headers
Karen E. Nielsen (AH/TED | 2 Jan 2004 09:45
Picon
Favicon

RE: new version of IPsec 2401bis

Hi Karen,

Could you please advise my as to where I can find the
new draft.

Thanks,
Karen

> -----Original Message-----
> From: owner-ipsec <at> lists.tislabs.com
> [mailto:owner-ipsec <at> lists.tislabs.com]On Behalf Of Karen Seo
> Sent: 25. december 2003 04:28
> To: ipsec <at> lists.tislabs.com
> Cc: Ted Tso; Barbara Fraser; Tero Kivinen; Angelos Keromytis;
> kseo <at> bbn.com
> Subject: new version of IPsec 2401bis
> 
> 
> Folks,
> 
> We just submitted a revised draft for 2401bis, "Security Architecture 
> for the Internet Protocol".
> 
> Wishing you a Happy Holiday Season!
> Karen
>
Permalink | Reply | 1 comment |
headers
Karen Seo | 2 Jan 2004 20:52
Picon

RE: new version of IPsec 2401bis

Hello Karen,

The IETF secretariat will post the draft to a number of repositories 
where people can pick it up (www.ietf.org/ID.html or the mirror sites 
at www.ietf.org/shadow.html) and will also send out an announcement 
when this happens.  My guess is that it's been held up by the 
holidays/vacations and should be out by next week.

Happy New Year,
Karen

>Hi Karen,
>
>Could you please advise my as to where I can find the
>new draft.
>
>Thanks,
>Karen
>
>>  -----Original Message-----
>>  From: owner-ipsec <at> lists.tislabs.com
>>  [mailto:owner-ipsec <at> lists.tislabs.com]On Behalf Of Karen Seo
>>  Sent: 25. december 2003 04:28
>>  To: ipsec <at> lists.tislabs.com
>>  Cc: Ted Tso; Barbara Fraser; Tero Kivinen; Angelos Keromytis;
>>  kseo <at> bbn.com
>>  Subject: new version of IPsec 2401bis
>>
>>
>>  Folks,
(Continue reading)

Permalink | Reply | 0 comments |
headers
Hugo Krawczyk | 2 Jan 2004 21:28
Picon

RE: Clarification of EAP authentication in IKEv2?

thanks Pasi for the clarification.
In light of what you say below we have a few choices on how to proceed:

(1) leave things as they are now, using SK_a as a key to the prf as currently
    specified in sec 2.15, and also as a key to prf in the planned new
    text of 2.16 for computing AUTH (by the initiator in msg 3) in the case of
    EAP methods that do NOT generate keys

(2) change the spec to use the integrity algorithm from SK{} (i.e. type 3)
    instead of prf in the above cases

(3) derive an additional pair of keys from SKEYSEED (call them SK_pi and
    SK_pr) for keying the prf in these two cases.

The first option is the simplest now but wrong from the crypto point of
view as it violates the basic principle of not using the same keys with
different algorithms.
The second solution is simple as it only requires a small change in the
spec language and no implementation difficulty, EXCEPT that if we envision
the use of "authenticated encryption" transforms for ESP (and then for
SK{} too) then the notion of "the integrity algorithm" used in SK{} may
not be well defined (some authenticated-encryption transforms will not
define a stand-alone integrity algorithm).

The last option is the rightest one, cryptographically speaking, but it
requires one more pair of keys derived from SKEYSEED. No big deal (though
I can feel Charlie's resistance to it :)

I guess that it is for Charlie to decide (my vote is obviously for 3)
(Continue reading)

Permalink | Reply | 0 comments |
headers
Hugo Krawczyk | 2 Jan 2004 21:46
Picon

RE: Clarification of EAP authentication in IKEv2?


On Wed, 31 Dec 2003 Pasi.Eronen <at> nokia.com wrote:

>
> > Moreover, this envelopping gives a false sense of security
> > which can easily lead applications to, for example, send
> > sensitive information as part of the exchange assuming its
> > protection under SK_e.
>
> It's quite clear that without the signature, the initiator at
> this point (before the AUTH payloads with EAP-derived keys) does
> not know who is the other party it shares SK_e with.But, as
> the EAP methods were designed to be useful even without any
> encryption (during the EAP exchange), Idon't think this false
> sense of security is very important.

