Re: [Last-Call] Genart last call review of draft-ietf-ipsecme-ikev2-auth-announce-06
Paul Wouters <paul.wouters@aiven.io> Mon, 01 April 2024 18:05 UTC
References: <171173986283.29677.15166968196717624638@ietfa.amsl.com> <03f601da8435$abd224e0$03766ea0$@elvis.ru>
In-Reply-To: <03f601da8435$abd224e0$03766ea0$@elvis.ru>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Mon, 01 Apr 2024 14:05:12 -0400
Message-ID: <CAGL5yWbur5rKfL4yoK5JqcBy1cTSUtcJW-3MWdnw-7yGF-pTTQ@mail.gmail.com>
To: Valery Smyslov <svan@elvis.ru>
Cc: Reese Enghardt <ietf@tenghardt.net>, gen-art@ietf.org, draft-ietf-ipsecme-ikev2-auth-announce.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/Y3iDH9xnH-F5EbMqQRkSTfBZB3k>
On Mon, Apr 1, 2024 at 9:08 AM Valery Smyslov <svan@elvis.ru> wrote:

> I've added the following sentence to the Introduction:
>
> Since IKEv2 doesn't allow the use of multiple authentication methods and doesn't provide means for peers to indicate to the other side which authentication methods they support, it is possible that in these situations the peer which supports a wider range of authentication methods (or authentication token formats) improperly selects the method (or format) which is not supported by the other side.

I wouldn't phrase it like that, since if we are talking about the peers using different authentication methods (e.g. client EAP-TLS and server X.509 cert) then there are "multiple authentication methods". Also, the server could have multiple configurations for the same peer, so a peer could come in using X.509 or PSK.

I think the core case is that the peers cannot dictate the auth method the peer must use. But this document allows them to inform the peer of what they are going to allow? Although a bit limited, because in IKE_SA_INIT one does not have the peer's identity yet, and different peers might only be allowed specific auth methods.

Paul
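The two situations discussed in this thread, modelled as an added example that is not part of the draft or of either author's message: a responder with per-peer authentication policy, an initiator that either picks blindly or restricts itself to what the responder announced, and the point that an announcement sent in IKE_SA_INIT can only be the union over all configured peers because the responder does not yet know the initiator's identity. The method labels, peer names and policy table are constructed assumptions, and the announcement is a plain list rather than the draft's notification format.

```python
# Added example: simplified model of auth-method announcement in IKEv2.
# Policy table, peer names and method labels are constructed for illustration.
from typing import Dict, List, Optional, Tuple

# Responder policy: which auth methods each configured peer is allowed to use.
RESPONDER_POLICY: Dict[str, List[str]] = {
    "gw1.example": ["X.509"],           # this peer must authenticate with a certificate
    "user@example": ["EAP-TLS"],        # this peer must use EAP
    "branch.example": ["PSK", "X.509"],  # two configurations for the same peer
}


def announce_before_identity(policy: Dict[str, List[str]]) -> List[str]:
    """What the responder can announce in IKE_SA_INIT: the initiator's identity
    is not known yet, so the best it can do is the union over all peers."""
    seen: List[str] = []
    for methods in policy.values():
        for m in methods:
            if m not in seen:
                seen.append(m)
    return seen


def initiator_pick(preferences: List[str], announced: Optional[List[str]]) -> Optional[str]:
    """Initiator takes its most preferred method; without an announcement it
    chooses blindly, otherwise only from what the responder said it supports."""
    for m in preferences:
        if announced is None or m in announced:
            return m
    return None


def responder_accepts(policy: Dict[str, List[str]], peer_id: str, method: Optional[str]) -> bool:
    """In IKE_AUTH the responder finally knows the identity and applies the per-peer rule."""
    return method is not None and method in policy.get(peer_id, [])


def run(peer_id: str, preferences: List[str], with_announce: bool) -> Tuple[Optional[str], bool]:
    """Return (method the initiator chose, whether the responder accepted it)."""
    announced = announce_before_identity(RESPONDER_POLICY) if with_announce else None
    chosen = initiator_pick(preferences, announced)
    return chosen, responder_accepts(RESPONDER_POLICY, peer_id, chosen)


if __name__ == "__main__":
    # Announcement helps when the initiator would otherwise pick an unsupported method.
    print(run("gw1.example", ["NULL", "X.509"], with_announce=False))  # blind pick fails
    print(run("gw1.example", ["NULL", "X.509"], with_announce=True))   # announcement fixes it
    # The limitation Paul raises: the union still lets a peer pick a method allowed
    # only for a different peer, since the per-peer rule cannot be announced yet.
    print(run("gw1.example", ["EAP-TLS", "X.509"], with_announce=True))
```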