Re: [IPsec] draft-smyslov-ipsecme-ikev2-null-auth-01

"Valery Smyslov" <svanru@gmail.com> Thu, 05 June 2014 13:36 UTC

Message-ID: <A300E68E84B24E7CA90488750722CC9B@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>
References: <alpine.LFD.2.10.1406040952110.23900@bofh.nohats.ca> <6B4DF0DF50834023A731B29091A790F2@buildpc> <20615.1401898830@sandelman.ca> <alpine.LFD.2.10.1406041246400.23900@bofh.nohats.ca> <2862.1401912208@sandelman.ca> <78E351CE-8058-4529-8973-72963A10536C@gmail.com>
Date: Thu, 05 Jun 2014 17:36:42 +0400
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/rpunzce4jzVOD9pVtE9HYx1yMxc
Cc: ipsec@ietf.org
Subject: Re: [IPsec] draft-smyslov-ipsecme-ikev2-null-auth-01

Hi Yoav,

> >> AUTH_ANON ? Although I think AUTH_NONE is more in line with how we name
> >> things.
> >
> > I don't agree that it is anonymous.  It says that the identity was not
> > authenticated, it didn't say that no identity was provided.
>
> Section 2.2 says that “As peer identity is meaningless in this case,
> Identification Data SHOULD be omited from ID Payload” ([1]), and even if
> sent, it MUST be ignored by IKE. So it’s really not provided.

True.

> > Clearly: the identity can't be trusted and can't be used in any way.
> > So, given that, how does one look up acceptable TSx in the PAD?
>
> That’s a good question. What prevents a random attacker from sending a TSr
> covering IP address 8.8.8.8 and getting a whole bunch of DNS queries? That’s
> easier than bugging the ISP or breaking the wifi password.

I think it depends on the use case. If an unauthenticated peer performs remote
access to a RAS, then the server will most likely assign him/her an IP address
from internal space, and the situation you have described won't happen. And if
the peer didn't request the address, the server should probably reject the
connection.

> Yoav
>
> [1] sic - “omitted” should have two t's

Thanks, fixed.

Regards,
Valery.
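As an added illustration of the responder-side handling Valery describes (example code, not from the draft or from any IKE implementation): a NULL-authenticated remote-access peer is only accepted if it requested an internal address, and its traffic selector is narrowed to exactly the address the server assigned. The function names, the 10.99.0.0/24 pool and the sample selectors are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed internal address pool handed out via CFG_REPLY (not from the page).
INTERNAL_POOL = ipaddress.ip_network("10.99.0.0/24")


def assign_internal_address(pool, in_use: set) -> Optional[ipaddress.IPv4Address]:
    """Return the first free host address in the pool, or None when exhausted."""
    for host in pool.hosts():
        if host not in in_use:
            return host
    return None


def narrow_null_auth_ts(requested_internal_ip: bool,
                        assigned_addr: Optional[ipaddress.IPv4Address],
                        peer_ts: list) -> tuple:
    """
    Policy check (hypothetical helper) for the peer-side traffic selectors of a
    peer that authenticated with the NULL method.

    Because the peer's identity is unverified it must not be allowed to claim
    arbitrary address ranges (e.g. a selector covering 8.8.8.8).  The responder
    therefore accepts only if the peer asked for an internal address, an address
    was assigned, and at least one proposed selector can be narrowed down to
    that single address.  Returns ("accept", [narrowed_ts]) or ("reject", why).
    """
    if not requested_internal_ip:
        return ("reject", "NULL-auth peer did not request INTERNAL_IP4_ADDRESS")
    if assigned_addr is None:
        return ("reject", "no internal address could be assigned")
    assigned = ipaddress.ip_network(f"{assigned_addr}/32")
    for ts in peer_ts:
        net = ipaddress.ip_network(ts, strict=False)
        if net.version != assigned.version:
            continue  # mixed IPv4/IPv6 selectors cannot be compared
        if assigned.subnet_of(net):
            return ("accept", [str(assigned)])  # narrow to the assigned /32
    return ("reject", "peer TS does not cover its assigned internal address")


if __name__ == "__main__":
    addr = assign_internal_address(INTERNAL_POOL, set())
    print(narrow_null_auth_ts(True, addr, ["0.0.0.0/0"]))   # accept, narrowed
    print(narrow_null_auth_ts(True, addr, ["8.8.8.8/32"]))  # reject
    print(narrow_null_auth_ts(False, addr, ["0.0.0.0/0"]))  # reject
```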