Re: [IPsec] Candidate charter text is now in wiki

David Schinazi <dschinazi@apple.com> Wed, 29 November 2017 03:47 UTC

From: David Schinazi <dschinazi@apple.com>
In-reply-to: <787AE7BB302AE849A7480A190F8B93300A07C37A@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
Date: Tue, 28 Nov 2017 19:47:47 -0800
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Message-id: <84472A32-CABA-4CFC-AA4D-BCAF070E9959@apple.com>
References: <23054.29098.665202.402605@fireball.acr.fi> <787AE7BB302AE849A7480A190F8B93300A07C37A@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
To: Tero Kivinen <kivinen@iki.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/qqFNsUfmuFg0ibfzS9SBwhbgnhU>
Subject: Re: [IPsec] Candidate charter text is now in wiki
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>

Hi Tero,

Here is proposed charter text for the "Mitigating privacy concerns" section:

IKEv2 is currently vulnerable to the following two privacy concerns:

1) It's not possible to run a server that obfuscates IKEv2/IPsec using TLS.
    Today, thanks to RFC 8229, it is possible to run an IKEv2/IPsec server on TCP port 443 with TLS.
    However, if a government agent tries to send an SA_INIT over that, it will discover that this server runs IKEv2/IPsec, and may blacklist it.
    We should add a mechanism to IKEv2 that allows the server to only respond to SA_INIT from known entities (e.g. that possess a shared secret).

2) The privacy of the initiator's identity in the presence of a man-in-the-middle attacker is not protected.
    Today, an attacker with full control of the network can receive the IDi/IDr sent by the initiator in the first AUTH packet.
    We should add a mechanism to IKEv2 that allows the initiator to only send IDi/IDr to known entities (e.g. that possess a shared secret).

Thanks,
David Schinazi

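As an added illustration (not part of David's message, the IPsecME charter, or any RFC), the Python below models the two proposed mechanisms as a single pre-shared-secret "knock" on IKE_SA_INIT, with both sides' messages. The IKE header, generic payload header, payload type numbers, exchange type and flag bits follow RFC 7296; everything else is an assumption made for the sketch: the KNOCK notify type (value 50000, picked from the private-use status range), the HMAC-SHA256 construction over SPIs and nonces, and the omission of the SA and KE payloads a real IKE_SA_INIT carries. The responder stays silent unless the request proves knowledge of the secret, and the initiator proceeds toward IKE_AUTH (where IDi/IDr would be sent) only if the response proves the same.

```python
"""Model of a shared-secret 'knock' gating IKE_SA_INIT (added example, not WG or RFC text).

Header and payload framing follow RFC 7296; NOTIFY_KNOCK, the MAC construction and the
absence of SA/KE payloads are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # SPIi, SPIr, next payload, version, exchange, flags, msg ID, length
PL_HDR = struct.Struct("!BBH")          # next payload, critical/reserved, payload length
NOTIFY_FIXED = struct.Struct("!BBH")    # protocol ID, SPI size, notify message type
EXCH_IKE_SA_INIT, VERSION_2_0 = 34, 0x20
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
PL_NONE, PL_NONCE, PL_NOTIFY = 0, 40, 41
NOTIFY_KNOCK = 50000                    # assumed: RFC 7296 private-use status type range is 40960-65535
MAC_LEN = 32


def _mac(secret: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a label and length-prefixed parts (no ambiguous concatenation)."""
    h = hmac.new(secret, label, hashlib.sha256)
    for p in parts:
        h.update(struct.pack("!H", len(p)) + p)
    return h.digest()


def _encode(spi_i: bytes, spi_r: bytes, flags: int, payloads) -> bytes:
    """Serialize [(type, body), ...] after an IKE header, chaining the next-payload fields."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PL_NONE
        body += PL_HDR.pack(nxt, 0, PL_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else PL_NONE
    return IKE_HDR.pack(spi_i, spi_r, first, VERSION_2_0, EXCH_IKE_SA_INIT, flags, 0,
                        IKE_HDR.size + len(body)) + body


def _decode(msg: bytes):
    """Return (spi_i, spi_r, flags, {type: body}); ValueError on malformed input. One payload per type."""
    if len(msg) < IKE_HDR.size:
        raise ValueError("short header")
    spi_i, spi_r, nxt, ver, exch, flags, _msgid, length = IKE_HDR.unpack_from(msg)
    if ver != VERSION_2_0 or exch != EXCH_IKE_SA_INIT or length != len(msg):
        raise ValueError("bad header")
    payloads, off = {}, IKE_HDR.size
    while nxt != PL_NONE:
        if off + PL_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        nnxt, _crit, plen = PL_HDR.unpack_from(msg, off)
        if plen < PL_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads[nxt] = msg[off + PL_HDR.size:off + plen]
        nxt, off = nnxt, off + plen
    return spi_i, spi_r, flags, payloads


def _notify(ntype: int, data: bytes) -> bytes:
    return NOTIFY_FIXED.pack(0, 0, ntype) + data


def _knock_from(payloads):
    """Extract the KNOCK notify data, or None if absent/malformed."""
    body = payloads.get(PL_NOTIFY)
    if body is None or len(body) < NOTIFY_FIXED.size:
        return None
    _proto, spi_size, ntype = NOTIFY_FIXED.unpack_from(body)
    return body[NOTIFY_FIXED.size + spi_size:] if ntype == NOTIFY_KNOCK else None


def initiator_sa_init(secret: bytes):
    """Initiator -> responder: nonce plus a knock bound to SPIi and Ni."""
    spi_i, ni = secrets.token_bytes(8), secrets.token_bytes(32)
    knock = _mac(secret, b"knock-init", spi_i, ni)
    msg = _encode(spi_i, bytes(8), FLAG_INITIATOR,
                  [(PL_NONCE, ni), (PL_NOTIFY, _notify(NOTIFY_KNOCK, knock))])
    return msg, {"spi_i": spi_i, "ni": ni}


def responder_handle(secret: bytes, msg: bytes):
    """Responder: answer only a valid knock; otherwise return None and send nothing (silent drop)."""
    try:
        spi_i, _, flags, payloads = _decode(msg)
    except ValueError:
        return None
    ni, knock = payloads.get(PL_NONCE), _knock_from(payloads)
    if not (flags & FLAG_INITIATOR) or ni is None or knock is None:
        return None
    if not hmac.compare_digest(knock, _mac(secret, b"knock-init", spi_i, ni)):
        return None
    spi_r, nr = secrets.token_bytes(8), secrets.token_bytes(32)
    proof = _mac(secret, b"knock-resp", spi_i, spi_r, ni, nr)   # binds both nonces and both SPIs
    return _encode(spi_i, spi_r, FLAG_RESPONSE,
                   [(PL_NONCE, nr), (PL_NOTIFY, _notify(NOTIFY_KNOCK, proof))])


def initiator_may_send_identity(secret: bytes, state: dict, resp) -> bool:
    """Initiator: build IKE_AUTH (carrying IDi/IDr) only if the responder proved it knows the secret."""
    if resp is None:
        return False
    try:
        spi_i, spi_r, flags, payloads = _decode(resp)
    except ValueError:
        return False
    nr, proof = payloads.get(PL_NONCE), _knock_from(payloads)
    if spi_i != state["spi_i"] or not (flags & FLAG_RESPONSE) or nr is None or proof is None:
        return False
    return hmac.compare_digest(proof, _mac(secret, b"knock-resp", spi_i, spi_r, state["ni"], nr))


def run_scenarios(secret: bytes = b"constructed-demo-secret"):
    """Returns (legit_ok, probe_answered, mitm_gets_identity) for three constructed exchanges."""
    msg, st = initiator_sa_init(secret)                     # 1. client and server share the secret
    legit_ok = initiator_may_send_identity(secret, st, responder_handle(secret, msg))
    plain = _encode(secrets.token_bytes(8), bytes(8), FLAG_INITIATOR,   # 2. scanner: nonce, no knock
                    [(PL_NONCE, secrets.token_bytes(32))])
    probe_answered = responder_handle(secret, plain) is not None
    msg, st = initiator_sa_init(secret)                     # 3. MitM answers the client's request itself
    spi_i, _, _, _ = _decode(msg)
    forged = _encode(spi_i, secrets.token_bytes(8), FLAG_RESPONSE,
                     [(PL_NONCE, secrets.token_bytes(32)),
                      (PL_NOTIFY, _notify(NOTIFY_KNOCK, secrets.token_bytes(MAC_LEN)))])
    return legit_ok, probe_answered, initiator_may_send_identity(secret, st, forged)


if __name__ == "__main__":
    print(run_scenarios())
```

Two design points carry over to any real mechanism of this kind: the MAC checks use a constant-time comparison, and every rejection path returns None rather than an error notify, so a scanner without the secret sees exactly what it would see from a host not running IKE. The model also shows a limitation a practitioner should weigh: the initiator's knock as constructed here is replayable, so an attacker who recorded a legitimate client's first packet can still elicit a response; binding a timestamp or counter into the knock would narrow that window.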

> On Nov 16, 2017, at 22:35, mohamed.boucadair@orange.com wrote:
> 
> Dear Tero,
> 
> It seems that you missed this text for the address failure codes (Nov 13): 
> https://www.ietf.org/mail-archive/web/ipsec/current/msg11724.html   
> 
> I'm resending it fwiw:
> 
>   RFC7296 defines a generic notification code that is related to a
>   failure to handle an internal address failure.  That code does not
>   explicitly allow an initiator to determine why a given address family
>   is not assigned, nor whether it should try using another address
>   family.  The Working Group will specify a set of more specific
>   notification codes that will provide sufficient information to the
>   IKEv2 initiator about the encountered failure.
> 
> Cheers,
> Med
> 
>> -----Original Message-----
>> From: IPsec [mailto:ipsec-bounces@ietf.org] On behalf of Tero Kivinen
>> Sent: Friday, 17 November 2017 06:21
>> To: ipsec@ietf.org
>> Subject: [IPsec] Candidate charter text is now in wiki
>> 
>> I put the candidate charter text to the wiki. This includes the
>> changes in the first two paragraphs, removes items already done, and
>> list of new items. I have not yet added the items that came too late
>> to have charter text bashed in the meeting to the wiki.
>> 
>> For those items which do not have text yet, it would be a good idea if
>> those people could send new proposed text to the list so we could bash
>> those at the same time as we go and check the other pieces.
>> 
>> So read that candidate charter text and comment on it on the list.
>> 
>> Wiki address is https://trac.ietf.org/trac/ipsecme/wiki/recharter2017
>> --
>> kivinen@iki.fi
>> 
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec