Nortel Contivity Client with XAuth (Key-ID)

From lpatricky6a7eap@msn.com Sun Jun 1 00:59:22 2003 Received: from hotmail.com (bay3-dav56.bay3.hotmail.com [65.54.169.86]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h517xMAF097014 for ; Sun, 1 Jun 2003 00:59:22 -0700 (PDT) (envelope-from lpatricky6a7eap@msn.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 1 Jun 2003 00:59:17 -0700 Received: from 62.240.34.244 by bay3-dav56.bay3.hotmail.com with DAV; Sun, 01 Jun 2003 07:59:17 +0000 X-Originating-IP: [62.240.34.244] X-Originating-Email: [lpatricky6a7eap@msn.com] From: "Rupert Brass" Subject: HGH... a miracle? To: "Decoste Delvecchio" X-MSMail-Priority: Normal X-Accept-Language: en Importance: Normal X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2500.0000 X-Mailer: MSN Explorer 7.00.0021.1900 Content-Type: multipart/alternative; boundary="hC012iquKpGRJvUi2dJFN381l8gskb4QRHAfP42uN4Uk4rcHJXQW21xm11Mc" Content-Transfer-Encoding: 7bit Message-ID: X-OriginalArrivalTime: 01 Jun 2003 07:59:17.0394 (UTC) FILETIME=[B3499720:01C32813] Date: 1 Jun 2003 00:59:17 -0700 --hC012iquKpGRJvUi2dJFN381l8gskb4QRHAfP42uN4Uk4rcHJXQW21xm11Mc Content-Transfer-Encoding: 7bit Content-Type: text/html; charset="US-ASCII" Is Slow Metabolism Preventing You From Losing Weight?

Click here and finally get some results.

HGH has been specially formulated to increase the effectiveness of your body to break down energy that has been stored in your bodies fat cells.
In fact, it is so effective that you'll even lose weight while you rest.

Click here and see how HGH can help you achieve your weight loss goals.

Don't want any more adverts? visit here
--hC012iquKpGRJvUi2dJFN381l8gskb4QRHAfP42uN4Uk4rcHJXQW21xm11Mc-- From owner-ipsec@lists.tislabs.com Sun Jun 1 21:14:14 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h524EDAF085575; Sun, 1 Jun 2003 21:14:14 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA07921 Sun, 1 Jun 2003 23:30:51 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Sun, 1 Jun 2003 21:36:28 -0600 To: ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: New algorithms and suites drafts Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hi again. As Barbara said on Friday, we will have two documents for the algorithms: the MUST/SHOULD/MAY document and a UI document. The UI suite document is at . As Jeff said the other day, he turned in draft-ietf-ipsec-ikev2-algorithms-01.txt. A temporary version is available at ; it should be available from the IETF repository soon. In the -01 draft, Jeff included a UI suite (based on what he was asked on the mailing list earlier). He and I are sitting together at the moment, and he agreed that the UI suites should only be in the UI document. The -02 draft will not have his current section 5. Sorry for the mis-alignment. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Mon Jun 2 07:00:21 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h52E0KAF041753; Mon, 2 Jun 2003 07:00:20 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA10511 Mon, 2 Jun 2003 09:28:35 -0400 (EDT) From: Charlie_Kaufman@notesdev.ibm.com In-Reply-To: <3ECA65EA.8000500@creeksidenet.com> To: "jpickering@creeksidenet.com" Cc: ipsec@lists.tislabs.com, owner-ipsec@lists.tislabs.com Subject: Re: v7 nits MIME-Version: 1.0 X-Mailer: Lotus Notes Build V602_05062003 May 06, 2003 Message-ID: Date: Sat, 31 May 2003 19:50:29 -0400 X-MIMETrack: Serialize by Router on Ace/Iris(Build V602_05222003NP|May 22, 2003) at 05/31/2003 07:46:39 PM, Serialize complete at 05/31/2003 07:46:39 PM Content-Type: multipart/alternative; boundary="=_alternative 007215A085256D37_=" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk This is a multipart message in MIME format. --=_alternative 007215A085256D37_= Content-Type: text/plain; charset="US-ASCII" Good catch. I've tightened the wording. My expectation (which is what I tightened the wording to) was that this protocol type was effectively a modifier of the SPIs listed because a system could have ESP and AH SAs with the same SPIs at the same time. So I tightened the wording to say that this is only used if it concerns an existing SA. So in the example you give, where no SA exists, an implementation would send a zero and ignore the received value. Someone had already pointed out the ambiguity in the nat hash; I fixed it. --Charlie jpickering@creeksidenet.com wrote on 05/20/2003 01:29:14 PM: > > As long as we are still stuck in the bogs of identity usage, a > couple of points of v7 clarification would be also appreciated: > > Text on protocol for notifications states: > > For notifications > concerning IPsec SAs this field will contain either (2) > to indicate AH or (3) to indicate ESP. For notifications > for which no protocol ID is relevant, this field MUST be > sent as zero and MUST be ignored. > > What about "no prop chosen" for child props that include both > AH and ESP? What about "ipcomp supported" requests with > both AH and ESP props? I would claim that protocol ID is > not relevant, but the sentence above says I still need a "2" or "3". > Also, what SPI in these cases? > > For "nat detection source/dest ip" notifies, text says to hash SPIs, > address and port. Which spis are to be used and in which order? > > Jeff > > > > > > > --=_alternative 007215A085256D37_= Content-Type: text/html; charset="US-ASCII"
Good catch. I've tightened the wording. My expectation (which is what I tightened the wording to) was that this protocol type was effectively a modifier of the SPIs listed because a system could have ESP and AH SAs with the same SPIs at the same time. So I tightened the wording to say that this is only used if it concerns an existing SA. So in the example you give, where no SA exists, an implementation would send a zero and ignore the received value.

Someone had already pointed out the ambiguity in the nat hash; I fixed it.

--Charlie

jpickering@creeksidenet.com wrote on 05/20/2003 01:29:14 PM: > > As long as we are still stuck in the bogs of identity usage, a > couple of points of v7 clarification would be also appreciated: > > Text on protocol for notifications states: > > For notifications > concerning IPsec SAs this field will contain either (2) > to indicate AH or (3) to indicate ESP. For notifications > for which no protocol ID is relevant, this field MUST be > sent as zero and MUST be ignored. > > What about "no prop chosen" for child props that include both > AH and ESP? What about "ipcomp supported" requests with > both AH and ESP props? I would claim that protocol ID is > not relevant, but the sentence above says I still need a "2" or "3". > Also, what SPI in these cases? > > For "nat detection source/dest ip" notifies, text says to hash SPIs, > address and port. Which spis are to be used and in which order? > > Jeff > > > > > > > --=_alternative 007215A085256D37_=-- From owner-ipsec@lists.tislabs.com Mon Jun 2 07:01:22 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h52E1LAF041786; Mon, 2 Jun 2003 07:01:22 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA10510 Mon, 2 Jun 2003 09:28:29 -0400 (EDT) From: Charlie_Kaufman@notesdev.ibm.com In-Reply-To: <3ED36A6F.5010309@polito.it> To: derenale@polito.it Cc: ipsec@lists.tislabs.com, owner-ipsec@lists.tislabs.com Subject: Re: IKE_SA SPI with a changed address MIME-Version: 1.0 X-Mailer: Lotus Notes Build V602_05062003 May 06, 2003 Message-ID: Date: Sat, 31 May 2003 19:50:31 -0400 X-MIMETrack: Serialize by Router on Ace/Iris(Build V602_05222003NP|May 22, 2003) at 05/31/2003 07:46:39 PM, Serialize complete at 05/31/2003 07:46:39 PM Content-Type: multipart/alternative; boundary="=_alternative 007470A185256D37_=" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk This is a multipart message in MIME format. --=_alternative 007470A185256D37_= Content-Type: text/plain; charset="US-ASCII" derenale@polito.it wrote on 05/27/2003 09:38:55 AM: > what would happen in IKEv2 if the Initiator and Responder change their > IP adresses after have established an IKE_SA? The current spec is intentionally vague on this issue. The short answer is that most likely the IKE_SA would fail. There is certainly nothing in the spec that would require implementations to do anything that would ever allow this to work. There have been a number of proposals to enhance the protocol to make it possible for IPsec endpoints to change IP addresses and maintain an established SA (in support of both NATs and Mobile IP). All have problems, mostly because different scenarios require different approaches. I expect this will be an area of continued experimentation followed eventually by standardization. The current spec is vague to allow that experimentation. --Charlie --=_alternative 007470A185256D37_= Content-Type: text/html; charset="US-ASCII"
derenale@polito.it wrote on 05/27/2003 09:38:55 AM: > what would happen in IKEv2 if the Initiator and Responder change their > IP adresses after have established an IKE_SA?
The current spec is intentionally vague on this issue. The short answer is that most likely the IKE_SA would fail. There is certainly nothing in the spec that would require implementations to do anything that would ever allow this to work. There have been a number of proposals to enhance the protocol to make it possible for IPsec endpoints to change IP addresses and maintain an established SA (in support of both NATs and Mobile IP). All have problems, mostly because different scenarios require different approaches.

I expect this will be an area of continued experimentation followed eventually by standardization. The current spec is vague to allow that experimentation.

--Charlie --=_alternative 007470A185256D37_=-- From owner-ipsec@lists.tislabs.com Mon Jun 2 07:05:52 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h52E5nAF041996; Mon, 2 Jun 2003 07:05:51 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA10588 Mon, 2 Jun 2003 09:37:32 -0400 (EDT) Message-Id: <200306021129.HAA01757@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ipsec@lists.tislabs.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ipsec-ciph-aes-ctr-04.txt Date: Mon, 02 Jun 2003 07:29:32 -0400 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Protocol Working Group of the IETF. Title : Using AES Counter Mode With IPsec ESP Author(s) : R. Housley Filename : draft-ietf-ipsec-ciph-aes-ctr-04.txt Pages : 19 Date : 2003-5-30 This document describes the use of AES Counter Mode, with an explicit initialization vector, as an IPsec Encapsulating Security Payload confidentiality mechanism. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ciph-aes-ctr-04.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsec-ciph-aes-ctr-04.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipsec-ciph-aes-ctr-04.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-5-30152148.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ipsec-ciph-aes-ctr-04.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ipsec-ciph-aes-ctr-04.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-5-30152148.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec@lists.tislabs.com Mon Jun 2 07:08:26 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h52E8PAF042082; Mon, 2 Jun 2003 07:08:25 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA10565 Mon, 2 Jun 2003 09:35:32 -0400 (EDT) Message-Id: <200306021129.HAA01741@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ipsec@lists.tislabs.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ipsec-ciph-aes-ccm-03.txt Date: Mon, 02 Jun 2003 07:29:27 -0400 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Protocol Working Group of the IETF. Title : Using AES CCM Mode With IPsec ESP Author(s) : R. Housley Filename : draft-ietf-ipsec-ciph-aes-ccm-03.txt Pages : 13 Date : 2003-5-30 This document describes the use of AES CCM Mode, with an explicit initialization vector, as an IPsec Encapsulating Security Payload (ESP) mechanism to provide confidentiality, data origin authentication, connectionless integrity. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ciph-aes-ccm-03.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsec-ciph-aes-ccm-03.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipsec-ciph-aes-ccm-03.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-5-30152138.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ipsec-ciph-aes-ccm-03.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ipsec-ciph-aes-ccm-03.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-5-30152138.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec@lists.tislabs.com Tue Jun 3 03:53:17 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53AokAF032794; Tue, 3 Jun 2003 03:53:17 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id FAA18160 Tue, 3 Jun 2003 05:53:16 -0400 (EDT) Date: Tue, 3 Jun 2003 11:51:23 +0200 To: ipsec@lists.tislabs.com Subject: need for encrypting IKE QM exchange Message-ID: <20030603095123.GD29366@www.mobile-ip.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.28i From: jfl@mobile-ip.de (Floroiu John) Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hi, There is a question I would like to ask regarding the need to encrypt the IKE Quick Mode exchange. I couldn't find throughout RFC2408 and RFC2409 a clear explanation to why SA, Nx, KE need to be encrypted (since the messages are authenticated anyway). SA, Nx and KE only indicate to a potential attacker the transforms that are being used and the SA's lifetime, which imo is harmless. Clearly IDci, IDcr must be encrypted, and the only answer I could figure out to the question above is that, since the protocol does not provide support for individual payloads to be encrypted, the whole message is encrypted instead. Looking at JFK I noticed however that "sa" and "sa'" are also transported (within message 3 and 4) in encryted form. The ultimate question is whether, assuming another protocol than IKE is used to negotiate SAs, SA, Nx and KE could be transported in plain text. Of course it is "better" to have them encrypted, but I cannot understand why would it be "worse" to have them in clear. Any comments would be gratly appreciated. John. From owner-ipsec@lists.tislabs.com Tue Jun 3 06:17:49 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53DHnAF040562; Tue, 3 Jun 2003 06:17:49 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id IAA19423 Tue, 3 Jun 2003 08:49:22 -0400 (EDT) X-Originating-IP: [64.114.95.129] X-Originating-Email: [askrywan@hotmail.com] From: "Andrew Krywaniuk" To: ipsec@lists.tislabs.com, paul.hoffman@vpnc.org Date: Mon, 02 Jun 2003 18:45:10 -0400 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 02 Jun 2003 22:45:11.0281 (UTC) FILETIME=[9FE2D610:01C32958] Sender: owner-ipsec@lists.tislabs.com Precedence: bulk >Hi again. As Barbara said on Friday, we will have two documents for the >algorithms: the MUST/SHOULD/MAY document and a UI document. The UI suite >document is at >. A lot of people (I wasn't one of them) complained that IKEv1 was too hard to understand because you have to consult 3 different RFCs. One of the primary motivations of IKEv2 was to consolidate everything into one giant protocol description. But now for algorithms and ciphersuites, we seem to have no problem with creating extra documents at the last minute. I'm just wondering... was there a straw poll or a discussion where WG members expressed their preference for two documents? (I don't remember one.) If this is simply a matter of Paul and Jeff not stepping on each others' toes, couldn't there just be one document with 2 authors? Andrew -------------------------------------- The odd thing about fairness is when we strive so hard to be equitable that we forget to be correct. _________________________________________________________________ Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 From owner-ipsec@lists.tislabs.com Tue Jun 3 06:21:33 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53DLWAF040990; Tue, 3 Jun 2003 06:21:33 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id IAA19372 Tue, 3 Jun 2003 08:38:24 -0400 (EDT) X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: IPsec bakeoff : Interoperability Tests at ETSI Sophia Antipolis FRANCE 21-25 July 2003 Date: Tue, 3 Jun 2003 14:43:42 +0200 Message-ID: <4091553999CBE4409CC2B562152B5A3302060B11@email10.etsihq.org> Thread-Topic: IPsec bakeoff : Interoperability Tests at ETSI Sophia Antipolis FRANCE 21-25 July 2003 Thread-Index: AcMpzcNbTKV+eLHqQciVDuGQNC+UCA== From: =?iso-8859-1?Q?Patrick_Ren=E9_Guillemin?= To: Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by lists.tislabs.com id IAA19369 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Dear All, This email is to remind you of the IPsec bakeoff organized by ETSI (Sophia Antipolis FRANCE 21-25 July 2003 = the week after IETF 57 in Vienna, Austria). Registration is open until July 6 at http://www.etsi.org/plugtests/02UpcomingEvents/IPsec/IPsec_home.htm click on "Registration login" For those who have are willing to attend, please register quickly so as to allow us to better prepare the event. Details: In addition to our new native IPv6 access, ETSI will provide (LAN and WLAN) with direct IPv4 access at 2x10 Mbps on the same network to tests: - IPsec over IPv6 and IPv4 - Manual IPsec - IKEv1 and IKEv2 - NAT-T - Remote access extensions - ... and more as you like As for other events, testing guidelines will be given but no tests are mandatory and participants select tests according to their wish. In addition to interoperability we could organize IPsec performance and scalability tests if enough participants are interested. During the week, we could book rooms to allow attendees to organize talks about subjects such as: - IPsec benchmarking methodology IETF draft - PPVPN - IPv6 v2 or IPv8 Feedback on generic problems encountered will be shared during the event. It is reminded that detailed information shared during the event is confidential and the event strictly reserved to technical people with products. Marketing and Sales representatives as well as observers are not allowed. A discussion list dedicated to the event has been set up. To subscribe to the PLUGTESTS-IPsec mailing list: send to listserv@list.etsi.org the following command: subscribe PLUGTESTS-IPsec (Firstname Lastname) in the body of the message. - For web archives see http://list.etsi.org/plugtests-ipsec.html Best Regards Patrick GUILLEMIN Plugtests - Technical Coordinator ETSI - European Telecommunications Standards Institute Tel: +33 4 92 94 4331 - Fax: +33 4 92 38 5231 http://www.etsi.org/plugtests From owner-ipsec@lists.tislabs.com Tue Jun 3 06:43:04 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53DeXAF041824; Tue, 3 Jun 2003 06:43:03 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id IAA19461 Tue, 3 Jun 2003 08:57:27 -0400 (EDT) Message-Id: <200306031147.HAA27449@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ipsec@lists.tislabs.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ipsec-ikev2-algorithms-01.txt Date: Tue, 03 Jun 2003 07:47:27 -0400 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Protocol Working Group of the IETF. Title : Cryptographic Algorithms for use in the Internet Key Exchange Version 2 Author(s) : J. Schiller Filename : draft-ietf-ipsec-ikev2-algorithms-01.txt Pages : 7 Date : 2003-6-2 The IPSec series of protocols makes use of various cryptographic algorithms in order to provide security services. The Internet Key Exchange (IKE [RFC2409] and IKEv2 [IKEv2]) provide a mechanism to negotiate which algorithms should be used in any even association. However to ensure interoperability between disparate implementations it is necessary to specify a set of mandatory to implement algorithms to ensure at least one algorithm that all implementations will have available. This document defines the current set of mandatory to implement algorithms for use of IKEv2 as well as specifying algorithms that should be implemented because they made be promoted to mandatory at some future time. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-algorithms-01.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsec-ikev2-algorithms-01.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipsec-ikev2-algorithms-01.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-6-2145642.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ipsec-ikev2-algorithms-01.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ipsec-ikev2-algorithms-01.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-6-2145642.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec@lists.tislabs.com Tue Jun 3 06:45:10 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53DgbAF041876; Tue, 3 Jun 2003 06:45:09 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id IAA19470 Tue, 3 Jun 2003 08:58:28 -0400 (EDT) Message-Id: <200306031147.HAA27467@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ipsec@lists.tislabs.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ipsec-ikev2-08.txt Date: Tue, 03 Jun 2003 07:47:32 -0400 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Protocol Working Group of the IETF. Title : Internet Key Exchange (IKEv2) Protocol Author(s) : C. Kaufman Filename : draft-ietf-ipsec-ikev2-08.txt Pages : 97 Date : 2003-6-2 This document describes version 2 of the IKE (Internet Key Exchange) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining security associations. This version of IKE simplifies the design by removing options that were rarely used and simplifying the encoding. This version of the IKE specification combines the contents of what were previously separate documents, including ISAKMP (RFC 2408), IKE (RFC 2409), the Internet DOI (RFC 2407), NAT Traversal, Legacy authentication, and remote address acquisition. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-08.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsec-ikev2-08.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipsec-ikev2-08.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-6-2145654.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ipsec-ikev2-08.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ipsec-ikev2-08.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-6-2145654.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec@lists.tislabs.com Tue Jun 3 09:14:51 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53GEnAF052912; Tue, 3 Jun 2003 09:14:50 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA20593 Tue, 3 Jun 2003 11:33:21 -0400 (EDT) From: Charlie_Kaufman@notesdev.ibm.com Subject: New IKEv2 draft -08 To: ipsec@lists.tislabs.com X-Mailer: Lotus Notes Build V601_12032002NP December 03, 2002 Message-ID: Date: Tue, 3 Jun 2003 11:14:14 -0400 X-MIMETrack: Serialize by Router on Ace/Iris(Build V602_05222003NP|May 22, 2003) at 06/03/2003 11:38:35 AM MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Just to let people know, I posted a revised IKEv2 draft incorporating the recent comments. There were no bits on the wire changes, but a substantial number of fixed typos and clarifications. I believe the intent is to go to last call with this one. It hasn't shown up on the I-D site yet, but Paul Hoffman has temporarily posted it on his site (as he announced Saturday): > Charlie has posted a new version of the main IKEv2 document. A > temporary version can be found at > > > --Paul Hoffman, Director > --VPN Consortium From owner-ipsec@lists.tislabs.com Tue Jun 3 10:35:10 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53HZ8AF055619; Tue, 3 Jun 2003 10:35:10 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA20967 Tue, 3 Jun 2003 12:44:28 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: In-Reply-To: References: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Tue, 3 Jun 2003 10:50:14 -0600 To: Charlie_Kaufman@notesdev.ibm.com, ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Re: New IKEv2 draft -08 Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk >Just to let people know, I posted a revised IKEv2 draft incorporating >the recent comments. There were no bits on the wire changes, but a >substantial number of fixed typos and clarifications. I believe the >intent is to go to last call with this one. It hasn't shown up on the >I-D site yet, but Paul Hoffman has temporarily posted it on his site >(as he announced Saturday): > > > Charlie has posted a new version of the main IKEv2 document. A > > temporary version can be found at > > The real draft appeared this morning (and the same is true for Jeff's algorithm requirements draft), so I nuked the temporary drafts. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Tue Jun 3 11:03:49 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53I1GAF057304; Tue, 3 Jun 2003 11:03:48 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA21193 Tue, 3 Jun 2003 13:30:23 -0400 (EDT) Message-Id: <4.3.2.7.2.20030603102719.050c84c8@mira-sjc5-4.cisco.com> X-Sender: byfraser@mira-sjc5-4.cisco.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 03 Jun 2003 10:32:01 -0700 To: ipsec@lists.tislabs.com From: Barbara Fraser Subject: Working Group Last Call IKEv2 Cc: tytso@mit.edu, Barbara Fraser Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hi, This is a working group last call for comments on the IKEv2 draft, draft-ietf-ipsec-ikev2-08.txt, for progression to Proposed Standard: This last call will expire in three weeks on June 23, 2003. thanks, Barb and Ted From owner-ipsec@lists.tislabs.com Tue Jun 3 13:56:26 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53KrpAF066246; Tue, 3 Jun 2003 13:56:26 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id QAA22104 Tue, 3 Jun 2003 16:13:10 -0400 (EDT) Message-Id: <200306032018.h53KIxvj025073@thunk.east.sun.com> From: Bill Sommerfeld To: jfl@mobile-ip.de (Floroiu John) cc: ipsec@lists.tislabs.com Subject: Re: need for encrypting IKE QM exchange In-Reply-To: Your message of "Tue, 03 Jun 2003 11:51:23 +0200." <20030603095123.GD29366@www.mobile-ip.de> Reply-to: sommerfeld@east.sun.com Date: Tue, 03 Jun 2003 16:18:59 -0400 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk > There is a question I would like to ask regarding the need to > encrypt the IKE Quick Mode exchange. I couldn't find throughout > RFC2408 and RFC2409 a clear explanation to why SA, Nx, KE need to be > encrypted (since the messages are authenticated anyway). > > SA, Nx and KE only indicate to a potential attacker the transforms that > are being used and the SA's lifetime, which imo is harmless. others may disagree. also, selector values are exchanged, which may indicate port number / protocol of the protected traffic, leaking information about the traffic being carried. - Bill From owner-ipsec@lists.tislabs.com Tue Jun 3 21:35:59 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h544XSAF080923; Tue, 3 Jun 2003 21:35:59 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA25111 Tue, 3 Jun 2003 23:57:43 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Tue, 3 Jun 2003 21:03:24 -0700 To: ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Eliminating "SHOULD-" from draft-ietf-ipsec-algorithms Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Greetings again. draft-ietf-ipsec-algorithms uses the standard definitions for MUST, SHOULD, and so on. It adds three new terms: SHOULD+ This term means the same as SHOULD. However it is likely that an algorithm marked as SHOULD+ will be promoted at some future time to be a MUST SHOULD- This terms means the same as SHOULD. However an algorithm marked as SHOULD- may be deprecated to a MAY in a future version of this document. MUST- This term means the same as MUST. However we expect at some point that this algorithm will no longer be a MUST in a future document. Although its status will be determined at a later time, it is reasonable to expect that if a future revision of a document alters the status of a MUST- algorithm, it will remain at least a SHOULD or a SHOULD-. The concept of SHOULD+ and MUST- is good, but SHOULD- is not useful and is confusing to implementers. In the current draft, there are only two items that are marked as SHOULD-: ENCR_DES_IV64 1 [RFC1827] SHOULD- ENCR_DES 2 [RFC2405] SHOULD- There is no good reason for DES to be a SHOULD or a SHOULD-. No one who cares about security would use it, and the only reason we see it in use in IPsec today is that it is still the MUST for IKEv1. Any use of DES should be a MAY. If IKEv2 lists DES as MAY instead of SHOULD-, that will hasten the demise of the use of DES in environments that should be using stronger keys. An additional benefit would be to make this RFC more understandable. (In less polite terms: let's finally dump DES from any level of requirement!) --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Tue Jun 3 21:36:01 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h544XTAF080924; Tue, 3 Jun 2003 21:36:01 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA25112 Tue, 3 Jun 2003 23:57:44 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Tue, 3 Jun 2003 16:34:50 -0700 To: ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Greetings again. draft-ietf-ipsec-algorithms lists the following pseudo-random functions: 4.1.4. IKEv2 Transform Type 2 Algorithms Transfer Type 2 Algorithms are pseudo-random functions used to generate random values when needed. Name Number Defined In Status RESERVED 0 PRF_HMAC_MD5 1 [RFC2104] MAY PRF_HMAC_SHA1 2 [RFC2104] MUST PRF_HMAC_TIGER 3 [RFC2104] MAY PRF_AES128_CBC 4 [CIPH-AES] SHOULD It lists the following for integrity algorithms: 4.1.5. IKEv2 Transform Type 3 Algorithms Transfer Type 3 Algorithms are Integrity algorithms used to protect data against tampering. Name Number Defined In Status NONE 0 AUTH_HMAC_MD5_96 1 [RFC2403] MAY AUTH_HMAC_SHA1_96 2 [RFC2404] MUST AUTH_DES_MAC 3 MAY AUTH_KPDK_MD5 4 [RFC1826] MAY AUTH_AES_XCBC_96 5 SHOULD Some implementers have said that they would like to use PRF_AES128_CBC and AUTH_AES_XCBC_96 when they use AES for encryption in constrained hardware. Basically, why implement PRF_HMAC_SHA1 and AUTH_HMAC_SHA1_96 when PRF_AES128_CBC is good enough and it will clearly take less silicon. I followed this logic when I specified PRF_AES128_CBC and AUTH_AES_XCBC_96 in the VPN-2 UI suite. I propose that PRF_AES128_CBC be listed as SHOULD+ instead of SHOULD so that implementers know that they should be implementing it soon. Otherwise, I should change the VPN-2 UI suite to use PRF_HMAC_SHA1 and AUTH_HMAC_SHA1_96. Does anyone object to raising these two uses of AES to SHOULD+? --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Tue Jun 3 22:09:23 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5459JAF081904; Tue, 3 Jun 2003 22:09:22 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id AAA25392 Wed, 4 Jun 2003 00:41:40 -0400 (EDT) Date: Wed, 4 Jun 2003 00:47:16 -0400 (EDT) From: Henry Spencer To: IP Security List Subject: Re: Eliminating "SHOULD-" from draft-ietf-ipsec-algorithms In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Tue, 3 Jun 2003, Paul Hoffman / VPNC wrote: > (In less polite terms: let's finally dump DES from any level of requirement!) Agreed! About time. Henry Spencer henry@spsystems.net From owner-ipsec@lists.tislabs.com Wed Jun 4 02:21:18 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h549LHAF015589; Wed, 4 Jun 2003 02:21:17 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id EAA27119 Wed, 4 Jun 2003 04:50:25 -0400 (EDT) Date: Wed, 4 Jun 2003 10:48:29 +0200 To: Bill Sommerfeld , ipsec@lists.tislabs.com Subject: Re: need for encrypting IKE QM exchange Message-ID: <20030604084829.GA3545@www.mobile-ip.de> References: <20030603095123.GD29366@www.mobile-ip.de> <200306032018.h53KIxvj025073@thunk.east.sun.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200306032018.h53KIxvj025073@thunk.east.sun.com> User-Agent: Mutt/1.3.28i From: jfl@mobile-ip.de (Floroiu John) Sender: owner-ipsec@lists.tislabs.com Precedence: bulk > > SA, Nx and KE only indicate to a potential attacker the transforms that > > are being used and the SA's lifetime, which imo is harmless. > > others may disagree. Thanks for the answer. I had this feeling indeed, but I wasn't sure about the reasons ;-) I actually overlooked the selectors, which provide indeed information about the traffic being exchanged through a security gateway. Regarding the other parameters, maybe the lifetime is the most sensitive. KE is essentially a public parameter, SPIs are seen afterwards in clear. As for the transforms, they are not many of them (so that one may try them in turn) and their strength, I believe, comes from the algorithm itself rather than from hiding its identity. > also, selector values are exchanged, which may indicate port number / > protocol of the protected traffic, leaking information about the > traffic being carried. John. From owner-ipsec@lists.tislabs.com Wed Jun 4 09:07:21 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h54G6fAF042142; Wed, 4 Jun 2003 09:07:21 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA29789 Wed, 4 Jun 2003 11:27:01 -0400 (EDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16094.4355.911606.608931@pkoning.dev.equallogic.com> Date: Wed, 4 Jun 2003 11:32:19 -0400 From: Paul Koning To: paul.hoffman@vpnc.org Cc: ipsec@lists.tislabs.com Subject: Re: Eliminating "SHOULD-" from draft-ietf-ipsec-algorithms References: X-Mailer: VM 7.07 under 21.4 (patch 8) "Honest Recruiter" XEmacs Lucid Sender: owner-ipsec@lists.tislabs.com Precedence: bulk >>>>> "Paul" == Paul Hoffman > writes: Paul> ... Paul> There is no good reason for DES to be a SHOULD or a SHOULD-. No Paul> one who cares about security would use it, and the only reason Paul> we see it in use in IPsec today is that it is still the MUST Paul> for IKEv1. Any use of DES should be a MAY. I'd prefer SHOULD NOT for ENCR_DES. As for ENCR_DES_IV64, why is that mentioned at all? Has it ever been seen in the wild? I'd just drop that one entirely. paul From owner-ipsec@lists.tislabs.com Wed Jun 4 09:16:29 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h54GDwAF043124; Wed, 4 Jun 2003 09:16:28 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA29902 Wed, 4 Jun 2003 11:46:29 -0400 (EDT) Message-Id: <200306041551.h54Fpm812033@yogi> X-Mailer: exmh version 2.6.2 03/21/2003 with nmh-1.0.4 To: ipsec@lists.tislabs.com Subject: protocol encoding in proposal differs from IKEv1 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 04 Jun 2003 10:51:48 -0500 From: "Stephen C. Koehler" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk I just noticed that the protocol encoding in IKEv2 is different from IKEv1. Is this correct?? >From IKEv2: o Protocol-Id (1 octet) - Specifies the protocol identifier for the current negotiation. Zero (0) indicates IKE, one (1) indicated ESP, and two (2) indicates AH. The IKEv2 DOI encodes ISAKMP as 1, AH as 2, and ESP as 3. >From an implementer's standpoint, I would like to point out (i.e., complain) that differences such as this make it very inconvenient to have IKEv1 and IKEv2 coexist in the same piece of code. My biggest complaint is that the the payload structures have changed from IKEv1 to IKEv2, but the payload type numbers have not. I think it would have been better to give a new number to any structure that changed. In the above case, the proposal structure is identical, but the encoding of one of the files has changed. -- Steve Koehler koehler@securecomputing.com From owner-ipsec@lists.tislabs.com Wed Jun 4 10:34:40 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h54HYdAF045606; Wed, 4 Jun 2003 10:34:39 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA00368 Wed, 4 Jun 2003 12:56:09 -0400 (EDT) Message-ID: <49B96FCC784BC54F9675A6B558C3464ED7C15F@mail.netoctave.com> From: David Blaker To: ipsec@lists.tislabs.com Subject: RE: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ Date: Wed, 4 Jun 2003 12:47:57 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C32AB9.0CEDE720" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C32AB9.0CEDE720 Content-Type: text/plain Although I have seen discussions of using AES for a PRF function on the IPSec mailing list, I am unaware of a formal definition that is documented in a draft. draft-ietf-ipsec-ciph-aes-cbs-05.txt makes no mention of a prf function, as far as I can tell. If PRF_AES128_CBC is to be either a SHOULD or a SHOULD+, then someone first needs to define it somewhere. Would one of the proposers of this algorithm please provide a draft? David Blaker, VP System Engineering CyberGuard Corporation -----Original Message----- From: Paul Hoffman / VPNC [mailto:paul.hoffman@vpnc.org] Sent: Tuesday, June 03, 2003 7:35 PM To: ipsec@lists.tislabs.com Subject: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ Greetings again. draft-ietf-ipsec-algorithms lists the following pseudo-random functions: 4.1.4. IKEv2 Transform Type 2 Algorithms Transfer Type 2 Algorithms are pseudo-random functions used to generate random values when needed. Name Number Defined In Status RESERVED 0 PRF_HMAC_MD5 1 [RFC2104] MAY PRF_HMAC_SHA1 2 [RFC2104] MUST PRF_HMAC_TIGER 3 [RFC2104] MAY PRF_AES128_CBC 4 [CIPH-AES] SHOULD It lists the following for integrity algorithms: 4.1.5. IKEv2 Transform Type 3 Algorithms Transfer Type 3 Algorithms are Integrity algorithms used to protect data against tampering. Name Number Defined In Status NONE 0 AUTH_HMAC_MD5_96 1 [RFC2403] MAY AUTH_HMAC_SHA1_96 2 [RFC2404] MUST AUTH_DES_MAC 3 MAY AUTH_KPDK_MD5 4 [RFC1826] MAY AUTH_AES_XCBC_96 5 SHOULD Some implementers have said that they would like to use PRF_AES128_CBC and AUTH_AES_XCBC_96 when they use AES for encryption in constrained hardware. Basically, why implement PRF_HMAC_SHA1 and AUTH_HMAC_SHA1_96 when PRF_AES128_CBC is good enough and it will clearly take less silicon. I followed this logic when I specified PRF_AES128_CBC and AUTH_AES_XCBC_96 in the VPN-2 UI suite. I propose that PRF_AES128_CBC be listed as SHOULD+ instead of SHOULD so that implementers know that they should be implementing it soon. Otherwise, I should change the VPN-2 UI suite to use PRF_HMAC_SHA1 and AUTH_HMAC_SHA1_96. Does anyone object to raising these two uses of AES to SHOULD+? --Paul Hoffman, Director --VPN Consortium ------_=_NextPart_001_01C32AB9.0CEDE720 Content-Type: text/html Content-Transfer-Encoding: quoted-printable RE: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to = SHOULD+ Although I have seen discussions of using AES for a = PRF function on the IPSec mailing list, I am unaware of a formal = definition that is documented in a draft. = draft-ietf-ipsec-ciph-aes-cbs-05.txt makes no mention of a prf function, as far as I can tell. If = PRF_AES128_CBC is to be either a SHOULD or a SHOULD+, then someone = first needs to define it somewhere. Would one of the proposers of = this algorithm please provide a draft? David Blaker, VP System Engineering CyberGuard Corporation -----Original Message----- From: Paul Hoffman / VPNC [<3d.htm>mailto:paul.hoffman@vpnc.org]<= /FONT> Sent: Tuesday, June 03, 2003 7:35 PM To: ipsec@lists.tislabs.com Subject: Promoting PRF_AES128_CBC and = AUTH_AES_XCBC_96 from SHOULD to SHOULD+ Greetings again. draft-ietf-ipsec-algorithms lists = the following pseudo-random functions: 4.1.4. IKEv2 Transform Type 2 Algorithms Transfer Type 2 Algorithms are pseudo-random = functions used to generate random values when needed. = Name &n= bsp; Number Defined In Status = RESERVED &nbs= p; 0 = PRF_HMAC_MD5 = 1 = [RFC2104] MAY = PRF_HMAC_SHA1 = 2 = [RFC2104] MUST = PRF_HMAC_TIGER = 3 = [RFC2104] MAY = PRF_AES128_CBC = 4 [CIPH-AES] = SHOULD It lists the following for integrity = algorithms: 4.1.5. IKEv2 Transform Type 3 Algorithms Transfer Type 3 Algorithms are Integrity algorithms = used to protect data against tampering. = Name &n= bsp; Number = Defined In Status = NONE &n= bsp; 0 = AUTH_HMAC_MD5_96 = 1 = [RFC2403] MAY = AUTH_HMAC_SHA1_96 = 2 = [RFC2404] MUST = AUTH_DES_MAC = 3 = ; = ; MAY = AUTH_KPDK_MD5 = 4 = [RFC1826] MAY = AUTH_AES_XCBC_96 = 5 = ; = ; SHOULD Some implementers have said that they would like to = use PRF_AES128_CBC and AUTH_AES_XCBC_96 when they use = AES for encryption in constrained hardware. Basically, why implement = PRF_HMAC_SHA1 and AUTH_HMAC_SHA1_96 when PRF_AES128_CBC is good enough = and it will clearly take less silicon. I followed this logic = when I specified PRF_AES128_CBC and AUTH_AES_XCBC_96 in the VPN-2 UI = suite. I propose that PRF_AES128_CBC be listed as SHOULD+ = instead of SHOULD so that implementers know that they should be = implementing it soon. Otherwise, I should change the VPN-2 UI suite to use = PRF_HMAC_SHA1 and AUTH_HMAC_SHA1_96. Does anyone object to raising these two uses of AES = to SHOULD+? --Paul Hoffman, Director --VPN Consortium ------_=_NextPart_001_01C32AB9.0CEDE720-- From owner-ipsec@lists.tislabs.com Fri Jun 6 12:05:19 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h56J5IAF031053; Fri, 6 Jun 2003 12:05:19 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA15964 Fri, 6 Jun 2003 14:14:33 -0400 (EDT) Message-ID: <2A8DB02E3018D411901B009027FD3A3F03676096@mchp905a.mch.sbs.de> From: Tschofenig Hannes To: "'ipsec@lists.tislabs.com'" Subject: Question regarding user identity confidentiality Date: Fri, 6 Jun 2003 15:20:36 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk hi all, i have read the ikev2 tuturial and ikev2 and i have a question about the user identity confidentiality: before secure legacy authentication was added to ikev2 i agreed with the selected user id confidentiality approach where the identity of the initiator is revealed first. at that time it is was difficult to assume a client-server architecture (i.e. which entity starts ike) and therefore which entity has to be protected. for remote access solutions using secure legacy authentication (by using eap) things are a little bit different. with eap you have the following message flow (taken from section 3.16 of [draft-ietf-ipsec-ikev2-08.txt]): Initiator Responder ----------- ----------- HDR, SAi1, KEi, Ni --> <-- HDR, SAr1, KEr, Nr, [CERTREQ] HDR, SK {IDi, [CERTREQ,] [IDr,] SAi2, TSi, TSr} --> <-- HDR, SK {IDr, [CERT,] AUTH, EAP } HDR, SK {EAP, [AUTH] } --> The draft says "By including an IDi payload but not an AUTH payload, the initiator has declared an identity but has not proven it." (message 3) Section 3.16 additionally says: "Note that since IKE passes an indication of initiator identity in message 3 of the protocol, EAP based prompts for Identity SHOULD NOT be used." To me this seems that protection of the user identity against an active attack cannot be provided for eap methods (except if tunneled methods are used). this seems to have some disadvantages for remote access solutions where you have a client-server relationship. possible solutions are: a) ignore user id conf. b) suggest to use a tunneled method within ikev2/eap when user identity confidentiality is required. this clearly has a performance disadvantage since you create two tunnels (for server to client authentication) in addition to the eap method for client to server authentication. c) change the handling for secure legacy auth. and let the responder authenticate to the initiator first d) others? am i wrong with my observations? ciao hannes From owner-ipsec@lists.tislabs.com Fri Jun 6 12:56:26 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h56JuPAF032451; Fri, 6 Jun 2003 12:56:26 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA16178 Fri, 6 Jun 2003 15:22:13 -0400 (EDT) Message-Id: <4.3.2.7.2.20030606121942.04ed4dc0@mira-sjc5-4.cisco.com> X-Sender: byfraser@mira-sjc5-4.cisco.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 06 Jun 2003 12:27:08 -0700 To: Internet-Drafts@ietf.org From: Barbara Fraser Subject: Problem with draft-ietf-ipsec-ikev2-algorithms-02.txt Cc: jis@mit.edu, tytso@mit.edu, byfraser@cisco.com, ipsec@lists.tislabs.com, angelos@cs.columbia.edu Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hi, Re: draft-ietf-ipsec-ikev2-algorithms-02.txt Ted and I were looking for this draft and noticed that the link for the -02 document on the IPsec wg page is broken. When we checked the ftp site, there were no copies of this document at all, even the earlier -01 version. We believe Jeff submitted the -02 document on June 3. There has been no announcement of this draft which leads us to believe something happened in the middle of ID's handling of this document. Thanks for looking into this, Barb and Ted From owner-ipsec@lists.tislabs.com Fri Jun 6 13:13:14 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h56KDDAF032930; Fri, 6 Jun 2003 13:13:14 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA16341 Fri, 6 Jun 2003 15:46:15 -0400 (EDT) Date: Fri, 6 Jun 2003 15:52:03 -0400 From: "Theodore Ts'o" To: David Blaker Cc: ipsec@lists.tislabs.com Subject: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ Message-ID: <20030606195203.GB4070@think> References: <49B96FCC784BC54F9675A6B558C3464ED7C15F@mail.netoctave.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <49B96FCC784BC54F9675A6B558C3464ED7C15F@mail.netoctave.com> User-Agent: Mutt/1.5.4i Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wed, Jun 04, 2003 at 12:47:57PM -0400, David Blaker wrote: > Although I have seen discussions of using AES for a PRF function on > the IPSec mailing list, I am unaware of a formal definition that is > documented in a draft. draft-ietf-ipsec-ciph-aes-cbs-05.txt makes no > mention of a prf function, as far as I can tell. If PRF_AES128_CBC > is to be either a SHOULD or a SHOULD+, then someone first needs to > define it somewhere. Would one of the proposers of this algorithm please > provide a draft? Good catch. It appears that ikev2-algorithms-01 is in error: PRF_AES128_CBC is not defined in draft-ietf-ipsec-aes-cbc-05, and I don't see any drafts where it is defined. So we need to modify ikev2-algorithms to point at a (currently non-existent) I-D, and we need to find a volunteer to quickly gin up an I-D which defines PRF_AES128_CBC. Barbara and I believe that this shouldn't hold up the IETF last call for draft-ietf-ipsec-algorithms, since writing up this PRF AES I-D should be something that can be done quickly, however, with the dangling reference the algorithms document will stall when it hits the RFC editor, so we will need to plug this reference quickly. - Ted From drobertmjkyjpxoh7gdf0@msn.com Fri Jun 6 16:26:13 2003 Received: from hotmail.com (bay3-dav140.bay3.hotmail.com [65.54.169.170]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h56NQDAF039642 for ; Fri, 6 Jun 2003 16:26:13 -0700 (PDT) (envelope-from drobertmjkyjpxoh7gdf0@msn.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 6 Jun 2003 16:26:08 -0700 Received: from 212.170.242.64 by bay3-dav140.bay3.hotmail.com with DAV; Fri, 06 Jun 2003 23:26:08 +0000 X-Originating-IP: [212.170.242.64] X-Originating-Email: [drobertmjkyjpxoh7gdf0@msn.com] To: "Schrawder Vitiello" Subject: loving women want you From: "Graap Saglibene" X-Originating-Ip: [7.930.85.01] X-Priority: 3 (Normal) Content-Type: multipart/alternative; boundary="I2uTPp6aVeiXCsFwjI0cp8S0d45ykhwqEOmo31jmjKYkPyOh7Gef0naDbB5bGjFy4W" Content-Transfer-Encoding: 7bit Message-ID: X-OriginalArrivalTime: 06 Jun 2003 23:26:08.0786 (UTC) FILETIME=[02535720:01C32C83] Date: 6 Jun 2003 16:26:08 -0700 --I2uTPp6aVeiXCsFwjI0cp8S0d45ykhwqEOmo31jmjKYkPyOh7Gef0naDbB5bGjFy4W Content-Transfer-Encoding: 7bit Content-Type: text/html; charset="ISO-8859-1" Searching And Still Haven't Found A That Someone Special?
Don't spend another day alone, take your first step towards a better life.

Visit Us Here And Choose The Woman You'd Like Meet

You can browse through our database of pictures and bio's of beautiful Russian women
looking for a western man just like you!

