From nobody Mon Sep 1 00:37:29 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A51D1A014C for ; Mon, 1 Sep 2014 00:37:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TmhQwJXyNyJ8 for ; Mon, 1 Sep 2014 00:37:24 -0700 (PDT) Received: from mail-we0-x232.google.com (mail-we0-x232.google.com [IPv6:2a00:1450:400c:c03::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 789D61A011B for ; Mon, 1 Sep 2014 00:37:19 -0700 (PDT) Received: by mail-we0-f178.google.com with SMTP id u57so4947403wes.23 for ; Mon, 01 Sep 2014 00:37:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=v0l3hXPJ3AkgOiKpZYayGJzAywSWAM/2EcLXpn9lajQ=; b=TlOvLKzewUJ9UtGT6uWbEh6VGy1+ZTbzuiKPr8tYhlrFhjihTrXWjXAyuqiKHf8ne2 Y6niA/m3ztaowgxyRuskuXruWCKfBtw4P9hG4t0sn2KlQ2h5u1Mt+LPsJHY7xiwaC5QU Dxd+Y8NZp/b88i+vDtlnfU1LXDDm/vTN6i9BSTZfIrhzZs/Ev4fVHA9SgtSZUttPHRyD bsov9Tc/bsbn9R7+VmuPhGH9CdjonP9n8Cr9wy3vw+6mlyxkg3hQ+xhUIX/3zO5bjuHJ qd6nOtNvxT6L4tmLEzTJvajGS5vv4vB7TOX4l9jZUah6l3Bj69RvTyjrBMjM6jshzaMz OJoQ== X-Received: by 10.195.12.4 with SMTP id em4mr1028685wjd.98.1409557037576; Mon, 01 Sep 2014 00:37:17 -0700 (PDT) Received: from [172.24.251.145] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id xa6sm106168wjc.19.2014.09.01.00.37.16 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 01 Sep 2014 00:37:17 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_8A28D0D2-627B-4B68-9AC4-5083D5EDB4D7" Mime-Version: 1.0 (Mac OS X Mail 7.3 $1878.6$) From: Yoav Nir In-Reply-To: Date: Mon, 1 Sep 2014 10:37:13 +0300 Message-Id: <583C5D54-E70D-42AE-845C-79CF5CB8F71F@gmail.com> References: To: Avishek Ganguly X-Mailer: Apple Mail (2.1878.6) Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/0vWlapgWZffifKGN16Zscc1Yhps Cc: "ipsec@ietf.org" Subject: Re: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Sep 2014 07:37:27 -0000 --Apple-Mail=_8A28D0D2-627B-4B68-9AC4-5083D5EDB4D7 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 Hi, Avishek English is not my first language, so I=92m not sure what =93exclusive=94 = means below, but I hope I can clarify anyways. Suppose Responder policy is to allow certain groups (say, 19 and 20), = while the Initiator=92s request includes groups 2, 5, and 14 in the SA = payload, and group 2 in the KE payload.=20 It seems like both INVALID_KE_PAYLOAD and NO_PROPOSAL_CHOSEN are = appropriate, but this is not the case. The purpose of the = INVALID_KE_PAYLOAD is to have the Initiator immediately retry (it says = so right after the part you quoted) with the correct group. But we = already no that the Initiator doesn=92t support any of the supported = groups. If it did, then the SA payload would include them. So in this = case, only NO_PROPOSAL_CHOSEN is appropriate. NO_PROPOSAL_CHOSEN is the kind of error that is not correctable without = configuration changes. INVALID_KE_PAYLOAD is an error that should be = automatically corrected immediately. So although it doesn=92t say so explicitly in the RFC, you really need = to evaluate the SA payload first. It might not be worth it to check the = others. Hope this helps Yoav On Sep 1, 2014, at 7:28 AM, Avishek Ganguly = wrote: > Hello, > =20 > I have questions regarding use of NO_PROPOSAL_CHOSEN and = INVALID_KE_PAYLOAD in IKE_SA_INIT exchange in RFC 5996 IKEv2. > According to > "Section 3.10.1. Notify Message Types > NO_PROPOSAL_CHOSEN 14 > None of the proposed crypto suites was acceptable. This can be > sent in any case where the offered proposals (including but not > limited to SA payload values, USE_TRANSPORT_MODE notify, > IPCOMP_SUPPORTED notify) are not acceptable for the responder. > " > according to the above statement it is meant that if initiator sends a = proposal with a Diffie-Hellman group value that is unacceptable by the = responder, then responder must send a NO_PROPOSAL_CHOSEN notification. > =20 > But according to > "Section 1.2. The Initial Exchanges > Because the initiator sends its Diffie-Hellman value in the > IKE_SA_INIT, it must guess the Diffie-Hellman group that the > responder will select from its list of supported groups. If the > initiator guesses wrong, the responder will respond with a Notify > payload of type INVALID_KE_PAYLOAD indicating the selected group. > " > =46rom the INVALID_KE_PAYLOAD description stated above means that = NO_PROPOSAL_CHOSEN case is exclusive of this INVALID_KE_PAYLOAD. > =20 > Is it right interpretation of the above two error types ? > =20 > Thanks and Regards, > Avishek > =20 > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec --Apple-Mail=_8A28D0D2-627B-4B68-9AC4-5083D5EDB4D7 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 Hi, = Avishek

English is not my first language, so I=92m = not sure what =93exclusive=94 means below, but I hope I can clarify = anyways.

Suppose Responder policy is to allow = certain groups (say, 19 and 20), while the Initiator=92s request = includes groups 2, 5, and 14 in the SA payload, and group 2 in the KE = payload.

It seems like both = INVALID_KE_PAYLOAD and NO_PROPOSAL_CHOSEN are appropriate, but this is = not the case. The purpose of the INVALID_KE_PAYLOAD is to have the = Initiator immediately retry (it says so right after the part you quoted) = with the correct group. But we already no that the Initiator doesn=92t = support any of the supported groups. If it did, then the SA payload = would include them. So in this case, only NO_PROPOSAL_CHOSEN is = appropriate.

NO_PROPOSAL_CHOSEN is the kind of = error that is not correctable without configuration changes. = INVALID_KE_PAYLOAD is an error that should be automatically corrected = immediately.

So although it doesn=92t say so = explicitly in the RFC, you really need to evaluate the SA payload first. = It might not be worth it to check the = others.

Hope this = helps

Yoav

On Sep 1, = 2014, at 7:28 AM, Avishek Ganguly <aganguly@ixiacom.com> = wrote:

Hello,

I have = questions regarding use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD in = IKE_SA_INIT exchange in RFC 5996 IKEv2.
According to
"Section 3.10.1. Notify Message = Types
NO_PROPOSAL_CHOSEN       &= nbsp;           &nb= sp;   14
      None of the proposed crypto = suites was acceptable. This can be
      sent in any case = where the offered proposals (including but not
      limited to SA = payload values, USE_TRANSPORT_MODE notify,
      IPCOMP_SUPPORTED = notify) are not acceptable for the responder.
"
according = to the above statement it is meant that if initiator sends a proposal = with a Diffie-Hellman group value that is unacceptable by the responder, = then responder must send a NO_PROPOSAL_CHOSEN = notification.

But = according to
"Section 1.2. The = Initial Exchanges
Because = the initiator sends its Diffie-Hellman value in the
   IKE_SA_INIT, it must guess the = Diffie-Hellman group that the
   responder will select from its list of = supported groups. If the
   initiator guesses wrong, the responder will = respond with a Notify
   payload of type INVALID_KE_PAYLOAD indicating = the selected group.
"
=46rom the = INVALID_KE_PAYLOAD description stated above means that = NO_PROPOSAL_CHOSEN case is exclusive of this = INVALID_KE_PAYLOAD.

Is it = right interpretation of the above two error types ?

Thanks = and Regards,
Avishek

________________________________= _______________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

= --Apple-Mail=_8A28D0D2-627B-4B68-9AC4-5083D5EDB4D7-- From nobody Mon Sep 1 02:01:57 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 082EE1A014E for ; Mon, 1 Sep 2014 02:01:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.131 X-Spam-Level: X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=0.77, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQ5CvO5H73L4 for ; Mon, 1 Sep 2014 02:01:45 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0139.outbound.protection.outlook.com [207.46.163.139]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B16E1A0282 for ; Mon, 1 Sep 2014 02:01:45 -0700 (PDT) Received: from DM2PR0601MB713.namprd06.prod.outlook.com (10.242.115.155) by DM2PR0601MB715.namprd06.prod.outlook.com (10.242.126.11) with Microsoft SMTP Server (TLS) id 15.0.1015.19; Mon, 1 Sep 2014 09:01:43 +0000 Received: from DM2PR0601MB713.namprd06.prod.outlook.com ([10.242.115.155]) by DM2PR0601MB713.namprd06.prod.outlook.com ([10.242.115.155]) with mapi id 15.00.1015.018; Mon, 1 Sep 2014 09:01:43 +0000 From: Avishek Ganguly To: "ipsec@ietf.org" Thread-Topic: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD Thread-Index: Ac/FnSWEFTen3/ebTi+t+niQ7k32vQAGmYmAAAKv+ZA= Date: Mon, 1 Sep 2014 09:01:42 +0000 Message-ID: <63f489b81d784a368106e901e5d62abb@DM2PR0601MB713.namprd06.prod.outlook.com> References: <583C5D54-E70D-42AE-845C-79CF5CB8F71F@gmail.com> In-Reply-To: <583C5D54-E70D-42AE-845C-79CF5CB8F71F@gmail.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [121.242.14.67] x-microsoft-antispam: BCL:0;PCL:0;RULEID:;UriScan:; x-forefront-prvs: 03218BFD9F x-forefront-antispam-report: SFV:NSPM; SFS:(189002)(129404003)(199003)(24454002)(377454003)(101416001)(19625215002)(76482001)(85852003)(74662001)(21056001)(15975445006)(19609705001)(79102001)(95666004)(107046002)(76176999)(77982001)(20776003)(107886001)(15202345003)(90102001)(99286002)(2501002)(31966008)(19300405004)(87936001)(2351001)(33646002)(105586002)(76576001)(54356999)(108616004)(74502001)(74316001)(19580395003)(83322001)(2656002)(16236675004)(106356001)(80022001)(4396001)(46102001)(81342001)(110136001)(86362001)(50986999)(561944003)(66066001)(19617315012)(85306004)(19580405001)(92566001)(81542001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:DM2PR0601MB715; H:DM2PR0601MB713.namprd06.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; Content-Type: multipart/alternative; boundary="_000_63f489b81d784a368106e901e5d62abbDM2PR0601MB713namprd06p_" MIME-Version: 1.0 X-OriginatorOrg: ixiacom.com X-MS-Exchange-CrossPremises-AuthAs: Internal X-MS-Exchange-CrossPremises-AuthMechanism: 04 X-MS-Exchange-CrossPremises-AuthSource: DM2PR0601MB713.namprd06.prod.outlook.com X-MS-Exchange-CrossPremises-SCL: 1 X-MS-Exchange-CrossPremises-messagesource: StoreDriver X-MS-Exchange-CrossPremises-BCC: X-MS-Exchange-CrossPremises-originalclientipaddress: 121.242.14.67 X-MS-Exchange-CrossPremises-avstamp-service: 1.0 X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent X-OrganizationHeadersPreserved: DM2PR0601MB715.namprd06.prod.outlook.com Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/0IUSVBaYVLshIg-VWJS9zbtN0Rs Subject: Re: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Sep 2014 09:01:50 -0000 --_000_63f489b81d784a368106e901e5d62abbDM2PR0601MB713namprd06p_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Thanks Yoav for your explanation. > English is not my first language, so I'm not sure what "exclusive" means = below, but I hope I can clarify anyways. By exclusive I mean NO_PROPOSAL_CHOSEN is an error that is not generated be= cause of any DH Group mismatches in KE Payload. So it seems that INVALID_KE_PAYLOAD is an error that should be generated du= ring CREATE_CHILD_SA exchange. And NO_PROPOSAL_CHOSEN is appropriate for IK= E_SA_INIT. Because Before IKE_SA_INIT responder does not know which groups = initiator supports. When responder gets a IKE_SA_INIT with invalid DH GROUP It should assume that there is some configuration issues from initiator sid= e. Regards, Avishek From: Yoav Nir [mailto:ynir.ietf@gmail.com] Sent: Monday, September 01, 2014 1:07 PM To: Avishek Ganguly Cc: ipsec@ietf.org Subject: Re: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CH= OSEN and INVALID_KE_PAYLOAD Hi, Avishek English is not my first language, so I'm not sure what "exclusive" means be= low, but I hope I can clarify anyways. Suppose Responder policy is to allow certain groups (say, 19 and 20), while= the Initiator's request includes groups 2, 5, and 14 in the SA payload, an= d group 2 in the KE payload. It seems like both INVALID_KE_PAYLOAD and NO_PROPOSAL_CHOSEN are appropriat= e, but this is not the case. The purpose of the INVALID_KE_PAYLOAD is to ha= ve the Initiator immediately retry (it says so right after the part you quo= ted) with the correct group. But we already no that the Initiator doesn't s= upport any of the supported groups. If it did, then the SA payload would in= clude them. So in this case, only NO_PROPOSAL_CHOSEN is appropriate. NO_PROPOSAL_CHOSEN is the kind of error that is not correctable without con= figuration changes. INVALID_KE_PAYLOAD is an error that should be automatic= ally corrected immediately. So although it doesn't say so explicitly in the RFC, you really need to eva= luate the SA payload first. It might not be worth it to check the others. Hope this helps Yoav On Sep 1, 2014, at 7:28 AM, Avishek Ganguly > wrote: Hello, I have questions regarding use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD= in IKE_SA_INIT exchange in RFC 5996 IKEv2. According to "Section 3.10.1. Notify Message Types NO_PROPOSAL_CHOSEN 14 None of the proposed crypto suites was acceptable. This can be sent in any case where the offered proposals (including but not limited to SA payload values, USE_TRANSPORT_MODE notify, IPCOMP_SUPPORTED notify) are not acceptable for the responder. " according to the above statement it is meant that if initiator sends a prop= osal with a Diffie-Hellman group value that is unacceptable by the responde= r, then responder must send a NO_PROPOSAL_CHOSEN notification. But according to "Section 1.2. The Initial Exchanges Because the initiator sends its Diffie-Hellman value in the IKE_SA_INIT, it must guess the Diffie-Hellman group that the responder will select from its list of supported groups. If the initiator guesses wrong, the responder will respond with a Notify payload of type INVALID_KE_PAYLOAD indicating the selected group. " >From the INVALID_KE_PAYLOAD description stated above means that NO_PROPOSAL= _CHOSEN case is exclusive of this INVALID_KE_PAYLOAD. Is it right interpretation of the above two error types ? Thanks and Regards, Avishek _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec --_000_63f489b81d784a368106e901e5d62abbDM2PR0601MB713namprd06p_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Thanks Yoav for your expl= anation.

