[secdir] secdir review of draft-ietf-ipsecme-rfc7321bis-05
Tero Kivinen <kivinen@iki.fi> Wed, 22 March 2017 16:46 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2BF7129A90; Wed, 22 Mar 2017 09:46:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bv2xUzAZ35Sf; Wed, 22 Mar 2017 09:46:13 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B7AC129AC6; Wed, 22 Mar 2017 09:46:02 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v2MGjqZU029458 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 22 Mar 2017 18:45:52 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v2MGjpFK024608; Wed, 22 Mar 2017 18:45:51 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22738.43583.681785.129984@fireball.acr.fi>
Date: Wed, 22 Mar 2017 18:45:51 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Christian Huitema <huitema@huitema.net>
Cc: The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-ipsecme-rfc7321bis.all@ietf.org
In-Reply-To: <2927d78d-7293-ba53-4aa3-0351e0a6e7b2@huitema.net>
References: <2927d78d-7293-ba53-4aa3-0351e0a6e7b2@huitema.net>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 9 min
X-Total-Time: 9 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_1cfYZGgcyUm5_3QcjP-jcGMV8M>
Subject: [secdir] secdir review of draft-ietf-ipsecme-rfc7321bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 16:46:15 -0000
Christian Huitema writes: > The second set of nits contains manual keying. According to the > draft, anyone using manual keying is punished for doing so, and will > only be able to use ENCR_AES_CBC. I assume that there is WG > consensus on that, but the justification that other algorithms > really require IKEv2 is a bit weak. If there is an API to configure > encryption with the results of an IKEv2 negotiation, it could just > as well be used with the results of a manual configuration. Not sure > that the definition of algorithms is the best place to deprecate > manual configuration, even if there are some pretty good reasons to > do that. Using API to configure keying material to the IPsec is not manual keying. There are two options in RFC4301 for key management, section 4.5.1 manual techniques, and 4.5.2 automated key management. Anything that creates keys on the fly (i.e., IKEv2, or API) is automated key management. When using manual techniques the "person manually configures each system with keying material and SA management data relevant to secure communication with other systems." (section 4.5.1 of RFC4301). As there might not be person manually configuring the next keys when the device is rebooted, and when the counters start again from zero, manual keying cannot be used with algorithms like CCM, GCM or CHACHA20 etc. -- kivinen@iki.fi
- [secdir] secdir review of draft-ietf-ipsecme-rfc7… Christian Huitema
- Re: [secdir] secdir review of draft-ietf-ipsecme-… Christian Huitema
- Re: [secdir] secdir review of draft-ietf-ipsecme-… Paul Wouters
- [secdir] secdir review of draft-ietf-ipsecme-rfc7… Tero Kivinen