We disagree. I've seen even "more obvious" protocols being misused. And in
this case I would not blame anyone that sees the protection under SK{} and
assumes that this protection has some actual effect such as protecting the
exchange from an (active) eavsdropper.

>
> > As a more immediate threat, what this signature-less version
> > of ikev2 is doing is to allow the same Asokan-Niemi-Nyberg
> > mitm attacks (in reverse direction) that the key-generating
> >EAP extensions of ikev2 were designed to avoid, namely, the
> > "stealing" of EAP runs from one context to another.
> > Specifically, by impersonating a signature-less responder in
> > the IKE exchange, the attacker can trick an initiator, that is
> > willing to run the EAP method in a IKEv2-context only, to
(Continue reading)

Permalink | Reply | 0 comments |
headers
Michael Richardson | 3 Jan 2004 01:00
Picon

draft-ietf-ipsec-ikev2-iana-01.txt


I have updated draft-ietf-ipsec-ikev2-iana-01.txt 
  (available at: http://www.sandelman.ca/SSW/ietf/ipsec/ikev2/ until ID
editor gets to it)

to include comments so far. The chairs asked that I include the IANA 
Considerations from RFC2409, since IKEv2 itself has none. RFC2409
is pretty tight/restricted in its assignments. It predates 2434, so
it doesn't use that terminology, so I've translated, I hope.

** Note the issue of merging:
** a)  IKEv2 Proposal Substructure Protocol-IDs 
** and
** b)  IKEv2 Security Protocol Identifiers 
** is still open, and unremarked upon. 
** They differ only in that b = a + 1.

RFC2409 says:
11.1 Attribute Classes		- Standards Track
11.2 Encryption Algorithm Class - IETF Consensus/Specification Required.
11.3 Hash Algorithm		- IETF Consensus, with extra notes.
11.4 Group Description and Group Type - Specification Required
11.5 Life Type	       - "Specification Required". sort of.

I've been a little less cautious, which is why I'm posting.
This is the result of some years of discussion, and some years of experience
implementing "new things". Thus it is based upon my feelings about
where we should let vendors innovate in isolation, and where they really
need to come clean.
(Continue reading)

Permalink | Reply | 2 comments |
headers
Eastlake III Donald-LDE008 | 3 Jan 2004 02:02

RE: I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt

Sounds good to me.

Donald
===========================================================
 Donald E. Eastlake III       Donald.Eastlake <at> Motorola.com
 Motorola Laboratories               1-508-786-7554 (work)
 111 Locke Drive                     1-508-634-2066 (home)
 Marlboro, MA 01752 USA 

-----Original Message-----
From: owner-ipsec <at> lists.tislabs.com [mailto:owner-ipsec <at> lists.tislabs.com] On Behalf Of Tero Kivinen
Sent: Wednesday, December 31, 2003 6:04 AM
To: Paul Hoffman / VPNC
Cc: ipsec <at> lists.tislabs.com
Subject: RE: I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt

Paul Hoffman / VPNC writes:
> Instead, simply create a new section in this document that aligns 
> with section 3.2.3 of draft-ietf-ipsec-esp-v3-06.txt, say that 
> combined modes will require proper structuring of an ESP 
> implementation, say why combined modes are useful (speed 
> improvements, soon to be required in 802.11), and they say "there are 
> no suggested or required algorithms at this time, but AES-CCM is 
> expected to be of interest in the near future". That way, 
> implementers know that even though there isn't a MUST or SHOULD right 
> now, they still need to think about how their code should look if 
> there is one in the future.

I really like that idea. 
--

--
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tero Kivinen | 5 Jan 2004 16:54
Picon
Picon
Favicon

draft-ietf-ipsec-ikev2-iana-01.txt

Michael Richardson writes:
> I have updated draft-ietf-ipsec-ikev2-iana-01.txt 
>   (available at: http://www.sandelman.ca/SSW/ietf/ipsec/ikev2/ until ID
> editor gets to it)

I think the section 4, might need little more text, it took at least
for me some time to realize that this change was for v1 registry, and
the reserved range matches the payload numbers allocated for the
IKEv2. 