<= /p>

> English is not my first language, so I’m = not sure what “exclusive” means below, but I hope I can clarify= anyways.

<= /p>

By exclusive I mean NO_PR= OPOSAL_CHOSEN is an error that is not generated because of any DH Group mis= matches in KE Payload.

<= /p>

So it seems that INVALID_= KE_PAYLOAD is an error that should be generated during CREATE_CHILD_SA exch= ange. And NO_PROPOSAL_CHOSEN is appropriate for IKE_SA_INIT. Because Before IKE_SA_INIT responder does not know which groups initiator = supports. When responder gets a IKE_SA_INIT with invalid DH GROUP

It should assume that the= re is some configuration issues from initiator side.

<= /p>

Regards,

Avishek=

From: Yoav N= ir [mailto:ynir.ietf@gmail.com]
Sent: Monday, September 01, 2014 1:07 PM
To: Avishek Ganguly
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROP= OSAL_CHOSEN and INVALID_KE_PAYLOAD

Hi, Avishek

English is not my first language, so I’m not s= ure what “exclusive” means below, but I hope I can clarify anyw= ays.

Suppose Responder policy is to allow certain groups = (say, 19 and 20), while the Initiator’s request includes groups 2, 5,= and 14 in the SA payload, and group 2 in the KE payload. <= /p>

It seems like both INVALID_KE_PAYLOAD and NO_PROPOSA= L_CHOSEN are appropriate, but this is not the case. The purpose of the INVA= LID_KE_PAYLOAD is to have the Initiator immediately retry (it says so right= after the part you quoted) with the correct group. But we already no that the Initiator doesn’t support = any of the supported groups. If it did, then the SA payload would include t= hem. So in this case, only NO_PROPOSAL_CHOSEN is appropriate.

NO_PROPOSAL_CHOSEN is the kind of error that is not = correctable without configuration changes. INVALID_KE_PAYLOAD is an error t= hat should be automatically corrected immediately.

So although it doesn’t say so explicitly in th= e RFC, you really need to evaluate the SA payload first. It might not be wo= rth it to check the others.

Hope this helps

Yoav

On Sep 1, 2014, at 7:28 AM, Avishek Ganguly <aganguly@ixiacom.com> wrote:

Hello,

I have questions regarding use of NO_PR= OPOSAL_CHOSEN and INVALID_KE_PAYLOAD in IKE_SA_INIT exchange in RFC 5996 IK= Ev2.

According to

"Section 3.10.1. Notify Mess= age Types

NO_PROPOSAL_CHOSEN   &nb= sp;            =        14

      None of = the proposed crypto suites was acceptable. This can be

      sent in = any case where the offered proposals (including but not

      limited = to SA payload values, USE_TRANSPORT_MODE notify,

      IPCOMP_S= UPPORTED notify) are not acceptable for the responder.

"

according to the above statement it is = meant that if initiator sends a proposal with a Diffie-Hellman group value = that is unacceptable by the responder, then responder must send a NO_PROPOSAL_CHOSEN notification.

But according to

"Section 1.2. The Initial Exchange= s

Because the initiator sends its Diffie-= Hellman value in the

   IKE_SA_INIT, it must guess= the Diffie-Hellman group that the

   responder will select from= its list of supported groups. If the

   initiator guesses wrong, t= he responder will respond with a Notify

   payload of type INVALID_KE= _PAYLOAD indicating the selected group.

"

From the INVALID_KE_PAYLOAD description= stated above means that NO_PROPOSAL_CHOSEN case is exclusive of this INVAL= ID_KE_PAYLOAD.

Is it right interpretation of the above= two error types ?

Thanks and Regards,

Avishek

______________________________________= _________
IPsec mailing list
IPsec@= ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

--_000_63f489b81d784a368106e901e5d62abbDM2PR0601MB713namprd06p_-- From nobody Mon Sep 1 02:17:18 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9458F1A02E8 for ; Mon, 1 Sep 2014 02:17:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ldsX-KZDXE35 for ; Mon, 1 Sep 2014 02:17:08 -0700 (PDT) Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE0461A02E3 for ; Mon, 1 Sep 2014 02:17:06 -0700 (PDT) Received: by mail-lb0-f172.google.com with SMTP id 10so5667126lbg.3 for ; Mon, 01 Sep 2014 02:17:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=cqY3VewTDR/dsuPcSFUmJh3vx1QyMX+IfnTnupENFf8=; b=T5wRbvGqJWsTsbe5D4VyxayjkLJgC/6aYx0tuLfAp17KmR9qdI024JcZgM0MQsCTNi A+zEOqohrvupDMK7bEziYzMzWDMvHbCpuxl4Yvbhiu+krLkDC9ujkXu5N6H5AABB/bhC JPf2qRnrjAh+ds0smDtUtwVgIC4QWjQPOMCnrfT/Xvbv0qN0BT7gUeYer6tD6BtTVdMd 2MRTO6wXh14rnaYw+o6saLDEJsfe5IcHsMPnfvKpSjZvx2gRaIGpINTg8ScNoydUSEUP 6XnegekkBd+ydPp3i+IfGyucTNde5MsKUXXL195hhwnY1VkHcclh7cmgaPIzdYL+K2IX YogQ== X-Received: by 10.112.147.74 with SMTP id ti10mr26021693lbb.29.1409563025197; Mon, 01 Sep 2014 02:17:05 -0700 (PDT) Received: from [172.24.251.145] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id m5sm174882laa.37.2014.09.01.02.17.03 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 01 Sep 2014 02:17:04 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_943F574A-0672-499F-8C27-7A03BF866254" Mime-Version: 1.0 (Mac OS X Mail 7.3 $1878.6$) From: Yoav Nir In-Reply-To: <63f489b81d784a368106e901e5d62abb@DM2PR0601MB713.namprd06.prod.outlook.com> Date: Mon, 1 Sep 2014 12:17:00 +0300 Message-Id: <8EE786E7-5AFE-4224-91CB-0029ABB1735A@gmail.com> References: <583C5D54-E70D-42AE-845C-79CF5CB8F71F@gmail.com> <63f489b81d784a368106e901e5d62abb@DM2PR0601MB713.namprd06.prod.outlook.com> To: Avishek Ganguly X-Mailer: Apple Mail (2.1878.6) Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/aUT4DKupdpqhHnmzZFbSb3CtnPI Cc: "ipsec@ietf.org" Subject: Re: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Sep 2014 09:17:10 -0000 --Apple-Mail=_943F574A-0672-499F-8C27-7A03BF866254 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 On Sep 1, 2014, at 12:01 PM, Avishek Ganguly = wrote: > Thanks Yoav for your explanation. > =20 > > English is not my first language, so I=92m not sure what =93exclusive=94= means below, but I hope I can clarify anyways. > =20 > By exclusive I mean NO_PROPOSAL_CHOSEN is an error that is not = generated because of any DH Group mismatches in KE Payload. > =20 > =20 > So it seems that INVALID_KE_PAYLOAD is an error that should be = generated during CREATE_CHILD_SA exchange. And NO_PROPOSAL_CHOSEN is = appropriate for IKE_SA_INIT. Because Before IKE_SA_INIT responder does = not know which groups initiator supports. When responder gets a = IKE_SA_INIT with invalid DH GROUP > It should assume that there is some configuration issues from = initiator side. > =20 No. Both are appropriate in both exchanges. Both CCSA and IKE_SA_INIT have SA payloads and KE payloads. Since there = is no requirement that the new (rekeyed) IKE SA have the same algorithms = and groups of the old IKE SA, the proposals may be different.=20 Regardless of whether we are creating a new authenticated IKE SA, a = Child SA with PFS or a rekeyed IKE SA, you could have an empty = intersection of group sets (leading to a NO_PROPOSAL_CHOSEN) or a wrong = choice of group in KE payload (leading to INVALID_KE_PAYLOAD) --Apple-Mail=_943F574A-0672-499F-8C27-7A03BF866254 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252

On Sep 1, 2014, at 12:01 PM, Avishek = Ganguly <aganguly@ixiacom.com> = wrote:

Thanks Yoav for your = explanation.

> = English is not my first language, so I=92m not sure what =93exclusive=94 = means below, but I hope I can clarify anyways.

By exclusive I mean = NO_PROPOSAL_CHOSEN is an error that is not generated because of any DH = Group mismatches in KE Payload.

So it seems that = INVALID_KE_PAYLOAD is an error that should be generated during = CREATE_CHILD_SA exchange. And NO_PROPOSAL_CHOSEN is appropriate for = IKE_SA_INIT. Because Before IKE_SA_INIT responder does not know which = groups initiator supports. When responder gets a IKE_SA_INIT with = invalid DH GROUP
It should assume that there is some configuration = issues from initiator side.

No. = Both are appropriate in both exchanges.

Both = CCSA and IKE_SA_INIT have SA payloads and KE payloads. Since there is no = requirement that the new (rekeyed) IKE SA have the same algorithms and = groups of the old IKE SA, the proposals may be = different.

