IETF Logo Mail Archive

Re: [IPsec] AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04

Roman Danyliw <rdd@cert.org> Thu, 02 November 2023 18:38 UTC

Return-Path: <rdd@cert.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0E43C14CE47 for <ipsec@ietfa.amsl.com>; Thu, 2 Nov 2023 11:38:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25n2XDkIdE-y for <ipsec@ietfa.amsl.com>; Thu, 2 Nov 2023 11:38:25 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0120.outbound.protection.office365.us [23.103.209.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3332C14CEE3 for <ipsec@ietf.org>; Thu, 2 Nov 2023 11:38:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=HOwM2hEHjSWqajz0SUVFDbjRTA/9kWPHE1/ZRJGFilvJIOiuv7kNdw1Hv0Vw8mZgMCKF1G0MWth+SqPBJYtf+GeNoWxo/1eS+IJ1/u3E3sNBfBKdjlhmcmanCZUOINVPs4PigP0G70PVX+EmLxqBk0uzECek7L4QYwSCcw4mCYCkYWbd4uPt342qaQmiLkOdqN03EeDXYmTvvjw6eMMw1JzRkdfekNOGZZKh7srvM3onDcIhGKLlgP/NE89MSibD+fNKtVje/dmFYfndhQ+q4xxSiHtGJP2BCm+/tLhtLDF2KFhxW8ZSPyocviHXevwcrNGj5ElLYbz/PqhMfQ8Dww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=LatB4wZnkW7UHHmqB0JtHIQaEZiaRhi05jWpklEvLzk=; b=PK+TPnbhFB2H4WGU1Z5RcDXRVuuqfh1BTZSesWgRkSAo69EI/BJd/IxUjWQr0Y/98tGXUc3/+s4vDe8tjn+hoIuKGpnSCkWhoaE2faKTLWhaswR0C5LkzE6MJlo4wyjtYLcMPoZLh19yfrMwO+kj6Ln0bIP6oG+D1ssJYy387kTzPlQokKLYoc+Cn1FxGURdEMELbiwmst7nfI5NEkJ7ujOOgE6F0ZwFG24BuonmmuXsv4RUsam8YjDzHjdN3GodBvQUunyUzJh8yO5j0KGzLfr7ZpV0ObkYhiaXGthEnj8w0sIR8+l0mJIW/gZennPjIDi/kvWePJezQniCuEgB6g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LatB4wZnkW7UHHmqB0JtHIQaEZiaRhi05jWpklEvLzk=; b=d7LlVHCkCC8R8BaVUt8tACGg4h9bha/b/7p4s2pRC/O0LqQuC8+jNrgBF3GGj9oMGOZTJkYVUEufMl0X7YpgEKKcn2/LOcNHE1XPiU4oB9KrdvGdcHui+93/o3p7J412tUzdP88dpkqEfO3k8QYdmfxeMZfClEK6xZl1fo7vA6A=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1688.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17e::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.21; Thu, 2 Nov 2023 18:38:22 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::8428:6d10:2463:aebc]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::8428:6d10:2463:aebc%5]) with mapi id 15.20.6954.021; Thu, 2 Nov 2023 18:38:22 +0000
From: Roman Danyliw <rdd@cert.org>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04
Thread-Index: AdoHntxa3qOpV+b2SaSMghAtbAXj3gAhUrSAAWXmedA=
Date: Thu, 02 Nov 2023 18:38:22 +0000
Message-ID: <BN2P110MB1107DD52872E04B30A723C1EDCA6A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB11076E4C10617CF7810E96DEDCDEA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <068901da0824$27c5a4c0$7750ee40$@gmail.com>
In-Reply-To: <068901da0824$27c5a4c0$7750ee40$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1688:EE_
x-ms-office365-filtering-correlation-id: 8eed7ce2-68f0-4f5a-beee-08dbdbd2e44e
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Huq9BGDrE58YFSIhAKUsY2vmeJoKHZa/2rCSaYAGI9KafmCW+miP7g7glzO7wOS0uJU7gUU2B8L36MvpolBNZcxI4olyGWopdOM7AMEcdJ0GpLPJre38ALi/oewBV+iN23bN5TrWGEqlXgICYvbx+oUs84hvIlguVAZJtHcDFLx1lVU26nttk+K9BaWQhUPjjNNYUU5Jra7T+BSqrzEIAB4ktn/F0XAg2d0mBpumUsaWAfREVL8I3qVQziKnl1ZHS9hhC+2IyODM325GAqyHi3Bavg89vXxFvBH+cnjAPbCVV4mel6GyHuIJOBYqSQnOZW/EvxQO/yxrmrVl4yMFQ4lG9nVc4UHB/+VkACi7sWdKd3dOYmhZaCMnlgNpTqT1l/etShck/avPgEgmh7qmsQZRZb0x2U9MEv/DnhJ4SZIbcT6AWwaxgmJ021xLJ8RXOHt7gRO6/j670ca2xvj0GLPz/YIVVc93AlGFr4ISSWIKPYwmkUE1QBV/zGFgsmL/9KdMgakr4kt1qdQtNHG/ps/KGTi3dfTwpXg39CmpnQKOP/KMkY53+J9CSllaBXJHRh7Nqo6cxRrf55jqrKbODEjHpNUBjbeUoMn9w7+eRkNl/vbBtSl1C6DW3CeW/4A8
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(39830400003)(366004)(136003)(396003)(230922051799003)(186009)(1800799009)(64100799003)(451199024)(26005)(66574015)(38100700002)(64756008)(110136005)(76116006)(66476007)(66556008)(66946007)(66446008)(5660300002)(8936002)(8676002)(52536014)(53546011)(41300700001)(9686003)(71200400001)(2906002)(508600001)(6506007)(7696005)(86362001)(122000001)(33656002)(82960400001)(41320700001)(38070700009)(83380400001)(55016003); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: QaEQ1Z8/l6C9C1iaLuC5qfiGxKaIbv+oKena4J2gDYMOkXfl2Ww467AA808629TsBGSS8xdpG9Geca0TqecOgulIINsLtB/nZ8YFi6Qs1P4w+sVlEHuwVpTOTWUpoSaGkFav29qRAX47nGsFO/SRNvoHS19K5CZtIotHJE8j3IGPYjg0QQd3EI8Os8P8kUKXb9fbLpyQrcv/VsXasPmESoW62N+lOk9jGe1IqnhQAVCmbqXQA5LT4qMUwMRqIkiJ2bEYYnkWemLaWnMbRlss8IduDcrvzkwlcqepbgbSqczNhg57u51dkLCZnBVl2ZBTYWm1Q1C42d05aeVwFBWrUb1HaG46nGRJLcBix8HjaTRO1yAekaZ/nN7m3OY7KjT78bGU/o1cT3qX77wvOD/vnBYMz81sYAnK36P0cmqAWAI=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 8eed7ce2-68f0-4f5a-beee-08dbdbd2e44e
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2023 18:38:22.2823 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1688
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/vO2tHqibSTG2wWqM-m4Uzf2ocKA>
Subject: Re: [IPsec] AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Nov 2023 18:38:30 -0000

