IETF Logo Mail Archive

Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)

"Valery Smyslov" <smyslov.ietf@gmail.com> Wed, 26 February 2020 14:03 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71F9D3A03FC; Wed, 26 Feb 2020 06:03:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.586
X-Spam-Level:
X-Spam-Status: No, score=-0.586 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYg7lVLK0YBM; Wed, 26 Feb 2020 06:03:33 -0800 (PST)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B82B73A044A; Wed, 26 Feb 2020 06:03:17 -0800 (PST)
Received: by mail-wm1-x330.google.com with SMTP id t23so3205569wmi.1; Wed, 26 Feb 2020 06:03:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=2Wy9WzkZcjdlym76a+sSu2mA+ElwTOakTIhRH4zxSqc=; b=vdvyZNK4kRsjbxrBug6pTTznaEfWfAvc2EWnFj3DxgD5Nm+kLtlBoRIophnHr5SaOK pmGHOF8bwSLDZu47JDJM95/Hvq1PSefeTdlbEu07ocyEJ4ZRK4FuiunUoAkaL094+NoD DLzvixBG6+wAwh0k34K8C/OSTfHAv4VO7DDL0dxFjVROP+r3zlg8AZJ9D7APUkVXWcBr yCSQUfikQcaRdnsTpdGlObRMI89qMT30dDBOj5KhHqQ9pekudQWuL1mjOfUynpxtbJzk qp5MhuD7igEalTUZBjYi1nzjsnRBUwOmQE95CDweyqDtXSkK4/1BC6NF4Z3wsKLr1EaC R0VQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=2Wy9WzkZcjdlym76a+sSu2mA+ElwTOakTIhRH4zxSqc=; b=MjMAEFkAAI33qQxdh+g3QQ5eBM9xrJp2aRnamUNIy8pkleG91tia0ry60E3lJAmRDP oxhFeWbCTahDjq+Dc/u51XRtMRjm+UkKj1EV3t6cGaZERbD3afBaBwiLWUm6tVAg1DIU XTlb16zQtX7YQbqC9Cr2p71fnNX8jUxKyqO7hsJYuDLL0vipKB1dbZpC/L2SYaBgSwXN Bg/kxhnntLbV/0Rz+17e2jHymuIB2tPwvVIfZfJPPs0wHBxUHdHNxobgyGg7QxtyqBnt W6Lzsju3BwIn/PVLiUW+sijgDovPhdPU/rDmNGUW31id4EHwQmtzlQW3jjGNLUErHKMJ QrYg==
X-Gm-Message-State: APjAAAXGp9Q29KPjrIQr0J0C0q8xW7s6EXPJXaY350pDMjSayQ+QBoRe TjdA+C2I42nhgC0gJ2ma+4/S2gKR
X-Google-Smtp-Source: APXvYqyOMP6rFSam3+gFOVtupoPg66tL0wdJ60GDiF62d/U6QxguueL0PqOYt58BcslqHQijxtj0SQ==
X-Received: by 2002:a7b:c119:: with SMTP id w25mr5974423wmi.112.1582725788120; Wed, 26 Feb 2020 06:03:08 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id y7sm7920220wmd.1.2020.02.26.06.03.06 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 26 Feb 2020 06:03:06 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Yoav Nir' <ynir.ietf@gmail.com>, 'Toerless Eckert' <tte@cs.fau.de>
Cc: ipsec@ietf.org, 'Michael Richardson' <mcr+ietf@sandelman.ca>, draft-ietf-anima-autonomic-control-plane@ietf.org
References: <20200224195013.GA3878@faui48f.informatik.uni-erlangen.de> <7EDA9264-8007-4221-9A0D-D967C9AD8BD9@gmail.com>
In-Reply-To: <7EDA9264-8007-4221-9A0D-D967C9AD8BD9@gmail.com>
Date: Wed, 26 Feb 2020 17:03:08 +0300
Message-ID: <0b8001d5ecad$79ce7ad0$6d6b7070$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0B81_01D5ECC6.9F1D3970"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMQRTEh8jiXoowGsPdFJKCFNOl05wMD9EZlpaCl+NA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/yXZYeQ7yFDynfDErWoYNX-hgvts>
Subject: Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 14:03:42 -0000

Hi,

 

a couple of comments.