Regardless of whether we are = creating a new authenticated IKE SA, a Child SA with PFS or a rekeyed = IKE SA, you could have an empty intersection of group sets (leading to a = NO_PROPOSAL_CHOSEN) or a wrong choice of group in KE payload (leading to = INVALID_KE_PAYLOAD)

= --Apple-Mail=_943F574A-0672-499F-8C27-7A03BF866254-- From nobody Mon Sep 1 07:39:27 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 119971A0A92 for ; Mon, 1 Sep 2014 07:39:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.789 X-Spam-Level: X-Spam-Status: No, score=-1.789 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668, SPF_NEUTRAL=0.779] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U4wlvGf2e-Mk for ; Mon, 1 Sep 2014 07:39:21 -0700 (PDT) Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 319791A0977 for ; Mon, 1 Sep 2014 07:16:18 -0700 (PDT) Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id s81EGECJ015508 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 1 Sep 2014 17:16:14 +0300 (EEST) Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id s81EGD5O019563; Mon, 1 Sep 2014 17:16:13 +0300 (EEST) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <21508.32685.533369.15287@fireball.kivinen.iki.fi> Date: Mon, 1 Sep 2014 17:16:13 +0300 From: Tero Kivinen To: Avishek Ganguly In-Reply-To: References: X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd) X-Edit-Time: 10 min X-Total-Time: 10 min Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/neRr0YGEPySGMmmChopfM0Gm-sg Cc: "ipsec@ietf.org" Subject: [IPsec] Question Regarding IKEv2 RFC5996 Use of NO_PROPOSAL_CHOSEN and INVALID_KE_PAYLOAD X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Sep 2014 14:39:26 -0000 Avishek Ganguly writes: > I have questions regarding use of NO_PROPOSAL_CHOSEN and > INVALID_KE_PAYLOAD in > IKE_SA_INIT exchange in RFC 5996 IKEv2. > > According to > > "Section 3.10.1. Notify Message Types > > NO_PROPOSAL_CHOSEN 14 > None of the proposed crypto suites was acceptable. This can be > sent in any case where the offered proposals (including but not > limited to SA payload values, USE_TRANSPORT_MODE notify, > IPCOMP_SUPPORTED notify) are not acceptable for the responder. > " > > according to the above statement it is meant that if initiator sends a > proposal with a Diffie-Hellman group value that is unacceptable by the > responder, then responder must send a NO_PROPOSAL_CHOSEN notification. There is no must in the NO_PROPOSAL_CHOSEN text. It says "This can be sent...". In general what IKEv2 error message you get back depends on the implementation and about the order where the implementation parses things. For example some implementation might check the SA first and return NO_PROPOSAL_CHOSEN, but other implementation might check the SA limit first and return NO_ADDITIONAL_SAS if SA limit is already reached. Another similar case might be for example TS_UNACCEPTABLE error. Some implementations do have catch-all policy which says no algorithm proposal is valid for other addresses, thus instead of returning TS_UNACCEPTABLE error when proposed something that is outside their policy, they always return NO_PROPOSAL_CHOSEN as regardless what initiator proposed it cannot fullfill their no algorithm is allowed policy... So do not try to guess what error other end might return... > But according to > > "Section 1.2. The Initial Exchanges > Because the initiator sends its Diffie-Hellman value in the > IKE_SA_INIT, it must guess the Diffie-Hellman group that the > responder will select from its list of supported groups. If the > initiator guesses wrong, the responder will respond with a Notify > payload of type INVALID_KE_PAYLOAD indicating the selected group. > " > > From the INVALID_KE_PAYLOAD description stated above means that > NO_PROPOSAL_CHOSEN case is exclusive of this INVALID_KE_PAYLOAD. INVALID_KE_PAYLOAD is special case, as it is not really an error notification, it is notification telling that yes, your proposal was ok, but you selected wrong group in your KE payload, please try again with correct group. I.e. the INVALID_KE_PAYLOAD is used if the initiator used group in KE payload that is not allowed by the responder, but included some other group that is acceptable in the SA payload. I.e. if there is a way to recover, then you send INVALID_KE_PAYLOAD and tell which group should be used. If none of the groups in the SA payload is acceptable then you send NO_PROPOSAL_CHOSEN, as there is no way to continue, without changing the policy. -- kivinen@iki.fi From nobody Tue Sep 2 06:46:39 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA79A1A03C2 for ; Tue, 2 Sep 2014 06:46:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.561 X-Spam-Level: X-Spam-Status: No, score=-1.561 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4OwAUP9I-U9Y for ; Tue, 2 Sep 2014 06:46:29 -0700 (PDT) Received: from mail-la0-x230.google.com (mail-la0-x230.google.com [IPv6:2a00:1450:4010:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8031A1A8756 for ; Tue, 2 Sep 2014 06:46:05 -0700 (PDT) Received: by mail-la0-f48.google.com with SMTP id gl10so7896608lab.35 for ; Tue, 02 Sep 2014 06:45:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:subject:date:mime-version:content-type :content-transfer-encoding; bh=fsTqltUSMjX6zvmhJFprXrPXI2pBlQJnrJUV5+5sKdc=; b=R8jTyvULP9iQCvcFOTpvVZzZ38Gthks7tC85xblIl6cDowiFNDXWVR2I/WMe+PqtEJ ++sRLQ8umo2b7QxtiFDw2ja5sDQjXa4ENeupI/+ZK/xEEJZqpSUec6WUpkwFIrUZPu2R nR8T12pTCDWnLfS0ctGmH22CxkGxeFGjIJMSCliwfqeyaOQFPX3u6v7ckWEuAkrc0m4N 6CMfJFVqR10Rp5lgzjQm+wNnSXU0/DMAByoOTOyqqh2RcfHfWTKki1tjmhzXuvyVSST3 s5MXnWlho3X2rrRsmKeYZpxFP857lot3hzGvQf0OQnsAQMhmPZE6rAM5dbdrXVonnYs4 aa6A== X-Received: by 10.152.22.170 with SMTP id e10mr35467765laf.30.1409665558005; Tue, 02 Sep 2014 06:45:58 -0700 (PDT) Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id y5sm2544592laa.20.2014.09.02.06.45.56 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 02 Sep 2014 06:45:57 -0700 (PDT) Message-ID: <164B71A9D45447FEBDD4560944B3C740@buildpc> From: "Valery Smyslov" To: Date: Tue, 2 Sep 2014 17:46:00 +0400 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.5931 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/mScKP_8WZs2LiB8lCcip05ndB2w Subject: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-03.txt X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Sep 2014 13:46:31 -0000 Hi all, I've posted a new version of the draft-smyslov-ipsecme-ikev2-null-auth. It has the following differences from previous: 1. New Identity Type ID_NULL is introduced to indicate that no Identity is provided (instead of using reserved value 0 for this purpose) 2. The door opener example is replaced with the remote sensor example. 3. Security Consideration Section is updated. I still have an issue with the naming. Probably the "NULL Authentication" and the "ID_NULL" are not the most appropriate variants, but nobody from the vast majority of list subscribers, who have english as their native language, clearly let me know that yet and suggest better variants. Regards, Valery Smyslov. > A new version of I-D, draft-smyslov-ipsecme-ikev2-null-auth-03.txt > has been successfully submitted by Valery Smyslov and posted to the > IETF repository. > > Name: draft-smyslov-ipsecme-ikev2-null-auth > Revision: 03 > Title: The NULL Authentication Method in IKEv2 Protocol > Document date: 2014-09-02 > Group: Individual Submission > Pages: 9 > URL: > http://www.ietf.org/internet-drafts/draft-smyslov-ipsecme-ikev2-null-auth-03.txt > Status: > https://datatracker.ietf.org/doc/draft-smyslov-ipsecme-ikev2-null-auth/ > Htmlized: > http://tools.ietf.org/html/draft-smyslov-ipsecme-ikev2-null-auth-03 > Diff: > http://www.ietf.org/rfcdiff?url2=draft-smyslov-ipsecme-ikev2-null-auth-03 > > Abstract: > This document introduces the NULL Authentication Method for the IKEv2 > Protocol. This method provides a way to omit peer authentication in > the IKEv2. It may be used to preserve anonymity of or in the > situations, where no trust relationship exists between the parties. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > From nobody Tue Sep 2 15:04:49 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 902DD1A0720; Tue, 2 Sep 2014 15:04:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l6XJZN0hj5mw; Tue, 2 Sep 2014 15:04:45 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 65CA91A0792; Tue, 2 Sep 2014 15:04:43 -0700 (PDT) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: The IESG To: IETF-Announce X-Test-IDTracker: no X-IETF-IDTracker: 5.6.2.p5 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140902220443.1541.40721.idtracker@ietfa.amsl.com> Date: Tue, 02 Sep 2014 15:04:43 -0700 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/K0fi1wd7RAdQivBq4C3yPCdhvh8 Cc: ipsecme mailing list , ipsecme chair , RFC Editor Subject: [IPsec] Protocol Action: 'IKEv2 Fragmentation' to Proposed Standard (draft-ietf-ipsecme-ikev2-fragmentation-10.txt) X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Sep 2014 22:04:48 -0000 The IESG has approved the following document: - 'IKEv2 Fragmentation' (draft-ietf-ipsecme-ikev2-fragmentation-10.txt) as Proposed Standard This document is the product of the IP Security Maintenance and Extensions Working Group. The IESG contact persons are Kathleen Moriarty and Stephen Farrell. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-fragmentation/ Technical Summary This document describes a method to avoid IP fragmentation in large IKEv2 messages. It shows how to perform fragmentation in IKEv2 itself, replacing them by series of smaller messages. This allows IKEv2 messages to traverse network devices that don't allow IP fragments to pass through. Given that this is a protocol extension, it is meant to be a Proposed Standard. Working Group Summary Was there anything in the WG process that is worth noting? The WG discussion of the document was fairly good, with about average participation (which for the IPsecME WG means "the chairs had to beg a bit for more participants, but we then got them"). We also got a "TSVDIR-ish review" of the draft, which got good discussion on the list. There was a reasonable amount of give-and- take, and the WG Last Call was uncontentious. A significant point was brought up during IETF Last Call, and was added to the Security Considerations as a result of the SecDir review. A few issues came up during the first IESG review. Another series of edits occurred along with detailed reviews by a couple of area experts. The edited draft went back through WG last call and is ready for IESG review again. Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type, or other Expert Review, what was its course (briefly)? In the case of a Media Type Review, on what date was the request posted? Personnel Paul Hoffman (IPsecME WG co-chair) is the document shepherd and Kathleen Moriarty is the responsible AD. From nobody Thu Sep 4 08:10:32 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D5561A8915; Thu, 4 Sep 2014 08:10:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q9EMw7PzjmMq; Thu, 4 Sep 2014 08:10:26 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EFAA1A8907; Thu, 4 Sep 2014 08:10:10 -0700 (PDT) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: The IESG To: IETF-Announce X-Test-IDTracker: no X-IETF-IDTracker: 5.6.2.p6 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140904151010.28272.7982.idtracker@ietfa.amsl.com> Date: Thu, 04 Sep 2014 08:10:10 -0700 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/AQtq7P-EbGZx6t29azQXhc25UeE Cc: ipsecme mailing list , ipsecme chair , RFC Editor Subject: [IPsec] CORRECTED Protocol Action: 'IKEv2 Fragmentation' to Proposed Standard (draft-ietf-ipsecme-ikev2-fragmentation-10.txt) X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Sep 2014 15:10:28 -0000 The IESG has approved the following document: - 'IKEv2 Fragmentation' (draft-ietf-ipsecme-ikev2-fragmentation-10.txt) as Proposed Standard This document is the product of the IP Security Maintenance and Extensions Working Group. The IESG contact persons are Kathleen Moriarty and Stephen Farrell. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-fragmentation/ Technical Summary This document describes a method to avoid IP fragmentation in large IKEv2 messages. It shows how to perform fragmentation in IKEv2 itself, replacing them by series of smaller messages. This allows IKEv2 messages to traverse network devices that don't allow IP fragments to pass through. Given that this is a protocol extension, it is meant to be a Proposed Standard. Working Group Summary Was there anything in the WG process that is worth noting? The WG discussion of the document was fairly good, with about average participation (which for the IPsecME WG means "the chairs had to beg a bit for more participants, but we then got them"). We also got a "TSVDIR-ish review" of the draft, which got good discussion on the list. There was a reasonable amount of give-and- take, and the WG Last Call was uncontentious. A significant point was brought up during IETF Last Call, and was added to the Security Considerations as a result of the SecDir review. A few issues came up during the first IESG review. Another series of edits occurred along with detailed reviews by a couple of area experts. The edited draft went back through WG last call and is ready for IESG review again. Document Quality The draft had working group consensus and there is one implementation to date. The WG discussion of the document was fairly good, with about average participation (which for the IPsecME WG means "the chairs had to beg a bit for more participants, but we then got them"). We also got a "TSVDIR-ish review" of the draft, which got good discussion on the list. There was a reasonable amount of give-and-take, and the WG Last Call was uncontentious. A significant point was brought up during IETF Last Call, and was added to the Security Considerations." Personnel Paul Hoffman (IPsecME WG co-chair) is the document shepherd and Kathleen Moriarty is the responsible AD. From nobody Fri Sep 5 06:05:58 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61D531A06B0 for ; Fri, 5 Sep 2014 06:05:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.139 X-Spam-Level: * X-Spam-Status: No, score=1.139 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id boJbxf2IMmYk for ; Fri, 5 Sep 2014 06:05:45 -0700 (PDT) Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F7411A016A for ; Fri, 5 Sep 2014 06:05:44 -0700 (PDT) Received: by mail-lb0-f174.google.com with SMTP id n15so3911498lbi.33 for ; Fri, 05 Sep 2014 06:05:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=hKoHlGjunmfNO12IIyzPHC3N8sVED3t7fvc+EmguTBY=; b=mmIoYsOM9Mmj5Y/YE+a9nox/Gl7Cxf0VsROjBi5mUXzqpevdXX3qGsPZ/EzfneVEi2 TNufZdbWRIFQ4SYjxZquNeOSu4xN2oqGGQUytFe7AT2dLtsdn6teSZRr1XJkE5nUqKb5 bYRSSv8dECmmPVJim0YNT0nFywKXeWcngXE8I/vGkC3kOZBbhrRIm4RJrVID/RAMfGln PfCHZZ4BUU3oi8Hut24bWRNQcDssUnQILHZlR8azvboZHwDKk4T8Wk1POcz6e1AtYByV vkNUDK7iBys31InUmQpA9PWECrOIz45QxxUxxshmYqOQnAOoJmwLy98TC9Sd6VXs6q8w tSNA== X-Received: by 10.152.28.230 with SMTP id e6mr11765056lah.62.1409922342091; Fri, 05 Sep 2014 06:05:42 -0700 (PDT) Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id yx5sm716615lbb.35.2014.09.05.06.05.40 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 05 Sep 2014 06:05:41 -0700 (PDT) Message-ID: From: "Valery Smyslov" To: "Tero Kivinen" References: <21493.55390.157248.181030@fireball.kivinen.iki.fi> <21504.31762.454252.961126@fireball.kivinen.iki.fi> Date: Fri, 5 Sep 2014 17:05:42 +0400 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.5931 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/S-m7cVngzL1MIA9XR6p_uggWI7E Cc: ipsec@ietf.org Subject: Re: [IPsec] Typos in draft-kivinen-ipsecme-ikev2-rfc5996bis-04 X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Sep 2014 13:05:49 -0000 Section 2.23, 4th bullet: o The recipient of either the NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP notification MAY compare the supplied value to a SHA-1 hash of the SPIs, source or recipient IP address (respectively), address, and port, and if they don't match, it SHOULD enable NAT traversal. [...] It seems that there is an extra "address". Shouldn't it be: o The recipient of either the NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP notification MAY compare the supplied value to a SHA-1 hash of the SPIs, source or recipient IP address and port (respectively), and if they don't match, it SHOULD enable NAT traversal. [...] or o The recipient of either the NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP notification MAY compare the supplied value to a SHA-1 hash of the SPIs, source or recipient (respectively) IP address and port, and if they don't match, it SHOULD enable NAT traversal. [...] From nobody Sun Sep 7 11:53:16 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C3A11A069F for ; Sun, 7 Sep 2014 11:53:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.424 X-Spam-Level: * X-Spam-Status: No, score=1.424 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OOKxax6vLGR0 for ; Sun, 7 Sep 2014 11:53:14 -0700 (PDT) Received: from mail-wg0-x22c.google.com (mail-wg0-x22c.google.com [IPv6:2a00:1450:400c:c00::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EC9B1A069B for ; Sun, 7 Sep 2014 11:53:14 -0700 (PDT) Received: by mail-wg0-f44.google.com with SMTP id y10so197292wgg.15 for ; Sun, 07 Sep 2014 11:53:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=5OyMQZ+SEnhxUBl7G2tlZySoMf6lD+w+c/EriWhszUk=; b=ebA8SPO/YQgsjmjssFG4B3NuM3HUuzL6i7VRfuKxLRHo4F7q2Uo+EjvjwEIramRHwh AihqjpSsv/RK4RVDvQrqczpP0Tf3D1XxHg1NTpKGLfvMDLypxiY/NM3tlRfrFcVaFLwq A+K8d/0V4Ii8ItGAZEwxBgtcL+W4pbyty7AnthVXAIahPIj+PG7p6OUz/HB1cm/s2u55 ymgqm361Xh8ivGVDToNF1sAiR4MkUTT0l8rld39Ys3HipsVpyVHKRWokYThfg+xmlOHC 3M2TfkbozbJr2fMZRNL1/jCo08pN1zG8zNgDEYjL/RoYGpeHfJb0/KlhzVroqU3pMv+c 429Q== X-Received: by 10.180.101.129 with SMTP id fg1mr17243903wib.20.1410115992802; Sun, 07 Sep 2014 11:53:12 -0700 (PDT) Received: from [10.0.0.9] (bzq-79-177-135-86.red.bezeqint.net. [79.177.135.86]) by mx.google.com with ESMTPSA id u7sm9123002wif.7.2014.09.07.11.53.11 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 07 Sep 2014 11:53:12 -0700 (PDT) Message-ID: <540CA995.6050203@gmail.com> Date: Sun, 07 Sep 2014 21:53:09 +0300 From: Yaron Sheffer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: ipsec Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/06N2nYy8RKGTVuWPNxpjpelqYII Subject: [IPsec] Calls for adoption X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Sep 2014 18:53:15 -0000 Hi ipsecme folks,