Hi Valery!

Thanks for -05.  Reducing the thread down to areas of discussion.

> -----Original Message-----
> From: Valery Smyslov <smyslov.ietf@gmail.com>
> Sent: Thursday, October 26, 2023 11:51 AM
> To: 'Roman Danyliw' <rdd@cert.org>; ipsec@ietf.org
> Subject: Re: [IPsec] AD Review of draft-ietf-ipsecme-ikev2-auth-announce-04

[snip]
 
> > ** Section 5.  Please add the Security Considerations of the specifically
> negotiated auth methods apply.
> 
> This is not a negotiation, this is announcement, just to help the other side to
> correctly choose among several possible methods. Since this is a hint,
> implementations may use it as other hints that are already available (e.g. CAs
> from CERTREQ). Thus I'm not sure what specifically should be added to the
> Security Considerations section. Do you have some proposed text?

I was looking primarily for a reminder that the different methods being suggested each have their own security considerations.  
 
> > ** Section 6.  The “Notify Message Types - Status Types” registry has
> > three fields.  Please formally say that this document should be the reference.
> 
> Done.
> 
> I also have off-the-list conversation with Daniel Van Geest, who made some
> good proposals, which I would also like to include in the draft if the WG agrees.
> 
> 1. Specify that auth announcements are included into the
> SUPPORTED_AUTH_METHODS notification
>     in the order of their preferences for the sender. This doesn't break anything
> (the receiver is free to ignore the order),
>     but might help it to make the best choice.
> 
> 2. Clarify that peers may send the SUPPORTED_AUTH_METHODS independently
> of whether it was received
>     (this is not a negotiation). This is what actually the draft says now, just stress
> this for clarification.
> 
> 3. Specify interaction with RFC 4739 (Multiple Authentication Exchanges in the
> Internet Key Exchange (IKEv2) Protocol).
>     In particular. allow sending multiple SUPPORTED_AUTH_METHODS
> notifications in a message
>     (also add a clarification that if multiple SUPPORTED_AUTH_METHODS
> notifications are included in a message
>      and the receiver doesn't know why, the all included announcements form a
> single list).

I see this proposed text is in -05.  

WG chairs: can you please check that this has consensus of the WG.

Thanks,
Roman

v2.23.0 | Report a Bug | By Email