Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02
Tobias Heider <heidert@nm.ifi.lmu.de> Thu, 21 March 2019 09:16 UTC
Return-Path: <heidert@nm.ifi.lmu.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 481361277CE for <ipsec@ietfa.amsl.com>; Thu, 21 Mar 2019 02:16:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RSdCyyRgt1r for <ipsec@ietfa.amsl.com>; Thu, 21 Mar 2019 02:16:05 -0700 (PDT)
Received: from acheron.ifi.lmu.de (acheron.ifi.lmu.de [IPv6:2001:4ca0:4000:1:129:187:214:135]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB2A2126C01 for <ipsec@ietf.org>; Thu, 21 Mar 2019 02:16:04 -0700 (PDT)
Received: from [192.168.17.134] (unknown [83.135.23.200]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: heidert) by acheron.ifi.lmu.de (Postfix) with ESMTPSA id C61D13683F0; Thu, 21 Mar 2019 10:16:02 +0100 (CET)
To: Valery Smyslov <smyslov.ietf@gmail.com>, 'Tobias Guggemos' <guggemos@nm.ifi.lmu.de>, 'Tero Kivinen' <kivinen@iki.fi>, ipsec@ietf.org
References: <23688.31062.426962.985107@fireball.acr.fi> <01c701d4da41$3c61f890$b525e9b0$@gmail.com> <6454f07af680410e918431971f3489f2@XCH-ALN-010.cisco.com> <001e01d4ddac$5502d770$ff088650$@nm.ifi.lmu.de> <059301d4de2d$faa5a000$eff0e000$@gmail.com> <000a01d4de79$31d3cc00$957b6400$@nm.ifi.lmu.de> <06b701d4deed$706f1310$514d3930$@gmail.com> <a1bc12d7-7c8c-cd12-f0fa-cb6bd9bb7265@cip.ifi.lmu.de> <077301d4dfbc$60031f10$20095d30$@gmail.com>
From: Tobias Heider <heidert@nm.ifi.lmu.de>
Message-ID: <2f35bfb4-1d83-fb5e-c686-76c34f1424a5@nm.ifi.lmu.de>
Date: Thu, 21 Mar 2019 10:16:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <077301d4dfbc$60031f10$20095d30$@gmail.com>
Content-Type: multipart/alternative; boundary="------------FD7A48888080A6985DA32EC7"
Content-Language: en-US-large
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/xomBrrPcoasxjEY7GXO3v5PGEds>
Subject: Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 09:16:09 -0000
>>>> If there is a chance that this is a potential thread (and I >>>> fear it'll be impossible to proof the opposite), my feeling is >>>> that the document should say that IKE_INTERMEDIATE MUST NOT be >>>> supported without the support of at least one document defining >>>> the payload. >>> That is implied. I can make this more explicit, by adding >>> something like that: >>> >>> Successful exchange of INTERMEDIATE_EXCHANGE_SUPPORTED >>> notification only confirms that both parties support >>> INTERMEDIATE exchange. It is not enough condition to start doing >>> INTERMEDIATE exchange. A separate documents that utilize this >>> exchange MUST define the conditions in which peers would do >>> INTERMEDIATE exchanges, the conditions for ending the sequence of >>> these exchanges and start IKE_AUTH, and the payloads these >>> exchanges should carry. >>> >>> Is it OK for you? >> I was wondering about what happens when multiple documents utilize >> the IKE_INTERMEDIATE exchange at the same time. Can two different >> documents utilize a single exchange of IKE_INTERMEDIATE messages, >> or must every document add an additional exchange of >> IKE_INTERMEDIATE messages? > > It's a good question. My idea is that each application document must > define this, as well as the order of INTERMEDIATE exchanges, if it > matters. So, I assume that by default each application will utilize > its own INTERMEDIATE , but some applications could benefit from > piggybacking. But this must be clearly described in corresponding > document In that case, wouldn't it be better to not have a single IKE_INTERMEDIATE exchange type ID but one for each document and use-case. That way an implementation could easily check the exchange type, check if the SA is in a state to accept this specific type of exchange, and then check if the exchange type and contained payloads match. IMO this would allow packet handling and parsing implementations a lot more robust and allow to filter corrupt/unexpected packets early. >> Currently the only "user" is the Hybrid PQKE draft which adds up >> to seven INTERMEDIATE exchanges before the IKE_AUTH, could i just >> define a draft that includes an additional payload in the first >> INTERMEDIATE exchange (not knowing whether Hybrid KE is used or >> not) or would i have to add an eighth INTERMEDIATE exchange? > > I think that corresponding application document must define this. > QSKE exchanges would most probably take place before any other > INTERMEDIATE exchange, since they update the keys and increase IKE SA > protection, but again, it must be defined in the application > documents. >> I couldn't find any info on this in the current draft and i feel >> like this is quite relevant for future users of the exchange. > > I don't think it must be defined in this draft. Instead, it must be > defined in the documents utilizing this exchange. Note, that these > documents will appear one by one, so every next published document > must have a section describing how this application of INTERMEDIATE > should deal with the already defined applications (whether it is OK > to combine payloads or not, what is the relative order etc.) Then we must be incredibly cautious that every document using IKE_INTERMEDIATE specifies explicitly what happens if other known users are used in conjunction, as well as what happens for every possible combination of other known users. If one document for example would specify to always be the first INTERMEDIATE exchange, it would block any following document from doing the same without losing compatibility, as there clearly can't be two first INTERMEDIATE exchanges. In that case, isn't the effort of having to explicitly specify every single case actually the same as if every of these documents would simply specify it's own exchange that takes place between IKE_SA_INIT and IKE_AUTH? What is the advantage of using INTERMEDIATE then, instead of just rolling your own solution? Regards, Tobias
- [IPsec] WG adoptation call for draft-smyslov-ipse… Tero Kivinen
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Panos Kampanakis (pkampana)
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos
- Re: [IPsec] WG adoptation call for draft-smyslov-… Paul Wouters
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Andreas Steffen
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Heider
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Paul Wouters
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Heider
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Heider
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Heider
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos