Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)
"Valery Smyslov" <smyslov.ietf@gmail.com> Wed, 26 February 2020 14:03 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71F9D3A03FC; Wed, 26 Feb 2020 06:03:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.586
X-Spam-Level:
X-Spam-Status: No, score=-0.586 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYg7lVLK0YBM; Wed, 26 Feb 2020 06:03:33 -0800 (PST)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B82B73A044A; Wed, 26 Feb 2020 06:03:17 -0800 (PST)
Received: by mail-wm1-x330.google.com with SMTP id t23so3205569wmi.1; Wed, 26 Feb 2020 06:03:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=2Wy9WzkZcjdlym76a+sSu2mA+ElwTOakTIhRH4zxSqc=; b=vdvyZNK4kRsjbxrBug6pTTznaEfWfAvc2EWnFj3DxgD5Nm+kLtlBoRIophnHr5SaOK pmGHOF8bwSLDZu47JDJM95/Hvq1PSefeTdlbEu07ocyEJ4ZRK4FuiunUoAkaL094+NoD DLzvixBG6+wAwh0k34K8C/OSTfHAv4VO7DDL0dxFjVROP+r3zlg8AZJ9D7APUkVXWcBr yCSQUfikQcaRdnsTpdGlObRMI89qMT30dDBOj5KhHqQ9pekudQWuL1mjOfUynpxtbJzk qp5MhuD7igEalTUZBjYi1nzjsnRBUwOmQE95CDweyqDtXSkK4/1BC6NF4Z3wsKLr1EaC R0VQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=2Wy9WzkZcjdlym76a+sSu2mA+ElwTOakTIhRH4zxSqc=; b=MjMAEFkAAI33qQxdh+g3QQ5eBM9xrJp2aRnamUNIy8pkleG91tia0ry60E3lJAmRDP oxhFeWbCTahDjq+Dc/u51XRtMRjm+UkKj1EV3t6cGaZERbD3afBaBwiLWUm6tVAg1DIU XTlb16zQtX7YQbqC9Cr2p71fnNX8jUxKyqO7hsJYuDLL0vipKB1dbZpC/L2SYaBgSwXN Bg/kxhnntLbV/0Rz+17e2jHymuIB2tPwvVIfZfJPPs0wHBxUHdHNxobgyGg7QxtyqBnt W6Lzsju3BwIn/PVLiUW+sijgDovPhdPU/rDmNGUW31id4EHwQmtzlQW3jjGNLUErHKMJ QrYg==
X-Gm-Message-State: APjAAAXGp9Q29KPjrIQr0J0C0q8xW7s6EXPJXaY350pDMjSayQ+QBoRe TjdA+C2I42nhgC0gJ2ma+4/S2gKR
X-Google-Smtp-Source: APXvYqyOMP6rFSam3+gFOVtupoPg66tL0wdJ60GDiF62d/U6QxguueL0PqOYt58BcslqHQijxtj0SQ==
X-Received: by 2002:a7b:c119:: with SMTP id w25mr5974423wmi.112.1582725788120; Wed, 26 Feb 2020 06:03:08 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id y7sm7920220wmd.1.2020.02.26.06.03.06 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 26 Feb 2020 06:03:06 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Yoav Nir' <ynir.ietf@gmail.com>, 'Toerless Eckert' <tte@cs.fau.de>
Cc: ipsec@ietf.org, 'Michael Richardson' <mcr+ietf@sandelman.ca>, draft-ietf-anima-autonomic-control-plane@ietf.org
References: <20200224195013.GA3878@faui48f.informatik.uni-erlangen.de> <7EDA9264-8007-4221-9A0D-D967C9AD8BD9@gmail.com>
In-Reply-To: <7EDA9264-8007-4221-9A0D-D967C9AD8BD9@gmail.com>
Date: Wed, 26 Feb 2020 17:03:08 +0300
Message-ID: <0b8001d5ecad$79ce7ad0$6d6b7070$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0B81_01D5ECC6.9F1D3970"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMQRTEh8jiXoowGsPdFJKCFNOl05wMD9EZlpaCl+NA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/yXZYeQ7yFDynfDErWoYNX-hgvts>
Subject: Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 14:03:42 -0000
Hi, a couple of comments. I think that the profile is generally OK, but it seems to me that a few issues persist. 1. The Certificate Encoding "PKCS #7 wrapped X.509 certificate" (1) MUST be supported. See [IKEV2IANA] for this and other IANA IKEv2 parameter names used in this text. “PKCS #7 wrapped X.509 certificate” certificate encoding is deprecated and is not used in IKEv2 (see https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-11). Generally, I see no need for the text that imposes requirements on certificate encoding at all – we never run into the interoperability problems with this? as far as I remember. I suggest to remove this text. 2. If certificate chains are used, all intermediate certificates up to, and including the locally provisioned trust anchor certificate MUST be