Re: [secdir] secdir review of draft-ietf-ipsecme-ikev2-resumption-07

Yaron Sheffer <yaronf@checkpoint.com> Mon, 14 September 2009 15:34 UTC

From: Yaron Sheffer <yaronf@checkpoint.com>
To: Sean Turner <turners@ieca.com>, secdir <secdir@ietf.org>
Date: Mon, 14 Sep 2009 18:34:42 +0300
Thread-Topic: [secdir] secdir review of draft-ietf-ipsecme-ikev2-resumption-07
Thread-Index: Aco1SnMt8alEMyA7SlmZ/REuhKipTwABSNsw
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC80190A978FBE2@il-ex01.ad.checkpoint.com>
References: <4AAE56EF.5080002@ieca.com>
In-Reply-To: <4AAE56EF.5080002@ieca.com>
Cc: "draft-ietf-ipsecme-ikev2-resumption-07.all@tools.ietf.org" <draft-ietf-ipsecme-ikev2-resumption-07.all@tools.ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-ipsecme-ikev2-resumption-07

Hi Sean,

Thanks for your comments. We will address them in the next version of the draft.

Regarding your second technical comment: the draft specifically only allows resumption to the same gateway that issued the ticket. And this gateway supports the new exchange, by definition, which makes our text sort of redundant.

Thanks,
	Yaron

> -----Original Message-----
> From: secdir-bounces@ietf.org [mailto:secdir-bounces@ietf.org] On Behalf
> Of Sean Turner
> Sent: Monday, September 14, 2009 17:45
> To: secdir; iesg@ietf.org
> Cc: draft-ietf-ipsecme-ikev2-resumption-07.all@tools.ietf.org
> Subject: [secdir] secdir review of draft-ietf-ipsecme-ikev2-resumption-07
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors.  Document editors and WG chairs should treat these
> comments just like any other last call comments.
> 
> This ID is intended for the Standards Track.  It defines an efficient
> way to resume an IKE/IPsec session using a previously established IKE SA
> without the need to re-run the key exchange protocol from the beginning.
> The approach is similar to that used by TLS session resumption, but
> modified for IKEv2.
> 
> Summary: This draft is basically ready for publication, but has nits
> that should be fixed before publication.
> 
> Technical comments:
> 
> 4.3.1 does not require gateways to reject reused tickets (it's a
> SHOULD).  Shouldn't there be some text in the security considerations
> about gateways accepting reused tickets or text to say it's not a
> security consideration because of x, y, and z?  It's different than the
> considerations put forth in 9.8 because it addresses why the client must
> not present reused tickets.
> 
> 4.3.2 states: "The client SHOULD NOT use this exchange type unless it
> knows that the gateway supports it."  What is the mechanism to determine
> whether the gateways support these new exchanges?  What happens when the
> client sends a request and the gateway doesn't support the response?
> What error message is returned from the gateway?  This might all be
> defined elsewhere in the IKE suite of specs, but this ID should probably
> point to that text wherever it is.
> 
> Editorial comments:
> 
> 4.3.2: Should the may be MAY in the following: The first message may be
> rejected in?
> 
> 4.3.2:  r/value ./value.
> 
> 5: Note 6 is missing a ")"
> 
> 6.1: r/MUST be protected so that only unauthorized access is not
> allowed/MUST be protected so that only authorized access is allowed
> 
> 9.3: r/as possible. and/as possible, and
> 
> Cheers,
> 
> spt
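The two points raised above (the gateway only SHOULD reject a reused ticket in 4.3.1, and resumption is only valid at the gateway that issued the ticket) can be seen in a small gateway-side model. This is an added example, not code or a ticket format from the draft; the MAC-protected JSON ticket, the key handling and the `reject_reuse` policy switch are assumptions for illustration only.

```python
# Added example (not from the draft or this thread): a toy gateway that issues
# MAC-protected tickets and decides, by policy, whether a ticket may be
# presented more than once. Ticket encoding and key handling are assumptions.
import base64
import hashlib
import hmac
import json
import os
import time


class TicketGateway:
    """Issues tickets bound to this gateway's key and accepts each one once."""

    def __init__(self, key, lifetime_s=3600, reject_reuse=True):
        self.key = key
        self.lifetime_s = lifetime_s
        # Models the 4.3.1 "SHOULD": rejecting a reused ticket is a policy choice here.
        self.reject_reuse = reject_reuse
        self.used = {}  # ticket id -> expiry time; enough state to detect replay

    def _mac(self, body):
        return hmac.new(self.key, body, hashlib.sha256).digest()

    def issue(self, sa_state, now=None):
        now = time.time() if now is None else now
        body = json.dumps({"id": os.urandom(16).hex(), "exp": now + self.lifetime_s,
                           "state": sa_state}, sort_keys=True).encode()
        return base64.b64encode(body + self._mac(body))

    def resume(self, ticket, now=None):
        """Return the restored SA state, or a string naming the rejection reason."""
        now = time.time() if now is None else now
        try:
            raw = base64.b64decode(ticket, validate=True)
        except ValueError:
            return "malformed"
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(tag, self._mac(body)):
            return "bad_mac"      # forged, or issued by a different gateway
        t = json.loads(body)      # only parsed after the MAC has been verified
        if t["exp"] < now:
            return "expired"
        self.used = {k: v for k, v in self.used.items() if v >= now}  # drop stale ids
        if t["id"] in self.used and self.reject_reuse:
            return "reused"       # the replay case the review asks about
        self.used.setdefault(t["id"], t["exp"])
        return t["state"]
```

Run with `reject_reuse=False` to see the behaviour a lenient gateway would have: the same ticket restores the SA state on every presentation until it expires.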