IETF Logo Mail Archive

Re: [Last-Call] Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06

Paul Wouters <paul.wouters@aiven.io> Mon, 01 April 2024 18:05 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FA94C14CE4D for <last-call@ietfa.amsl.com>; Mon, 1 Apr 2024 11:05:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r95hsJX0qDE6 for <last-call@ietfa.amsl.com>; Mon, 1 Apr 2024 11:05:25 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9321FC15108E for <last-call@ietf.org>; Mon, 1 Apr 2024 11:05:25 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-56845954ffeso6076953a12.2 for <last-call@ietf.org>; Mon, 01 Apr 2024 11:05:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1711994723; x=1712599523; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8/3kV2Gn1VW4+IhydGoEuozmd+JCNeDuPexQpnF5k98=; b=UHzC7WUjTKLzjht8urVS53rYydK6SawgKsgghUo+mUOcHz5qYIZa0LFbToZVvIK7Cj xltXv8GF1QcqUBHctJuDoRL6sKKP+nUHAV3rWhtDYXcCAkG12lPHYwbmYMYoGd7tQz9e +xeO5f6aHd4dDAwcDZV/ddQ7PsW0IZPRNh1VI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711994723; x=1712599523; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8/3kV2Gn1VW4+IhydGoEuozmd+JCNeDuPexQpnF5k98=; b=cT6RhQKh0SsvF8HUzrwpv2l66wawk+H2Ycf9oD9aELAdKknbjJvEiDvbvnMn9ne8in GDKrNddFCy80zvhsHugaKSd3g2bQkjvK/zZsytl+3rh5QQ7rfvmRLaX7UnHGI07sXJC5 3Qm+yBX/a3311MUtK5XtUsiWg6U7wwvR7H/op/acDa0Aht0oUl9AQGGz7Lyxku9aetMf aje6UO/lrTo20CjkZlOjASPp/lPisRUO9ZZDFQnyuWPiz7Dxuyd5aDQd32Lw+3UyMIGt yDulOAT5ttf57446Zk1iy35LQ3bE/CM9MEPtaOkL9jP3n4lzCrpNoeBuTVfs0IzC+Iuh l7cA==
X-Forwarded-Encrypted: i=1; AJvYcCXWoAREAS6CZ0xnlFlQMXYSai2tpPkZmuU9YUUq++TpJwKcMIi92xhOPe8zHVG5aEANic5R5sMzyooIo3aPblP/xco=
X-Gm-Message-State: AOJu0Yy1vMDlGeoPXymfX1trSOZ8Lx4kZEfvHk/41e+dnxjUekYAZnEk 7NcFyDijGKu4Pc/aR1U9LRdxiW2YPKipmqBVZCbTJmWwoNsADvAWDXsmQEvrcQIq4baes4xbzi4 b+/jGPHs/xwsjY95C7VYxizMCdIAc9PhqDYYDFA==
X-Google-Smtp-Source: AGHT+IEE1RJ9AOyOHvy8LQkWsqxMjsfXEAQoW923BxW/t89fzFaqgSSdC7egCBrKS8LtxM/nYDaFSaQAGHzKZi8T1Rk=
X-Received: by 2002:a17:906:6dc4:b0:a4e:5403:51c9 with SMTP id j4-20020a1709066dc400b00a4e540351c9mr3825705ejt.67.1711994723351; Mon, 01 Apr 2024 11:05:23 -0700 (PDT)
MIME-Version: 1.0
References: <171173986283.29677.15166968196717624638@ietfa.amsl.com> <03f601da8435$abd224e0$03766ea0$@elvis.ru>
In-Reply-To: <03f601da8435$abd224e0$03766ea0$@elvis.ru>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Mon, 01 Apr 2024 14:05:12 -0400
Message-ID: <CAGL5yWbur5rKfL4yoK5JqcBy1cTSUtcJW-3MWdnw-7yGF-pTTQ@mail.gmail.com>
To: Valery Smyslov <svan@elvis.ru>
Cc: Reese Enghardt <ietf@tenghardt.net>, gen-art@ietf.org, draft-ietf-ipsecme-ikev2-auth-announce.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005818b406150cd5da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/Y3iDH9xnH-F5EbMqQRkSTfBZB3k>
Subject: Re: [Last-Call] Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2024 18:05:29 -0000

On Mon, Apr 1, 2024 at 9:08 AM Valery Smyslov <svan@elvis.ru> wrote:

I've added the following sentence to the Introduction:
>
>    Since IKEv2 doesn't allow to use multiple
>    authentication methods and doesn't provide means for peers to
>    indicate to the other side which authentication methods they support,
>    it is possible that in these situations the peer which supports wider
>    range of authentication methods (or authentication token formats)
>    improperly selects the method (or format) which is not supported by
>    the other side.
>

I wouldn't phrase it like it, since if we are talking about the peers using
different authentication
methods (eg client EAPTLS and server X.509 cert) then there are "multiple
authentication methods".

Also, the server could have multiple configurations for the same peer so a
peer could come in using X509 or PSK.

I think the core case is that the peers cannot dictate the auth method the
peer must use. But this document allows
them to inform the peer or what they are going to allow? Although a bit
limited because in IKE_SA_INIT, one does
not have the peer's identity yet, and different peers might only be allowed
specific auth methods.

Paul

v2.23.0 | Report a Bug | By Email