Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Mon, 11 September 2017 22:12 UTC
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Derrell Piper <ddp@electric-loft.org>, "ipsec@ietf.org WG" <ipsec@ietf.org>
Date: Mon, 11 Sep 2017 22:12:55 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/yDTBehtQ-akd6Ys3YZv_sfmxRek>

Thank you Derrell. Getting to this a little late.

All your comments will be addressed in the next iteration. We will add some clarification text to clear up your points about rfc6023. About rfc6030 we will make clear that this is out of scope of this doc or IKE, but it will just be an informative reference.

Panos

-----Original Message-----
From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Derrell Piper
Sent: Friday, August 18, 2017 4:56 PM
To: ipsec@ietf.org WG <ipsec@ietf.org>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

Notes on draft-fluhrer-qr-ikev2-04, mostly nits:

pp. 1

"...pose a serious challenge to cryptography algorithms [deployed?] widely today."

pp. 2

"when might one be implemented" -> "when one might be implemented"

pp. 3

The Changes section wording confuses me. Does that mean, relative to the last draft? Or does it mean those were the changes in -03?

pp. 4

"...then it must check if has a..." -> "...if it has a..."

pp. 8

"Algorithm=urn:ietf:params:xml:ns:keyprov:pskc:pin"

RE: rfc6030, any chance we can not refer to an RFC with XML in it? I strongly object to XML. Does IKEv2 reference any XML? (sticks fingers in ears...)

pp. 9

RE: rfc6023 text

I would prefer text here that suggests exactly how to achieve post-quantum ID confidentiality. This is vague and that means people will implement it all over the map. I also don't think Child SAs should ever have been made mandatory, so referring to rfc6023 is fine.

Overall, I think this document should advance. This is nice and simple, more or less.

Derrell