Re: [IPsec] draft-pwouters-ipsecme-child-pfs-info

Tobias Heider <tobias.heider@stusta.de> Mon, 04 March 2024 21:15 UTC

Date: Mon, 04 Mar 2024 22:12:12 +0100
From: Tobias Heider <tobias.heider@stusta.de>
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-ID: <ZeY5LGlOsdF9UIaC@shodan.l0w.de>
References: <d77c6e3d-4eae-a616-8216-61190c46dc69@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/tYn1cMSiSllVeDssoqmt6Ck_7aY>

On Sun, Mar 03, 2024 at 09:14:57PM -0500, Paul Wouters wrote:
> 
> I agreed to write up a draft to discuss the issue regarding rekeying
> the initial Child SA and KE/PFS settings.
> 
> Previous discussion/presentation at IETF118:  https://datatracker.ietf.org/meeting/118/materials/slides-118-ipsecme-ikev2-dhke-interop-issues-00
> 
> Initial proposed draft: https://datatracker.ietf.org/doc/draft-pwouters-ipsecme-child-pfs-info/
> 
> Please let me know what I got wrong :)
> 
> Paul

Thanks! This is definitely one of the major pain points for users when it
breaks their setup after they thought they just got everything working.

I'll see if I can add an OpenIKED implementation.

If I remember correctly, one thing we currently do to reduce the pain is
always accepting the IKE DH for the Child DH as responder, which catches
at least some misconfigurations (at the cost of being a little more
permissive in the worst case).
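Added example, my own small model of the responder-side rule Tobias describes above (not OpenIKED's or the draft's code): a responder handling a CREATE_CHILD_SA rekey either checks the initiator's KE group only against its Child SA policy, or additionally accepts the group the IKE SA was negotiated with. The group numbers are IANA IKEv2 DH group identifiers; the policy lists and the two-peer rekey scenario are constructed for the demonstration.

```python
# IANA IKEv2 Transform Type 4 (Diffie-Hellman group) identifiers used below.
MODP_2048 = 14
ECP_256 = 19
CURVE25519 = 31

INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"


def responder_child_ke(proposed_group, child_groups, ike_sa_group, accept_ike_group=False):
    """Responder decision for the KE payload in a CREATE_CHILD_SA rekey.

    proposed_group:   DH group of the KE payload the initiator sent
    child_groups:     groups the responder's Child SA policy allows, most preferred first
    ike_sa_group:     group negotiated for the IKE SA protecting this exchange
    accept_ike_group: also accept ike_sa_group (the OpenIKED mitigation from the post)
    Returns ("ok", group) or (INVALID_KE_PAYLOAD, group the responder wants instead).
    """
    acceptable = list(child_groups)
    if accept_ike_group and ike_sa_group not in acceptable:
        acceptable.append(ike_sa_group)  # fallback only, never preferred over policy
    if proposed_group in acceptable:
        return ("ok", proposed_group)
    # RFC 7296: a rejected KE group is answered with INVALID_KE_PAYLOAD
    # carrying the group the responder would accept.
    return (INVALID_KE_PAYLOAD, acceptable[0])


def rekey_outcome(initiator_child_groups, responder_child_groups, ike_sa_group,
                  accept_ike_group=False):
    """Initiator's view of the rekey: propose its preferred group, retry once with
    the group the responder suggests, and give up if that group is outside its own
    policy (the 'it worked until the first rekey' failure the thread is about)."""
    proposed = initiator_child_groups[0]
    status, group = responder_child_ke(proposed, responder_child_groups,
                                       ike_sa_group, accept_ike_group)
    if status == "ok":
        return ("ok", group)
    if group in initiator_child_groups:
        return responder_child_ke(group, responder_child_groups,
                                  ike_sa_group, accept_ike_group)
    return ("failed", group)


if __name__ == "__main__":
    # Constructed scenario: IKE SA on MODP-2048, initiator reuses that group for the
    # Child SA, responder's Child policy only lists ECP-256.
    print(rekey_outcome([MODP_2048], [ECP_256], MODP_2048))
    print(rekey_outcome([MODP_2048], [ECP_256], MODP_2048, accept_ike_group=True))
```

The strict responder turns the mismatch into a failed rekey, while the permissive one completes it with the IKE SA's group, at the cost of accepting a group the Child SA policy did not list.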