signaled. See Section 6.10.7 for the sub-CA example in which certificate chains are used. This is confusing. I read this text as the “MUST” is imposed only if “certificate chains are used”. Does it mean that implementations may skip this “MUST” if EE certificate is directly signed by CA certificate and there is no intermediate certificates? Or is it still a chain and “if” is relevant to the case when there is no CA and there is a direct trust to EE certificates (in which case PKI is not needed at all and you can use RAW public keys)? Another point: trust anchors certificates usually are not included in CERT payload in IKEv2. I see draft’s a reasoning that this inclusion would allow better network debugging, but I’m not sure I can buy this argument. Probably more detailed explanation is needed. 3. IKEv2 authentication MUST use authentication method 14 ("Digital Signature") for ACP certificates; this authentication method can be used with both RSA and ECDSA certificates, as indicated by a PKIX- style OID. I think it’s better to rephrase this more accurately: “indicated by an ASN.1 object AlgorithmIdentifier” (which may include parameters besides OID). A typo in the title of 6.7.1.1.2.: s/RFC847/RFC8247 Regards, Valery. From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Yoav Nir Sent: Tuesday, February 25, 2020 11:18 PM To: Toerless Eckert Cc: ipsec@ietf.org WG; Michael Richardson; draft-ietf-anima-autonomic-control-plane@ietf.org Subject: Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane) Hi, Toerless. I trimmed below most of your background info. On 24 Feb 2020, at 21:50, Toerless Eckert <tte@cs.fau.de> wrote: [hope its fine to cross-post ipsec and ipsecme given how one is concluded, but may have more long-time subscribers] ipsec is this group’s mailing list. I don’t know that there even is an ipsecme@ietf.org We're looking for opinions about an IPsec profile for "Autonomic Control Plane" draft-ietf-anima-autonomic-control-plane, or specifically 6.7.1.1.1 of: https://raw.githubusercontent.com/anima-wg/autonomic-control-plane/be056679b9c9cac8c2d664958a3b91585b010a83/draft-ietf-anima-autonomic-control-plane/draft-ietf-anima-autonomic-control-plane.txt Quick background so you do not need to read anything more than 6.7.1.1.1: I read a little more. Hope you don’t mind. The profile seems fine to me. There is one thing that I think is missing. The profile specifies that the ACP nodes should use tunnel mode (when GRE is not used), because: IPsec tunnel mode is required because the ACP will route/forward packets received from any other ACP node across the ACP secure channels, and not only its own generated ACP packets. With IPsec transport mode, it would only be possible to send packets originated by the ACP node itself. OK. When IKEv2 is used to negotiate tunnel-mode SAs (and transport mode, but that’s not important here) they need an IPsec policy that specifies traffic selectors so that IKEv2 can specify traffic selectors. Nowhere in your draft do I see a specification of what traffic selectors need to be negotiated. If I understand the above paragraph correctly, both the source of the packet and the destination can be the IP address of any ACP node, neither of which are required to be the tunnel endpoints. This implies some sort of generic traffic selector. The draft should specify this, IMO Yoav
- [IPsec] IPsec profile feedback wanted (draft auto… Toerless Eckert
- Re: [IPsec] IPsec profile feedback wanted (draft … Yoav Nir
- Re: [IPsec] IPsec profile feedback wanted (draft … Toerless Eckert
- Re: [IPsec] IPsec profile feedback wanted (draft … Michael Richardson