 

I think that the profile is generally OK, but it seems to me that a few issues persist.

 

1. The

   Certificate Encoding "PKCS #7 wrapped X.509 certificate" (1) MUST be

   supported.  See [IKEV2IANA] for this and other IANA IKEv2 parameter

   names used in this text.

 

    “PKCS #7 wrapped X.509 certificate” certificate encoding is deprecated and is not used in IKEv2 

     (see https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-11).

     Generally, I see no need for the text that imposes requirements on certificate encoding at all – 

     we never run into the interoperability problems with this? as far as I remember. I suggest to remove this text.

 

2.   If certificate chains are used, all intermediate certificates up to,

   and including the locally provisioned trust anchor certificate MUST

   be signaled.  See Section 6.10.7 for the sub-CA example in which

   certificate chains are used.

 

    This is confusing. I read this text as the “MUST” is imposed only if 

    “certificate chains are used”. Does it mean that implementations 

    may skip this “MUST” if EE certificate is directly signed by CA certificate

    and there is no intermediate certificates? Or is it still a chain

    and “if” is relevant to the case when there is no CA and there is a direct trust to EE certificates

    (in which case PKI is not needed at all and you can use RAW public keys)?

     

     Another point: trust anchors certificates usually are not included in CERT payload in IKEv2.

     I see draft’s a reasoning that this inclusion would allow better network debugging,

     but I’m not sure I can buy this argument. Probably more detailed

     explanation is needed.

 

3.   IKEv2 authentication MUST use authentication method 14 ("Digital

   Signature") for ACP certificates; this authentication method can be

   used with both RSA and ECDSA certificates, as indicated by a PKIX-

   style OID.

 

    I think it’s better to rephrase this more accurately: “indicated by an ASN.1 object AlgorithmIdentifier”

    (which may include parameters besides OID).

 

A typo in the title of 6.7.1.1.2.:  s/RFC847/RFC8247

 

Regards,

Valery.

 

From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Tuesday, February 25, 2020 11:18 PM
To: Toerless Eckert
Cc: ipsec@ietf.org WG; Michael Richardson; draft-ietf-anima-autonomic-control-plane@ietf.org
Subject: Re: [IPsec] IPsec profile feedback wanted (draft autonomic control plane)

 

Hi, Toerless.

 

I trimmed below most of your background info.





On 24 Feb 2020, at 21:50, Toerless Eckert <tte@cs.fau.de> wrote:

 

[hope its fine to cross-post ipsec and ipsecme given how one is concluded, but may have
more long-time subscribers]

 

ipsec is this group’s mailing list. I don’t know that there even is an ipsecme@ietf.org





We're looking for opinions about an IPsec profile for "Autonomic Control Plane"
draft-ietf-anima-autonomic-control-plane, or specifically 6.7.1.1.1 of:

https://raw.githubusercontent.com/anima-wg/autonomic-control-plane/be056679b9c9cac8c2d664958a3b91585b010a83/draft-ietf-anima-autonomic-control-plane/draft-ietf-anima-autonomic-control-plane.txt

Quick background so you do not need to read anything more than 6.7.1.1.1:

 

I read a little more. Hope you don’t mind.

 

The profile seems fine to me. There is one thing that I think is missing.

 

The profile specifies that the ACP nodes should use tunnel mode (when GRE is not used), because:

   IPsec tunnel mode is required because the ACP will route/forward
   packets received from any other ACP node across the ACP secure
   channels, and not only its own generated ACP packets.  With IPsec
   transport mode, it would only be possible to send packets originated
   by the ACP node itself.

OK. When IKEv2 is used to negotiate tunnel-mode SAs (and transport mode, but that’s not important here) they need an IPsec policy that specifies traffic selectors so that IKEv2 can specify traffic selectors.  Nowhere in your draft do I see a specification of what traffic selectors need to be negotiated.

 

If I understand the above paragraph correctly, both the source of the packet and the destination can be the IP address of any ACP node, neither of which are required to be the tunnel endpoints.  This implies some sort of generic traffic selector.  The draft should specify this, IMO

 

Yoav

v2.23.0 | Report a Bug | By Email