x62b.google.com with SMTP id a640c23a62f3a-a4702457ccbso532453266b.3 for <ipsec@ietf.org>; Mon, 01 Apr 2024 11:05:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1711994723; x=1712599523; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8/3kV2Gn1VW4+IhydGoEuozmd+JCNeDuPexQpnF5k98=; b=UHzC7WUjTKLzjht8urVS53rYydK6SawgKsgghUo+mUOcHz5qYIZa0LFbToZVvIK7Cj xltXv8GF1QcqUBHctJuDoRL6sKKP+nUHAV3rWhtDYXcCAkG12lPHYwbmYMYoGd7tQz9e +xeO5f6aHd4dDAwcDZV/ddQ7PsW0IZPRNh1VI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711994723; x=1712599523; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8/3kV2Gn1VW4+IhydGoEuozmd+JCNeDuPexQpnF5k98=; b=FijemxKoKbidHhXpD071cZThuam0gC6vt+6cQxojVuhONHIanmLeKMBCxXIohKxZlv 7/an2DzJAIj73WRNvBGOdgFul1N27C8UW69F44TkKkpbVwbJXwbtg9eeMRVBrvGk5Ja4 P9CdYXiPFfuEEYIr37ysyixz8XpharaE7TFnXy0aU8d8iXmnvtxUrAgRzEy+6Xg+1Kl6 w0ZgU0FILfmejhaPDPDZTVOM39jEbC7wamwmtItxvwWP55eKnIYwe6eQ7SY4n1fML3OE qVRM8c4MN2eO1nqvxJzHdI/sU3lQbSpBu2kd86Tw4Gm0dJj4cCvmE4gm6oWy7JfezjI3 WO+Q==
X-Forwarded-Encrypted: i=1; AJvYcCW7RtE5Ey68ZzzDScV3NbvRZmmE+tHj5dYLfeC/yFDXwGpRbk/w3aSvcvSBBYfgfRo5dC5sNFnUliC7bW0Y8Q==
X-Gm-Message-State: AOJu0YwbOA2mB3Vg3yk+XkQK93mTmenHN+CyjTncjsuhYebhfUgs52JO WtSfbmRJ8rmqLDL07eOU87IzOosba5OxIX9ks0boSN1oCpBAPVG0DBOgc0wx5wKKsEFBogoRn6m 29BFjWMeYZ3vrJkVjitxr/NEiIPr1iZXBSeM5ig==
X-Google-Smtp-Source: AGHT+IEE1RJ9AOyOHvy8LQkWsqxMjsfXEAQoW923BxW/t89fzFaqgSSdC7egCBrKS8LtxM/nYDaFSaQAGHzKZi8T1Rk=
X-Received: by 2002:a17:906:6dc4:b0:a4e:5403:51c9 with SMTP id j4-20020a1709066dc400b00a4e540351c9mr3825705ejt.67.1711994723351; Mon, 01 Apr 2024 11:05:23 -0700 (PDT)
MIME-Version: 1.0
References: <171173986283.29677.15166968196717624638@ietfa.amsl.com> <03f601da8435$abd224e0$03766ea0$@elvis.ru>
In-Reply-To: <03f601da8435$abd224e0$03766ea0$@elvis.ru>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Mon, 01 Apr 2024 14:05:12 -0400
Message-ID: <CAGL5yWbur5rKfL4yoK5JqcBy1cTSUtcJW-3MWdnw-7yGF-pTTQ@mail.gmail.com>
To: Valery Smyslov <svan@elvis.ru>
Cc: Reese Enghardt <ietf@tenghardt.net>, gen-art@ietf.org, draft-ietf-ipsecme-ikev2-auth-announce.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005818b406150cd5da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/qEQuA-w2ISIC_0TWq9uCEKYeJKA>
Subject: Re: [IPsec] Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2024 18:05:30 -0000

On Mon, Apr 1, 2024 at 9:08 AM Valery Smyslov <svan@elvis.ru> wrote:

I've added the following sentence to the Introduction:
>
>    Since IKEv2 doesn't allow to use multiple
>    authentication methods and doesn't provide means for peers to
>    indicate to the other side which authentication methods they support,
>    it is possible that in these situations the peer which supports wider
>    range of authentication methods (or authentication token formats)
>    improperly selects the method (or format) which is not supported by
>    the other side.
>

I wouldn't phrase it like it, since if we are talking about the peers using
different authentication
methods (eg client EAPTLS and server X.509 cert) then there are "multiple
authentication methods".

Also, the server could have multiple configurations for the same peer so a
peer could come in using X509 or PSK.

I think the core case is that the peers cannot dictate the auth method the
peer must use. But this document allows
them to inform the peer or what they are going to allow? Although a bit
limited because in IKE_SA_INIT, one does
not have the peer's identity yet, and different peers might only be allowed
specific auth methods.

Paul

v2.23.0 | Report a Bug | By Email