[secdir] review of draft-ietf-ipsecme-ikev2bis-10
Tom Yu <tlyu@MIT.EDU> Tue, 04 May 2010 05:29 UTC
Return-Path: <tlyu@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90E0D28C381; Mon, 3 May 2010 22:29:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.741
X-Spam-Level:
X-Spam-Status: No, score=0.741 tagged_above=-999 required=5 tests=[AWL=0.740, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lwxOwRIxT4FR; Mon, 3 May 2010 22:29:05 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (DMZ-MAILSEC-SCANNER-4.MIT.EDU [18.9.25.15]) by core3.amsl.com (Postfix) with ESMTP id 9AC2F3A68A3; Mon, 3 May 2010 22:23:49 -0700 (PDT)
X-AuditID: 1209190f-b7b20ae000003f85-1e-4bdfaf57bcc4
Received: from mailhub-auth-4.mit.edu (MAILHUB-AUTH-4.MIT.EDU [18.7.62.39]) by dmz-mailsec-scanner-4.mit.edu (Symantec Brightmail Gateway) with SMTP id F7.1D.16261.75FAFDB4; Tue, 4 May 2010 01:23:35 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id o445NXCU027471; Tue, 4 May 2010 01:23:35 -0400
Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id o445NWLJ010943 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 4 May 2010 01:23:33 -0400 (EDT)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id o445NWhi014878; Tue, 4 May 2010 01:23:32 -0400 (EDT)
To: secdir@ietf.org, iesg@ietf.org, ipsecme-chairs@tools.ietf.org, draft-ietf-ipsecme-ikev2bis.all@tools.ietf.org
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 04 May 2010 01:23:32 -0400
Message-ID: <ldvaasggrzf.fsf@cathode-dark-space.mit.edu>
Lines: 52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Brightmail-Tracker: AAAAARPvoAQ=
Subject: [secdir] review of draft-ietf-ipsecme-ikev2bis-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 May 2010 05:29:06 -0000
draft-ietf-ipsecme-ikev2bis-10 document intends to replace RFC 4306, the previous specification of IKEv2. My comments focus on the Security Considerations section, which mostly the same as in RFC 4306. None of these comments represents a major issue. Compared to RFC 4306, the Security Considerations section of this document contains additional comments about implementation robustness against attacks (including exhaustion of computational resources) by unauthenticated peers. The following sentence from RFC 4306, referring to Diffie-Hellman exponents, is not present in this document: In particular, these exponents MUST NOT be derived from long-lived secrets like the seed to a pseudo-random generator that is not erased after use. I understand that this sentence was removed because it is impractical for many implementations to comply. For reasonable interpretations of the randomness requirements which are listed a few paragraphs later, I believe it is possible to securely implement this specification without satisfying the RFC 4306 condition on erasing certain pseudo-random number generator seeds after use. The paragraph on the randomness requirements would therefore subsume the above RFC 4306 condition that was deleted. Do the authors agree? The lengthy paragraph warning about non-key-generating EAP methods is mostly unchanged from RFC 4306. I do wonder if channel bindings would help with non-key-generating EAP methods tunneled in protected channels, but am not sufficiently familiar with EAP to know whether this is feasible. (non-key-generating EAP methods might not have any way to perform the additional necessary authentication to achieve channel binding) The SHOULD in RFC 4306 in the sentence beginning "Implementers SHOULD describe the vulnerabilities of non-key-generating EAP methods..." was demoted to a non-capitalized form. Is this intentional? If so, what is the rationale? This document adds a paragraph about "admission control", a term for which I am unable to find a contextually meaningful definition. I agree with the importance of choosing a more carefully evaluated set of trust anchors for IKE authentication than for identification of public web servers, but I am uncertain how that statement relates to (network?) admission control in that paragraph. The added section (5.1) on traffic selector authorization seems reasonable to me. Editorial: "elliptical curve" -> "elliptic curve"