Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt-01 update

Tero Kivinen <kivinen@iki.fi> Mon, 24 July 2023 15:31 UTC

Message-ID: <25790.39211.656098.702869@fireball.acr.fi>
Date: Mon, 24 Jul 2023 18:30:51 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Tobias Brunner <tobias@strongswan.org>
Cc: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <f6d53207-5895-8e27-a4fa-678fb1913621@strongswan.org>
References: <85a82884-feb3-48a7-5d43-509d7ee7fddb@nohats.ca> <e16c2b8e-a33f-4c36-e2df-94eab2cd9a2f@strongswan.org> <718511a9-a593-d832-dff7-669d5c3b9e7b@nohats.ca> <f6d53207-5895-8e27-a4fa-678fb1913621@strongswan.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/vLXHrrAViZ9C0XcqqnUE5BFoR-c>
Subject: Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt-01 update

Tobias Brunner writes:
> It already states in section 3:  "Non-optimized, regular rekey requests
> MUST always be accepted."
...
> So you're saying some configs, that are valid for regular IKEv2, will
> just not work with this extension?  And we'll only know once there is

Combining those two, I think this is fine. I.e., this is an optimization
and it does NOT NEED to optimize every single possible configuration.
We can clearly state that if you are using certain configurations you
can't use this optimization, and have to fall back to normal rekey.

For example, we could say that if you are negotiating multiple
protocols (AH + ESP or ESP + IPCOMP), or if you are using anything
other than one single KE algorithm for create child sa, you need to use
regular rekey.

> The only way to avoid that would be the extension either making
> childless IKE SAs mandatory, or strictly prohibiting inconsistent KE
> configs between IKE and Child SAs, taking away quite a bit of
> flexibility IKEv2 offers.

You do not need to make childless IKE SAs mandatory, you simply need to
do the first rekey after initial SA creation using a normal rekey, and if
that normal rekey has SA/KE payloads that are acceptable for the
optimized rekey in the future, then you can use optimized rekeys in
the future.
-- 
kivinen@iki.fi
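The fallback policy sketched in the message above (regular rekeys are always accepted; the first rekey after initial SA creation is a regular one; optimized rekeys are used afterwards only if the negotiated SA/KE payloads qualify), modelled as an added example. This is constructed here and is not the draft's wire format nor code from any implementation; the class and function names are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the rekey policy discussed above. The eligibility
# rule (one protocol, one KE algorithm) is the example given in the mail;
# everything else here is an assumption used for illustration.

@dataclass
class NegotiatedChild:
    protocols: tuple        # e.g. ("ESP",) or ("AH", "ESP")
    ke_algorithms: tuple    # KE transforms agreed for the Child SA

@dataclass
class ChildSaState:
    negotiated: NegotiatedChild
    rekeys_done: int = 0
    optimized_allowed: bool = False

def eligible_for_optimized_rekey(neg: NegotiatedChild) -> bool:
    """Optimized rekey only for a single protocol with a single KE algorithm."""
    return len(neg.protocols) == 1 and len(neg.ke_algorithms) == 1

def choose_rekey_kind(state: ChildSaState) -> str:
    """Initiator side: the first rekey after SA creation is always regular."""
    if state.rekeys_done == 0 or not state.optimized_allowed:
        return "regular"
    return "optimized"

def responder_accepts(kind: str, state: ChildSaState) -> bool:
    """Responder side: regular rekeys MUST always be accepted."""
    if kind == "regular":
        return True
    return eligible_for_optimized_rekey(state.negotiated)

def perform_rekey(state: ChildSaState) -> str:
    """Run one rekey round and record what it tells us about future rounds."""
    kind = choose_rekey_kind(state)
    if not responder_accepts(kind, state):
        raise RuntimeError("responder rejected an optimized rekey; fall back to regular")
    state.rekeys_done += 1
    if kind == "regular":
        # The regular rekey's SA/KE payloads show whether later rekeys may be optimized.
        state.optimized_allowed = eligible_for_optimized_rekey(state.negotiated)
    return kind

def rekey_sequence(neg: NegotiatedChild, rounds: int) -> list:
    """Kinds of rekey used over `rounds` consecutive rekeys of one Child SA."""
    state = ChildSaState(neg)
    return [perform_rekey(state) for _ in range(rounds)]
```

A single-protocol, single-KE Child SA yields one regular rekey followed by optimized ones; AH + ESP or multiple KE algorithms stay on regular rekeys throughout.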