At the Toronto meeting we reviewed 3 documents. We would like to know if the group is interested in adopting one or more of them as WG documents. We plan to issue separate calls for adoption for each one, with a duration of one work-week (5 days) each, starting today.

Thanks,
Yaron
From nobody Sun Sep 7 11:53:44 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D25711A06A5 for ; Sun, 7 Sep 2014 11:53:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.101 X-Spam-Level: X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2dly86feRu0Z for ; Sun, 7 Sep 2014 11:53:43 -0700 (PDT) Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A46F81A06A4 for ; Sun, 7 Sep 2014 11:53:42 -0700 (PDT) Received: by mail-wi0-f171.google.com with SMTP id hi2so1601759wib.10 for ; Sun, 07 Sep 2014 11:53:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=JnrX4HKzkLrstMrJB+zZmre49KcfJ2MWRcgUXaM1vvw=; b=gR4xeNu+Qr3Lf/uAXxs0ieiyln8BXedMJK4/4XZWpHabg1Urr47GuU3v7k9ueWgGCe Ji4hidD+LFkaexwlLiTFd18WOIFvDIIGlrQeLINoani8jy7h5MVuwboZc7SQ1ov0dFrx d7zcoanIweoyPRRUZheRvE1oSAJypaVhvBVJIFv/h897ij8UyX64D6QTG6d+kggPXU4/ z+nj2Fyf9N23J4mIaXxI8tDiMc0ZmIkV0gqJMWpL+r7Ro53XnGPRoBurcZU3QadGnQti hHgH01l3UuaLUn7Zf2iYLJfTMeiyDso0qk7XAhgvA0daPrhM9WAXH3PGrESUtaeYGMqA t41g== X-Received: by 10.180.91.70 with SMTP id cc6mr17601153wib.66.1410116021331; Sun, 07 Sep 2014 11:53:41 -0700 (PDT) Received: from [10.0.0.9] (bzq-79-177-135-86.red.bezeqint.net. [79.177.135.86]) by mx.google.com with ESMTPSA id gk17sm9238308wic.16.2014.09.07.11.53.40 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 07 Sep 2014 11:53:40 -0700 (PDT) Message-ID: <540CA9B2.3090807@gmail.com> Date: Sun, 07 Sep 2014 21:53:38 +0300 From: Yaron Sheffer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: ipsec Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/7oDHl3kkW8suM7EUvXkrLpceGKw Subject: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Sep 2014 18:53:44 -0000 Dear working group, This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG document. Please respond to this mail with a Yes or No and a short rationale, at latest by Friday Sep. 12. Thanks, Yaron From nobody Sun Sep 7 23:27:31 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C2F81A0056 for ; Sun, 7 Sep 2014 23:27:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.7 X-Spam-Level: X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zMWC4wbCnZXx for ; Sun, 7 Sep 2014 23:27:28 -0700 (PDT) Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CB781A6F1F for ; Sun, 7 Sep 2014 23:27:28 -0700 (PDT) Received: by mail-lb0-f181.google.com with SMTP id z11so2958893lbi.12 for ; Sun, 07 Sep 2014 23:27:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=B3QTjdpaAFgyrMLaMLfMkC8ECDW/O3L2D+VyTkL5jY4=; b=lYL56PF20REid6EwfjY4irrv0kNajAfQCGzvcB80MAg1bLVjtB+Tu6uBE6+FxwEEUk oljtPI96epcdqq74O5dUSVs3DuET48gUl6PxRr9FxhnvFl4438lDiC+rsXqfX3G+Vhlp vJgYwkOMEKzKqjfDCTmIAJdmnPyANodB0xVK9LRv6wC3ACIBiAVKdFrDmC4mMlqvd6ly 9JWHJM+eZMOFxY7PfpVXRmCkSGBu+uaaq24u2P8AZcwCnabSRdHv41qmkoInIMJVtsjm N/iP0ea3VCyqvfuA95kLRHgdHqd0SrV0E75n7G2Qe0QeiglGvh56F5tDp6bkO2iWg7u9 piRg== X-Received: by 10.112.17.2 with SMTP id k2mr8478148lbd.28.1410157646419; Sun, 07 Sep 2014 23:27:26 -0700 (PDT) Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id xy9sm3241605lbb.6.2014.09.07.23.27.25 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Sun, 07 Sep 2014 23:27:25 -0700 (PDT) Message-ID: From: "Valery Smyslov" To: "Yaron Sheffer" , "ipsec" References: <540CA9B2.3090807@gmail.com> Date: Mon, 8 Sep 2014 10:27:25 +0400 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.5931 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/d12ifIgsLfactTA6aFI4KL6tu9s Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2014 06:27:30 -0000 Yes. Obviously, as the author of the document I can see its value, which is describet in the document itself. And I think it's better to standardize it with more people involved, than as individual submission. Regards, Valery. ----- Original Message ----- From: "Yaron Sheffer" To: "ipsec" Sent: Sunday, September 07, 2014 10:53 PM Subject: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol > Dear working group, > > This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG > document. Please respond to this mail with a Yes or No and a short > rationale, at latest by Friday Sep. 12. > > Thanks, > Yaron > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec From nobody Mon Sep 8 06:04:34 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F5321A87D4 for ; Mon, 8 Sep 2014 06:04:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.753 X-Spam-Level: X-Spam-Status: No, score=-1.753 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.652] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KnwYfUlnxFGL for ; Mon, 8 Sep 2014 06:04:31 -0700 (PDT) Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2034B1A87CE for ; Mon, 8 Sep 2014 06:04:30 -0700 (PDT) Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 2BD8280416; Mon, 8 Sep 2014 09:04:27 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1410181467; bh=30PofIZ0wA5Vfgpl43lmx5Se5FXRWFklqNIVu0dikfI=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=JdiHMq7RzoZBwBrSjaI0Q4RVCcivp7aQn1a0Yw8nLINrV8UumuE6KVeuV+AsI1Z3c O5/JB63vPae9IPNPhbul+q/T/LqPGW0zp5cC5in/8Wc5l2WCwghEbae1e2DiDGiyQ2 mhBFnXIvhJmsSfcL/r44sMRgby72teCrZ6c3t+UI= Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s88D4QIq003224; Mon, 8 Sep 2014 09:04:26 -0400 X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs Date: Mon, 8 Sep 2014 09:04:26 -0400 (EDT) From: Paul Wouters To: Yaron Sheffer In-Reply-To: <540CA9B2.3090807@gmail.com> Message-ID: References: <540CA9B2.3090807@gmail.com> User-Agent: Alpine 2.10 (LFD 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/Rbq8tre4WLoyIANXEYwP6ZXhNYA Cc: ipsec Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2014 13:04:33 -0000 On Sun, 7 Sep 2014, Yaron Sheffer wrote: > Subject: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 > Protocol > > Dear working group, > > This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG > document. Please respond to this mail with a Yes or No and a short rationale, > at latest by Friday Sep. 12. Yes. This feature is very useful for opportunistic scenario's to defend against pervasive monitoring with no IPsec configuration needed on the client side. We are implementing this and it is important to interoperate with other implementations. Paul From nobody Mon Sep 8 07:54:14 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D08C01A8847 for ; Mon, 8 Sep 2014 07:54:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -8.653 X-Spam-Level: X-Spam-Status: No, score=-8.653 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CoxAhY0BzvCn for ; Mon, 8 Sep 2014 07:54:11 -0700 (PDT) Received: from ausxipps301.us.dell.com (ausxipps301.us.dell.com [143.166.148.223]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60D081A8842 for ; Mon, 8 Sep 2014 07:54:11 -0700 (PDT) DomainKey-Signature: s=smtpout; d=dell.com; c=nofws; q=dns; h=X-LoopCount0:X-IronPort-AV:From:To:CC:Subject: Thread-Topic:Thread-Index:Date:Message-ID:References: In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:x-originating-ip: Content-Type:Content-ID:Content-Transfer-Encoding: MIME-Version:Return-Path; b=fbZ8QqQud/V/BNtjtX3mTrsyyDTt+KmpZV5bU5uHzbCuNWzQxgi9kA75 fLh8t/5Ps7SsEaOhbfYObIVmAjXAWFFIvATbH1sr7e/HQqEUx7XBCieI0 aQW3IGJ5QN8eNhQ/lOxUI7Xysn9iR4MXm0BGtnS6xSsrM6jOhZWm/R9J2 o=; DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1410188051; x=1441724051; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=jvoV54u3o16ObN9umwSJXfU5P7EYZlBvVGjDRXyC6Hk=; b=VfoREBkPJa4bzH99aZ/ZEdJoW0kAB2czxSqF+wRFjHsYL6o14fO2oHqz f00itYEQVfM6ygquFBlmd0rF28tR0vYHnAwSA9aNHfkv6Y8tz7HYeVNmw MMJfQs6SDhrQxoS7CwCA00PDsLrI7uXiiHx2G7CwtIiB/aVUMSJT1PPyg Y=; X-LoopCount0: from 10.170.28.39 X-IronPort-AV: E=Sophos;i="5.04,486,1406610000"; d="scan'208";a="564034293" From: To: Thread-Topic: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol Thread-Index: AQHPy3S+RQfjeqJSdUuFetBAvZq/+g== Date: Mon, 8 Sep 2014 14:54:09 +0000 Message-ID: References: <540CA9B2.3090807@gmail.com> In-Reply-To: <540CA9B2.3090807@gmail.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.152.216.26] Content-Type: text/plain; charset="Windows-1252" Content-ID: <397F1DF8D33F774FB7C8650E5B8C48F7@dell.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/CcbUhRF6FJ7DVoqYOdLGoAqEvdE Cc: ipsec@ietf.org Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2014 14:54:13 -0000 On Sep 7, 2014, at 2:53 PM, Yaron Sheffer wrote: > Dear working group, >=20 > This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG= document. Please respond to this mail with a Yes or No and a short rationa= le, at latest by Friday Sep. 12. Maybe. I understand and support the rationale for this draft. =20 The Security Considerations seems to be inadequate. Whenever possible, rea= l authentication should be used. So the Security Considerations should exp= licitly and strongly emphasize that, and recommend that products that incor= porate Null authentication should strive to avoid its use whenever possible= , and steer users away from its use when they can. A related question: does the use of Null authentication open up the Bellovi= n attack? It seems that it would. If so, my answer changes to =93NO=94. paul From nobody Mon Sep 8 10:12:27 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C6F41A8984 for ; Mon, 8 Sep 2014 10:12:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -16.153 X-Spam-Level: X-Spam-Status: No, score=-16.153 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U7xEYjQW-ED7 for ; Mon, 8 Sep 2014 10:12:11 -0700 (PDT) Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B59B01A894D for ; Mon, 8 Sep 2014 10:10:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6891; q=dns/txt; s=iport; t=1410196209; x=1411405809; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=7kY+TeeWba2vkzTjrOcoQjyBQDkB9Cz5LCS9LPPlRw0=; b=FYsnYFbq5QqFO0YVXbn6P3+CQyzYrWFSKIe+mNGWqZ9mtVwsTyT2QCwb yUgBU59RRA6KvLuZ44rxAt6Xc9yBFUuo1gawPuOl6k0Nlmuxzfb1PqHvC xBknHxHOH4ZIThH65lC5IeWIWQf1idY5IbldPb27yclS/CE+yy71Bhj2y U=; X-Files: smime.p7s : 3708 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AicFACXiDVStJA2B/2dsb2JhbABQCYJqI1NXBMlnCodMAYEVFniEAwEBAQQBAQEaURcEAgEIDgMEAQEvAh8GCx0IAgQBEg6IIAMRAQy1CQ2GXQETBI0ggVIKAQE0IgaERgWPK4IVggaBSoVSghCOc4Y5g2FsgQ85gQcBAQE X-IronPort-AV: E=Sophos;i="5.04,486,1406592000"; d="p7s'?scan'208";a="75998391" Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-4.cisco.com with ESMTP; 08 Sep 2014 17:10:08 +0000 Received: from xhc-aln-x08.cisco.com (xhc-aln-x08.cisco.com [173.36.12.82]) by alln-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id s88HA8uS019535 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 8 Sep 2014 17:10:09 GMT Received: from xmb-aln-x13.cisco.com ([fe80::5404:b599:9f57:834b]) by xhc-aln-x08.cisco.com ([173.36.12.82]) with mapi id 14.03.0195.001; Mon, 8 Sep 2014 12:10:08 -0500 From: "Graham Bartlett (grbartle)" To: Valery Smyslov , Yaron Sheffer , ipsec Thread-Topic: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol Thread-Index: AQHPyy4DFcwTtQ+4VEqN7XrYpOOjUZv33bCA Date: Mon, 8 Sep 2014 17:10:07 +0000 Message-ID: References: <540CA9B2.3090807@gmail.com> In-Reply-To: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.4.4.140807 x-originating-ip: [10.55.146.101] Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3493044605_9956769" MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/n_tQBwsTIHJXCvN6YTBcAn7zHEc Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2014 17:12:23 -0000 --B_3493044605_9956769 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Hi Valery I have one Q. If endpoint receives a request to create an unauthenticated IKE SA from the IP address, which is configured on the endpoint to be authenticated, the request SHOULD be rejected. Why is this not MUST be rejected ? Otherwise an attacker could trick the responder into revealing their identity (maybe some words around this also?). Thanks Graham On 08/09/2014 07:27, "Valery Smyslov" wrote: >Yes. > >Obviously, as the author of the document I can see its value, >which is describet in the document itself. >And I think it's better to standardize it with >more people involved, than as individual submission. > >Regards, >Valery. > >----- Original Message ----- >From: "Yaron Sheffer" >To: "ipsec" >Sent: Sunday, September 07, 2014 10:53 PM >Subject: [IPsec] Call for adoption: The NULL Authentication Method in >IKEv2Protocol > > >> Dear working group, >> >> This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a >>WG >> document. Please respond to this mail with a Yes or No and a short >> rationale, at latest by Friday Sep. 12. >> >> Thanks, >> Yaron >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec > >_______________________________________________ >IPsec mailing list >IPsec@ietf.org >https://www.ietf.org/mailman/listinfo/ipsec --B_3493044605_9956769 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIIOeAYJKoZIhvcNAQcCoIIOaTCCDmUCAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0B BwGgggw+MIIEpzCCA4+gAwIBAgIQZmBP5MZi1b5ckUheWh5wbTANBgkqhkiG9w0BAQUFADBU MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEqMCgGA1UEAxMhR2xv YmFsU2lnbiBQZXJzb25hbFNpZ24gMSBDQSAtIEcyMB4XDTE0MDEyNTIyNDE0OFoXDTE2MDYw MzExMDA1OFowQDEbMBkGA1UEAwwSZ3JiYXJ0bGVAY2lzY28uY29tMSEwHwYJKoZIhvcNAQkB FhJncmJhcnRsZUBjaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCq YhYxolKrFoPfXuZTQdAiQVFg14EvWwIEMyXxhfH2RiwOSJRSsUVmTNYG8HdeSf0JdzjAMh9p ODgxLC90Q1nbLyBqmEAKElWTasAnATKBCD7aLhce+25cznTT4FDpJsvvU2lZFPWXSLQm3bNR +mEDP6pd8zR1ItOKBlNmGtwypUUvi4KrKRPzx1cSgVTN0Xocj4fC5N8Rj3tOqOns+EHOX4Rw oy/rebHjQyv1cRr6FyGhRuz24hPv8mAGr/iF0cMphAsujaGKyAo+tA05K3nI0fdoeCx2wdEs vo8jIeeZVii07b3K9+VdJQmerVKJyMfQT6gLkyuassY/5aXlglNxAgMBAAGjggGHMIIBgzAO BgNVHQ8BAf8EBAMCBaAwTAYDVR0gBEUwQzBBBgkrBgEEAaAyASgwNDAyBggrBgEFBQcCARYm aHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wHQYDVR0RBBYwFIESZ3Ji YXJ0bGVAY2lzY28uY29tMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUF BwMEMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3MvZ3Nw ZXJzb25hbHNpZ24xZzIuY3JsMFUGCCsGAQUFBwEBBEkwRzBFBggrBgEFBQcwAoY5aHR0cDov L3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3NwZXJzb25hbHNpZ24xZzIuY3J0MB0G A1UdDgQWBBRBHvZ1Aur9AFGMEId10iH6yeUX3jAfBgNVHSMEGDAWgBTsrJjMJ3KTz1YyzSPH nY1FhfQiAzANBgkqhkiG9w0BAQUFAAOCAQEAdhq5YZv5ZCu0/HdQF1S3f+quesVc39HKv+Fe 2rmKuJcxfGOFZGpKhJDa1+sFeN/T+e2e6UJ0Yy90GLqi5U1fioD3XRhsFiVOh7CbJQESF2Xx U1bhdutZFh6Ythe28iRPY6HQjJ/7ke5IQBWvLnAbCIzgy0GgZB9Vj+a2z6bzmfR6KAuLaMqM vahvJ0w+DeHMEOVnVzCdZzHMaEOXZHw/uZj5/hGvkp2C0rH/LhGunfAPX12WhVQSsgxWJhaF 8D49Ymrt7PWBsLokx06/15XwY2ogBmfLmeN/WhMy5HUiLn3EnzwF+RK2MStCDpP5AWzdnrTR tM43+AJrHwoI7H+C9DCCBBYwggL+oAMCAQICCwQAAAAAAS9O4SzhMA0GCSqGSIb3DQEBBQUA MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdS b290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwHhcNMTEwNDEzMTAwMDAwWhcN MTkwNDEzMTAwMDAwWjBUMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z YTEqMCgGA1UEAxMhR2xvYmFsU2lnbiBQZXJzb25hbFNpZ24gMSBDQSAtIEcyMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8aUcr5BvPNGjx0+LH0uRqeZCHrYQ7KN3QuahfxY8 fAzAbnvNDzGdEMyKn3+YX+k/QbAGNJOSFRxrAfhviF7WGcqDlin3HracDqMRgwrknWuFeqxh N2J7uXs3Y0zluJEkEittRXv+ZdXOG/Gp3gtoz5P9noc5jBbfWQpQBhcaJA2ucABbUVTHDTxi 7dBY8mTWq6kRAkGWBybHwq0YX+jaHudtQw0oBEmxjpJFP9qIXu0ckU/+OhtnAhrgzrsd4oAy qgc6u4dBYERcjDJFohihjbzPozgKDSSbdr44uO3p9Bg6ibjCxn2besLrIE7upoxvV09Fsf7h DeD/jcvs64z8pQIDAQABo4HlMIHiMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/ AgEAMB0GA1UdDgQWBBTsrJjMJ3KTz1YyzSPHnY1FhfQiAzBHBgNVHSAEQDA+MDwGBFUdIAAw NDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8w MwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNybDAf BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUFAAOCAQEAr7un yEtmt9Ia7hmNpqP+xMd0t5hLM0QBY8G3Dlg70XI6F+ZeSZeeXgCtUT/JhdQ+HsJ8+c6HypDu vg/OZ0gILDFIa9LDfRWm+tHIgxKaJjtCy0izg838dLwwnt/O3kA9N/htEYev2lsmWYCV9cVU m5V1tW3XuYNg6SbtcDRH+Ki1RED9es3R0BgHSm012KPxsiAOOxuhm1D3Iqs1qe6ms5WTKXVg wb/j/kplOa13nshhc8zULVO+oAlD4+7czNK2RJiTvhJiDJDRTZy3DJ3BCQ8rXOGdWzDEI5ui B8TZ0s327g44Ylc6dgKgYelNn9RLYjNETX8OIJZlr0tFYpcYrDCCA3UwggJdoAMCAQICCwQA AAAAARVLWsOUMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJv b3QgQ0EwHhcNOTgwOTAxMTIwMDAwWhcNMjgwMTI4MTIwMDAwWjBXMQswCQYDVQQGEwJCRTEZ MBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UECxMHUm9vdCBDQTEbMBkGA1UEAxMS R2xvYmFsU2lnbiBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2g7m mY3Oo+NPin778YuDJWvqSB/xKrC5lREEvfBj0eJnZs8c3c8bSCvujYmOmq8pgGWr6cctEsur HExwB6E9CjDNFY1P+N3UjFAVHO9Q7sQu9/zpUvKRfeBt1TUwjl5Dc/JB6dVq47KJOlY5OG8G PIhpWypNxadUuGyJzJv5PMrl/Yn1EjySeJbW3HRuk0Rh0Y3HRrJ1DoboGYrVbWzVeBaVounI Cjjr8iQTT3NUkxOFOhu8HjS1iwWMuXeLsdsfIJGrCVNukM57N3S5cEeRIlFjFnmusa5BJgjI GSvRRqpI1mQq14M0/ywqwWwZQ0oHhefTfPYhaO/q8lKff5OQzwIDAQABo0IwQDAOBgNVHQ8B Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUYHtmGkUNl8qJUC99BM00qP/8 /UswDQYJKoZIhvcNAQEFBQADggEBANZz53xPdtCNv+y6or40xSgytXz8bJwsK70JnlO/a16q EUi25Qijs8o9YU3TRgmzPsOg42NVG/K676054UO5OKPmL4omO++gUFb5xgr9OM3EC3BRlJeY BN/DX5TVFckUQZzEXXVkFQ3/VTDsho//De8suWNG9qr837xp/S4SSGSa4JXwpu8pjwGxFbUM HaX+aSxpJHges6cccWLuysiXrBddisL4R4ZuKsRWMZXQZ4mFK/lspl1GnQyqguSZUd1wt9tW PWHkauFc1vb+Pd5BzAeuY1K/U1P0K+nH/bb3gl+F0kEY24GzBBzFH6SAbxUgyd4MiAod1mZV 4vxIySkmaeAxggH+MIIB+gIBATBoMFQxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxT aWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIFBlcnNvbmFsU2lnbiAxIENBIC0gRzIC EGZgT+TGYtW+XJFIXloecG0wDQYJYIZIAWUDBAIBBQCgaTAvBgkqhkiG9w0BCQQxIgQgioIY VXF7EUSLDagdFVZx98jx3/zKShlPJcVDbochKH4wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH ATAcBgkqhkiG9w0BCQUxDxcNMTQwOTA4MTcxMDA1WjANBgkqhkiG9w0BAQEFAASCAQBWCib8 FFBeUHk1Sz0QSGSUwBJYGzobFwXZgUBQOgrCalHkKlnpcClFoSrS8jql/WV+KZ+De7ouxBg9 Ptnnhq8RIa2Phq9rVL6rfm9tAk1RUc3HIwL2gORMfLYPLcaAzVuzLYXci7DAtJXqWPp2/tMy QTgwiIiD901PoGqzJjW20pkdyzEVsHA8YAI5fwmy+TOxZYqP80aeGmMXzs+VUcb0qZ9ubHHj Y7TN1AZ1u0gjDefrONqxyznoBe2Y1W+cmqcO7b3VyDHEgNC9yL7KQwud2Fju5bMerSVMSHoo hh8p4jUF5j9JpYMxnawFOa3KdcvWmYEEOSePHiZdCYUFMqUp --B_3493044605_9956769-- From nobody Mon Sep 8 11:17:52 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98C001A0263 for ; Mon, 8 Sep 2014 11:17:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.652 X-Spam-Level: X-Spam-Status: No, score=-3.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.652] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u3QyUA1h96ls for ; Mon, 8 Sep 2014 11:17:47 -0700 (PDT) Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B81F61A0262 for ; Mon, 8 Sep 2014 11:17:47 -0700 (PDT) Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 313BE80416; Mon, 8 Sep 2014 14:17:46 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1410200266; bh=+jXUuWDfZ/IBCQsAdT7N8g3pH2ypboe/2C2QJcJYLDo=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=PalyhIxZotprYYZEgoTwQj7+eeAVzbBqgbmniUbGSYN1FMXqI8MEN1GzR6TAmGkuu 6Hl2bgR4ptRKoqqBv7RgTTkJPI7nqcIAeNV6A+TK9Uh1o6F8Sw36SAS6NAEBuzF36+ Z6jqI/cEimfeDPpnZx7jR5la+A+7RNhZRktYUsJA= Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s88IHjZm025568; Mon, 8 Sep 2014 14:17:45 -0400 X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs Date: Mon, 8 Sep 2014 14:17:44 -0400 (EDT) From: Paul Wouters To: Paul_Koning@Dell.com In-Reply-To: Message-ID: References: <540CA9B2.3090807@gmail.com> User-Agent: Alpine 2.10 (LFD 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8BIT Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/3V87BY5DQKPReX8HgU_FU9Rd9Aw Cc: ipsec@ietf.org Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2014 18:17:49 -0000 On Mon, 8 Sep 2014, Paul_Koning@Dell.com wrote: > Maybe. > > I understand and support the rationale for this draft. > > The Security Considerations seems to be inadequate. Whenever possible, real authentication should be used. So the Security Considerations should explicitly and strongly emphasize that, and recommend that products that incorporate Null authentication should strive to avoid its use whenever possible, and steer users away from its use when they can. I think that is better formulated as "use null authentication only if the alternative is to send plaintext". > A related question: does the use of Null authentication open up the Bellovin attack? It seems that it would. If so, my answer changes to �NO�. I find multiple references to a "Bellovin attack", but all seem to be active attacks. Unauthenticated connections are not protected from active attacks. However, with IKE one peer can authenticate the other without letting itself be authenticated - like TLS clients. That _is_ a protection against active attacks while still using null auth in one direction. Paul From nobody Mon Sep 8 11:37:47 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 058EE1A02D0 for ; Mon, 8 Sep 2014 11:37:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.953 X-Spam-Level: X-Spam-Status: No, score=-5.953 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eEhwRljG66_P for ; Mon, 8 Sep 2014 11:37:42 -0700 (PDT) Received: from ausc60ps301.us.dell.com (ausc60ps301.us.dell.com [143.166.148.206]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25BBA1A02BC for ; Mon, 8 Sep 2014 11:37:41 -0700 (PDT) DomainKey-Signature: s=smtpout; d=dell.com; c=nofws; q=dns; h=X-LoopCount0:X-IronPort-AV:From:To:CC:Subject: Thread-Topic:Thread-Index:Date:Message-ID:References: In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:x-originating-ip: Content-Type:Content-ID:Content-Transfer-Encoding: MIME-Version:Return-Path; b=DeMIf5lhbPKhD2kcIkZH76TqyKb0VPo527wQAS/hwrJ7Hb0goleTPb4Z h4KJswpbLw4EP8aEcyyGMV7iQP8pKxE8FGoPzDjRvR7uLIHtPHgNIrfox OB9M6EivkFb6xQEKuLgQaTZ6EtTSpqpImpyLfE4GmVb3oi6sKRJls2ALD Y=; DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1410201462; x=1441737462; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=0AHYa1yVVFRMYd1WOFjMByc2xA9I8vIg6fHVLyzqU4k=; b=kWEqgZEO+ey/gFa+2bx6bxQz/AT3aMALNuEdIt1BA0cQT6B1JwqmMatC wvdbUAMo5N7cxxhUzBvSMtT19XdlEyDKRw1raUkNW0JA5g+G+eiJIKgJC CfK0T6UiIJdusdo157tRRLiAhk9PgZRlLYAU9qF1VNI/YQUjIlAlKwkZO A=; X-LoopCount0: from 10.170.28.41 X-IronPort-AV: E=Sophos;i="5.04,487,1406610000"; d="scan'208";a="576769739" From: To: Thread-Topic: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol Thread-Index: AQHPy3S+pO6kHNlTNUC0lCro6ItLEpv330YAgAAFiwA= Date: Mon, 8 Sep 2014 18:37:35 +0000 Message-ID: <7C9AB479-042F-4039-9F02-4483F9C8385C@dell.com> References: <540CA9B2.3090807@gmail.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.152.216.26] Content-Type: text/plain; charset="Windows-1252" Content-ID: <8EB4CEB4498ECF4C8C90727ADDED4195@dell.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/oKmyTBzX6UM5yOYT_65tWpH47aw Cc: ipsec@ietf.org Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2014 18:37:45 -0000 On Sep 8, 2014, at 2:17 PM, Paul Wouters wrote: > On Mon, 8 Sep 2014, Paul_Koning@Dell.com wrote: >=20 >> Maybe. >>=20 >> I understand and support the rationale for this draft. >>=20 >> The Security Considerations seems to be inadequate. Whenever possible, = real authentication should be used. So the Security Considerations should = explicitly and strongly emphasize that, and recommend that products that in= corporate Null authentication should strive to avoid its use whenever possi= ble, and steer users away from its use when they can. >=20 > I think that is better formulated as "use null authentication only if the > alternative is to send plaintext=94. That is a very good way to state it. Thanks. >> A related question: does the use of Null authentication open up the Bell= ovin attack? It seems that it would. If so, my answer changes to =93NO=94= . >=20 > I find multiple references to a "Bellovin attack", but all seem to be act= ive > attacks. Unauthenticated connections are not protected from active attack= s. > However, with IKE one peer can authenticate the other without letting its= elf > be authenticated - like TLS clients. That _is_ a protection against > active attacks while still using null auth in one direction. I was referring to https://www.cs.columbia.edu/~smb/papers/badesp.pdf . The existing security considerations section refers to a man in the middle = attack. Bellovin=92s attack is not a man in the middle attack. It does no= t require being able to modify the data stream under attack at all. For th= at reason, it is likely to be easier to execute and harder to detect. =20 In any event, if we=92re going to have a new IPSec mode that weakens the no= rmal properties of IPSec, we need to be very explicit and very detailed abo= ut what precisely you lose by using this mode. I would expect a security c= onsiderations section that takes up at least half the total page count of t= he document, as opposed to just a third of a page as it is right now. For example, right now the security considerations section does NOT say tha= t =93Unauthenticated connections are not protected from active attacks=94. = It only says that they are not protected from man in the middle attacks.=20 paul From nobody Mon Sep 8 11:53:16 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 975A31A0317 for ; Mon, 8 Sep 2014 11:53:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X7gsbaMJod3V for ; Mon, 8 Sep 2014 11:53:13 -0700 (PDT) Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0171E1A02D4 for ; Mon, 8 Sep 2014 11:53:12 -0700 (PDT) Received: by mail-wg0-f41.google.com with SMTP id k14so1203467wgh.24 for ; Mon, 08 Sep 2014 11:53:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=Q93U6PzRombG1UzTF6kQ0ME1X367GDlafAKUXHvyc8E=; b=MFAL+jYNbzzvsaMU4wW8n7VwkBUUygK3P5vXmVskF+ftuaITgOsnbRD3ixxq1fcqb0 pZSzoEMU/ulpsCNE7ydu6cfP0oD4GpckGnSYwV6sEpmKNw2VICDI0TrAe+FtkwCOit+n DQxWFBz4sEWbGuTSEgExi/JPSyIHlR1Xy92bNx8QVVpPIyqJen15OBlATPSFsOcIFglx cS32xOVNqVP82Ln6ZeL/gi963RPdzHf2X47LjZEsbfmRs/zzAXVPj+JLCwH2HXyEv6uM chtHg2fCCwu4bJlacDUE8M8kAFIjrHMoRON4rccT/1hoTbkOzLFWn++ObmOW92ZdtQrP rNww== X-Received: by 10.194.185.230 with SMTP id ff6mr5419411wjc.120.1410202391488; Mon, 08 Sep 2014 11:53:11 -0700 (PDT) Received: from [10.0.0.9] (bzq-79-177-135-86.red.bezeqint.net. [79.177.135.86]) by mx.google.com with ESMTPSA id ua8sm12088829wjc.7.2014.09.08.11.53.07 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Sep 2014 11:53:11 -0700 (PDT) Message-ID: <540DFB07.6000806@gmail.com> Date: Mon, 08 Sep 2014 21:52:55 +0300 From: Yaron Sheffer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Paul_Koning@Dell.com, paul@nohats.ca References: <540CA9B2.3090807@gmail.com> <7C9AB479-042F-4039-9F02-4483F9C8385C@dell.com> In-Reply-To: <7C9AB479-042F-4039-9F02-4483F9C8385C@dell.com> Content-Type: text/plain; charset=windows-1255; format=flowed Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/Wsdqsak3XxeV5gqQgx3d6V7VlIs Cc: ipsec@ietf.org Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2014 18:53:14 -0000 Paul and Paul (and yet another Paul), Just a process comment: this is a call for adoption, a "first call" not a last call. There may still be many issues with the document, which we will fix as a group *if* the document is adopted. So is the document dealing with an important problem, and is it good enough as a starting point of a solution? Thanks, Yaron From nobody Mon Sep 8 12:51:16 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7ED51A0340 for ; Mon, 8 Sep 2014 12:51:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.953 X-Spam-Level: X-Spam-Status: No, score=-5.953 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uMtd6r3RSvHg for ; Mon, 8 Sep 2014 12:51:14 -0700 (PDT) Received: from ausxipps310.us.dell.com (AUSXIPPS310.us.dell.com [143.166.148.211]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B0A11A0326 for ; Mon, 8 Sep 2014 12:51:14 -0700 (PDT) DomainKey-Signature: s=smtpout; d=dell.com; c=nofws; q=dns; h=X-LoopCount0:X-IronPort-AV:From:To:CC:Subject: Thread-Topic:Thread-Index:Date:Message-ID:References: In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:x-originating-ip: Content-Type:Content-ID:Content-Transfer-Encoding: MIME-Version:Return-Path; b=JSvvKHXkpGcTMa5oZh3s3ML1Tm/bxxrdiXQhuHTm1M1BU1RAT+w/UXpQ 3Frp6OigZgrPKcADkCztEOePRJs4fC/prLbij5UAf2XWrhxdrtLVn7D9A iE0w03YAOcD7H7jbAkRZjlL67JmFFFfT6Tc2hhGxcPQfLSl8Q6EtGRHL3 k=; DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1410205874; x=1441741874; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=Cf745U+4u0EHXgpbyqISvT7troDJ/tJtSzirSiCRw8M=; b=v2/b3CO3/49uyjHEWCp3E4jmWush7Jwy5kP92O3tyQ6JnanfstC+oyD4 HvWm3DxjI0yPkQ9USmqYW4ht8weIN7I7+xcxiVkpzhfou97uA0P291Rhi Lp3WJg8y7Ml6sCqTacYC22GjE0+lrit9NmlVYQL+cIawTmrEVXnEhccAo 4=; X-LoopCount0: from 10.175.216.251 X-IronPort-AV: E=Sophos;i="5.04,488,1406610000"; d="scan'208";a="80158074" From: To: Thread-Topic: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol Thread-Index: AQHPy3S+pO6kHNlTNUC0lCro6ItLEpv330YAgAAFiwCAAARKgIAAEDSA Date: Mon, 8 Sep 2014 19:51:11 +0000 Message-ID: <619F8199-A01A-4964-9717-831B72698AAE@dell.com> References: <540CA9B2.3090807@gmail.com> <7C9AB479-042F-4039-9F02-4483F9C8385C@dell.com> <540DFB07.6000806@gmail.com> In-Reply-To: <540DFB07.6000806@gmail.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.152.216.26] Content-Type: text/plain; charset="Windows-1252" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/Kxz7Z8yFRU4j6bqb1Gyab1DKKBA Cc: ipsec@ietf.org, paul@nohats.ca Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2014 19:51:15 -0000 On Sep 8, 2014, at 2:52 PM, Yaron Sheffer wrote: > Paul and Paul (and yet another Paul), >=20 > Just a process comment: this is a call for adoption, a "first call" not a= last call. There may still be many issues with the document, which we will= fix as a group *if* the document is adopted. So is the document dealing wi= th an important problem, and is it good enough as a starting point of a sol= ution? >=20 > Thanks, > Yaron Thanks for pointing that out. Thinking of this as =93first call=94 helps a= lot. Ok, then my answer is =93yes=94 =97 reason being =93this is an important pr= oblem to fix and the direction makes sense=94. paul From nobody Mon Sep 8 17:23:33 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 737601A02C2 for ; Mon, 8 Sep 2014 17:23:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.277 X-Spam-Level: X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zTp6qTPNQw0n for ; Mon, 8 Sep 2014 17:23:28 -0700 (PDT) Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E27061A0266 for ; Mon, 8 Sep 2014 17:23:21 -0700 (PDT) Received: by mail-lb0-f180.google.com with SMTP id b12so1086983lbj.11 for ; Mon, 08 Sep 2014 17:23:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=0EvlatmQw++6GsweoSU+3WmCaCLr9/h9ae38Ggtrr8Q=; b=I9gmPCBd6T93r+Bi4kQTE8H78cD2LV8S8t7vuPM9/WhayvODi3EKoRpOlhKT8oByAi VtVL6yeFtg7F153J7FJPxjxrbkmXyBxaBlwh5NAKCRwSvvsmNiMXDKA/i0QjltyTcHTO 6ceXY2/lKcaD7MzAjwxGEIgG1/Hm/vuMvxT1mpH9FShQDle4PAY4XTgyXA9KhK/wbluY wVSOstwWTkwQmctiSQxJfr/Rw1+XAcRLyfibkIesS/iQy03lYoCS9bJRcbzSgGCtYIDb Pq/9h25IfeV5PCy02qr3/+zNfzBbTmGDPUCgnY/b8ocQcBnBpKC/TVelB2augNpTwSc7 tyQg== X-Received: by 10.152.42.231 with SMTP id r7mr32466317lal.23.1410222200137; Mon, 08 Sep 2014 17:23:20 -0700 (PDT) MIME-Version: 1.0 Sender: hugokraw@gmail.com Received: by 10.25.16.135 with HTTP; Mon, 8 Sep 2014 17:22:50 -0700 (PDT) In-Reply-To: References: <540CA9B2.3090807@gmail.com> From: Hugo Krawczyk Date: Mon, 8 Sep 2014 20:22:50 -0400 X-Google-Sender-Auth: CL9JzxCZq3A34Glk82cKDXL3Hpg Message-ID: To: Paul_Koning@dell.com Content-Type: multipart/alternative; boundary=001a11c34bc64b2b46050296f109 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/IJr0K2YHLFaLZgX7t-saq0Y_fYg Cc: IPsecme WG Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2014 00:23:30 -0000 --001a11c34bc64b2b46050296f109 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable The subject line (and the comment on Bellovin attack) caught my eye. I don't follow the discussions in this list so I don't know how much the need and dangers of unauthenticated methods were discussed here. I want to point out that (and probably many did before me) that un-authentication is a very tricky option especially in a protocol that was created with mutual authentication as a core requirement and assumption. I can see potential benefits and uses but I can also see it abused and misused (the internet draft doesn't do too good a job warning about it but even if it did, people will misuse it). But requirements aside, I cannot vow for the security of IKE's key exchange in a one-way authentication mode. No one (that I know, definitely not me) designed this protocol to support one-way authentication. So the question of whether it is secure in this setting has not been investigated. Moreover, I see that the draft uses shared-key fields for the anonymous side of the communication and, I imagine, the other can use signature-based authentication. What security properties do you get from that mix-and-match authentication methods? One likely misuse of this technique is that people will use unauthenticated (or one-way) IKE and will run some other authentication on top of it (say, password based or whatever). Well, protocols do not necessarily compose securely. TLS had many failures like that (BEAST, re-negotiation, triple handshake, ...) and IPsec saw examples of that in the combinations of unauthenticated ESP and AH. IKE's cryptographic design has endured the test of time but these variations (or improvisations) endanger it. Finally, since Bellovin's attack was mentioned, I want to make sure that no one is thinking of not using the MAC authentication at the IP packet level, right? Hugo On Mon, Sep 8, 2014 at 10:54 AM, wrote: > > On Sep 7, 2014, at 2:53 PM, Yaron Sheffer wrote: > > > Dear working group, > > > > This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a > WG document. Please respond to this mail with a Yes or No and a short > rationale, at latest by Friday Sep. 12. > > Maybe. > > I understand and support the rationale for this draft. > > The Security Considerations seems to be inadequate. Whenever possible, > real authentication should be used. So the Security Considerations shoul= d > explicitly and strongly emphasize that, and recommend that products that > incorporate Null authentication should strive to avoid its use whenever > possible, and steer users away from its use when they can. > > A related question: does the use of Null authentication open up the > Bellovin attack? It seems that it would. If so, my answer changes to = =E2=80=9CNO=E2=80=9D. > > paul > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > --001a11c34bc64b2b46050296f109 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

The subject line (and the comment on Bellovin a= ttack) caught my eye. I don't follow the discussions in this list so I = don't know how much the need and dangers of unauthenticated methods wer= e discussed here. I want to point out that (and probably many did before me= ) that un-authentication is a very tricky option especially in a protocol t= hat was created with mutual authentication as a core requirement and assump= tion. I can see potential benefits and uses but I can also see it abused an= d misused (the internet draft doesn't do too good a job warning about i= t but even if it did, people will misuse it).

But requirements aside= , I cannot vow for the security of IKE's key exchange in a one-way auth= entication mode. No one (that I know, definitely not me) designed this prot= ocol to support one-way authentication. So the question of whether it is se= cure in this setting has not been investigated. Moreover, I see that the dr= aft uses shared-key fields for the anonymous side of the communication and,= I imagine, the other can use signature-based authentication. What security= properties do you get from that mix-and-match authentication methods?
=

One likely misuse of this technique is that people wil= l use unauthenticated (or one-way) IKE and will run some other authenticati= on on top of it (say, password based or whatever). Well, protocols do not n= ecessarily compose securely. TLS had many failures like that (BEAST, re-neg= otiation, triple handshake, ...) and IPsec saw examples of that in the comb= inations of unauthenticated ESP and AH. IKE's cryptographic design has = endured the test of time but these variations (or improvisations) endanger = it.

Finally, since Bellovin's attack was mentio= ned, I want to make sure that no one is thinking of not using the MAC authe= ntication at the IP packet level, right?

Hugo
<= br>

On Mon, Sep 8, 2014 at 10:54 AM, = <Paul_Koning@dell.com> wrote:

On Sep 7, 2014, at 2:53 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> Dear working group,
>
> This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a= WG document. Please respond to this mail with a Yes or No and a short rati= onale, at latest by Friday Sep. 12.

Maybe.

I understand and support the rationale for this draft.

The Security Considerations seems to be inadequate.=C2=A0 Whenever possible= , real authentication should be used.=C2=A0 So the Security Considerations = should explicitly and strongly emphasize that, and recommend that products = that incorporate Null authentication should strive to avoid its use wheneve= r possible, and steer users away from its use when they can.

A related question: does the use of Null authentication open up the Bellovi= n attack?=C2=A0 It seems that it would.=C2=A0 If so, my answer changes to = =E2=80=9CNO=E2=80=9D.

=C2=A0 =C2=A0 =C2=A0 =C2=A0 paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/ipsec

--001a11c34bc64b2b46050296f109-- From nobody Tue Sep 9 00:11:07 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 813411A0B0E for ; Tue, 9 Sep 2014 00:11:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.561 X-Spam-Level: X-Spam-Status: No, score=-1.561 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VlWyOGZ81_c8 for ; Tue, 9 Sep 2014 00:11:05 -0700 (PDT) Received: from mail-la0-x22d.google.com (mail-la0-x22d.google.com [IPv6:2a00:1450:4010:c03::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96AAD1A0B13 for ; Tue, 9 Sep 2014 00:11:04 -0700 (PDT) Received: by mail-la0-f45.google.com with SMTP id pn19so18927436lab.32 for ; Tue, 09 Sep 2014 00:11:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=tQbFijjMBa2W4aL4s2R1abEuK12cxq46ECgGRAxI9Gk=; b=nibHjV8XNgIXjVJ9BqHWFHbAA4T1jhMw5n1H/i9CzzTRkC1Udc48R1Zy/OhKyQZsRs swpwuqoR1tu04PGpoP19Djx/OG6lXvuj36zRyTnCyaTjruXULDn79r6WiuSyi2Yp46Se QNbYSpx/laA52IulJBgb0qVDoQojjkbFIs6/5eqTx0mHygIXFzoxgJCJkmSy5rYGhYSo h7VUY3/bimtdZT+eE05IDgQtzrtloM1epJMmEaEJ6SQW6vvs43yWCr4VohyxrWQ1dXwS vwmGX0N6UwKCybd0S1IxYKwz9Ksel0wSdGBVxZlJGHNxK022AmVSglcrg7QxW/839xnz S2rw== X-Received: by 10.152.36.37 with SMTP id n5mr889406laj.93.1410246662870; Tue, 09 Sep 2014 00:11:02 -0700 (PDT) Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id i3sm3991639laa.8.2014.09.09.00.11.00 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 09 Sep 2014 00:11:01 -0700 (PDT) Message-ID: <0666BB9DE8304DC1891658BFA9FF7EF7@buildpc> From: "Valery Smyslov" To: "Graham Bartlett $grbartle$" , "Yaron Sheffer" , "ipsec" References: <540CA9B2.3090807@gmail.com> Date: Tue, 9 Sep 2014 11:11:21 +0400 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="windows-1251"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.5931 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/iIg_0Lq6xuPpX649CG0x6h4t4ew Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2014 07:11:06 -0000 Hi Graham, > I have one Q. > > If endpoint receives a request to create an unauthenticated IKE SA > from the IP address, which is configured on the endpoint to be > authenticated, the request SHOULD be rejected. > > Why is this not MUST be rejected ? Otherwise an attacker could trick the > responder into revealing their identity (maybe some words around this > also?). I was thinking of two possible cases here. First, even if the initiator was able to certify its identity, it might want to keep anonymity for this particular connection (for example to prevent tracking its activity). And the other case - the responder's configuration could be out of date and the IP address it was configured to be authenticated could already belong to some other, anonymous host. Anyway, while SHOULD is pretty strong requirement, it is not ultimate here: I'm not absolutely sure that the above cases completely justify it over MUST. We can discuss it. And you are right - some (I dare to say "many") words still need to be added into the Security Considerations section. Regards, Valery. > Thanks > > Graham > > > On 08/09/2014 07:27, "Valery Smyslov" wrote: > >>Yes. >> >>Obviously, as the author of the document I can see its value, >>which is describet in the document itself. >>And I think it's better to standardize it with >>more people involved, than as individual submission. >> >>Regards, >>Valery. >> >>----- Original Message ----- >>From: "Yaron Sheffer" >>To: "ipsec" >>Sent: Sunday, September 07, 2014 10:53 PM >>Subject: [IPsec] Call for adoption: The NULL Authentication Method in >>IKEv2Protocol >> >> >>> Dear working group, >>> >>> This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a >>>WG >>> document. Please respond to this mail with a Yes or No and a short >>> rationale, at latest by Friday Sep. 12. >>> >>> Thanks, >>> Yaron >>> >>> _______________________________________________ >>> IPsec mailing list >>> IPsec@ietf.org >>> https://www.ietf.org/mailman/listinfo/ipsec >> >>_______________________________________________ >>IPsec mailing list >>IPsec@ietf.org >>https://www.ietf.org/mailman/listinfo/ipsec > From nobody Tue Sep 9 00:42:07 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9E141A0B78 for ; Tue, 9 Sep 2014 00:42:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t6VnzlMP-w1Y for ; Tue, 9 Sep 2014 00:42:02 -0700 (PDT) Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5F6B1A0B75 for ; Tue, 9 Sep 2014 00:42:01 -0700 (PDT) Received: by mail-wi0-f173.google.com with SMTP id em10so14987wid.0 for ; Tue, 09 Sep 2014 00:42:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Auwgj8x8Hi5l2bEpwQVOFoVbict+fCxUraRwWLdqciE=; b=aCZF33D1KeuxnFpezS6jJBcGajmx4siyJGhzgj52tv92mA6ti4Gsupc56C8BNF2r97 UtvS03Il0T5aSZzjnAneUiPwkPgi87RBnfMdS4pR7//App8RvdBQX8vrME0RQBIgahjk oNe5gjj2ZhTEEJg49o0pg0e/gmh5X9q6iCkFJHLN3pxfjE/Pb5k4+XsZ2s9uqtIUeyrB bDB+Ibbh04LWfP02QlOK11nJktySX0YwHJ+KhzSPNP/TCyNQq+wyw4kZvOuzDwH5nSGN g0HWfY3X5/PY0aIk0uZRG0q/m0D0GOr3di8yAHZxeL9w1BHSFLrDCVg6vFMYSfFMiCES 4cdA== MIME-Version: 1.0 X-Received: by 10.194.63.205 with SMTP id i13mr40847190wjs.74.1410248520134; Tue, 09 Sep 2014 00:42:00 -0700 (PDT) Received: by 10.194.137.67 with HTTP; Tue, 9 Sep 2014 00:42:00 -0700 (PDT) In-Reply-To: <540CA9B2.3090807@gmail.com> References: <540CA9B2.3090807@gmail.com> Date: Tue, 9 Sep 2014 09:42:00 +0200 Message-ID: From: Daniel Migault To: Yaron Sheffer Content-Type: multipart/alternative; boundary=047d7ba97a801674dc05029d1202 Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/NV7pWBTwikLxrq93xqjvU8fcv74 Cc: ipsec Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2014 07:42:04 -0000 --047d7ba97a801674dc05029d1202 Content-Type: text/plain; charset=UTF-8 Hi, I am in favor of adopting this draft. In my case I see it as a way to ease IPsec deployment in IoT with opportunistic encryption. BR, Daniel On Sun, Sep 7, 2014 at 8:53 PM, Yaron Sheffer wrote: > Dear working group, > > This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG > document. Please respond to this mail with a Yes or No and a short > rationale, at latest by Friday Sep. 12. > > Thanks, > Yaron > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > -- Daniel Migault Orange Labs -- Security +33 6 70 72 69 58 --047d7ba97a801674dc05029d1202 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Hi,

I am in favor of adopting= this draft. In my case I see it as a way to ease IPsec deployment in IoT w= ith opportunistic encryption.

BR,

Daniel

<= div class=3D"gmail_extra">

On Sun, Sep 7, 201= 4 at 8:53 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrot= e:

Dear working group,

This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as= a WG document. Please respond to this mail with a Yes or No and a short ra= tionale, at latest by Friday Sep. 12.

Thanks,
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Yaron

_______________________________________________
IPsec mailing list
IPsec@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/ipsec

--
Daniel Migault
Orang= e Labs -- Security
+33 6 70 72 69 58 --047d7ba97a801674dc05029d1202-- From nobody Tue Sep 9 02:41:44 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FF911A06B6 for ; Tue, 9 Sep 2014 02:41:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qjnoz-1_DZvl for ; Tue, 9 Sep 2014 02:41:39 -0700 (PDT) Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 928B01A89BA for ; Tue, 9 Sep 2014 02:41:26 -0700 (PDT) Received: by mail-wg0-f48.google.com with SMTP id m15so2740834wgh.7 for ; Tue, 09 Sep 2014 02:41:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=88pt4P/rd33D8KERwFiYSidcUzdBj/IxvRflhERkoEM=; b=pVF+gxA6weYF4qCgQjbOknmFhWcyASOa8Z6ezXsHVfF0ctkg480RBBffTWfoKZVdpR SIQnufhKZOUrAgJQiPBY9fkmhQMfghNMCj4j2HeJgeNDNzoj5x1jDb1Oxo8Im30DI9Eu 4rwtcXvfgFrPxwHXnXM7LrSNAbU0ZnxGIFoXfAatWGFQRMRI3I/BD5F5fCcAzm9+SWBs lA+IrrI6mrnzmSMubs37XB2m68JbxvrV/PtWSEEtXymJDIiPz202gdcwFNNQPZTjzqLq wp/LGz8g2SiPAB/O57JP3z8rMDLMa9E1kM/H616WYMbmitww5mACL/S3a2V2BN6ubey6 eY/g== X-Received: by 10.180.35.134 with SMTP id h6mr29283866wij.0.1410255685253; Tue, 09 Sep 2014 02:41:25 -0700 (PDT) Received: from [192.168.0.17] ([41.212.114.217]) by mx.google.com with ESMTPSA id lm18sm14886092wic.22.2014.09.09.02.41.21 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 09 Sep 2014 02:41:24 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.3 $1878.6$) From: Les Leposo In-Reply-To: Date: Tue, 9 Sep 2014 12:40:31 +0300 Content-Transfer-Encoding: quoted-printable Message-Id: <94FA376D-8F43-4327-B4E6-8E4BF06C7D60@gmail.com> References: To: ipsec@ietf.org X-Mailer: Apple Mail (2.1878.6) Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/4v6OAlPtFNQzkj8gSMCHZ8hO4_s Subject: Re: [IPsec] IPsec Digest, Vol 125, Issue 9 X-BeenThere: ipsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Discussion of IPsec protocols List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2014 09:41:41 -0000 imho, this would be useful for bring-up work i.e. for both developers = and deployers. However, as folks already pointed out, there are significant security = tradeoffs (and mitigations) that SHOULD/MUST to be explicated (i.e.more = verbiage). Points to consider: 1) allowing unauthenticated IKE-SAs (and in turn CHILD-SAs) to be = established, would open up opportunities for ikev2 "exhaustion attacks" = that previously weren't there (on the server side), no? 2) this feature could also tempt network admins to fallback to 'null = authentication' as a work-around/short-cut in cases where they are = unable to properly configure a deployment. It would help if better use cases are highlighted: A) the anonymity use case is subjective because, one could simply use a = psk/cert that identifies an "access group" as opposed to an "individual" = psk/cert, no? B) the "low power" sensor use case is also subjective because, if the = sensor data is truly confidential, would you want to make sure the = sensor wont be redirected to a rogue/fake server? $0.02 On Sep 8, 2014, at 10:00 PM, ipsec-request@ietf.org wrote: > Send IPsec mailing list submissions to > ipsec@ietf.org >=20 > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/ipsec > or, via email, send a message with subject or body 'help' to > ipsec-request@ietf.org >=20 > You can reach the person managing the list at > ipsec-owner@ietf.org >=20 > When replying, please edit your Subject line so it is more specific > than "Re: Contents of IPsec digest..." >=20 >=20 > Today's Topics: >=20 > 1. Re: Call for adoption: The NULL Authentication Method in > IKEv2 Protocol (Yaron Sheffer) >=20 >=20 > ---------------------------------------------------------------------- >=20 > Message: 1 > Date: Mon, 08 Sep 2014 21:52:55 +0300 > From: Yaron Sheffer > To: Paul_Koning@Dell.com, paul@nohats.ca > Cc: ipsec@ietf.org > Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method > in IKEv2 Protocol > Message-ID: <540DFB07.6000806@gmail.com> > Content-Type: text/plain; charset=3Dwindows-1255; format=3Dflowed >=20 > Paul and Paul (and yet another Paul), >=20 > Just a process comment: this is a call for adoption, a "first call" = not=20 > a last call. There may still be many issues with the document, which = we=20 > will fix as a group *if* the document is adopted. So is the document=20= > dealing with an important problem, and is it good enough as a starting=20= > point of a solution? >=20 > Thanks, > Yaron >=20 >=20 >=20 > ------------------------------ >=20 > Subject: Digest Footer >=20 > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >=20 >=20 > ------------------------------ >=20 > End of IPsec Digest, Vol 125, Issue 9 > ************************************* From nobody Tue Sep 9 04:08:07 2014 Return-Path: X-Original-To: ipsec@ietfa.amsl.com Delivered-To: ipsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 912131A6FCA for ; Tue, 9 Sep 2014 04:08:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.561 X-Spam-Level: X-Spam-Status: No, score=-1.561 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iOkS2W1Zmz4q for ; Tue, 9 Sep 2014 04:08:03 -0700 (PDT) Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F2F11A6FD3 for ; Tue, 9 Sep 2014 04:08:02 -0700 (PDT) Received: by mail-la0-f54.google.com with SMTP id b17so19385454lan.13 for ; Tue, 09 Sep 2014 04:08:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=glMGF1s3y8aMW5SQLR1S4/TdrDHtZe3a+mEObV5j4FM=; b=B5syUZi3Z/svXS8HVO4lTaF9BhyfFZ2sL3OR2U8xlfWGRIw0zt3MFnraqifCL8+XUY PfnnOM3BME2ac43wXaK4sEPE5ogSLnt1loLVWMtEQ0hy3yCmL52Wayf9as/r6PCPA46R VyVHLHoOE5YOkFiTDrPtoD1f8UAENYUef1TQWXZN1ZvbBnbD6/jhoMaYBAFo0KkUFgoY 38soctAzjWkDGtLMTlvEKnqOnEwN922MiEoHC3yTPzgAhYn1C3j+262smyqA6T8jEkB0 XmcByp1EwLpz7B6r5Jzq4w3nJ0INB52I7Loe3m097hqT35n4nn6THiSlHhJIKkN6mnLU MCVA== X-Received: by 10.152.27.38 with SMTP id q6mr35453188lag.60.1410260880255; Tue, 09 Sep 2014 04:08:00 -0700 (PDT) Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id xh2sm4454396lbb.7.2014.09.09.04.07.58 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 09 Sep 2014 04:07:59 -0700 (PDT) Message-ID: From: "Valery Smyslov" To: "Les Leposo" , References: