[IPsec] IPSECKEY algorithm number oddity (and draft-kivinen-ipsecme-oob-pubkey)
Tero Kivinen <kivinen@iki.fi> Tue, 31 March 2015 10:05 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5267B1A8A27 for <ipsec@ietfa.amsl.com>; Tue, 31 Mar 2015 03:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.768
X-Spam-Level:
X-Spam-Status: No, score=0.768 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kCI53cWd4wPh for <ipsec@ietfa.amsl.com>; Tue, 31 Mar 2015 03:05:03 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01F9F1A8A11 for <ipsec@ietf.org>; Tue, 31 Mar 2015 03:05:01 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t2VA4tCb005855 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 31 Mar 2015 13:04:55 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t2VA4sln002035; Tue, 31 Mar 2015 13:04:54 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21786.28998.830814.421934@fireball.kivinen.iki.fi>
Date: Tue, 31 Mar 2015 13:04:54 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1503092223260.27452@bofh.nohats.ca>
References: <alpine.LFD.2.10.1503092223260.27452@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 10 min
X-Total-Time: 43 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/vB6xtrnbM1bVBLfJC_yBv3iUvMs>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Subject: [IPsec] IPSECKEY algorithm number oddity (and draft-kivinen-ipsecme-oob-pubkey)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2015 10:05:05 -0000
Paul Wouters writes: > I was looking at the interaction of draft-kivinen-ipsecme-oob-pubkey and > IPSECKEY, since IPSECKEY has an algorithm number but oob-pubkey uses the > SubjectPublicKeyInfo that encodes the algorithm in the SPKI value > itself. I am missing what is the issue here. When you get public key inside the IKEv2 in raw form, you extract the key from there (i.e. decode the ASN.1 and get the key out in internal public key representation). Then you fetch the key from IPSECKEY records and do the same, i.e. again parse the key from DNS record to the internal public key representation. Now you have two public keys, and after that you simply compare them, and thats it. If they match you know that the key used in IKE is same than in DNS. Another use is that you fetch the public key for the other end directly from the IPSECKEY DNS records, and use it, i.e. you ignore the key other end sends to you. > So first, if we were to fix this for IPSECKEY (and I'm not yet > convinced we are there yet, as we might end up with updating > IPSECKEY due to other issues we'll find over the next few months) we > might consider allocating a special algorithm number to signify this > in the IKE Authentication Method registry at > > http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-12 > > For instance, 255 :) The keys in IPSECKEY are either DSA or RSA keys, and you can use those in authentication either by using RSA(1), DSA(3) or Digital Signature (14) methods. I do not think we need separate authentication method for it. > Then I noticed that in fact the registry is a two octet value, while in > the IPSECKEY record this is a one octet value: > > https://tools.ietf.org/html/rfc4025#section-2.1 > > That's clearly a bug. Is it worth filing an ERRATA for this or should we > wait and see if we will replace IPSECKEY anyway? Which registry is two octet value? Now I am really confused... -- kivinen@iki.fi
- Re: [IPsec] IPSECKEY algorithm number oddity (and… Michael Richardson
- Re: [IPsec] IPSECKEY algorithm number oddity (and… Paul Wouters
- Re: [IPsec] IPSECKEY algorithm number oddity (and… Michael Richardson
- [IPsec] IPSECKEY algorithm number oddity (and dra… Tero Kivinen
- Re: [IPsec] IPSECKEY algorithm number oddity (and… Paul Wouters
- Re: [IPsec] IPSECKEY algorithm number oddity (and… Tero Kivinen
- [IPsec] IPSECKEY algorithm number oddity (and dra… Paul Wouters