- Re: [IPsec] IPsec profile feedback wanted (draft … Toerless Eckert
- Re: [IPsec] IPsec profile feedback wanted (draft … Michael Richardson
- Re: [IPsec] IPsec profile feedback wanted (draft … Yoav Nir
- Re: [IPsec] IPsec profile feedback wanted (draft … Valery Smyslov
- Re: [IPsec] IPsec profile feedback wanted (draft … Paul Wouters
- Re: [IPsec] IPsec profile feedback wanted (draft … Michael Richardson
- Re: [IPsec] IPsec profile feedback wanted (draft … Paul Wouters
- Re: [IPsec] IPsec profile feedback wanted (draft … Michael Richardson
- Re: [IPsec] IPsec profile feedback wanted (draft … Yoav Nir
- Re: [IPsec] IPsec profile feedback wanted (draft … Valery Smyslov
- Re: [IPsec] IPsec profile feedback wanted (draft … 'Toerless Eckert'
- Re: [IPsec] IPsec profile feedback wanted (draft … Valery Smyslov
- Re: [IPsec] IPsec profile feedback wanted (draft … Toerless Eckert
- Re: [IPsec] IPsec profile feedback wanted (draft … Paul Wouters
- Re: [IPsec] IPsec profile feedback wanted (draft … Toerless Eckert
- Re: [IPsec] IPsec profile feedback wanted (draft … Paul Wouters
- Re: [IPsec] IPsec profile feedback wanted (draft … Toerless Eckert
- Re: [IPsec] IPsec profile feedback wanted (draft … Paul Wouters
- Re: [IPsec] IPsec profile feedback wanted (draft … Toerless Eckert
- Re: [IPsec] IPsec profile feedback wanted (draft … Michael Richardson
- Re: [IPsec] IPsec profile feedback wanted (draft … Michael Richardson
- Re: [IPsec] IPsec profile feedback wanted (draft … Paul Wouters
- Re: [IPsec] IPsec profile feedback wanted (draft … Toerless Eckert
- Re: [IPsec] IPsec profile feedback wanted (draft … Tero Kivinen
- Re: [IPsec] IPsec profile feedback wanted (draft … Yoav Nir
- Re: [IPsec] IPsec profile feedback wanted (draft … Michael Richardson
- Re: [IPsec] IPsec profile feedback wanted (draft … Toerless Eckert
- [IPsec] Interop with microsoft CA (was: IPsec pro… 'Toerless Eckert'
- Re: [IPsec] Interop with microsoft CA (was: IPsec… Paul Wouters
- Re: [IPsec] IPsec profile feedback wanted (draft … Valery Smyslov
- [IPsec] Troubleshooting IPsec peer certs (was: Re… 'Toerless Eckert'
- Re: [IPsec] Troubleshooting IPsec peer certs (was… Paul Wouters
- Re: [IPsec] Troubleshooting IPsec peer certs (was… 'Toerless Eckert'
- Re: [IPsec] Troubleshooting IPsec peer certs (was… Michael Richardson
- Re: [IPsec] IPsec profile feedback wanted (draft … 'Toerless Eckert'
- Re: [IPsec] IPsec profile feedback wanted (draft … Paul Wouters
- Re: [IPsec] IPsec profile feedback wanted (draft … Benjamin Kaduk
- Re: [IPsec] IPsec profile feedback wanted (draft … Toerless Eckert
- Re: [IPsec] IPsec profile feedback wanted (draft … Valery Smyslov
- Re: [IPsec] IPsec profile feedback wanted (draft … Valery Smyslov
- Re: [IPsec] IPsec profile feedback wanted (draft … 'Toerless Eckert'
- Re: [IPsec] IPsec profile feedback wanted (draft … 'Toerless Eckert'
- Re: [IPsec] IPsec profile feedback wanted (draft … Valery Smyslov
- Re: [IPsec] Troubleshooting IPsec peer certs (was… Tero Kivinen
- Re: [IPsec] IPsec profile feedback wanted (draft … Tero Kivinen
- Re: [IPsec] Troubleshooting IPsec peer certs (was… 'Toerless Eckert'
- Re: [IPsec] Troubleshooting IPsec peer certs (was… Tero Kivinen
- Re: [IPsec] Troubleshooting IPsec peer certs (was… 'Toerless Eckert'
- Re: [IPsec] Troubleshooting IPsec peer certs (was… Tero Kivinen
- Re: [IPsec] Troubleshooting IPsec peer certs (was… Michael Richardson
- Re: [IPsec] Troubleshooting IPsec peer certs (was… Tero Kivinen
- Re: [IPsec] Troubleshooting IPsec peer certs (was… Michael Richardson
- [IPsec] Tero: Re: Troubleshooting IPsec peer cert… Toerless Eckert