Re: [secdir] draft-ietf-ipsecme-ikev2-null-auth-06 SECDIR review

Paul Wouters <paul@nohats.ca> Tue, 26 May 2015 14:21 UTC

Date: Tue, 26 May 2015 10:20:31 -0400
From: Paul Wouters <paul@nohats.ca>
To: Donald Eastlake <d3e3e3@gmail.com>
In-Reply-To: <CAF4+nEF7oeR4swbG8uQXLnb-QrkSsKSRWjTK3huzWiK71f7UTA@mail.gmail.com>
Message-ID: <alpine.LFD.2.11.1505261012020.12821@bofh.nohats.ca>
References: <CAF4+nEF7oeR4swbG8uQXLnb-QrkSsKSRWjTK3huzWiK71f7UTA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/fSmT_Q90vWkjtOWDQBTpoLeIFHA>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-ipsecme-ikev2-null-auth-06 SECDIR review

On Tue, 26 May 2015, Donald Eastlake wrote:

Thanks for the review Donald,

> The Security Considerations section is quite thorough. I did notice one small thing: Section 3.1 is labeled
> "Audit trail and peer identification". But the content of that Security Considerations section is about not
> trusting identification when null authentication is used. It seems to me that a few words to the effect that
> some clear indication should be present in audit/log trails when a purported identity has not been
> authenticated should be included, as I expected them to be from the section heading.

The bulk of that section was moved into sections 2.2 and 3.2.

How about:

OLD:

    With NULL Authentication an established IKE session is no longer
    guaranteed to provide a verifiable (authenticated) entity known to
    the system or network.  Implementers that implement NULL
    Authentication should ensure their implementation does not make any
    assumptions that depend on IKE peers being "friendly", "trusted" or
    "identifiable".

NEW:

    With NULL Authentication an established IKE session is no longer
    guaranteed to provide a verifiable (authenticated) entity known to
    the system or network. Any logging of unproven ID payloads that
    were not authenticated should be clearly marked and treated as
    "untrusted", possibly accompanied by logging the remote IP address
    of the IKE session. Rate limiting of logging might be required to
    prevent excessive logging causing system damage.

then move this bit:

    Implementers that implement NULL
    Authentication should ensure their implementation does not make any
    assumptions that depend on IKE peers being "friendly", "trusted" or
    "identifiable".

To just above the "While implementations should..." in section 3.2

Paul
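The proposed NEW text above asks implementers to do three things with an ID payload received under NULL Authentication: mark it as untrusted in the log, record the remote IP address alongside it, and rate-limit that logging. The following is an added example of what such a logging path can look like; it is not code from the draft, from libreswan, or from any message in this thread. The `PeerIdLogger` class, its `log_peer_id` method, the `TokenBucket` helper, the log-line format and the sample peer IDs and addresses are all assumptions made for illustration. It also adds one caveat the draft text does not spell out: because the ID payload is attacker-chosen when it was never authenticated, it is escaped before it reaches the log so a peer cannot forge log lines.

```python
"""Logging of IKE peer IDs when NULL Authentication was used (illustrative).

Added example, not from draft-ietf-ipsecme-ikev2-null-auth or any IKE
implementation.  Names, formats and sample data are assumptions.
"""
import ipaddress
import time


class TokenBucket:
    """Allow `rate` events per second with bursts of up to `burst` events."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.clock = clock          # injectable for deterministic tests
        self.last = clock()

    def take(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def sanitize_id(raw: bytes, max_len: int = 64) -> str:
    """Render an ID payload for logging.

    Under NULL auth the payload is whatever the remote peer chose to send, so
    anything outside printable ASCII (plus the quote and backslash used as
    delimiters) is escaped, and the length is bounded, to prevent log
    injection and oversized log records.
    """
    out = []
    for b in raw[:max_len]:
        if 0x20 <= b < 0x7F and b not in (0x22, 0x5C):
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    if len(raw) > max_len:
        out.append("...")
    return "".join(out)


class PeerIdLogger:
    """Emit one log line per IKE_AUTH, marking unauthenticated IDs UNTRUSTED.

    Only NULL-auth lines are rate-limited: an unauthenticated peer can trigger
    them at will, so a single global bucket bounds total log volume.  Lines
    dropped by the limiter are counted and the count is reported on the next
    line that does get through, so the audit trail shows that suppression
    happened.  `lines` stands in for syslog in this example.
    """

    def __init__(self, rate: float = 10.0, burst: int = 50, clock=time.monotonic):
        self.bucket = TokenBucket(rate, burst, clock)
        self.suppressed = 0
        self.lines = []

    def log_peer_id(self, remote_ip: str, auth_method: str,
                    id_type: str, id_payload: bytes):
        """Return the emitted log line, or None if it was rate-limited."""
        remote = str(ipaddress.ip_address(remote_ip))   # rejects garbage input
        ident = sanitize_id(id_payload)
        if auth_method == "NULL":
            if not self.bucket.take():
                self.suppressed += 1
                return None
            line = (f'IKE_AUTH auth=NULL UNTRUSTED peer-id={id_type}:"{ident}" '
                    f'remote={remote}')
            if self.suppressed:
                line += f" suppressed={self.suppressed}"
                self.suppressed = 0
        else:
            line = f'IKE_AUTH auth={auth_method} peer-id={id_type}:"{ident}" remote={remote}'
        self.lines.append(line)
        return line


if __name__ == "__main__":
    # Constructed sample traffic: one authenticated peer, then a NULL-auth
    # peer that repeats an ID containing a newline (a log-injection attempt).
    lg = PeerIdLogger(rate=1.0, burst=3)
    print(lg.log_peer_id("198.51.100.7", "RSA", "ID_FQDN", b"gw.example.net"))
    for _ in range(5):
        r = lg.log_peer_id("203.0.113.5", "NULL", "ID_FQDN",
                           b"admin\nIKE_AUTH auth=RSA forged=1")
        print(r if r is not None else "(suppressed)")
```

The RSA line is logged without a marker and without limiting, while the NULL-auth lines carry `UNTRUSTED`, the escaped ID and the remote address, and only the first `burst` of them get through before the limiter starts counting drops.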