>   IKEv2 Exchange types may created by Standards Action.

Do we really need standard action here, wouldn't the specification
required be enough. 

>   IKEv2 Payload Types may be allocated by Specification Required.

This is propably the first resource we are running out... We already
have 48 reserved numbers, and when extensions are made they quite
often want to use their own payloads... I still think the
specification required is the correct fr this. 

>   IKEv2 Proposal Substructure Protocol-IDs may be allocated by Standards Action.

Why standards action, why not specification required? I do not think
we are going to have too many of those, but on the other hand some of
those extensions might not be on standard track. I would suggest
specification required for this too.

>   IKEv2 Encryption Transform IDs may be allocated by expert review.
(Continue reading)

Permalink | Reply | 1 comment |
headers
Michael Richardson | 5 Jan 2004 17:26
Picon

Re: draft-ietf-ipsec-ikev2-iana-01.txt


>>>>> "Charlie" == Charlie Kaufman <charliek <at> microsoft.com> writes:
    >> ** Note the issue of merging:
    >> ** a)  IKEv2 Proposal Substructure Protocol-IDs 
    >> ** and
    >> ** b)  IKEv2 Security Protocol Identifiers 
    >> ** is still open, and unremarked upon. 
    >> ** They differ only in that b = a + 1.

    Charlie> The difference was a transcription error in one of the IKEv2 drafts that
    Charlie> I have fixed in the latest (unposted) draft. There should be only one
    Charlie> set of values, labeled Security Protocol Identifiers, with the values: 1
    Charlie> for IKE, 2 for AH and 3 for ESP. These match the values assigned in
    Charlie> IKEv1.  

  Thank you for clearing this up Charlie!
  I have removed Proposal Substructure Protocol-IDs.

  Charlie, do you have any comments on the amending formulae?

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr <at> xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
Permalink | Reply | 0 comments |
headers
owner-ipsec | 5 Jan 2004 17:21

(unknown)

(firewall-user <at> sentry.gw.tislabs.com [192.94.214.100])
	by lists.tislabs.com (8.9.1/8.9.1) with ESMTP id XAA03218
	Sun, 4 Jan 2004 23:15:37 -0500 (EST)
nutshell.tislabs.com via csmap (V6.0)
	id srcAAArDa4Y5; Sun, 4 Jan 04 23:23:50 -0500
by mail2.microsoft.com with Microsoft SMTPSVC(6.0.3790.1041);
	 Sun, 4 Jan 2004 20:26:29 -0800
(InterScan E-Mail VirusWall NT); Sun, 04 Jan 2004 20:26:29 -0800
by inet-hub-05.redmond.corp.microsoft.com with Microsoft  
SMTPSVC(6.0.3790.0);
	 Sun, 4 Jan 2004 20:26:29 -0800
x-mimeole: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Subject: RE: ikev2-11 nit
Date: Sun, 4 Jan 2004 20:26:27 -0800
Message-ID:  
<F5F4EC6358916448A81370AF56F211A5016A433F <at> RED-MSG 
-51.redmond.corp.microsoft.com>
Thread-Topic: ikev2-11 nit
thread-index: AcPFucwtE242d0PLQrasCL319OgtDgNijnwg
From: "Charlie Kaufman" <charliek <at> microsoft.com>
To: "Jari Arkko" <jari.arkko <at> kolumbus.fi>, <ipsec <at> lists.tislabs.com>
X-OriginalArrivalTime: 05 Jan 2004 04:26:29.0615 (UTC)  
FILETIME=[17269FF0:01C3D344]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by  
lists.tislabs.com id XAA03219
(Continue reading)

Permalink | Reply | 0 comments |
headers
Stephen Kent | 5 Jan 2004 18:02
Picon

new 2401bis versions ...

Folks,

A revised 2401bis was transmitted to the Secretariat on Christmas 
eve, but has not yet shown up as an I-D.

Over the holidays, Karen and I have been busy making additional 
revisions.  So, we will submit a newer version tomorrow, and ask Paul 
to post it to the archives for faster distribution.  please don't 
bother reading the per-Xmas version when it is posted.

Thanks, and sorry for the confusion,

Steve
Permalink | Reply | 0 comments |

Gmane