Join Today For FREE And Start A Relationship That Will Last A Life Time

Visit Us Online Here

here To Be Taken Off
--I2uTPp6aVeiXCsFwjI0cp8S0d45ykhwqEOmo31jmjKYkPyOh7Gef0naDbB5bGjFy4W-- From owner-ipsec@lists.tislabs.com Fri Jun 6 17:05:50 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5705nAF040942; Fri, 6 Jun 2003 17:05:49 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id TAA17341 Fri, 6 Jun 2003 19:34:37 -0400 (EDT) Date: Sat, 7 Jun 2003 02:40:27 +0300 (IDT) From: Hugo Krawczyk To: "Theodore Ts'o" cc: David Blaker , IPsec WG Subject: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ In-Reply-To: <20030606195203.GB4070@think> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk > > Good catch. It appears that ikev2-algorithms-01 is in error: > PRF_AES128_CBC is not defined in draft-ietf-ipsec-aes-cbc-05, and I > don't see any drafts where it is defined. So we need to modify > ikev2-algorithms to point at a (currently non-existent) I-D, and we > need to find a volunteer to quickly gin up an I-D which defines > PRF_AES128_CBC. that's easy: the right document to point out is draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt. The function defined there is exactly what the algorithms I-D calls PRF_AES128_CBC (maybe we should rename it to PRF_AES128_XCBC), except that draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt mandates the truncation to 96 bits which is not necessary (nor recommended) here. Thus one can define PRF_AES128_XCBC by referring to the above I-D and saying that no truncation takes place (all the 128 bits of output from AES128 are output by the prf). This means ignoring the text in draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt after sec 4.2. It would be nice if draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt is reorganized a bit such as first aes-xcbc-mac is defined with output equal to the block length (does this draft refer only to aes128?) Then a section about truncation is added where aes-xcbc-mac-96 is defined. A couple of test cases for aes-xcbc-mac could be added. In this way ikev2 could cleanly refer to aes-xcbc-mac as defined in draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt. Hugo From owner-ipsec@lists.tislabs.com Fri Jun 6 17:06:06 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h57066AF040956; Fri, 6 Jun 2003 17:06:06 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id TAA17389 Fri, 6 Jun 2003 19:42:44 -0400 (EDT) Date: Sat, 7 Jun 2003 02:48:48 +0300 (IDT) From: Hugo Krawczyk To: Tschofenig Hannes cc: "'ipsec@lists.tislabs.com'" Subject: Re: Question regarding user identity confidentiality In-Reply-To: <2A8DB02E3018D411901B009027FD3A3F03676096@mchp905a.mch.sbs.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hannes, You are late to this party... This issue has been discussed in a couple of threads in this list (the last of which took place in March and carried the subject "Do ipsec vendors care about privacy?"). This represented my failed attempt to get the WG to decide on what seems as the obvious requirement to protect the user's id in the EAP exchange. Even the "provocative" subject of the thread (and the positive answer to that question given by several ipsec vendors) was insufficient to market the idea. If you read the thread you'll see some people claiming that doing so would add significant complexity to the protocol. I do not agree. I have the feeling that a silent majority would have supported this, but that's how silent majorities work, they remain silent... :) Hugo On Fri, 6 Jun 2003, Tschofenig Hannes wrote: > hi all, > > i have read the ikev2 tuturial and ikev2 and i have a question about the > user identity confidentiality: > > before secure legacy authentication was added to ikev2 i agreed with the > selected user id confidentiality approach where the identity of the > initiator is revealed first. at that time it is was difficult to assume a > client-server architecture (i.e. which entity starts ike) and therefore > which entity has to be protected. > > for remote access solutions using secure legacy authentication (by using > eap) things are a little bit different. > > with eap you have the following message flow (taken from section 3.16 of > [draft-ietf-ipsec-ikev2-08.txt]): > > Initiator Responder > ----------- ----------- > HDR, SAi1, KEi, Ni --> > > <-- HDR, SAr1, KEr, Nr, [CERTREQ] > > HDR, SK {IDi, [CERTREQ,] [IDr,] > SAi2, TSi, TSr} --> > > <-- HDR, SK {IDr, [CERT,] AUTH, > EAP } > > HDR, SK {EAP, [AUTH] } --> > > The draft says "By including an IDi payload but not an AUTH payload, the > initiator has declared an identity but has not proven it." (message 3) > > Section 3.16 additionally says: "Note that since IKE passes an indication of > initiator identity in message 3 of the protocol, EAP based prompts for > Identity SHOULD NOT be used." > > To me this seems that protection of the user identity against an active > attack cannot be provided for eap methods (except if tunneled methods are > used). this seems to have some disadvantages for remote access solutions > where you have a client-server relationship. > > possible solutions are: > > a) ignore user id conf. > b) suggest to use a tunneled method within ikev2/eap when user identity > confidentiality is required. this clearly has a performance disadvantage > since you create two tunnels (for server to client authentication) in > addition to the eap method for client to server authentication. > c) change the handling for secure legacy auth. and let the responder > authenticate to the initiator first > d) others? > > am i wrong with my observations? > > ciao > hannes > From owner-ipsec@lists.tislabs.com Fri Jun 6 17:17:39 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h570HbAF041189; Fri, 6 Jun 2003 17:17:39 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id TAA17453 Fri, 6 Jun 2003 19:54:29 -0400 (EDT) Message-Id: <5.2.0.9.2.20030606195908.043c5358@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Fri, 06 Jun 2003 20:00:20 -0400 To: action@ietf.org From: Russ Housley Subject: Fwd: Problem with draft-ietf-ipsec-ikev2-algorithms-02.txt Cc: jis@mit.edu, tytso@mit.edu, byfraser@cisco.com, ipsec@lists.tislabs.com, angelos@cs.columbia.edu Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Please fix the link to draft-ietf-ipsec-ikev2-algorithms-02.txt on the IPsec WG web page and make sure the document is in the repository. Russ >Delivered-To: housley@mail.binhost.com >Delivered-To: alias-582@vigilsec.com >X-Sender: byfraser@mira-sjc5-4.cisco.com >X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 >Date: Fri, 06 Jun 2003 12:27:08 -0700 >To: Internet-Drafts@ietf.org >From: Barbara Fraser >Subject: Problem with draft-ietf-ipsec-ikev2-algorithms-02.txt >Cc: jis@mit.edu, tytso@mit.edu, byfraser@cisco.com, ipsec@lists.tislabs.com, > angelos@cs.columbia.edu >Sender: owner-ipsec@lists.tislabs.com > >Hi, > >Re: draft-ietf-ipsec-ikev2-algorithms-02.txt > >Ted and I were looking for this draft and noticed that the link for the >-02 document on the IPsec wg page is broken. When we checked the ftp >site, there were no copies of this document at all, even the earlier -01 >version. We believe Jeff submitted the -02 document on June 3. There >has been no announcement of this draft which leads us to believe something >happened in the middle of ID's handling of this document. > >Thanks for looking into this, >Barb and Ted > From owner-ipsec@lists.tislabs.com Sat Jun 7 01:53:06 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h578r2AF076837; Sat, 7 Jun 2003 01:53:06 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id EAA19616 Sat, 7 Jun 2003 04:21:37 -0400 (EDT) Date: Sat, 7 Jun 2003 10:27:30 +0200 From: Markus Friedl To: ipsec@lists.tislabs.com Subject: IKEv2 and NAT/T Message-ID: <20030607082730.GA25456@faui02> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Tue, Jun 03, 2003 at 11:14:14AM -0400, Charlie_Kaufman@notesdev.ibm.com wrote: > Just to let people know, I posted a revised IKEv2 draft incorporating > the recent comments. Hello, since IKEv2 includes support for NAT/T, I'd like to know how IKEv2 is affected by the IPR/patent claims that exist for several NAT traversal methods. Does anyone have pointers about the nature of these IPR claims and what exactily is affected by these claims. Encapsulating ESP in UDP seems very trivial, so I doubt that this is all the patents are about. Any help appreciated. thanks, -markus From owner-ipsec@lists.tislabs.com Sat Jun 7 18:00:54 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5810rAF038245; Sat, 7 Jun 2003 18:00:53 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id UAA22740 Sat, 7 Jun 2003 20:25:37 -0400 (EDT) Message-Id: <4.3.2.7.2.20030606162749.04395f00@mira-sjc5-4.cisco.com> X-Sender: byfraser@mira-sjc5-4.cisco.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 06 Jun 2003 18:30:50 -0700 To: John Shriver From: Barbara Fraser Subject: draft-ietf-ipsec-doi-tc-mib-07.txt and friends Cc: tytso@mit.edu, byfraser@cisco.com, angelos@cs.columbia.edu, Bert Wijnen , "Hilarie Orman, Purple Streak Development" , Luis Sanchez , "C. M. Heard" , Russ Housley , Paul Hoffman / VPNC , ipsec@lists.tislabs.com Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_39173268==_.ALT" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk --=====================_39173268==_.ALT Content-Type: text/plain; charset="us-ascii"; format=flowed Hi John, Ted and I have been, once again, digging back into the status of 5 of the MIB documents and would like to see us once and for all get these documents put to bed. We've seen and read the thread concerning draft-ietf-ipsec-doi-tc-mib-07.txt. Everything seems to have come to a halt after Mike Heard posted his summary MIB doctor comments on April 28. This document is referenced in the an IPSP document so we need to somehow resolve the issues surrounding it, which is why there is such a wide distribution on this message. First question is, are you willing to continue to work on this document as the editor? Second, it seems there has been some difference of opinion between you and Mike. One comment made was that some of the difficulties arose from this document being looked at in isolation of the other related documents. This brings me to a question. Every time Ted and I have asked if anyone is implementing these MIBs, there has been total silence leading us to believe nobody is implementing them. Paul Hoffman has kindly resubmitted draft-ietf-ipsec-ike-monitor-mib-04.txt, draft-ietf-ipsec-isakmp-di-mon-mib-05.txt, and draft-ietf-ipsec-monitor-mib-06.txt for us in the new format, and if he, or someone else is willing to take them on, we could continue to progress all of them. If that's what folks want to do. On the other hand, we could also choose to progress only the document that Hilary's group needs and drop the other three due to lack of interest/implementation. It's also fair to remind folks that these are all IKEv1 MIB docs. All this boils down to the following: 1. Are you willing to continue to edit draft-ietf-ipsec-doi-tc-mib-07.txt? 2. We need to come to agreement on what changes are needed, that is we must address the MIB doctor comments. 3. Are we going to continue to support draft-ietf-ipsec-ike-monitor-mib-04.txt, draft-ietf-ipsec-isakmp-di-mon-mib-05.txt, and draft-ietf-ipsec-monitor-mib-06.txt? If so, who's willing to take on the document editor job? And, more importantly, how do we decide what changes are needed to them. I feel like we're living in Ground Day with these MIB docs. We keep living the same thing over and over. Let's please get to the end :-) thanks, Barb and Ted --=====================_39173268==_.ALT Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi John,

Ted and I have been, once again, digging back into the status of 5 of the MIB documents and would like to see us once and for all get these documents put to bed. We've seen and read the thread concerning draft-ietf-ipsec-doi-tc-mib-07.txt. Everything seems to have come to a halt after Mike Heard posted his summary MIB doctor comments on April 28. This document is referenced in the an IPSP document so we need to somehow resolve the issues surrounding it, which is why there is such a wide distribution on this message. First question is, are you willing to continue to work on this document as the editor? Second, it seems there has been some difference of opinion between you and Mike. One comment made was that some of the difficulties arose from this document being looked at in isolation of the other related documents. This brings me to a question. Every time Ted and I have asked if anyone is implementing these MIBs, there has been total silence leading us to believe nobody is implementing them. Paul Hoffman has kindly resubmitted draft-ietf-ipsec-ike-monitor-mib-04.txt, draft-ietf-ipsec-isakmp-di-mon-mib-05.txt, and draft-ietf-ipsec-monitor-mib-06.txt for us in the new format, and if he, or someone else is willing to take them on, we could continue to progress all of them. If that's what folks want to do. On the other hand, we could also choose to progress only the document that Hilary's group needs and drop the other three due to lack of interest/implementation. It's also fair to remind folks that these are all IKEv1 MIB docs.

All this boils down to the following:
1. Are you willing to continue to edit draft-ietf-ipsec-doi-tc-mib-07.txt?
2. We need to come to agreement on what changes are needed, that is we must address the MIB doctor comments.
3. Are we going to continue to support draft-ietf-ipsec-ike-monitor-mib-04.txt, draft-ietf-ipsec-isakmp-di-mon-mib-05.txt, and draft-ietf-ipsec-monitor-mib-06.txt? If so, who's willing to take on the document editor job? And, more importantly, how do we decide what changes are needed to them.

I feel like we're living in Ground Day with these MIB docs. We keep living the same thing over and over. Let's please get to the end=20 :-)

thanks,
Barb and Ted --=====================_39173268==_.ALT-- From owner-ipsec@lists.tislabs.com Sat Jun 7 18:00:59 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5810uAF038255; Sat, 7 Jun 2003 18:00:59 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id UAA22752 Sat, 7 Jun 2003 20:28:38 -0400 (EDT) Cc: David Blaker , ipsec@lists.tislabs.com Message-ID: <3EE10F4A.7000303@bell-labs.com> Date: Fri, 06 Jun 2003 18:01:46 -0400 From: Uri Blumenthal Organization: Lucent Tehcnologies / Bell Labs User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 X-Accept-Language: en-us, en, zh-cn, ru, de, he MIME-Version: 1.0 To: "Theodore Ts'o" Original-CC: David Blaker , ipsec@lists.tislabs.com Subject: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ References: <49B96FCC784BC54F9675A6B558C3464ED7C15F@mail.netoctave.com> <20030606195203.GB4070@think> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec@lists.tislabs.com Precedence: bulk I'd volunteer, since I've been working on the thing (on and off) for a while now. But as the discussion demonstrated, it's not as simple - if you want to use that PRF in IKEv2. Theodore Ts'o wrote: > On Wed, Jun 04, 2003 at 12:47:57PM -0400, David Blaker wrote: > >>Although I have seen discussions of using AES for a PRF function on >>the IPSec mailing list, I am unaware of a formal definition that is >>documented in a draft. draft-ietf-ipsec-ciph-aes-cbs-05.txt makes no >>mention of a prf function, as far as I can tell. If PRF_AES128_CBC >>is to be either a SHOULD or a SHOULD+, then someone first needs to >>define it somewhere. Would one of the proposers of this algorithm please >>provide a draft? > > > Good catch. It appears that ikev2-algorithms-01 is in error: > PRF_AES128_CBC is not defined in draft-ietf-ipsec-aes-cbc-05, and I > don't see any drafts where it is defined. So we need to modify > ikev2-algorithms to point at a (currently non-existent) I-D, and we > need to find a volunteer to quickly gin up an I-D which defines > PRF_AES128_CBC. > > Barbara and I believe that this shouldn't hold up the IETF last call > for draft-ietf-ipsec-algorithms, since writing up this PRF AES I-D > should be something that can be done quickly, however, with the > dangling reference the algorithms document will stall when it hits the > RFC editor, so we will need to plug this reference quickly. From owner-ipsec@lists.tislabs.com Sat Jun 7 18:04:05 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h58144AF038387; Sat, 7 Jun 2003 18:04:04 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id UAA22753 Sat, 7 Jun 2003 20:28:44 -0400 (EDT) Date: Fri, 6 Jun 2003 22:42:44 +0200 From: Markus Friedl To: ipsec@lists.tislabs.com Subject: Re: New IKEv2 draft -08 Message-ID: <20030606204244.GA31195@folly> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Tue, Jun 03, 2003 at 11:14:14AM -0400, Charlie_Kaufman@notesdev.ibm.com wrote: > Just to let people know, I posted a revised IKEv2 draft incorporating > the recent comments. Hello, since IKEv2 includes support for NAT/T, I'd like to know how IKEv2 is affected by the IPR/patent claims that exist for several NAT traversal methods. Does anyone have pointers about the nature of these IPR claims and what exactily is affected by these claims. Encapsulating ESP in UDP seems very trivial, so I doubt that this is all the patents are about. Any help appreciated. thanks, -markus From owner-ipsec@lists.tislabs.com Sun Jun 8 15:19:41 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h58MJeAF017353; Sun, 8 Jun 2003 15:19:40 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA25838 Sun, 8 Jun 2003 17:45:28 -0400 (EDT) Message-ID: <3EE3AD34.5090600@trpz.com> Date: Sun, 08 Jun 2003 14:40:04 -0700 From: Abraham Shacham User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Barbara Fraser , ipsec@lists.tislabs.com CC: tytso@mit.edu, ippcp Subject: IPComp editorial comments (Re: Working Group Last Call IKEv2) References: <4.3.2.7.2.20030603102719.050c84c8@mira-sjc5-4.cisco.com> In-Reply-To: <4.3.2.7.2.20030603102719.050c84c8@mira-sjc5-4.cisco.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Attached please find the IPComp editorial comments for IKEv2, including in RFC editor format. Regards, avram shacham@trpz.com shacham@shacham.net (*) Footnote to the bored reader of this repeated message: The I-D is in wg last call, so at the most a single repeat is due -- during ietf last call ;-< Barbara Fraser wrote: > Hi, > > This is a working group last call for comments on the IKEv2 draft, > draft-ietf-ipsec-ikev2-08.txt, for progression to Proposed Standard: > > This last call will expire in three weeks on June 23, 2003. > > thanks, > Barb and Ted > > > -------- Original Message -------- > Subject: IKEv2-05: IPComp (editorial) comments > Date: Mon, 03 Mar 2003 00:21:59 -0800 > From: Abraham Shacham > To: IP Security List > CC: ippcp > > > s/IPcomp/IPComp/ > s/RFC 2393/RFC 3173/ > > In page 54: > > The Transform IDs currently defined are: > Name Number Defined In > RESERVED 0 > IPCOMP_OUI 1 > IPCOMP_DEFLATE 2 (RFC2394) > IPCOMP_LZS 3 (RFC2395) > > Following RFC-3051, add: > > IPCOMP_LZJH 4 (RFC3051) > > > > Thanks, > avram > === the above comments in RFC editor format === page 2: Old: 2.22 IPcomp.................................................34 New: 2.22 IPComp.................................................34 page 4: Old: match fashion. IKE can also negotiate use of IPcomp [RFC2393] in connection with an ESP and/or AH SA. We call the IKE SA an "IKE_SA". New: match fashion. IKE can also negotiate use of IPComp [RFC3173] in connection with an ESP and/or AH SA. We call the IKE SA an "IKE_SA". page 11: Old: SAs are nested, as when data (and IP headers if in tunnel mode) are encapsulated first with IPcomp, then with ESP, and finally with AH between the same pair of endpoints, all of the SAs MUST be deleted New: SAs are nested, as when data (and IP headers if in tunnel mode) are encapsulated first with IPComp, then with ESP, and finally with AH between the same pair of endpoints, all of the SAs MUST be deleted page 34: Old: 2.22 IPcomp New: 2.22 IPComp Old: implementations of this specification MUST NOT accept an IPcomp algorithm that was not proposed, MUST NOT accept more than one, and New: implementations of this specification MUST NOT accept an IPComp algorithm that was not proposed, MUST NOT accept more than one, and Old: A side effect of separating the negotiation of IPcomp from cryptographic parameters is that it is not possible to propose New: A side effect of separating the negotiation of IPComp from cryptographic parameters is that it is not possible to propose pp 65, 66: Old: IPCOMP_SUPPORTED 24581 This notification may only be included in a message containing an SA payload negotiating a CHILD_SA and indicates a willingness by its sender to use IPcomp on this SA. The data associated with this notification includes a two octet IPcomp CPI followed by a one octet transform ID optionally followed by attributes whose length and format is defined by that transform ID. A message proposing an SA may contain multiple IPCOMP_SUPPORTED notifications to indicate multiple supported algorithms. A message accepting an SA may contain at most one. The transform IDs currently defined are: NAME NUMBER DEFINED IN ----------- ------ ----------- RESERVED 0 IPCOMP_OUI 1 IPCOMP_DEFLATE 2 RFC 2394 IPCOMP_LZS 3 RFC 2395 values 4-240 are reserved to IANA. Values 241-255 are for private use among mutually consenting parties. New: IPCOMP_SUPPORTED 24581 This notification may only be included in a message containing an SA payload negotiating a CHILD_SA and indicates a willingness by its sender to use IPComp on this SA. The data associated with this notification includes a two octet IPComp CPI followed by a one octet transform ID optionally followed by attributes whose length and format is defined by that transform ID. A message proposing an SA may contain multiple IPCOMP_SUPPORTED notifications to indicate multiple supported algorithms. A message accepting an SA may contain at most one. The transform IDs currently defined are: NAME NUMBER DEFINED IN ----------- ------ ----------- RESERVED 0 IPCOMP_OUI 1 IPCOMP_DEFLATE 2 RFC 2394 IPCOMP_LZS 3 RFC 2395 IPCOMP_LZJH 4 RFC 3051 values 5-240 are reserved to IANA. Values 241-255 are for private use among mutually consenting parties. page 83: Old: IPcomp Transform IDs New: IPComp Transform IDs page 85: Old: [IPCOMP] Shacham, A., Monsour, R., Pereira, R., and Thomas, M., "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998. New: [IPCOMP] Shacham, A., Monsour, R., Pereira, R., and Thomas, M., "IP Payload Compression Protocol (IPComp)", RFC 3173, September 2001. === eom === From owner-ipsec@lists.tislabs.com Mon Jun 9 07:10:15 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59EADAF082359; Mon, 9 Jun 2003 07:10:14 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA28372 Mon, 9 Jun 2003 09:32:46 -0400 (EDT) Message-Id: <200306091145.HAA28659@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ipsec@lists.tislabs.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ipsec-ikev2-algorithms-02.txt Date: Mon, 09 Jun 2003 07:45:35 -0400 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Protocol Working Group of the IETF. Title : Cryptographic Algorithms for use in the Internet Key Exchange Version 2 Author(s) : J. Schiller Filename : draft-ietf-ipsec-ikev2-algorithms-02.txt Pages : 6 Date : 2003-6-6 The IPSec series of protocols makes use of various cryptographic algorithms in order to provide security services. The Internet Key Exchange (IKE [RFC2409] and IKEv2 [IKEv2]) provide a mechanism to negotiate which algorithms should be used in any even association. However to ensure interoperability between disparate implementations it is necessary to specify a set of mandatory to implement algorithms to ensure at least one algorithm that all implementations will have available. This document defines the current set of mandatory to implement algorithms for use of IKEv2 as well as specifying algorithms that should be implemented because they made be promoted to mandatory at some future time. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-algorithms-02.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsec-ikev2-algorithms-02.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipsec-ikev2-algorithms-02.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-6-6133209.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ipsec-ikev2-algorithms-02.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ipsec-ikev2-algorithms-02.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-6-6133209.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec@lists.tislabs.com Mon Jun 9 07:10:19 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59EAJAF082381; Mon, 9 Jun 2003 07:10:19 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA28378 Mon, 9 Jun 2003 09:38:50 -0400 (EDT) Message-ID: <3EE487F1.5F3D173B@ietf.org> Date: Mon, 09 Jun 2003 09:13:21 -0400 From: Natalia Syracuse X-Mailer: Mozilla 4.51 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Barbara Fraser CC: Internet-Drafts@ietf.org, jis@mit.edu, tytso@mit.edu, ipsec@lists.tislabs.com, angelos@cs.columbia.edu Subject: Re: Problem with draft-ietf-ipsec-ikev2-algorithms-02.txt References: <4.3.2.7.2.20030606121942.04ed4dc0@mira-sjc5-4.cisco.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-ipsec@lists.tislabs.com Precedence: bulk ftp://ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-algorithms-02.txt. It has been received on June 6th. It has been announced on June 9th. http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-algorithms-02.txt Natalia Syracuse Barbara Fraser wrote: > > Hi, > > Re: draft-ietf-ipsec-ikev2-algorithms-02.txt > > Ted and I were looking for this draft and noticed that the link for the -02 > document on the IPsec wg page is broken. When we checked the ftp site, > there were no copies of this document at all, even the earlier -01 > version. We believe Jeff submitted the -02 document on June 3. There has > been no announcement of this draft which leads us to believe something > happened in the middle of ID's handling of this document. > > Thanks for looking into this, > Barb and Ted From owner-ipsec@lists.tislabs.com Mon Jun 9 07:44:57 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59EiuAF084634; Mon, 9 Jun 2003 07:44:57 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA28549 Mon, 9 Jun 2003 10:16:23 -0400 (EDT) From: "Yoav Nir" To: Subject: RE: I-D ACTION:draft-ietf-ipsec-ikev2-algorithms-02.txt Date: Mon, 9 Jun 2003 17:20:51 +0200 Message-ID: <000e01c32e9a$b6ffbb00$292e1dc2@YnirNew> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal In-Reply-To: <200306091145.HAA28659@ietf.org> Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hi all, I still see no reference to AES with 192 or 256 bits. Either we have different names and numbers (such as "ENCR_AES_256_CBC") or else we use the keylength attribute of the transform payload. In that case, I think the encryption method name should be changed to "ENCR_AES_CBC". Having only "ENCR_AES_128_CBC" does not make sense. Yoav -----Original Message----- From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Internet-Drafts@ietf.org Sent: Monday, June 09, 2003 1:46 PM To: IETF-Announce: Cc: ipsec@lists.tislabs.com Subject: I-D ACTION:draft-ietf-ipsec-ikev2-algorithms-02.txt A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Protocol Working Group of the IETF. Title : Cryptographic Algorithms for use in the Internet Key Exchange Version 2 Author(s) : J. Schiller Filename : draft-ietf-ipsec-ikev2-algorithms-02.txt Pages : 6 Date : 2003-6-6 The IPSec series of protocols makes use of various cryptographic algorithms in order to provide security services. The Internet Key Exchange (IKE [RFC2409] and IKEv2 [IKEv2]) provide a mechanism to negotiate which algorithms should be used in any even association. However to ensure interoperability between disparate implementations it is necessary to specify a set of mandatory to implement algorithms to ensure at least one algorithm that all implementations will have available. This document defines the current set of mandatory to implement algorithms for use of IKEv2 as well as specifying algorithms that should be implemented because they made be promoted to mandatory at some future time. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-algorithms-02.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsec-ikev2-algorithms-02.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipsec-ikev2-algorithms-02.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. From owner-ipsec@lists.tislabs.com Mon Jun 9 08:32:14 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59FWCAF088914; Mon, 9 Jun 2003 08:32:13 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA28741 Mon, 9 Jun 2003 11:00:41 -0400 (EDT) Message-Id: <200306091506.h59F65of003913@givry.rennes.enst-bretagne.fr> From: Francis Dupont To: Barbara Fraser cc: ipsec@lists.tislabs.com, tytso@mit.edu Subject: Re: Working Group Last Call IKEv2 In-reply-to: Your message of Tue, 03 Jun 2003 10:32:01 PDT. <4.3.2.7.2.20030603102719.050c84c8@mira-sjc5-4.cisco.com> Date: Mon, 09 Jun 2003 17:06:05 +0200 X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr Sender: owner-ipsec@lists.tislabs.com Precedence: bulk In your previous mail you wrote: I have some concerns about the current draft (08), here are the minor concerns: - in section 2.1 (retransmission) we should stress the "messages" are IKE messages, i.e., for instance one can restransmit a request using a different address in the transport header. I propose a very simple improvement, change: For every pair of messages, the Initiator is responsible for to For every pair of IKE messages, the Initiator is responsible for so the reader can refer to section 3 where IKE messages are defined. - nowhere the rule for sending response (reverse the transport stuff) is fully explained. I propose to complete section 2.11 (agility): ... An implementation MUST accept incoming connection requests even if not received from UDP port 500 or 4500, and MUST respond to the address and port from which the request was received. becomes: ... An implementation MUST accept incoming requests even if not received from UDP port 500 or 4500, and MUST respond to the address and port from which the request was received, and from the address and port to which the request was received. note that I suppressed the word "connection" as this stands for every requests. - when CHILD_SAs rekeyed with a CREATE_CHILD_SA using PFS are usable? In IKEv1 these synchro issues are handled by the infamous commit bit and the third message of quick mode... IMHO the companion draft (draft-ietf-ipsec-ikev2-tutorial-xx.txt) should give some hints. BTW I'd like to get the opinion from other implementors because the simplest solution (wait for an initiator->responder packet) is not always available... This can be an occasion to explain what SA to use in rekeying, the new one or the old one until it expires? Regards Francis.Dupont@enst-bretagne.fr From owner-ipsec@lists.tislabs.com Mon Jun 9 09:06:29 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59G6OAF090464; Mon, 9 Jun 2003 09:06:29 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA28993 Mon, 9 Jun 2003 11:35:40 -0400 (EDT) Message-Id: <200306091541.h59Ff3of003997@givry.rennes.enst-bretagne.fr> From: Francis Dupont To: Barbara Fraser cc: ipsec@lists.tislabs.com, tytso@mit.edu Subject: Re: Working Group Last Call IKEv2 In-reply-to: Your message of Tue, 03 Jun 2003 10:32:01 PDT. <4.3.2.7.2.20030603102719.050c84c8@mira-sjc5-4.cisco.com> Date: Mon, 09 Jun 2003 17:41:03 +0200 X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr Sender: owner-ipsec@lists.tislabs.com Precedence: bulk In your previous mail you wrote: I have some concerns about the current draft (08), here are the major concerns: - the NAT traversal facility is clearly unfinished: what is the decision about this: postpone this to another draft, give up all missing stuff, something else? Two examples of missing stuff: * the encapsulation of ESP of UDP 4500 * the implicit peer address update mechanism - the peer addresses (the addresses IKE runs over, cf 2.11) are not protected, this makes IKEv2 usable to launch DoS attacks by modifying addresses in IP headers of some packets. Initial CHILD_SA establishment can be made safe if NAT detection (i.e., NAT_DETECTION_{SOURCE,DESTINATION}_IP) is mandatory for all implementations (I can't see any problem with this and the proposed modification to the draft is very simple: put the relevant statement some lines before or after its current position). If this is accepted, we have two ways to protect the addresses of peers which are not behind a NAT: * always use the peer address of the IKE_SA_INIT messages as the address of the endpoint in any derived SA (i.e., "lock" it, the idea is from Tero Kivinen). * introduce a new notification to specify the proper peer address(es). This idea (mine) gives a better support to SCTP and similar cases but needs more work/time. Regards Francis.Dupont@enst-bretagne.fr From owner-ipsec@lists.tislabs.com Mon Jun 9 09:26:58 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59GQuAF090906; Mon, 9 Jun 2003 09:26:57 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA29164 Mon, 9 Jun 2003 12:00:38 -0400 (EDT) Message-Id: <200306091606.h59G62of004050@givry.rennes.enst-bretagne.fr> From: Francis Dupont To: ipsec@lists.tislabs.com Subject: issue with "per-interface SAD/SPD" Date: Mon, 09 Jun 2003 18:06:02 +0200 X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr Sender: owner-ipsec@lists.tislabs.com Precedence: bulk The RFC 2401 mandates (section 4.4, page 13) separate inbound and outbound databases (SAD and SPD) for each IPsec-enabled interface. This doesn't work in a dynamic environment where for instance dynamic routing makes the arrival of a packet for an address of a node possible on more than one interface in a long term, or where the peer is a mobile node. The problem exists at least in SAD lookup for incoming traffic and for SPD matching in IKE... IMHO the simplest (so the best :-) solution is to introduce an interface selector: the "firewall" properties are kept but a SPD entry can be "shared" between some interfaces. How this will be handled in the revision of RFC 2401? Regards Francis.Dupont@enst-bretagne.fr From owner-ipsec@lists.tislabs.com Mon Jun 9 10:09:01 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59H91AF091640; Mon, 9 Jun 2003 10:09:01 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA29347 Mon, 9 Jun 2003 12:39:48 -0400 (EDT) Message-ID: <3EE4BA34.5010308@isi.edu> Date: Mon, 09 Jun 2003 09:47:48 -0700 From: Joe Touch User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Francis Dupont CC: ipsec@lists.tislabs.com Subject: Re: issue with "per-interface SAD/SPD" References: <200306091606.h59G62of004050@givry.rennes.enst-bretagne.fr> In-Reply-To: <200306091606.h59G62of004050@givry.rennes.enst-bretagne.fr> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Francis Dupont wrote: > The RFC 2401 mandates (section 4.4, page 13) separate inbound and > outbound databases (SAD and SPD) for each IPsec-enabled interface. > This doesn't work in a dynamic environment where for instance dynamic > routing makes the arrival of a packet for an address of a node possible > on more than one interface in a long term, or where the peer is a mobile > node. > The problem exists at least in SAD lookup for incoming traffic and for > SPD matching in IKE... IMHO the simplest (so the best :-) solution is > to introduce an interface selector: the "firewall" properties are kept > but a SPD entry can be "shared" between some interfaces. > How this will be handled in the revision of RFC 2401? > > Regards > > Francis.Dupont@enst-bretagne.fr FYI, we addressed this sort of issue in draft-touch-ipsec-vpn-05.txt, which was submitted independently as an Informational in April. Introducing an interface selector is insufficient; the selector needs to indicate the next-hop IP address and interface, as both are required for IP forwarding. The details of this issue, and simpler alternatives are discussed in the draft. Joe From owner-ipsec@lists.tislabs.com Mon Jun 9 12:37:41 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59JbeAF001741; Mon, 9 Jun 2003 12:37:40 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA29939 Mon, 9 Jun 2003 15:05:39 -0400 (EDT) Date: Mon, 9 Jun 2003 13:11:27 -0600 Message-Id: <200306091911.h59JBRS09976@localhost.localdomain> From: "The Purple Streak, Hilarie Orman" To: jshriver+ietf@sockeye.com Cc: byfraser@cisco.com, ipsec@lists.tislabs.com, paul.hoffman@vpnc.org, housley@vigilsec.com, heard@pobox.com, lsanchez@xapiens.com, bwijnen@lucent.com, angelos@cs.columbia.edu, tytso@mit.edu, wes@hardakers.net In-reply-to: Yourmessage <3EE490E7.8080101@sockeye.com> Subject: Re: draft-ietf-ipsec-doi-tc-mib-07.txt and friends Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Wes Hardaker has had implementations that use this, and he has made similar changes to his IPSP MIB document in order to appease the MIB powers. You and Wes should coordinate changes and resubmit ASAP. Hilarie > Date: Mon, 09 Jun 2003 09:51:35 -0400 > From: John Shriver > Organization: Sockeye Networks > > Hi John, > > > > Ted and I have been, once again, digging back into the status of 5 of > > the MIB documents and would like to see us once and for all get these > > documents put to bed. We've seen and read the thread concerning > > draft-ietf-ipsec-doi-tc-mib-07.txt. Everything seems to have come to a > > halt after Mike Heard posted his summary MIB doctor comments on April > > 28. This document is referenced in the an IPSP document so we need to > > somehow resolve the issues surrounding it, which is why there is such a > > wide distribution on this message. First question is, are you willing > > to continue to work on this document as the editor? > Absolutely. The problem is that we lack a consensus on what to do about > Mike Heard's comments. Honestly, nobody but Mike and I appear to give a > darn, at least on the IPsec mailing list! Even if I do decide to agree > with the change from enumerations to simple typedefs, is an agreement of > two people out of the entire IPsec list really a consensus? Maybe it > is, in the absence of any dissenting opinion! > Myself, I think the MIB is far more useful if we ignore Mike's comments. > But, realistically, it would _never_ get through last call, and it > would be futile to proceeed in that direction. > > Second, it seems > > there has been some difference of opinion between you and Mike. One > > comment made was that some of the difficulties arose from this document > > being looked at in isolation of the other related documents. This brings > > me to a question. Every time Ted and I have asked if anyone is > > implementing these MIBs, there has been total silence leading us to > > believe nobody is implementing them. > I suspect that nobody is implementing the related MIBs. I may remember > one vendor implementing the drafts, but I wouldn't be surprised if > they've been swept away by the dot-com meltdown of the last two years. > > Paul Hoffman has kindly resubmitted > > draft-ietf-ipsec-ike-monitor-mib-04.txt, > > draft-ietf-ipsec-isakmp-di-mon-mib-05.txt, and > > draft-ietf-ipsec-monitor-mib-06.txt for us in the new format, and if he, > > or someone else is willing to take them on, we could continue to > > progress all of them. > I think that IKEv2 is rendering much of the content of these MIBs as > obsolete. Plus the competiting IPsec Flow Monitoring MIB effort from > Cisco & Tivoli people, which has the advantadge of being implemented. > (You can't get through the standards track without implementations...) > Hopefully the folks authoring the Flow Monitoring MIB will continue to > pick up some of the good points from the earlier set of MIBs, I will > concede that later versions were improved. But I've seen little > standards effort there, they may have decided to abandon the standards > track, and just publish the MIBs under their trees? > > If that's what folks want to do. On the other > > hand, we could also choose to progress only the document that Hilary's > > group needs and drop the other three due to lack of > > interest/implementation. It's also fair to remind folks that these are > > all IKEv1 MIB docs. > > > > All this boils down to the following: > > 1. Are you willing to continue to edit draft-ietf-ipsec-doi-tc-mib-07.txt? > Yes. > > 2. We need to come to agreement on what changes are needed, that is we > > must address the MIB doctor comments. > Well, I can make the changes from enumerations to simple typedefs. The > real question is whether the IPSP folks are still interested in using > this MIB if it doesn't have the enumerations in it. To me, that was the > primary value of the MIB, and why I convinced Tim to let me do it. He > was just exporting the variables as INTEGERs, which I found unfriendly. > At least with any of the tools inheriting from the CMU ones, the > enumerations are much more useful. > So, IPSP folks (you are on the CC: list, right?), do you still want this > MIB without the enumerations? If so, I'll make Mike's changes, and ship > it out again. > > 3. Are we going to continue to support > > draft-ietf-ipsec-ike-monitor-mib-04.txt, > > draft-ietf-ipsec-isakmp-di-mon-mib-05.txt, and > > draft-ietf-ipsec-monitor-mib-06.txt? > I think we can let them die, unless someone someone is wanting them. > > If so, who's willing to take on the > > document editor job? And, more importantly, how do we decide what > > changes are needed to them. > > > > I feel like we're living in Groundhog Day with these MIB docs. We keep > > living the same thing over and over. Let's please get to the end :-) > Yeah, it would have been _easier_ if there had been some controversy, > rather than stunning silence all the way... > > > > thanks, > > Barb and Ted From owner-ipsec@lists.tislabs.com Mon Jun 9 15:39:48 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59MdjAF007754; Mon, 9 Jun 2003 15:39:48 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id SAA00402 Mon, 9 Jun 2003 18:10:55 -0400 (EDT) Date: Tue, 10 Jun 2003 01:16:47 +0300 (IDT) From: Hugo Krawczyk To: Uri Blumenthal cc: "Theodore Ts'o" , David Blaker , IPsec WG Subject: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ In-Reply-To: <3EE10F4A.7000303@bell-labs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Fri, 6 Jun 2003, Uri Blumenthal wrote: > I'd volunteer, since I've been working on the thing (on and off) > for a while now. But as the discussion demonstrated, it's not as > simple - if you want to use that PRF in IKEv2. Uri, I see no need for further I-D's. As I said in a recent message all is needed is a pointer to the AES-XCBC-MAC draft for the definition of what ikev2 calls PRF_AES128_CBC. All other issues regarding the use of prf are taken care by the ikev2 draft itself. In particular, the draft completely specifies the use of prf's whether with variable length key (such as HMAC-SHA) or fixed length key (such as aes128-cbc). The only prf's that are defined as MUST NOT USE are those whose output is shorter than the key itself (such as 3DES). All other discussions regarding prf use in ikev2 were resolved and reflected in the ikev2 draft. Hugo > > > Theodore Ts'o wrote: > > On Wed, Jun 04, 2003 at 12:47:57PM -0400, David Blaker wrote: > > > >>Although I have seen discussions of using AES for a PRF function on > >>the IPSec mailing list, I am unaware of a formal definition that is > >>documented in a draft. draft-ietf-ipsec-ciph-aes-cbs-05.txt makes no > >>mention of a prf function, as far as I can tell. If PRF_AES128_CBC > >>is to be either a SHOULD or a SHOULD+, then someone first needs to > >>define it somewhere. Would one of the proposers of this algorithm please > >>provide a draft? > > > > > > Good catch. It appears that ikev2-algorithms-01 is in error: > > PRF_AES128_CBC is not defined in draft-ietf-ipsec-aes-cbc-05, and I > > don't see any drafts where it is defined. So we need to modify > > ikev2-algorithms to point at a (currently non-existent) I-D, and we > > need to find a volunteer to quickly gin up an I-D which defines > > PRF_AES128_CBC. > > > > Barbara and I believe that this shouldn't hold up the IETF last call > > for draft-ietf-ipsec-algorithms, since writing up this PRF AES I-D > > should be something that can be done quickly, however, with the > > dangling reference the algorithms document will stall when it hits the > > RFC editor, so we will need to plug this reference quickly. > From owner-ipsec@lists.tislabs.com Mon Jun 9 16:44:21 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h59NiKAF010431; Mon, 9 Jun 2003 16:44:20 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id TAA00640 Mon, 9 Jun 2003 19:14:27 -0400 (EDT) Date: Tue, 10 Jun 2003 02:20:33 +0300 (IDT) From: Hugo Krawczyk To: Uri Blumenthal cc: IPsec WG Subject: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ In-Reply-To: <3EE5100E.3020608@bell-labs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Mon, 9 Jun 2003, Uri Blumenthal wrote: > Hugo Krawczyk wrote: > >>I'd volunteer, since I've been working on the thing (on and off) > >>for a while now. But as the discussion demonstrated, it's not as > >>simple - if you want to use that PRF in IKEv2. > > > > I see no need for further I-D's. As I said in a recent message all is > > needed is a pointer to the AES-XCBC-MAC draft for the definition of what > > ikev2 calls PRF_AES128_CBC. All other issues regarding the use of prf are > > taken care by the ikev2 draft itself. > > Respectfully disagree. care to explain? > > > In particular, the draft completely > > specifies the use of prf's whether with variable length key (such as > > HMAC-SHA) or fixed length key (such as aes128-cbc). > > Except for how to construct a pure AES-based PRF. what do you mean by "pure AES-based PRF"? Isnt AES-XCBC a pure AES-based prf? Hugo From owner-ipsec@lists.tislabs.com Mon Jun 9 18:12:51 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5A1CoAF013552; Mon, 9 Jun 2003 18:12:50 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id UAA00938 Mon, 9 Jun 2003 20:42:59 -0400 (EDT) Message-ID: <3EE52B65.803@airespace.com> Date: Mon, 09 Jun 2003 17:50:45 -0700 From: "Scott G. Kelly" Organization: Airespace User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 X-Accept-Language: en-us, en MIME-Version: 1.0 CC: ipsec@lists.tislabs.com Subject: Identity protection [Re: Working Group Last Call IKEv2] References: <4.3.2.7.2.20030603102719.050c84c8@mira-sjc5-4.cisco.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 10 Jun 2003 00:48:28.0888 (UTC) FILETIME=[02185580:01C32EEA] Sender: owner-ipsec@lists.tislabs.com Precedence: bulk I want to formally raise the issue of identity protection once again, now that we are in last call. This has been referred to by Hannes and Hugo in recent posts, and was discussed previously here. I don't think anyone will disagree that identity protection is useful in remote access scenarios for a number of reasons. In such cases, the identity of the SGW might often be obvious based on its use of a fixed IP address, but the identity of the initiator need not be. In weighing the usefulness of adding identity protection, we might consider how difficult it is to see the packets en route against what benefit an attacker might derive from knowledge of the identity, and also against the cost of securing this information. In many remote access scenarios, gaining access to packets containing identities is not a simple thing - the cost to the attacker is not insignificant. And the derived information does not provide a direct advantage - it is only one piece of the puzzle, and in general, significantly more work is required to take advantage of it. I think that for these reasons, some folks may feel that this protecting the intiator identity is not that important. Wireless network access is very much like remote access, and IPsec is sometimes used to secure such access. However, note that in a large number of wlan deployment scenarios, gaining access to the packets containing the identity is often straightforward, or even trivial. That is, the cost is significantly less than in the wired case. This changes the cost-benefit analysis considerably. For this reason, I think we should reconsider this. I think identity protection is a *very* important feature, and that IKEv2 should support it. Scott Barbara Fraser wrote: > Hi, > > This is a working group last call for comments on the IKEv2 draft, > draft-ietf-ipsec-ikev2-08.txt, for progression to Proposed Standard: > > This last call will expire in three weeks on June 23, 2003. > > thanks, > Barb and Ted > From owner-ipsec@lists.tislabs.com Mon Jun 9 21:13:05 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5A4D4AF018061; Mon, 9 Jun 2003 21:13:05 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA01424 Mon, 9 Jun 2003 23:43:37 -0400 (EDT) Mime-Version: 1.0 X-Sender: kseo@po2.bbn.com Message-Id: In-Reply-To: <200306091606.h59G62of004050@givry.rennes.enst-bretagne.fr> References: <200306091606.h59G62of004050@givry.rennes.enst-bretagne.fr> Date: Mon, 9 Jun 2003 23:49:39 -0400 To: Francis Dupont From: Karen Seo Subject: Re: issue with "per-interface SAD/SPD" Cc: ipsec@lists.tislabs.com Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang) Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Francis, I see your point but am not sure how Steve (Kent) would propose to address this. He's on vacation until 6/17. So I just wanted to let you know that we'll get back to you as soon as he returns (and has a chance to plow through his email backlog :-).) Karen >The RFC 2401 mandates (section 4.4, page 13) separate inbound and >outbound databases (SAD and SPD) for each IPsec-enabled interface. >This doesn't work in a dynamic environment where for instance dynamic >routing makes the arrival of a packet for an address of a node possible >on more than one interface in a long term, or where the peer is a mobile >node. >The problem exists at least in SAD lookup for incoming traffic and for >SPD matching in IKE... IMHO the simplest (so the best :-) solution is >to introduce an interface selector: the "firewall" properties are kept >but a SPD entry can be "shared" between some interfaces. >How this will be handled in the revision of RFC 2401? > >Regards > >Francis.Dupont@enst-bretagne.fr From owner-ipsec@lists.tislabs.com Tue Jun 10 10:22:11 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5AHMAAF085008; Tue, 10 Jun 2003 10:22:11 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA03687 Tue, 10 Jun 2003 12:39:25 -0400 (EDT) Date: Tue, 10 Jun 2003 19:45:33 +0300 (IDT) From: Hugo Krawczyk To: Uri Blumenthal cc: IPsec WG Subject: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ In-Reply-To: <3EE53648.3090608@bell-labs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk OK. I see now what you mean. Your phrasing of the question via "pure AES-based prf" confused me. What you are actually asking is whether the uses of prf in IKE are "provably secure" on the sole assumption that the prf function is a pseudorandom function (or, to be more precise, a function randomly chosen from a family of pseudorandom functions) under the standard definition of such functions. There are two answers to this question: yes and no. More specifically: the function "prf" in IKE has several uses: (1) to derive SKEYSEED from the DH value g^ir (2) to derive further keys (Ka, Kd, Ke, for the IKE-SA and KEYMAT for the ipsec algorithms) from SKEYSEED (3) as an integrity algorithm for the IKE-SA (including the essential MAC on the signer's identity in the SIGMA design) and for the CHILD-SA. Uses (2) and (3) (and, in general, the use of prf+) are provably secure on the sole assumption that prf is a pseudorandom function. Use (1) is the one you are referrinfg to below, and the answr to it is NO. That is, if all you assume on prf is that it is a pseudorandom function then you cannot conclude that SKEYSEED is indistinguishable from random. Indeed, I can show a family of pseudorandom functions (especially constructed to serve as a counter-example) under which SKEYSEED is distinguishable from random. The reason for this, as you note, is the use of a prf with random but non-secret key. This is a heuristic use of prf that I introduced for use in IKEv1 and about which I wrote several times (during the last 6 years) to this list. The idea is to use the prf family with random-but-known keys as a universal hash (UH) family and then to apply the so-called "leftover hash lemma". The right (in the sense of provability) design would have been to use an explicit UH function for this. However, I did not think that the introduction of a completely new transform to IKE would have been warmly welcome (to say the least). Moreover, this is one of the places where I personally believe that the engineering considerations outweigh the pure analytic considerations. Basically, I believe that any reasonable prf family will have enough statistical strength as to serve as a good replacement for UH for the sake of "extracting the computational randomness" from a DH key. I can only wish this to be the "weakest link" in all the cryptography of ike. Note, btw, that while we need SKEYSEED to be indistinguishable from random, ,the "distinguishing game" here is far more restricted for the attacker than in classic uses of prf's: in particular, the attacker never gets to see the output SKEYSEED of the prf but (at most) the output of prf(SKEYSEED,...). If you want a more academic analytical point of view, then one can phrase an explicit assumption on the prf family that will ensure the security of its use in (1). This, with the DDH assumption on the DH group used in IKE, will give you the required analytical assurance. While these assumptions on prf do not hold for all pseudorandom families, I expect them to occur in specific families such as AES (as long, of course, as no new serious cryptanalytical weaknesses on AES are discovered). I will not add more here about the technicalities involving these assumptions since this would get far more technical andacademic than this list deserves. Moreover, the full analytical details are still "work in progress" that will hopefully be published in the not-too-far future. One last thing on this issue: I do not believe (in particular based on the counter-examples I mentioned above) that one will be able to come with a use of prf's for "extracting randomness" a la UH which will be based SOLELY on the pseudorandomness assumption. I will be happy (and surprised) to see this done. Finally, regarding the "belt and suspenders" approach you mention below, there is a simple way to realize it in ike: when deriving SKEYSEED, XOR to the result of the prf the n upper bits of the DH value (n being the output length of prf). If these DH bits are distributed uniformly (as more or less expected via DDH) then you have "provable security". I have not suggested that in the past since it seems to me really unnecessary (moreover, since the DH value is not really uniformly distributed in the strings of length |p| then even if DDH holds this is not a purely provable condition). BTW, note that in ike's standarized DH groups the DDH assumption does NOT hold, since the generator is NOT of prime order. There is more to be said about this but again this is not the right technical forum for it. Hugo PS: Your feelings (expressed below) that using SHA1 directly or HMAC make the use of the prf in ike better justified is, in my opinion, incorrect. All the above reservations on the analytical strength of this use apply equaly to these other functions (not just to block ciphers). In particular, it is NOT the case that in SHA1 or HMAC the positioning of the key vs input is immaterial (not even if you assume the compression functions to behave as idealized "random oracles"). In some sense the main contribution of HMAC is in telling you how to position these bits to get provable guarantees. On Mon, 9 Jun 2003, Uri Blumenthal wrote: > Hugo Krawczyk wrote: > >>> I see no need for further I-D's. As I said in a recent message all > >>> is needed is a pointer to the AES-XCBC-MAC draft for the definition > >>> of what ikev2 calls PRF_AES128_CBC. All other issues regarding the > >>> use of prf are taken care by the ikev2 draft itself. > >> > >> Respectfully disagree. > > > > care to explain? > > Of course. > > First - a fundamental question. The draft (page 26, section 2.14) uses > Ni | Nr as a key to PRF, and g^ir as data. I understand that for an > essentially keyless function like SHA1 (and HMAC) it doesn't really > matter in what sequence to grok the inputs. However when you use a > keyed algorithm (such as AES), then doesn't it matter what data > (and of what randomness and secrecy) you use as a key, and > what - as a plaintext to crunch? > > Second, as far as I know, all the security proofs around block > ciphers are assuming that the key is secret. If one is using > AES-XCBC-MAC as PRF, following section 2.14 (page 26), then > the key is known. What kind of security proofs are you > getting? How secure is XCBC-MAC with a known key? > > Third, in our public discussion with David Wagner and Ran Canetti, > David mentioned the "belt and suspenders" approach: a semi-provable > PRF, based on the assumption that as long as EITHER Decisional > Diffie-Hellman holds OR hmac behaves as a random oracle - the > PRF constructed of hmac is secure. What assumptions are > taken with AES-XCBC-MAC used as PRF? > > > >>> In particular, the draft completely specifies the use of prf's > >>> whether with variable length key (such as HMAC-SHA) or fixed > >>> length key (such as aes128-cbc). > >> > >> Except for how to construct a pure AES-based PRF. > > > > what do you mean by "pure AES-based PRF"? Isnt AES-XCBC > > a pure AES-based prf? > > In my understanding, it is "pure AES-based", but under the > assumptions I see in the draft - not necessarily a PRF due > to its key being publicly known. > > > Uri. > > From owner-ipsec@lists.tislabs.com Tue Jun 10 10:22:15 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5AHMBAF085014; Tue, 10 Jun 2003 10:22:15 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA03713 Tue, 10 Jun 2003 12:46:29 -0400 (EDT) Date: Tue, 10 Jun 2003 19:52:37 +0300 (IDT) From: Hugo Krawczyk To: Tschofenig Hannes cc: "'ipsec@lists.tislabs.com'" Subject: RE: Question regarding user identity confidentiality In-Reply-To: <2A8DB02E3018D411901B009027FD3A3F036760C2@mchp905a.mch.sbs.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk You are right that the solution you propose achieves user's id protection, and that it is trivial to specify this solution given the current text. However, it is also true that this adds a round-trip to the protocol. It seemed from the discussion in the past on this issue that people did not consider this as a justified trade-off between privacy and communication latency. In any case, I believe that the WG made a decision here. One that I do not like but certainly not one that can be blamed on people not paying attention. If you want to support the review of this issue during last call you should support Scott Kelly's recent motion in this regard. (Having said the above, I am quite sure that if this issue would have brought to a "show of hands" in an ipsec meeting there would have been majority to the identity protection measure -- provided that someone presented the options and their trade-offs in that same meeting). Hugo On Tue, 10 Jun 2003, Tschofenig Hannes wrote: > hi hugo, > > thank you for your quick response. > > > Hannes, > > > > You are late to this party... > > i know. sorry about it. > > > This issue has been discussed in a couple of threads in this list > > (the last of which took place in March and carried the subject > > "Do ipsec vendors care about privacy?"). > > i roughly followed the discussions. i will, however, look at them again. > > to provide the required protection only a single sentence needs to be > changed - no modification to ikev2 itself. > > the following sentence in section 3.16 should be changed (particularly the > should not part): > > "Note that since IKE passes an indication of initiator identity in message 3 > of the protocol, EAP based prompts for Identity SHOULD NOT be used." > > if user identity conf. is required then the initiator would not provide its > user identity with message 3. instead the eap-request/identity is > transmitted by the responder in message 4. message 4 authenticates the > responder to the initiator. the identity of the client is subsequently > provided with message 5 as part of the eap-response/identity message. > > using this procedure the client is can enable user identity confidentiality > only if required. > > what do you think? > > ciao > hannes > > > > This represented my failed attempt to get the WG to decide on > > what seems > > as the obvious requirement to protect the user's id in the > > EAP exchange. > > Even the "provocative" subject of the thread (and the > > positive answer to > > that question given by several ipsec vendors) was > > insufficient to market > > the idea. If you read the thread you'll see some people claiming that > > doing so would add significant complexity to the protocol. I > > do not agree. > > I have the feeling that a silent majority would have supported this, > > but that's how silent majorities work, they remain silent... :) > > > > Hugo > > > > > > > > On Fri, 6 Jun 2003, Tschofenig Hannes wrote: > > > > > hi all, > > > > > > i have read the ikev2 tuturial and ikev2 and i have a > > question about the > > > user identity confidentiality: > > > > > > before secure legacy authentication was added to ikev2 i > > agreed with the > > > selected user id confidentiality approach where the identity of the > > > initiator is revealed first. at that time it is was > > difficult to assume a > > > client-server architecture (i.e. which entity starts ike) > > and therefore > > > which entity has to be protected. > > > > > > for remote access solutions using secure legacy > > authentication (by using > > > eap) things are a little bit different. > > > > > > with eap you have the following message flow (taken from > > section 3.16 of > > > [draft-ietf-ipsec-ikev2-08.txt]): > > > > > > Initiator Responder > > > ----------- ----------- > > > HDR, SAi1, KEi, Ni --> > > > > > > <-- HDR, SAr1, KEr, > > Nr, [CERTREQ] > > > > > > HDR, SK {IDi, [CERTREQ,] [IDr,] > > > SAi2, TSi, TSr} --> > > > > > > <-- HDR, SK {IDr, [CERT,] AUTH, > > > EAP } > > > > > > HDR, SK {EAP, [AUTH] } --> > > > > > > The draft says "By including an IDi payload but not an AUTH > > payload, the > > > initiator has declared an identity but has not proven it." > > (message 3) > > > > > > Section 3.16 additionally says: "Note that since IKE passes > > an indication of > > > initiator identity in message 3 of the protocol, EAP based > > prompts for > > > Identity SHOULD NOT be used." > > > > > > To me this seems that protection of the user identity > > against an active > > > attack cannot be provided for eap methods (except if > > tunneled methods are > > > used). this seems to have some disadvantages for remote > > access solutions > > > where you have a client-server relationship. > > > > > > possible solutions are: > > > > > > a) ignore user id conf. > > > b) suggest to use a tunneled method within ikev2/eap when > > user identity > > > confidentiality is required. this clearly has a performance > > disadvantage > > > since you create two tunnels (for server to client > > authentication) in > > > addition to the eap method for client to server authentication. > > > c) change the handling for secure legacy auth. and let the responder > > > authenticate to the initiator first > > > d) others? > > > > > > am i wrong with my observations? > > > > > > ciao > > > hannes > > > > > > > > From owner-ipsec@lists.tislabs.com Tue Jun 10 10:26:25 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5AHQLAF085088; Tue, 10 Jun 2003 10:26:24 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA03790 Tue, 10 Jun 2003 12:55:58 -0400 (EDT) Date: 9 Jun 2003 13:37:48 -0000 Message-ID: <20030609133748.30437.qmail@webmail7.rediffmail.com> MIME-Version: 1.0 From: "praveen kumar vemula" Reply-To: "praveen kumar vemula" To: ipsec@lists.tislabs.com Subject: IPSec NAT Pass thorugh .. Content-type: text/plain; format=flowed Content-Disposition: inline Sender: owner-ipsec@lists.tislabs.com Precedence: bulk hi all, i doing study on IPSec NAT pass though . in IPSec automatic key negotiation using IKE ( Main mode) , negotiating packets will be carrying peers IP Address. when it has to pass through NAT , surely it will fail at the other end, as ip address get translated . (please correct if my understanding is wrong) so, for SA estabilishment in main mode we have to use identification other than ip address, like domain name , email id .. is there any free softwares, or well known vendors have implemnation with this . i tired using windows 2000, looks like it not supporting .. any inputs for this mail will be great helpful .. thanks in advance , Praveen ___________________________________________________ Impress your clients! Send mail from me @ mycompany.com . Just Rs.1499/year. Click http://www.rediffmailpro.com to know more. From owner-ipsec@lists.tislabs.com Tue Jun 10 10:26:59 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5AHQwAF085108; Tue, 10 Jun 2003 10:26:58 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA03797 Tue, 10 Jun 2003 12:56:58 -0400 (EDT) Message-ID: <3EE490E7.8080101@sockeye.com> Date: Mon, 09 Jun 2003 09:51:35 -0400 From: John Shriver Organization: Sockeye Networks User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020826 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Barbara Fraser CC: John Shriver , tytso@mit.edu, angelos@cs.columbia.edu, Bert Wijnen , "Hilarie Orman, Purple Streak Development" , Luis Sanchez , "C. M. Heard" , Russ Housley , Paul Hoffman / VPNC , ipsec@lists.tislabs.com Subject: Re: draft-ietf-ipsec-doi-tc-mib-07.txt and friends References: <4.3.2.7.2.20030606162749.04395f00@mira-sjc5-4.cisco.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Barbara Fraser wrote: > Hi John, > > Ted and I have been, once again, digging back into the status of 5 of > the MIB documents and would like to see us once and for all get these > documents put to bed. We've seen and read the thread concerning > draft-ietf-ipsec-doi-tc-mib-07.txt. Everything seems to have come to a > halt after Mike Heard posted his summary MIB doctor comments on April > 28. This document is referenced in the an IPSP document so we need to > somehow resolve the issues surrounding it, which is why there is such a > wide distribution on this message. First question is, are you willing > to continue to work on this document as the editor? Absolutely. The problem is that we lack a consensus on what to do about Mike Heard's comments. Honestly, nobody but Mike and I appear to give a darn, at least on the IPsec mailing list! Even if I do decide to agree with the change from enumerations to simple typedefs, is an agreement of two people out of the entire IPsec list really a consensus? Maybe it is, in the absence of any dissenting opinion! Myself, I think the MIB is far more useful if we ignore Mike's comments. But, realistically, it would _never_ get through last call, and it would be futile to proceeed in that direction. > Second, it seems > there has been some difference of opinion between you and Mike. One > comment made was that some of the difficulties arose from this document > being looked at in isolation of the other related documents. This brings > me to a question. Every time Ted and I have asked if anyone is > implementing these MIBs, there has been total silence leading us to > believe nobody is implementing them. I suspect that nobody is implementing the related MIBs. I may remember one vendor implementing the drafts, but I wouldn't be surprised if they've been swept away by the dot-com meltdown of the last two years. > Paul Hoffman has kindly resubmitted > draft-ietf-ipsec-ike-monitor-mib-04.txt, > draft-ietf-ipsec-isakmp-di-mon-mib-05.txt, and > draft-ietf-ipsec-monitor-mib-06.txt for us in the new format, and if he, > or someone else is willing to take them on, we could continue to > progress all of them. I think that IKEv2 is rendering much of the content of these MIBs as obsolete. Plus the competiting IPsec Flow Monitoring MIB effort from Cisco & Tivoli people, which has the advantadge of being implemented. (You can't get through the standards track without implementations...) Hopefully the folks authoring the Flow Monitoring MIB will continue to pick up some of the good points from the earlier set of MIBs, I will concede that later versions were improved. But I've seen little standards effort there, they may have decided to abandon the standards track, and just publish the MIBs under their trees? > If that's what folks want to do. On the other > hand, we could also choose to progress only the document that Hilary's > group needs and drop the other three due to lack of > interest/implementation. It's also fair to remind folks that these are > all IKEv1 MIB docs. > > All this boils down to the following: > 1. Are you willing to continue to edit draft-ietf-ipsec-doi-tc-mib-07.txt? Yes. > 2. We need to come to agreement on what changes are needed, that is we > must address the MIB doctor comments. Well, I can make the changes from enumerations to simple typedefs. The real question is whether the IPSP folks are still interested in using this MIB if it doesn't have the enumerations in it. To me, that was the primary value of the MIB, and why I convinced Tim to let me do it. He was just exporting the variables as INTEGERs, which I found unfriendly. At least with any of the tools inheriting from the CMU ones, the enumerations are much more useful. So, IPSP folks (you are on the CC: list, right?), do you still want this MIB without the enumerations? If so, I'll make Mike's changes, and ship it out again. > 3. Are we going to continue to support > draft-ietf-ipsec-ike-monitor-mib-04.txt, > draft-ietf-ipsec-isakmp-di-mon-mib-05.txt, and > draft-ietf-ipsec-monitor-mib-06.txt? I think we can let them die, unless someone someone is wanting them. > If so, who's willing to take on the > document editor job? And, more importantly, how do we decide what > changes are needed to them. > > I feel like we're living in Groundhog Day with these MIB docs. We keep > living the same thing over and over. Let's please get to the end :-) Yeah, it would have been _easier_ if there had been some controversy, rather than stunning silence all the way... > > thanks, > Barb and Ted From owner-ipsec@lists.tislabs.com Tue Jun 10 10:28:22 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5AHSLAF085184; Tue, 10 Jun 2003 10:28:22 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA03806 Tue, 10 Jun 2003 12:57:59 -0400 (EDT) Cc: "Theodore Ts'o" , David Blaker , IPsec WG Message-ID: <3EE5100E.3020608@bell-labs.com> Date: Mon, 09 Jun 2003 18:54:06 -0400 From: Uri Blumenthal Organization: Lucent Tehcnologies / Bell Labs User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 X-Accept-Language: en-us, en, zh-cn, ru, de, he MIME-Version: 1.0 To: Hugo Krawczyk Original-CC: "Theodore Ts'o" , David Blaker , IPsec WG Subject: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ References: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hugo Krawczyk wrote: >>I'd volunteer, since I've been working on the thing (on and off) >>for a while now. But as the discussion demonstrated, it's not as >>simple - if you want to use that PRF in IKEv2. > > I see no need for further I-D's. As I said in a recent message all is > needed is a pointer to the AES-XCBC-MAC draft for the definition of what > ikev2 calls PRF_AES128_CBC. All other issues regarding the use of prf are > taken care by the ikev2 draft itself. Respectfully disagree. > In particular, the draft completely > specifies the use of prf's whether with variable length key (such as > HMAC-SHA) or fixed length key (such as aes128-cbc). Except for how to construct a pure AES-based PRF. I understand that HMAC is good, but for some application is may be preferred to stay within one algorithm (AES). From owner-ipsec@lists.tislabs.com Tue Jun 10 10:36:24 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5AHaNAF085418; Tue, 10 Jun 2003 10:36:23 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA03833 Tue, 10 Jun 2003 12:59:02 -0400 (EDT) Cc: IPsec WG Message-ID: <3EE53648.3090608@bell-labs.com> Date: Mon, 09 Jun 2003 21:37:12 -0400 From: Uri Blumenthal Organization: Lucent Tehcnologies / Bell Labs User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 X-Accept-Language: en-us, en, zh-cn, ru, de, he MIME-Version: 1.0 To: Hugo Krawczyk Original-CC: IPsec WG Subject: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+ References: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hugo Krawczyk wrote: >>> I see no need for further I-D's. As I said in a recent message all >>> is needed is a pointer to the AES-XCBC-MAC draft for the definition >>> of what ikev2 calls PRF_AES128_CBC. All other issues regarding the >>> use of prf are taken care by the ikev2 draft itself. >> >> Respectfully disagree. > > care to explain? Of course. First - a fundamental question. The draft (page 26, section 2.14) uses Ni | Nr as a key to PRF, and g^ir as data. I understand that for an essentially keyless function like SHA1 (and HMAC) it doesn't really matter in what sequence to grok the inputs. However when you use a keyed algorithm (such as AES), then doesn't it matter what data (and of what randomness and secrecy) you use as a key, and what - as a plaintext to crunch? Second, as far as I know, all the security proofs around block ciphers are assuming that the key is secret. If one is using AES-XCBC-MAC as PRF, following section 2.14 (page 26), then the key is known. What kind of security proofs are you getting? How secure is XCBC-MAC with a known key? Third, in our public discussion with David Wagner and Ran Canetti, David mentioned the "belt and suspenders" approach: a semi-provable PRF, based on the assumption that as long as EITHER Decisional Diffie-Hellman holds OR hmac behaves as a random oracle - the PRF constructed of hmac is secure. What assumptions are taken with AES-XCBC-MAC used as PRF? >>> In particular, the draft completely specifies the use of prf's >>> whether with variable length key (such as HMAC-SHA) or fixed >>> length key (such as aes128-cbc). >> >> Except for how to construct a pure AES-based PRF. > > what do you mean by "pure AES-based PRF"? Isnt AES-XCBC > a pure AES-based prf? In my understanding, it is "pure AES-based", but under the assumptions I see in the draft - not necessarily a PRF due to its key being publicly known. Uri. From owner-ipsec@lists.tislabs.com Tue Jun 10 10:36:31 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5AHaUAF085432; Tue, 10 Jun 2003 10:36:31 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA03832 Tue, 10 Jun 2003 12:59:00 -0400 (EDT) Message-ID: <3EE53750.7000801@bell-labs.com> Date: Mon, 09 Jun 2003 21:41:36 -0400 From: Uri Blumenthal Organization: Lucent Tehcnologies / Bell Labs User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 X-Accept-Language: en-us, en, zh-cn, ru, de, he MIME-Version: 1.0 To: IPsec WG Subject: ikev2-08 last nit Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Folks, Here's a nit I stumbled upon. Page 24 section 2.10 says that nonces must be at least 128 bits in size and at least half the size of the key of the negotiated PRF. That's fine. But on page 60, last paragraph before section 3.10, it says that the length of the nonce must be between 8 and 256 octets. So are nonces of 64 bits allowed (as per page 60) or forbidden (as per page 24)? The fix probably is to change the text on page 60 to "between 16 and 256 octets". Regards, Uri. From owner-ipsec@lists.tislabs.com Tue Jun 10 10:38:07 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5AHc4AF085479; Tue, 10 Jun 2003 10:38:06 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA03845 Tue, 10 Jun 2003 13:00:01 -0400 (EDT) Message-ID: <2A8DB02E3018D411901B009027FD3A3F036760C2@mchp905a.mch.sbs.de> From: Tschofenig Hannes To: "'Hugo Krawczyk'" Cc: "'ipsec@lists.tislabs.com'" Subject: RE: Question regarding user identity confidentiality Date: Tue, 10 Jun 2003 16:13:20 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk hi hugo, thank you for your quick response. > Hannes, > > You are late to this party... i know. sorry about it. > This issue has been discussed in a couple of threads in this list > (the last of which took place in March and carried the subject > "Do ipsec vendors care about privacy?"). i roughly followed the discussions. i will, however, look at them again. to provide the required protection only a single sentence needs to be changed - no modification to ikev2 itself. the following sentence in section 3.16 should be changed (particularly the should not part): "Note that since IKE passes an indication of initiator identity in message 3 of the protocol, EAP based prompts for Identity SHOULD NOT be used." if user identity conf. is required then the initiator would not provide its user identity with message 3. instead the eap-request/identity is transmitted by the responder in message 4. message 4 authenticates the responder to the initiator. the identity of the client is subsequently provided with message 5 as part of the eap-response/identity message. using this procedure the client is can enable user identity confidentiality only if required. what do you think? ciao hannes > This represented my failed attempt to get the WG to decide on > what seems > as the obvious requirement to protect the user's id in the > EAP exchange. > Even the "provocative" subject of the thread (and the > positive answer to > that question given by several ipsec vendors) was > insufficient to market > the idea. If you read the thread you'll see some people claiming that > doing so would add significant complexity to the protocol. I > do not agree. > I have the feeling that a silent majority would have supported this, > but that's how silent majorities work, they remain silent... :) > > Hugo > > > > On Fri, 6 Jun 2003, Tschofenig Hannes wrote: > > > hi all, > > > > i have read the ikev2 tuturial and ikev2 and i have a > question about the > > user identity confidentiality: > > > > before secure legacy authentication was added to ikev2 i > agreed with the > > selected user id confidentiality approach where the identity of the > > initiator is revealed first. at that time it is was > difficult to assume a > > client-server architecture (i.e. which entity starts ike) > and therefore > > which entity has to be protected. > > > > for remote access solutions using secure legacy > authentication (by using > > eap) things are a little bit different. > > > > with eap you have the following message flow (taken from > section 3.16 of > > [draft-ietf-ipsec-ikev2-08.txt]): > > > > Initiator Responder > > ----------- ----------- > > HDR, SAi1, KEi, Ni --> > > > > <-- HDR, SAr1, KEr, > Nr, [CERTREQ] > > > > HDR, SK {IDi, [CERTREQ,] [IDr,] > > SAi2, TSi, TSr} --> > > > > <-- HDR, SK {IDr, [CERT,] AUTH, > > EAP } > > > > HDR, SK {EAP, [AUTH] } --> > > > > The draft says "By including an IDi payload but not an AUTH > payload, the > > initiator has declared an identity but has not proven it." > (message 3) > > > > Section 3.16 additionally says: "Note that since IKE passes > an indication of > > initiator identity in message 3 of the protocol, EAP based > prompts for > > Identity SHOULD NOT be used." > > > > To me this seems that protection of the user identity > against an active > > attack cannot be provided for eap methods (except if > tunneled methods are > > used). this seems to have some disadvantages for remote > access solutions > > where you have a client-server relationship. > > > > possible solutions are: > > > > a) ignore user id conf. > > b) suggest to use a tunneled method within ikev2/eap when > user identity > > confidentiality is required. this clearly has a performance > disadvantage > > since you create two tunnels (for server to client > authentication) in > > addition to the eap method for client to server authentication. > > c) change the handling for secure legacy auth. and let the responder > > authenticate to the initiator first > > d) others? > > > > am i wrong with my observations? > > > > ciao > > hannes > > > > From owner-ipsec@lists.tislabs.com Tue Jun 10 10:50:21 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5AHoHAF085713; Tue, 10 Jun 2003 10:50:20 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA03942 Tue, 10 Jun 2003 13:13:13 -0400 (EDT) Message-Id: <200306101718.h5AHIeof007555@givry.rennes.enst-bretagne.fr> From: Francis Dupont To: Joe Touch cc: ipsec@lists.tislabs.com Subject: Re: issue with "per-interface SAD/SPD" In-reply-to: Your message of Mon, 09 Jun 2003 09:47:48 PDT. <3EE4BA34.5010308@isi.edu> Date: Tue, 10 Jun 2003 19:18:40 +0200 X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr Sender: owner-ipsec@lists.tislabs.com Precedence: bulk In your previous mail you wrote: FYI, we addressed this sort of issue in draft-touch-ipsec-vpn-05.txt, which was submitted independently as an Informational in April. => this is a very nice news! Introducing an interface selector is insufficient; the selector needs to indicate the next-hop IP address and interface, as both are required for IP forwarding. The details of this issue, and simpler alternatives are discussed in the draft. => the problem I tried to address is a bit different: for instance in Mobile IPv6 only the packets with a Mobility Header must be protected, so a transport interface over the IP-in-IP tunnel is too much... In fact, my message was mainly for the 2401bis authors, as the "per interface" stuff is clearly inadapted. Thanks Francis.Dupont@enst-bretagne.fr From owner-ipsec@lists.tislabs.com Tue Jun 10 20:37:09 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5B3b4rb003743; Tue, 10 Jun 2003 20:37:09 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA06349 Tue, 10 Jun 2003 23:03:30 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Tue, 10 Jun 2003 20:09:30 -0700 To: ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Editorial: Use of | instead of , for concatenation Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hi again. In section 2.14 of draft-ietf-ipsec-ikev2, it says: SKEYSEED and its derivatives are computed as follows: SKEYSEED = prf(Ni | Nr, g^ir) {SK_d, SK_ai, SK_ar, SK_ei, SK_er} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr ) (indicating that the quantities SK_d, SK_ai, SK_ar, SK_ei, and SK_er are taken in order from the generated bits of the prf+). The parenthetical statement after the equations show that the list "{SK_d, SK_ai, SK_ar, SK_ei, SK_er}" is really concatenated. That list should instead be shown as "{SK_d | SK_ai | SK_ar | SK_ei | SK_er}" to make it clearer that this is not a bunch of arguments but a stream of octets. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Tue Jun 10 20:37:11 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5B3b9rb003755; Tue, 10 Jun 2003 20:37:11 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA06343 Tue, 10 Jun 2003 23:03:20 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Tue, 10 Jun 2003 20:09:12 -0700 To: ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Editorial: Values for Traffic Selector Types in draft-ietf-ipsec-ikev2 Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk . In section 3.13.1 of draft-ietf-ipsec-ikev2, the Traffic Selector Types are listed as: TS Type Value ------- ----- RESERVED 0 TS_IPV4_ADDR_RANGE 7 A range of IPv4 addresses, represented by two four (4) octet values. The first value is the beginning IPv4 address (inclusive) and the second value is the ending IPv4 address (inclusive). All addresses falling between the two specified addresses are considered to be within the list. TS_IPV6_ADDR_RANGE 8 A range of IPv6 addresses, represented by two sixteen (16) octet values. The first value is the beginning IPv6 address (inclusive) and the second value is the ending IPv6 address (inclusive). All addresses falling between the two specified addresses are considered to be within the list. Either the two values should be renumbered to 1 and 2, or the first line should be changed to "RESERVED 0-6". Otherwise, someone later is going to try to assign the lower-value numbers or, worse, think that they can use the other values from IKEv1. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Tue Jun 10 20:37:17 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5B3bGrb003769; Tue, 10 Jun 2003 20:37:16 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA06342 Tue, 10 Jun 2003 23:03:20 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Tue, 10 Jun 2003 20:05:43 -0700 To: ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Duplication: Remove most of section 3.3.2 and all of 3.3.4 of draft-ietf-ipsec-ikev2 Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hi again. Most of section 3.3.2 in draft-ietf-ipsec-ikev2 (almost) duplicates the text from Jeff's algorithms document. Everything in the section after the Transform Type Values table should be removed. All of section 3.3.4 of draft-ietf-ipsec-ikev2 is now covered in Jeff's algorithms document. Thus, the whole section should be removed. (Yes, this begs the question of whether or not anyone is reading the three documents at all...) --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Tue Jun 10 20:38:55 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5B3csrb003803; Tue, 10 Jun 2003 20:38:54 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA06341 Tue, 10 Jun 2003 23:03:19 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Tue, 10 Jun 2003 20:01:00 -0700 To: ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Editorial: Reservations for IKEv1 Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Greetings again. In section 3.1 of draft-ietf-ipsec-ikev2, it says: Exchange Type Value RESERVED 0 Reserved for ISAKMP 1-31 Reserved for IKEv1 32-33 IKE_SA_INIT 34 IKE_AUTH 35 CREATE_CHILD_SA 36 INFORMATIONAL 37 Reserved for IKEv2+ 38-239 Reserved for private use 240-255 This is pretty confusing, because the IANA consideration section says clearly that the registries are for IKEv2 only. Further, the other tables in the document list the things that are resevered for future assignments and private use in text, not in the tables themselves. I propose that the chart be replaced with: Exchange Type Value RESERVED 0-33 IKE_SA_INIT 34 IKE_AUTH 35 CREATE_CHILD_SA 36 INFORMATIONAL 37 Exchange type values 38-239 are reserved to IANA for future assignment in IKEv2 (see section 6). Exchange type values 240-255 are for private use among mutually consenting parties. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Tue Jun 10 20:43:16 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5B3hErb003891; Tue, 10 Jun 2003 20:43:15 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA06338 Tue, 10 Jun 2003 23:03:18 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Tue, 10 Jun 2003 19:52:45 -0700 To: ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Greetings again. The tables in draft-ietf-ipsec-ikev2-algorithms have MUST, SHOULD, MUST-, SHOULD+, SHOULD- (which I have proposed removing), and MAY. The MAY designation is silly, since an implementation MAY do whatever it pleases for non-mandatory algorithms. The reason I bring this up was the proposal that DES should be demoted to SHOULD NOT. That is somewhat harsh given that there are places where DES is appropriate (low value transactions in implementations that already have DES in them). Listing DES as "MAY" gives the wrong impression. The document should be re-cast to list all the registered algorithms, but to remove "MAY" from those that do not have a stronger designation. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Wed Jun 11 05:01:19 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BC1Frb052205; Wed, 11 Jun 2003 05:01:19 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id HAA08026 Wed, 11 Jun 2003 07:31:46 -0400 (EDT) Date: Wed, 11 Jun 2003 13:36:50 +0200 From: Jean-Francois Dive To: ipsec@lists.tislabs.com Cc: jef@linuxbe.org Subject: draft-ietf-ipsec-udp-encaps-06 comments. Message-ID: <20030611113650.GD1043@gardafou.assamite.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.3i Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hi all, I am actually busy with implementing NAT-T in IKEv1 context and found something which may have been overlooked (or that i missed the discussion on this list). In section 3.1.2, the author talk about the procedure to follow for udp encpasulated transport mode NAT decapsulation. I totally agress with the first point (point (a)) but think the second point (point (b)) is totally wrong and should never be implemented as such: it is suggested that if we dont have the original source or destination ip addresses, the TCP/UDP checksum of the packet should be recomputed to match the NAT'ed ip pseudo header. This cant happen as it would make corrupted packets appears as proper packets, the checksum "mangling" or update beeing right as a wrong checksum at the start would remain wrong. The only proper way to deal with this would be to go with checksum update when you have the information and no checksum at all if you dont have the information. Any comments ? Thanks, Regards, Jean-Francois Dive -- -> Jean-Francois Dive --> jef@linuxbe.org There is no such thing as randomness. Only order of infinite complexity. - Marquis de LaPlace - deterministic Principles - From owner-ipsec@lists.tislabs.com Wed Jun 11 06:43:15 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BDhFrb061120; Wed, 11 Jun 2003 06:43:15 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA08323 Wed, 11 Jun 2003 09:13:15 -0400 (EDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16103.11318.799282.793338@pkoning.dev.equallogic.com> Date: Wed, 11 Jun 2003 09:18:46 -0400 From: Paul Koning To: paul.hoffman@vpnc.org Cc: ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms References: X-Mailer: VM 7.07 under 21.4 (patch 8) "Honest Recruiter" XEmacs Lucid Sender: owner-ipsec@lists.tislabs.com Precedence: bulk >>>>> "Paul" == Paul Hoffman > writes: Paul> Greetings again. The tables in Paul> draft-ietf-ipsec-ikev2-algorithms have MUST, SHOULD, MUST-, Paul> SHOULD+, SHOULD- (which I have proposed removing), and MAY. The Paul> MAY designation is silly, since an implementation MAY do Paul> whatever it pleases for non-mandatory algorithms. Paul> The reason I bring this up was the proposal that DES should be Paul> demoted to SHOULD NOT. That is somewhat harsh given that there Paul> are places where DES is appropriate (low value transactions in Paul> implementations that already have DES in them). Listing DES as Paul> "MAY" gives the wrong impression. So what is wrong with "SHOULD NOT"? Two points. First, "SHOULD NOT" permits the implementation to do the thing being discouraged, but it explicitly warns that one must first consider whether it's wise to do so. I think that is exactly the correct message for DES. Second, what implementation already has DES that doesn't also have 3DES? I'm hard pressed to think of any. In a software implementation, 3DES is of course quite slow, but if so, the sensible answer is AES, which is faster than either. In a hardware implementation, you're stuck with what's in the chip, but if so, you have 3DES. paul From owner-ipsec@lists.tislabs.com Wed Jun 11 06:51:12 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BDpBrb061685; Wed, 11 Jun 2003 06:51:11 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA08371 Wed, 11 Jun 2003 09:27:40 -0400 (EDT) Message-ID: <3EE72FB1.1040507@f-secure.com> Date: Wed, 11 Jun 2003 16:33:37 +0300 From: Ari Huttunen Organization: F-Secure Corporation User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jean-Francois Dive CC: ipsec@lists.tislabs.com Subject: Re: draft-ietf-ipsec-udp-encaps-06 comments. References: <20030611113650.GD1043@gardafou.assamite.eu.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 11 Jun 2003 13:33:37.0830 (UTC) FILETIME=[105EB460:01C3301E] Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Jean-Francois Dive wrote: > Hi all, > > I am actually busy with implementing NAT-T in IKEv1 context and found something which may have been > overlooked (or that i missed the discussion on this list). In section 3.1.2, the author talk about the > procedure to follow for udp encpasulated transport mode NAT decapsulation. I totally agress with the > first point (point (a)) but think the second point (point (b)) is totally wrong and should never be > implemented as such: it is suggested that if we dont have the original source or destination ip > addresses, the TCP/UDP checksum of the packet should be recomputed to match the NAT'ed ip pseudo header. > This cant happen as it would make corrupted packets appears as proper packets, the checksum "mangling" > or update beeing right as a wrong checksum at the start would remain wrong. The only proper way to > deal with this would be to go with checksum update when you have the information and no checksum > at all if you dont have the information. > > Any comments ? You wouldn't use ESP without authentication, would you? In transport mode there's no chance that the packet contents accidentally changed if the packet is authenticated. It wouldn't pass authentication checking. Ari -- I play it cool and dig all jive, that's the reason I stay alive. My motto as I live and learn, is dig and be dug in return. Ari Huttunen phone: +358 9 2520 0700 Software Architect fax : +358 9 2520 5001 F-Secure Corporation http://www.F-Secure.com F(ully)-Secure products: Securing the Mobile Enterprise From owner-ipsec@lists.tislabs.com Wed Jun 11 07:06:10 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BE65rb062982; Wed, 11 Jun 2003 07:06:10 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA08401 Wed, 11 Jun 2003 09:40:27 -0400 (EDT) From: "Yoav Nir" To: "'Paul Koning'" , Cc: Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Date: Wed, 11 Jun 2003 16:44:27 +0200 Message-ID: <000401c33027$f5ca27b0$292e1dc2@YnirNew> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 In-Reply-To: <16103.11318.799282.793338@pkoning.dev.equallogic.com> Sender: owner-ipsec@lists.tislabs.com Precedence: bulk So RC4, Blowfish and IDEA are "MAY", but DES is "SHOULD NOT"? I think those should be at least as discouraged as DES. -----Original Message----- From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Koning Sent: Wednesday, June 11, 2003 3:19 PM To: paul.hoffman@vpnc.org Cc: ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms >>>>> "Paul" == Paul Hoffman > writes: Paul> Greetings again. The tables in Paul> draft-ietf-ipsec-ikev2-algorithms have MUST, SHOULD, MUST-, Paul> SHOULD+, SHOULD- (which I have proposed removing), and MAY. The Paul> MAY designation is silly, since an implementation MAY do Paul> whatever it pleases for non-mandatory algorithms. Paul> The reason I bring this up was the proposal that DES should be Paul> demoted to SHOULD NOT. That is somewhat harsh given that there Paul> are places where DES is appropriate (low value transactions in Paul> implementations that already have DES in them). Listing DES as Paul> "MAY" gives the wrong impression. So what is wrong with "SHOULD NOT"? Two points. First, "SHOULD NOT" permits the implementation to do the thing being discouraged, but it explicitly warns that one must first consider whether it's wise to do so. I think that is exactly the correct message for DES. Second, what implementation already has DES that doesn't also have 3DES? I'm hard pressed to think of any. In a software implementation, 3DES is of course quite slow, but if so, the sensible answer is AES, which is faster than either. In a hardware implementation, you're stuck with what's in the chip, but if so, you have 3DES. paul From owner-ipsec@lists.tislabs.com Wed Jun 11 07:11:53 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BEBqrb063261; Wed, 11 Jun 2003 07:11:53 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA08449 Wed, 11 Jun 2003 09:48:21 -0400 (EDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16103.13425.642338.266792@pkoning.dev.equallogic.com> Date: Wed, 11 Jun 2003 09:53:53 -0400 From: Paul Koning To: ynir@CheckPoint.com Cc: paul.hoffman@vpnc.org, ipsec@lists.tislabs.com Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms References: <16103.11318.799282.793338@pkoning.dev.equallogic.com> <000401c33027$f5ca27b0$292e1dc2@YnirNew> X-Mailer: VM 7.07 under 21.4 (patch 8) "Honest Recruiter" XEmacs Lucid Sender: owner-ipsec@lists.tislabs.com Precedence: bulk >>>>> "Yoav" == Yoav Nir writes: Yoav> So RC4, Blowfish and IDEA are "MAY", but DES is "SHOULD NOT"? Yoav> I think those should be at least as discouraged as DES. Why? DES is known to be weak (inadequate key size), while the others are (unless I missed something recent) not substantially weaker than exhaustive search of their key. Then again, RC4 shouldn't be in there at all since there is no spec for the use of RC4 in IPsec. Blowfish and IDEA are questionable for the same reason, although there the generic CBC spec arguably can be used. paul From owner-ipsec@lists.tislabs.com Wed Jun 11 07:48:56 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BEmtrb064975; Wed, 11 Jun 2003 07:48:55 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA08604 Wed, 11 Jun 2003 10:22:04 -0400 (EDT) From: "Yoav Nir" To: Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Date: Wed, 11 Jun 2003 17:26:34 +0200 Message-ID: <000501c3302d$d863da30$292e1dc2@YnirNew> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 In-Reply-To: <16103.13425.642338.266792@pkoning.dev.equallogic.com> Sender: owner-ipsec@lists.tislabs.com Precedence: bulk DES may be too weak for some applications, but it is a widely used standard. It is up to the user to decide whether DES is strong enough for their application or not. We wish the standards to ensure interoperability, and that means AES, 3DES and DES because these are widely implemented. Blowfish and IDEA are relatively rare, and have not received the scrutiny that DES and AES have. That's why they should be discouraged. Not because they are weak, but because we don't know for sure how weak they are. I agree though, that the argument for DES is no longer as strong as it was a few years ago, when you had to support DES (and a DES-only license) to export an encryption product out of the US. -----Original Message----- From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Koning Sent: Wednesday, June 11, 2003 3:54 PM To: ynir@CheckPoint.com Cc: paul.hoffman@vpnc.org; ipsec@lists.tislabs.com Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms >>>>> "Yoav" == Yoav Nir writes: Yoav> So RC4, Blowfish and IDEA are "MAY", but DES is "SHOULD NOT"? Yoav> I think those should be at least as discouraged as DES. Why? DES is known to be weak (inadequate key size), while the others are (unless I missed something recent) not substantially weaker than exhaustive search of their key. Then again, RC4 shouldn't be in there at all since there is no spec for the use of RC4 in IPsec. Blowfish and IDEA are questionable for the same reason, although there the generic CBC spec arguably can be used. paul From owner-ipsec@lists.tislabs.com Wed Jun 11 07:48:58 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BEmvrb064986; Wed, 11 Jun 2003 07:48:58 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA08595 Wed, 11 Jun 2003 10:21:03 -0400 (EDT) Date: Wed, 11 Jun 2003 16:25:38 +0200 From: Jean-Francois Dive To: Ari Huttunen Cc: Jean-Francois Dive , ipsec@lists.tislabs.com Subject: Re: draft-ietf-ipsec-udp-encaps-06 comments. Message-ID: <20030611142538.GE1043@gardafou.assamite.eu.org> References: <20030611113650.GD1043@gardafou.assamite.eu.org> <3EE72FB1.1040507@f-secure.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3EE72FB1.1040507@f-secure.com> User-Agent: Mutt/1.5.3i Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote: > Jean-Francois Dive wrote: > >Hi all, > > > >I am actually busy with implementing NAT-T in IKEv1 context and found > >something which may have been > >overlooked (or that i missed the discussion on this list). In section > >3.1.2, the author talk about the > >procedure to follow for udp encpasulated transport mode NAT decapsulation. > >I totally agress with the first point (point (a)) but think the second > >point (point (b)) is totally wrong and should never be implemented as > >such: it is suggested that if we dont have the original source or > >destination ip addresses, the TCP/UDP checksum of the packet should be > >recomputed to match the NAT'ed ip pseudo header. This cant happen as it > >would make corrupted packets appears as proper packets, the checksum > >"mangling" > >or update beeing right as a wrong checksum at the start would remain > >wrong. The only proper way to deal with this would be to go with checksum > >update when you have the information and no checksum at all if you dont > >have the information. > >Any comments ? > > You wouldn't use ESP without authentication, would you? In transport > mode there's no chance that the packet contents accidentally changed > if the packet is authenticated. It wouldn't pass authentication checking. consider the following: - packet is xmt'ed from a station. - hope trough a dodgy router which corrupt it. - Go trough the the ipsec gateway, get UDPinESP'ed. - Go trough a NAT gateway. - Arrive in the ipsec gateway, the issue raise, the authenticated content never changed on the path. > > Ari > > -- > I play it cool and dig all jive, > that's the reason I stay alive. > My motto as I live and learn, > is dig and be dug in return. > > Ari Huttunen phone: +358 9 2520 0700 > Software Architect fax : +358 9 2520 5001 > > F-Secure Corporation http://www.F-Secure.com > > F(ully)-Secure products: Securing the Mobile Enterprise -- -> Jean-Francois Dive --> jef@linuxbe.org There is no such thing as randomness. Only order of infinite complexity. - Marquis de LaPlace - deterministic Principles - From owner-ipsec@lists.tislabs.com Wed Jun 11 08:36:32 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BFaWrb067018; Wed, 11 Jun 2003 08:36:32 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA08874 Wed, 11 Jun 2003 11:08:15 -0400 (EDT) Date: Wed, 11 Jun 2003 11:14:12 -0400 (EDT) From: Henry Spencer To: IP Security List Subject: SHOULD NOT DES (was RE: Editorial: Use of MAY...) In-Reply-To: <000501c3302d$d863da30$292e1dc2@YnirNew> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wed, 11 Jun 2003, Yoav Nir wrote: > DES may be too weak for some applications, but it is a widely used standard. As is sending passwords in clear with no encryption at all. Just because it is widely used doesn't mean it is good enough for us to recommend it for use in IPsec. "Neglect of duty does not cease, by repetition, to be neglect of duty." -- Napoleon > It is up to the user to decide whether DES is strong enough for their > application or not. Correct, and it is up to us to indicate wise choices for the bulk of applications. "SHOULD NOT" is precisely the right wording here -- it specifies something that is typically unwise but may be necessary in unusual circumstances. IPsec has long suffered from an unwillingness to make decisions and give specific recommendations, even when the technical issues were clear-cut. It is time to be a bit more decisive. > We wish the standards to ensure interoperability... And security. Which DES no longer delivers very well. The FreeS/WAN project dropped single-DES support over four years ago, at management insistence. This caused surprisingly few interoperability problems. (There were one or two.) I think it is now quite safe to say that DES-only environments involve either obsolete software or specialized requirements -- a perfect case for SHOULD NOT. Henry Spencer henry@spsystems.net From owner-ipsec@lists.tislabs.com Wed Jun 11 08:39:26 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BFdPrb067702; Wed, 11 Jun 2003 08:39:25 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA08861 Wed, 11 Jun 2003 11:06:43 -0400 (EDT) Date: Wed, 11 Jun 2003 17:11:42 +0200 From: Jean-Francois Dive To: Jean-Francois Dive Cc: Ari Huttunen , ipsec@lists.tislabs.com Subject: Re: draft-ietf-ipsec-udp-encaps-06 comments. Message-ID: <20030611151142.GG1043@gardafou.assamite.eu.org> References: <20030611113650.GD1043@gardafou.assamite.eu.org> <3EE72FB1.1040507@f-secure.com> <20030611142538.GE1043@gardafou.assamite.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030611142538.GE1043@gardafou.assamite.eu.org> User-Agent: Mutt/1.5.3i Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wed, Jun 11, 2003 at 04:25:38PM +0200, Jean-Francois Dive wrote: > On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote: > > Jean-Francois Dive wrote: > > >Hi all, > > > > > >I am actually busy with implementing NAT-T in IKEv1 context and found > > >something which may have been > > >overlooked (or that i missed the discussion on this list). In section > > >3.1.2, the author talk about the > > >procedure to follow for udp encpasulated transport mode NAT decapsulation. > > >I totally agress with the first point (point (a)) but think the second > > >point (point (b)) is totally wrong and should never be implemented as > > >such: it is suggested that if we dont have the original source or > > >destination ip addresses, the TCP/UDP checksum of the packet should be > > >recomputed to match the NAT'ed ip pseudo header. This cant happen as it > > >would make corrupted packets appears as proper packets, the checksum > > >"mangling" > > >or update beeing right as a wrong checksum at the start would remain > > >wrong. The only proper way to deal with this would be to go with checksum > > >update when you have the information and no checksum at all if you dont > > >have the information. > > >Any comments ? > > > > You wouldn't use ESP without authentication, would you? In transport > > mode there's no chance that the packet contents accidentally changed > > if the packet is authenticated. It wouldn't pass authentication checking. > > consider the following: > - packet is xmt'ed from a station. > - hope trough a dodgy router which corrupt it. > - Go trough the the ipsec gateway, get UDPinESP'ed. > - Go trough a NAT gateway. > - Arrive in the ipsec gateway, the issue raise, the authenticated > content never changed on the path. ok, something slept away from my mind when coding this thing, we are in transport mode so this is hardly going to happen.... > > > > > > Ari > > > > -- > > I play it cool and dig all jive, > > that's the reason I stay alive. > > My motto as I live and learn, > > is dig and be dug in return. > > > > Ari Huttunen phone: +358 9 2520 0700 > > Software Architect fax : +358 9 2520 5001 > > > > F-Secure Corporation http://www.F-Secure.com > > > > F(ully)-Secure products: Securing the Mobile Enterprise > From owner-ipsec@lists.tislabs.com Wed Jun 11 09:18:24 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BGINrb073077; Wed, 11 Jun 2003 09:18:24 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA09195 Wed, 11 Jun 2003 11:49:02 -0400 (EDT) Message-Id: <200306111554.h5BFsXq3001831@thunk.east.sun.com> From: Bill Sommerfeld To: Henry Spencer cc: IP Security List Subject: Re: SHOULD NOT DES (was RE: Editorial: Use of MAY...) In-Reply-To: Your message of "Wed, 11 Jun 2003 11:14:12 EDT." Reply-to: sommerfeld@east.sun.com Date: Wed, 11 Jun 2003 11:54:33 -0400 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk > The FreeS/WAN project dropped single-DES support over four years ago, at > management insistence. This caused surprisingly few interoperability > problems. (There were one or two.) I think it is now quite safe to say > that DES-only environments involve either obsolete software or specialized > requirements -- a perfect case for SHOULD NOT. It appears that the US government agrees with your management on this point. section 12 of FIPS 46-3 (issued in 1999) says, in part: Single DES (i.e., DES) will be permitted for legacy systems only. New procurements to support legacy systems should, where feasible, use Triple DES products running in the single DES configuration. Since there is no installed base of IKEv2 to interoperate with, this FIPS would appear to prohibit use of single-DES with IKEv2 for government use. One more vote for SHOULD NOT. - Bill From owner-ipsec@lists.tislabs.com Wed Jun 11 09:22:38 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BGMcrb073230; Wed, 11 Jun 2003 09:22:38 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA09227 Wed, 11 Jun 2003 11:52:18 -0400 (EDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16103.20863.459623.479274@pkoning.dev.equallogic.com> Date: Wed, 11 Jun 2003 11:57:51 -0400 From: Paul Koning To: ynir@CheckPoint.com Cc: ipsec@lists.tislabs.com Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms References: <16103.13425.642338.266792@pkoning.dev.equallogic.com> <000501c3302d$d863da30$292e1dc2@YnirNew> X-Mailer: VM 7.07 under 21.4 (patch 8) "Honest Recruiter" XEmacs Lucid Sender: owner-ipsec@lists.tislabs.com Precedence: bulk >>>>> "Yoav" == Yoav Nir writes: Yoav> DES may be too weak for some applications, but it is a widely Yoav> used standard. It is up to the user to decide whether DES is Yoav> strong enough for their application or not. We wish the Yoav> standards to ensure interoperability, and that means AES, 3DES Yoav> and DES because these are widely implemented. There are lots of RFCs that say SHOULD NOT or MUST NOT for security weaknesses. Just because you can argue "the customer should decide whether xyz is strong enough" doesn't justify a MAY there -- and I don't think it does here, either. Yoav> Blowfish and IDEA are relatively rare, and have not received Yoav> the scrutiny that DES and AES have. That's why they should be Yoav> discouraged. Not because they are weak, but because we don't Yoav> know for sure how weak they are. Ok, then the simple answer is to remove them entirely from the spec, because they aren't really specified explicitly anyway for IPsec and probably not implemented anywhere anyway. paul From owner-ipsec@lists.tislabs.com Wed Jun 11 09:36:35 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BGaZrb073743; Wed, 11 Jun 2003 09:36:35 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA09389 Wed, 11 Jun 2003 12:11:57 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: In-Reply-To: <16103.13425.642338.266792@pkoning.dev.equallogic.com> References: <16103.11318.799282.793338@pkoning.dev.equallogic.com> <000401c33027$f5ca27b0$292e1dc2@YnirNew> <16103.13425.642338.266792@pkoning.dev.equallogic.com> X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Wed, 11 Jun 2003 09:17:47 -0700 To: Paul Koning , ynir@CheckPoint.com From: Paul Hoffman / VPNC Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Cc: ipsec@lists.tislabs.com Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk At 9:53 AM -0400 6/11/03, Paul Koning wrote: > >>>>> "Yoav" == Yoav Nir writes: > > Yoav> So RC4, Blowfish and IDEA are "MAY", but DES is "SHOULD NOT"? > Yoav> I think those should be at least as discouraged as DES. > >Why? DES is known to be weak (inadequate key size), while the others >are (unless I missed something recent) not substantially weaker than >exhaustive search of their key. Any algorithm with a variable key size could be considerably weaker than DES. Unless you are going to start listing key sizes and giving each size a rating, saying SHOULD NOT for DES but MAY for some other algorithm that can use 40-bit keys is silly. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Wed Jun 11 09:37:07 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BGb5rb073786; Wed, 11 Jun 2003 09:37:06 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA09365 Wed, 11 Jun 2003 12:10:17 -0400 (EDT) In-Reply-To: <20030611142538.GE1043@gardafou.assamite.eu.org> References: <20030611113650.GD1043@gardafou.assamite.eu.org> <3EE72FB1.1040507@f-secure.com> <20030611142538.GE1043@gardafou.assamite.eu.org> Mime-Version: 1.0 (Apple Message framework v574) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <09AEE282-9C28-11D7-B6C4-000A959D832C@apple.com> Content-Transfer-Encoding: 7bit Cc: Ari Huttunen , ipsec@lists.tislabs.com From: Joshua Graessley Subject: Re: draft-ietf-ipsec-udp-encaps-06 comments. Date: Wed, 11 Jun 2003 09:16:20 -0700 To: Jean-Francois Dive X-Mailer: Apple Mail (2.574) Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wednesday, June 11, 2003, at 7:25, Jean-Francois Dive wrote: > On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote: >> Jean-Francois Dive wrote: >>> Hi all, >>> >>> I am actually busy with implementing NAT-T in IKEv1 context and found >>> something which may have been >>> overlooked (or that i missed the discussion on this list). In section >>> 3.1.2, the author talk about the >>> procedure to follow for udp encpasulated transport mode NAT >>> decapsulation. >>> I totally agress with the first point (point (a)) but think the >>> second >>> point (point (b)) is totally wrong and should never be implemented as >>> such: it is suggested that if we dont have the original source or >>> destination ip addresses, the TCP/UDP checksum of the packet should >>> be >>> recomputed to match the NAT'ed ip pseudo header. This cant happen as >>> it >>> would make corrupted packets appears as proper packets, the checksum >>> "mangling" >>> or update beeing right as a wrong checksum at the start would remain >>> wrong. The only proper way to deal with this would be to go with >>> checksum >>> update when you have the information and no checksum at all if you >>> dont >>> have the information. >>> Any comments ? >> >> You wouldn't use ESP without authentication, would you? In transport >> mode there's no chance that the packet contents accidentally changed >> if the packet is authenticated. It wouldn't pass authentication >> checking. > > consider the following: > - packet is xmt'ed from a station. > - hope trough a dodgy router which corrupt it. > - Go trough the the ipsec gateway, get UDPinESP'ed. > - Go trough a NAT gateway. > - Arrive in the ipsec gateway, the issue raise, the authenticated > content never changed on the path. Is transport mode commonly implemented in an IPSec gateway? Would such a gateway be configured behind a NAT a hop away from the host that originated the traffic? This seems like a very unlikely scenario that would lead to other complications. Is anyone actually implementing an ipsec gateway with NAT traversal? This can still be addressed in the gateway, the ipsec gateway could simply verify the checksum before it performs the ESP encapsulation. There's no point in wasting all the CPU power of encrypting the packet if the packet will just get dropped on the end. -josh From owner-ipsec@lists.tislabs.com Wed Jun 11 10:32:54 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BHWrrb076071; Wed, 11 Jun 2003 10:32:54 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA09689 Wed, 11 Jun 2003 12:59:12 -0400 (EDT) Date: Wed, 11 Jun 2003 13:05:10 -0400 (EDT) From: Henry Spencer To: IP Security List Subject: Re: SHOULD NOT DES (was RE: Editorial: Use of MAY...) In-Reply-To: <200306111554.h5BFsXq3001831@thunk.east.sun.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wed, 11 Jun 2003, Bill Sommerfeld wrote: > > The FreeS/WAN project dropped single-DES support over four years ago, at > > management insistence... > > It appears that the US government agrees with your management on this > point... In fact, at the time *I* disagreed with my then-management, and did my best to talk them out of it -- I thought that dropping support was premature and was going to cause us serious grief. To my considerable surprise, I was wrong. Henry Spencer henry@spsystems.net From owner-ipsec@lists.tislabs.com Wed Jun 11 10:33:08 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BHX8rb076092; Wed, 11 Jun 2003 10:33:08 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA09720 Wed, 11 Jun 2003 13:02:10 -0400 (EDT) Date: Wed, 11 Jun 2003 13:08:09 -0400 (EDT) From: Henry Spencer To: IP Security List Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms In-Reply-To: <16103.20863.459623.479274@pkoning.dev.equallogic.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wed, 11 Jun 2003, Paul Koning wrote: > Yoav> Blowfish and IDEA are relatively rare... [and poorly studied] > > Ok, then the simple answer is to remove them entirely from the spec, > because they aren't really specified explicitly anyway for IPsec and > probably not implemented anywhere anyway. Almost nowhere -- there was a user-contributed FreeS/WAN patch that did IDEA, Blowfish, and CAST, and some folks used it. We never adopted it as part of the official distribution, though, and I don't think that's changed since I left the project. Henry Spencer henry@spsystems.net From owner-ipsec@lists.tislabs.com Wed Jun 11 10:35:21 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BHZJrb076195; Wed, 11 Jun 2003 10:35:20 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA09776 Wed, 11 Jun 2003 13:04:55 -0400 (EDT) X-Envelope-To: ipsec@lists.tislabs.com To: ipsec@lists.tislabs.com Path: not-for-mail From: daw@mozart.cs.berkeley.edu (David Wagner) Newsgroups: isaac.lists.ipsec Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Date: 11 Jun 2003 16:44:19 GMT Organization: University of California, Berkeley Lines: 10 Distribution: isaac Message-ID: References: <16103.11318.799282.793338@pkoning.dev.equallogic.com> <000401c33027$f5ca27b0$292e1dc2@YnirNew> NNTP-Posting-Host: mozart.cs.berkeley.edu X-Trace: abraham.cs.berkeley.edu 1055349859 21719 128.32.153.211 (11 Jun 2003 16:44:19 GMT) X-Complaints-To: news@abraham.cs.berkeley.edu NNTP-Posting-Date: 11 Jun 2003 16:44:19 GMT X-Newsreader: trn 4.0-test74 (May 26, 2000) Originator: daw@mozart.cs.berkeley.edu (David Wagner) Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Yoav Nir wrote: >So RC4, Blowfish and IDEA are "MAY", but DES is "SHOULD NOT"? I think those >should be at least as discouraged as DES. That seems about right. DES has a 56-bit key, and hence is a poor choice for deployment in new systems. Blowfish and IDEA are believed to be much stronger. RC4, on the hand, shouldn't be there. Are you sure that RC4 is a "MAY" in the IPSec RFCs? If so, that should be fixed. From owner-ipsec@lists.tislabs.com Wed Jun 11 10:36:46 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BHakrb076281; Wed, 11 Jun 2003 10:36:46 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA09708 Wed, 11 Jun 2003 13:00:32 -0400 (EDT) To: ipsec@lists.tislabs.com cc: byfraser@cisco.com Subject: LAST CALL: IKE Crypto documents I-D's From: "Theodore Ts'o" Phone: (781) 391-3464 Message-Id: Date: Wed, 11 Jun 2003 08:06:15 -0400 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk This is a working group last call for comments on the following drafts. For progression to Proposed Standard: draft-ietf-ipsec-ikev2-algorithms-02.txt For progression to Informational: draft-ietf-ipsec-ui-suites-00.txt This last call with expire on June 23rd. - Ted and Barbara From owner-ipsec@lists.tislabs.com Wed Jun 11 10:40:51 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BHeorb076452; Wed, 11 Jun 2003 10:40:50 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA09800 Wed, 11 Jun 2003 13:08:48 -0400 (EDT) X-Envelope-To: ipsec@lists.tislabs.com To: ipsec@lists.tislabs.com Path: not-for-mail From: daw@mozart.cs.berkeley.edu (David Wagner) Newsgroups: isaac.lists.ipsec Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Date: 11 Jun 2003 16:48:13 GMT Organization: University of California, Berkeley Lines: 18 Distribution: isaac Message-ID: References: <16103.11318.799282.793338@pkoning.dev.equallogic.com> <000401c33027$f5ca27b0$292e1dc2@YnirNew> <16103.13425.642338.266792@pkoning.dev.equallogic.com> NNTP-Posting-Host: mozart.cs.berkeley.edu X-Trace: abraham.cs.berkeley.edu 1055350093 21719 128.32.153.211 (11 Jun 2003 16:48:13 GMT) X-Complaints-To: news@abraham.cs.berkeley.edu NNTP-Posting-Date: 11 Jun 2003 16:48:13 GMT X-Newsreader: trn 4.0-test74 (May 26, 2000) Originator: daw@mozart.cs.berkeley.edu (David Wagner) Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Paul Hoffman / VPNC wrote: >Any algorithm with a variable key size could be considerably weaker >than DES. Unless you are going to start listing key sizes and giving >each size a rating, saying SHOULD NOT for DES but MAY for some other >algorithm that can use 40-bit keys is silly. I don't recall a MAY requirement for any 40-bit cipher. We debated 40-bit ciphers a long time ago (remember export controls?), and we came to consensus many years ago that 40-bit ciphers have no place in IPSec. Are you saying there is a MAY requirement for a 40-bit cipher? If so, that should be fixed, but I don't believe it. In short, I don't see how your argument is relevant to whether DES is a SHOULD NOT, a MAY, or something else. By the way, what matters is not whether a cipher could support 40-bit keys, but whether, /as standardized in IPSec/, it uses 40-bit keys. There's nothing wrong with the former; but the latter is to be avoided. From owner-ipsec@lists.tislabs.com Wed Jun 11 11:03:04 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BI34rb077319; Wed, 11 Jun 2003 11:03:04 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA09973 Wed, 11 Jun 2003 13:34:34 -0400 (EDT) Message-ID: <74AB2EDFB513564CB272F5FF0E956CD201BF4D2C@exch4.rhul.ac.uk> From: Pagliusi PS To: ipsec@lists.tislabs.com Cc: Mitchell C Subject: RE: Identity protection [Re: Working Group Last Call IKEv2] Date: Wed, 11 Jun 2003 14:48:10 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2656.59) Content-Type: text/plain Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Dear all, In accordance with Hannes e-mail (please see below) related to ikev2, I would like to support the idea to add active user identity confidentiality protection for the initiator (eap message handling). And Chris J. Mitchell shares the same opinion. Cheers, Paulo Pagliusi ----- Original Message ----- From: "Tschofenig Hannes" To: Sent: Wednesday, June 11, 2003 1:37 PM Subject: FW: Identity protection [Re: Working Group Last Call IKEv2] > hi all, > > i would like to draw your attention to the following issue discussed > in the ipsec mailing list. > > ikev2 is current in last call. we would like to add active user > identity confidentiality protection for the initiator (eap message > handling). > > if you think that this is a good idea then please send a posting to > the ipsec mailing supporting this idea. during our shaman wp1 > activities we concluded that this would be necessary (see jfk > analysis). > > ciao > hannes > > ps: attached you will find my simple proposal for adding support > within ikev2 which does not require any modification to the ikev2 > protocol itself. > From owner-ipsec@lists.tislabs.com Wed Jun 11 11:05:08 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BI57rb077408; Wed, 11 Jun 2003 11:05:07 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA10017 Wed, 11 Jun 2003 13:38:02 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: In-Reply-To: <200306111554.h5BFsXq3001831@thunk.east.sun.com> References: <200306111554.h5BFsXq3001831@thunk.east.sun.com> X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Wed, 11 Jun 2003 10:43:10 -0700 To: sommerfeld@east.sun.com, Henry Spencer From: Paul Hoffman / VPNC Subject: Re: SHOULD NOT DES (was RE: Editorial: Use of MAY...) Cc: IP Security List Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk At 11:54 AM -0400 6/11/03, Bill Sommerfeld wrote: >One more vote for SHOULD NOT. So you think it is better to give a lower recommendation for an algorithm with a known (weak) key strength than to algorithms that could be much weaker, including zero encryption. That sure sends a clear message to implementers... --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Wed Jun 11 11:06:20 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BI6Grb077493; Wed, 11 Jun 2003 11:06:19 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA10041 Wed, 11 Jun 2003 13:38:28 -0400 (EDT) Date: Wed, 11 Jun 2003 13:44:27 -0400 (EDT) From: Henry Spencer To: IP Security List Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On 11 Jun 2003, David Wagner wrote: > I don't recall a MAY requirement for any 40-bit cipher. We debated > 40-bit ciphers a long time ago (remember export controls?), and we came > to consensus many years ago that 40-bit ciphers have no place in IPSec. > Are you saying there is a MAY requirement for a 40-bit cipher? If so, > that should be fixed, but I don't believe it. RFC 2451 Blowfish allows keys as short as 40 bits, as does RFC 2451 CAST. RFC 2451 IDEA does not. Henry Spencer henry@spsystems.net From owner-ipsec@lists.tislabs.com Wed Jun 11 11:06:49 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BI6nrb077525; Wed, 11 Jun 2003 11:06:49 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA10058 Wed, 11 Jun 2003 13:40:50 -0400 (EDT) Date: Wed, 11 Jun 2003 13:46:50 -0400 (EDT) From: Henry Spencer To: IP Security List Subject: Re: SHOULD NOT DES (was RE: Editorial: Use of MAY...) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wed, 11 Jun 2003, Paul Hoffman / VPNC wrote: > At 11:54 AM -0400 6/11/03, Bill Sommerfeld wrote: > >One more vote for SHOULD NOT. > > So you think it is better to give a lower recommendation for an > algorithm with a known (weak) key strength than to algorithms that > could be much weaker, including zero encryption. Where, exactly, did either Bill or I say that? Please be precise. This is a gross misrepresentation of my views, and probably Bill's as well. Henry Spencer henry@spsystems.net From owner-ipsec@lists.tislabs.com Wed Jun 11 11:18:55 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BIIsrb078145; Wed, 11 Jun 2003 11:18:55 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA10131 Wed, 11 Jun 2003 13:51:18 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: In-Reply-To: References: <16103.11318.799282.793338@pkoning.dev.equallogic.com> <000401c33027$f5ca27b0$292e1dc2@YnirNew> <16103.13425.642338.266792@pkoning.dev.equallogic.com> X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Wed, 11 Jun 2003 10:57:15 -0700 To: daw@mozart.cs.berkeley.edu (David Wagner), ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk At 4:48 PM +0000 6/11/03, David Wagner wrote: >I don't recall a MAY requirement for any 40-bit cipher. We debated >40-bit ciphers a long time ago (remember export controls?), and we came >to consensus many years ago that 40-bit ciphers have no place in IPSec. >Are you saying there is a MAY requirement for a 40-bit cipher? If so, >that should be fixed, but I don't believe it. draft-ietf-ipsec-ikev2-algorithms-02.txt, the document under discussion, has MAY level for many encryption algorithms that have key sizes down to 40. It's pretty clear in the draft, regardless of what you believe. >By the way, what matters is not whether a cipher could support 40-bit >keys, but whether, /as standardized in IPSec/, it uses 40-bit keys. >There's nothing wrong with the former; but the latter is to be avoided. Anyone who wanted to write a replacement for RFC 2451 has had almost five years to do so; so far, no one has. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Wed Jun 11 11:42:20 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BIgJrb079218; Wed, 11 Jun 2003 11:42:20 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA10423 Wed, 11 Jun 2003 14:12:15 -0400 (EDT) Message-Id: <5.2.0.9.2.20030611141434.01fcb268@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Wed, 11 Jun 2003 14:18:12 -0400 To: ipsec@lists.tislabs.com From: Russ Housley Subject: Fwd: LAST CALL: IKE Crypto documents I-D's Cc: tytso@mit.edu, byfraser@cisco.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ipsec@lists.tislabs.com Precedence: bulk I am confused here. Based on the front matter in both documents, the authors of each document appear to have Standards Track in mind. Standards Track seems reasonable to me in both cases. Russ >This is a working group last call for comments on the following drafts. > >For progression to Proposed Standard: > > draft-ietf-ipsec-ikev2-algorithms-02.txt > >For progression to Informational: > > draft-ietf-ipsec-ui-suites-00.txt > >This last call with expire on June 23rd. From owner-ipsec@lists.tislabs.com Wed Jun 11 12:18:47 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BJIkrb081902; Wed, 11 Jun 2003 12:18:46 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA10743 Wed, 11 Jun 2003 14:50:28 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: In-Reply-To: References: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Wed, 11 Jun 2003 11:56:25 -0700 To: Henry Spencer , IP Security List From: Paul Hoffman / VPNC Subject: Re: SHOULD NOT DES (was RE: Editorial: Use of MAY...) Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk At 1:46 PM -0400 6/11/03, Henry Spencer wrote: >On Wed, 11 Jun 2003, Paul Hoffman / VPNC wrote: >> At 11:54 AM -0400 6/11/03, Bill Sommerfeld wrote: >> >One more vote for SHOULD NOT. >> >> So you think it is better to give a lower recommendation for an >> algorithm with a known (weak) key strength than to algorithms that >> could be much weaker, including zero encryption. > >Where, exactly, did either Bill or I say that? Please be precise. I only saw messages about making DES be SHOULD NOT, not any messages about making all the other variable-length ciphers SHOULD NOT. If you sent such a message and I missed it, I apologize. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Wed Jun 11 12:21:07 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BJL3rb082305; Wed, 11 Jun 2003 12:21:07 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA10800 Wed, 11 Jun 2003 14:54:39 -0400 (EDT) X-Envelope-To: ipsec@lists.tislabs.com To: ipsec@lists.tislabs.com Path: not-for-mail From: daw@mozart.cs.berkeley.edu (David Wagner) Newsgroups: isaac.lists.ipsec Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Date: 11 Jun 2003 18:34:04 GMT Organization: University of California, Berkeley Lines: 28 Distribution: isaac Message-ID: References:

NNTP-Posting-Host: mozart.cs.berkeley.edu X-Trace: abraham.cs.berkeley.edu 1055356444 22752 128.32.153.211 (11 Jun 2003 18:34:04 GMT) X-Complaints-To: news@abraham.cs.berkeley.edu NNTP-Posting-Date: 11 Jun 2003 18:34:04 GMT X-Newsreader: trn 4.0-test74 (May 26, 2000) Originator: daw@mozart.cs.berkeley.edu (David Wagner) Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Henry Spencer wrote: >On 11 Jun 2003, David Wagner wrote: >> I don't recall a MAY requirement for any 40-bit cipher. We debated >> 40-bit ciphers a long time ago (remember export controls?), and we came >> to consensus many years ago that 40-bit ciphers have no place in IPSec. >> Are you saying there is a MAY requirement for a 40-bit cipher? If so, >> that should be fixed, but I don't believe it. > >RFC 2451 Blowfish allows keys as short as 40 bits, as does RFC 2451 CAST. >RFC 2451 IDEA does not. That's different. IPSec does not have a MAY requirement for 40-bit ciphers. It has a MAY requirement for ciphers like Blowfish which can be used with 40-bit keys, but the default key size for Blowfish is 128 bits, which is adequate. With DES, not only is the default key inadequate (56 bits), that's the *only* supported key size; as a result, DES is clearly inadequate for deployment in most new systems. It's not what size keys the cipher supports that matters; it's what size keys are standardized for use in IPSEc. Maybe we should add a line to RFC2451 saying that users SHOULD NOT use key sizes shorter than the default. There's no good reason to use shorter keys. This addition would make everything consistent with a SHOULD NOT policy for DES. Will this make everyone happy? (Amusingly, RFC2451 suggests that implementors SHOULD check for weak keys. Personally, I consider *every* 40-bit key a weak key.) From owner-ipsec@lists.tislabs.com Wed Jun 11 12:33:33 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BJXWrb083080; Wed, 11 Jun 2003 12:33:32 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA10868 Wed, 11 Jun 2003 15:05:08 -0400 (EDT) X-Envelope-To: ipsec@lists.tislabs.com To: ipsec@lists.tislabs.com Path: not-for-mail From: daw@mozart.cs.berkeley.edu (David Wagner) Newsgroups: isaac.lists.ipsec Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Date: 11 Jun 2003 18:44:34 GMT Organization: University of California, Berkeley Lines: 40 Distribution: isaac Message-ID: References: <16103.11318.799282.793338@pkoning.dev.equallogic.com> NNTP-Posting-Host: mozart.cs.berkeley.edu X-Trace: abraham.cs.berkeley.edu 1055357074 22752 128.32.153.211 (11 Jun 2003 18:44:34 GMT) X-Complaints-To: news@abraham.cs.berkeley.edu NNTP-Posting-Date: 11 Jun 2003 18:44:34 GMT X-Newsreader: trn 4.0-test74 (May 26, 2000) Originator: daw@mozart.cs.berkeley.edu (David Wagner) Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Paul Hoffman / VPNC wrote: >draft-ietf-ipsec-ikev2-algorithms-02.txt, the document under >discussion, has MAY level for many encryption algorithms that have >key sizes down to 40. It's pretty clear in the draft, regardless of >what you believe. Ok, I didn't realize that. I'm not convinced this respects the consensus established by the working group years ago, but arguing about this might take us into a rathole from which we never recover, so let's not go there. Instead, let me just note that the situation with draft-ietf-ipsec-ikev2-algorithms-02.txt is very different from the situation with DES. DES can't go higher than 56 bits. The algorithms in draft-ietf-ipsec-ikev2-algorithms-02.txt go up to 128 bits and higher, and indeed, their default is 128 bits. So, I still think DES should be a SHOULD NOT. And, if consistency matters, there's a simple fix. Let's change draft-ietf-ipsec-ikev2-algorithms-02.txt to make clear that short keys SHOULD NOT be used, just like DES SHOULD NOT be used. I'm fine with that. I do think the DES issue is more important in practice than the draft-ietf-ipsec-ikev2-algorithms-02.txt issue. Not many implementations will use, say, Blowfish, and for those that do, it's pretty unlikely they will go out of their way to use a smaller-than-default key size. (If they do, maybe they deserve what they get.) But it is quite likely that many implementations will use DES with its 56 bit keys. As a result, I feel it is more important to fix the DES issue than to worry about Blowfish minimum key sizes. If we don't do anything, the DES failure mode could become widespread, while the Blowfish failure mode is likely to be very rare. As a result, if there is some reason we can't fix the draft-ietf-ipsec-ikev2-algorithms-02.txt minimum key size issue, we shouldn't let that stop us from fixing the DES issue. Getting security right is more important than consistency. But if we can fix the ikev2-algorithms draft, I have no objection to upping the Blowfish minimum key sizes, if that is preferable. It's not a bad idea. From owner-ipsec@lists.tislabs.com Wed Jun 11 12:53:29 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BJrQrb083850; Wed, 11 Jun 2003 12:53:29 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA11073 Wed, 11 Jun 2003 15:27:37 -0400 (EDT) Date: Wed, 11 Jun 2003 15:33:36 -0400 (EDT) From: Henry Spencer To: IP Security List Subject: Re: SHOULD NOT DES (was RE: Editorial: Use of MAY...) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wed, 11 Jun 2003, Paul Hoffman / VPNC wrote: > >> So you think it is better to give a lower recommendation for an > >> algorithm with a known (weak) key strength than to algorithms that > >> could be much weaker, including zero encryption. > >Where, exactly, did either Bill or I say that? Please be precise. > > I only saw messages about making DES be SHOULD NOT, not any messages > about making all the other variable-length ciphers SHOULD NOT. If you > sent such a message and I missed it, I apologize. You're still jumping to conclusions -- the fact that you have not heard from me about the variable-length ciphers tells you nothing about my position on them, so you cannot legitimately infer that I consider dealing with them unimportant. (And your "zero encryption" remark remains odd, because none of the RFC 2451 variable-length ciphers goes down to zero.) My position on them actually lines up closely with David Wagner's most recent message: they *are* lower priority -- not because they are better, but because they are little-used and do have at least the option of longer keys -- but it would nevertheless be good to deal with them too. Dealing properly with DES, however, is *important*. Henry Spencer henry@spsystems.net From owner-ipsec@lists.tislabs.com Wed Jun 11 12:54:44 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BJsirb083908; Wed, 11 Jun 2003 12:54:44 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA11060 Wed, 11 Jun 2003 15:24:53 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: In-Reply-To: References:

X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Wed, 11 Jun 2003 12:30:44 -0700 To: daw@mozart.cs.berkeley.edu (David Wagner), ipsec@lists.tislabs.com From: Paul Hoffman / VPNC Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk At 6:34 PM +0000 6/11/03, David Wagner wrote: >It's not what size keys the cipher supports that matters; it's what size >keys are standardized for use in IPSEc. Exactly right. >Maybe we should add a line to RFC2451 saying that users SHOULD NOT >use key sizes shorter than the default. There's no good reason to use >shorter keys. This addition would make everything consistent with a >SHOULD NOT policy for DES. Will this make everyone happy? It would certainly make me happier. That way, we would not be having different recommendations for IKEv1 than what we have for IKEv2. Actually, a complete revision to RFC 2451 would be nice, including removing algorithms for which there are not stable references. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Wed Jun 11 13:01:28 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BK1Srb084191; Wed, 11 Jun 2003 13:01:28 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA11105 Wed, 11 Jun 2003 15:33:05 -0400 (EDT) Date: Wed, 11 Jun 2003 10:39:05 -0400 From: "Theodore Ts'o" To: Russ Housley Cc: ipsec@lists.tislabs.com, byfraser@cisco.com Subject: Re: Fwd: LAST CALL: IKE Crypto documents I-D's Message-ID: <20030611143905.GB2575@think> References: <5.2.0.9.2.20030611141434.01fcb268@mail.binhost.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.2.0.9.2.20030611141434.01fcb268@mail.binhost.com> User-Agent: Mutt/1.5.4i Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Wed, Jun 11, 2003 at 02:18:12PM -0400, Russ Housley wrote: > I am confused here. Based on the front matter in both documents, the > authors of each document appear to have Standards Track in mind. Standards > Track seems reasonable to me in both cases. Well, maybe we need to have a discussion the working group and the AD's about this question. The reason why Barbara and I thought Informational track would be more appropriate for draft-ietf-ipsec-ui-suites is because it doesn't actually impose any MUST's on the protocol, as defined as bits-on-the-wire. So with no impliciations on bits-on-the-wire, what "at least two interoperable implementations" means is an interesting question indeed. On the other hand, there the IETF advanced the GSSAPI specifications as Proposed Standard even though there little to no protocol implication. That might argue that the ui-suites I-D should be a Proposed Standard, and we'll simply leave the headache of what "interoperable implementations" mean to the IESG in that case. All of this being said, neither Barbara nor I have any strong feelings on this matter, so we are certainly open to any strong sense from the wg, or direction from the AD's. - Ted From owner-ipsec@lists.tislabs.com Wed Jun 11 14:40:18 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BLeFrb089082; Wed, 11 Jun 2003 14:40:17 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA11707 Wed, 11 Jun 2003 17:11:57 -0400 (EDT) Message-Id: <200306112117.h5BLH0of012114@givry.rennes.enst-bretagne.fr> From: Francis Dupont To: "Theodore Ts'o" cc: Russ Housley , ipsec@lists.tislabs.com, byfraser@cisco.com Subject: Re: Fwd: LAST CALL: IKE Crypto documents I-D's In-reply-to: Your message of Wed, 11 Jun 2003 10:39:05 EDT. <20030611143905.GB2575@think> Date: Wed, 11 Jun 2003 23:17:00 +0200 X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr Sender: owner-ipsec@lists.tislabs.com Precedence: bulk In your previous mail you wrote: > Standards Track seems reasonable to me in both cases. All of this being said, neither Barbara nor I have any strong feelings on this matter, so we are certainly open to any strong sense from the wg, or direction from the AD's. => why not a BCP? Thanks Francis.Dupont@enst-bretagne.fr From owner-ipsec@lists.tislabs.com Wed Jun 11 14:40:21 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BLeKrb089093; Wed, 11 Jun 2003 14:40:20 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA11722 Wed, 11 Jun 2003 17:12:47 -0400 (EDT) Message-Id: <5.2.0.9.2.20030611171254.03d82698@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Wed, 11 Jun 2003 17:18:33 -0400 To: "Theodore Ts'o" From: Russ Housley Subject: Re: Fwd: LAST CALL: IKE Crypto documents I-D's Cc: ipsec@lists.tislabs.com, byfraser@cisco.com In-Reply-To: <20030611143905.GB2575@think> References: <5.2.0.9.2.20030611141434.01fcb268@mail.binhost.com> <5.2.0.9.2.20030611141434.01fcb268@mail.binhost.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Ted: > > I am confused here. Based on the front matter in both documents, the > > authors of each document appear to have Standards Track in > mind. Standards > > Track seems reasonable to me in both cases. > >Well, maybe we need to have a discussion the working group and the >AD's about this question. The reason why Barbara and I thought >Informational track would be more appropriate for >draft-ietf-ipsec-ui-suites is because it doesn't actually impose any >MUST's on the protocol, as defined as bits-on-the-wire. It does impact interoperability. If the same string is used by two different vendors to mean different collections of algorithms, then the protocol negations will probably fail in a reasonable way to people that look at the actual packets. However, two administrators will say that the boxes are configured in the same way, but they fail to interoperate. >So with no impliciations on bits-on-the-wire, what "at least two >interoperable implementations" means is an interesting question >indeed. > >On the other hand, there the IETF advanced the GSSAPI specifications >as Proposed Standard even though there little to no protocol >implication. That might argue that the ui-suites I-D should be a >Proposed Standard, and we'll simply leave the headache of what >"interoperable implementations" mean to the IESG in that case. > >All of this being said, neither Barbara nor I have any strong feelings >on this matter, so we are certainly open to any strong sense from the >wg, or direction from the AD's. I understand your points. I will discuss with the rest of the IESG and report back. We happen to have a telechat scheduled for tomorrow, Russ From owner-ipsec@lists.tislabs.com Wed Jun 11 14:57:23 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BLvMrb089962; Wed, 11 Jun 2003 14:57:23 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA11837 Wed, 11 Jun 2003 17:30:20 -0400 (EDT) Message-Id: <200306112135.h5BLZoq3002115@thunk.east.sun.com> From: Bill Sommerfeld To: Henry Spencer cc: IP Security List Subject: Re: SHOULD NOT DES (was RE: Editorial: Use of MAY...) In-Reply-To: Your message of "Wed, 11 Jun 2003 15:33:36 EDT." Reply-to: sommerfeld@east.sun.com Date: Wed, 11 Jun 2003 17:35:50 -0400 Sender: owner-ipsec@lists.tislabs.com Precedence: bulk > You're still jumping to conclusions -- the fact that you have not heard > from me about the variable-length ciphers tells you nothing about my > position on them, so you cannot legitimately infer that I consider dealing > with them unimportant. (And your "zero encryption" remark remains odd, > because none of the RFC 2451 variable-length ciphers goes down to > zero.) And the null cipher for ESP is qualitatively different; it's an alternative to AH for applications where privacy is clearly not required. > My position on them actually lines up closely with David Wagner's most > recent message: they *are* lower priority -- not because they are better, > but because they are little-used and do have at least the option of longer > keys -- but it would nevertheless be good to deal with them too. Dealing > properly with DES, however, is *important*. And, for the record, "What Henry Said". - Bill From owner-ipsec@lists.tislabs.com Wed Jun 11 14:57:27 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BLvMrb089961; Wed, 11 Jun 2003 14:57:27 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA11849 Wed, 11 Jun 2003 17:31:07 -0400 (EDT) Date: Wed, 11 Jun 2003 23:35:41 +0200 From: Tobias Poppe To: Bill Sommerfeld Cc: IP Security List Subject: Re: SHOULD NOT DES (was RE: Editorial: Use of MAY...) Message-ID: <20030611213541.GA4201@stud.uni-karlsruhe.de> References: <200306111554.h5BFsXq3001831@thunk.east.sun.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200306111554.h5BFsXq3001831@thunk.east.sun.com> User-Agent: Mutt/1.4.1i Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Hi, On Wed, Jun 11, 2003 at 11:54:33AM -0400, Bill Sommerfeld wrote: > > The FreeS/WAN project dropped single-DES support over four years ago, at > > management insistence. This caused surprisingly few interoperability > > problems. (There were one or two.) I think it is now quite safe to say > > that DES-only environments involve either obsolete software or specialized > > requirements -- a perfect case for SHOULD NOT. > > One more vote for SHOULD NOT. One more vote for SHOULD NOT. Single-DES should be treated like NULL cipher. It has been broken. People will start laughting at you if this goes into the RFC any different than SHOULD NOT. > - Bill -tp p.s. I actually know people who are already 'amused' that this topic requires such an extensive discussion. p.s.s.: History taught us that the 'we let it up to the user to decide'-attitude does not work in the real world. From jkathleengsfif27gln3er@msn.com Wed Jun 11 15:23:03 2003 Received: from hotmail.com (bay3-dav136.bay3.hotmail.com [65.54.169.166]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5BMN3rb090791 for ; Wed, 11 Jun 2003 15:23:03 -0700 (PDT) (envelope-from jkathleengsfif27gln3er@msn.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 11 Jun 2003 15:23:00 -0700 Received: from 66.207.70.2 by bay3-dav136.bay3.hotmail.com with DAV; Wed, 11 Jun 2003 22:22:59 +0000 X-Originating-IP: [66.207.70.2] X-Originating-Email: [jkathleengsfif27gln3er@msn.com] To: "Ptomey Derflinger" Subject: Elude Expensive Septic Repairs From: "Goble Lio" Organization: Lj7O321DFG3RVlQ2s3WvJIEk2nKsw4qH Importance: Normal X-Originating-Ip: [3.6.851.6] Content-Type: multipart/alternative; boundary="F07jt66IBHQ5pw57Wt4tl33A6X32GUhQCTnF0ytTPX03Mv28k05mA07uxfBJn1IY3" Content-Transfer-Encoding: 7bit Message-ID: X-OriginalArrivalTime: 11 Jun 2003 22:23:00.0287 (UTC) FILETIME=[044504F0:01C33068] Date: 11 Jun 2003 15:23:00 -0700 --F07jt66IBHQ5pw57Wt4tl33A6X32GUhQCTnF0ytTPX03Mv28k05mA07uxfBJn1IY3 Content-Transfer-Encoding: 7bit Content-Type: text/html; charset="US-ASCII" Dramatically Increase The Life And Effectiveness of Your Septic System.

Try SPC Septic Cleaner For Free By Clicking Here

You'll keep your septic system free flowing as SPC breaks down large waste materials into smaller
particles and liquids so that they pass quickly through your septic system.

Visit our site and try it for free.

To Take Yourself Off our list here
--F07jt66IBHQ5pw57Wt4tl33A6X32GUhQCTnF0ytTPX03Mv28k05mA07uxfBJn1IY3-- From owner-ipsec@lists.tislabs.com Wed Jun 11 18:49:53 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5C1nmrb097132; Wed, 11 Jun 2003 18:49:52 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id VAA12918 Wed, 11 Jun 2003 21:11:45 -0400 (EDT) Date: Wed, 11 Jun 2003 21:16:25 -0400 (EDT) From: "Catherine A. Meadows" Message-Id: <200306120116.h5C1GPXT014125@itd.nrl.navy.mil> To: ipsec@lists.tislabs.com Subject: question about IKE on IPv4 and IPv6 Cc: meadows@itd.nrl.navy.mil X-Sun-Charset: US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk I've got a question about IKE that came up here today. It is: is there any way that a node running IPv6 sest up an IKE SA with a node IPv4? What about the same question for IKEv2? In either case, are there any implementations out there that do this? Thanks in advance, Cathy Meadows From owner-ipsec@lists.tislabs.com Thu Jun 12 02:40:05 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5C9e5rb043012; Thu, 12 Jun 2003 02:40:05 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id FAA14612 Thu, 12 Jun 2003 05:00:09 -0400 (EDT) From: "Yoav Nir" To: "'Paul Hoffman / VPNC'" , "'David Wagner'" , Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Date: Thu, 12 Jun 2003 12:04:05 +0200 Message-ID: <003101c330c9$f57681d0$292e1dc2@YnirNew> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 In-Reply-To: Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Me too. With a statement that keys weaker than a certain level (say, 128 bits although 96 is probably enough) SHOULD NOT be used, I can live with DES being demoted to a SHOULD NOT. Still, I think that DES fits better with the definition of MAY: "One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item." -----Original Message----- From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Hoffman / VPNC Sent: Wednesday, June 11, 2003 9:31 PM To: David Wagner; ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms At 6:34 PM +0000 6/11/03, David Wagner wrote: >It's not what size keys the cipher supports that matters; it's what size >keys are standardized for use in IPSEc. Exactly right. >Maybe we should add a line to RFC2451 saying that users SHOULD NOT >use key sizes shorter than the default. There's no good reason to use >shorter keys. This addition would make everything consistent with a >SHOULD NOT policy for DES. Will this make everyone happy? It would certainly make me happier. That way, we would not be having different recommendations for IKEv1 than what we have for IKEv2. Actually, a complete revision to RFC 2451 would be nice, including removing algorithms for which there are not stable references. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Thu Jun 12 06:48:02 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CDm2rb057165; Thu, 12 Jun 2003 06:48:02 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA15357 Thu, 12 Jun 2003 09:16:31 -0400 (EDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16104.35977.651000.712505@gargle.gargle.HOWL> Date: Thu, 12 Jun 2003 10:22:01 -0400 From: Paul Koning To: ynir@CheckPoint.com Cc: paul.hoffman@vpnc.org, daw@mozart.cs.berkeley.edu, ipsec@lists.tislabs.com Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms References: <003101c330c9$f57681d0$292e1dc2@YnirNew> X-Mailer: VM 7.07 under 21.4 (patch 10) "Military Intelligence (Windows)" XEmacs Lucid Sender: owner-ipsec@lists.tislabs.com Precedence: bulk >>>>> "Yoav" == Yoav Nir writes: Yoav> Me too. With a statement that keys weaker than a certain level Yoav> (say, 128 bits although 96 is probably enough) SHOULD NOT be Yoav> used, I can live with DES being demoted to a SHOULD NOT. 96 is probably enough but it's not a common keysize, so 128 makes sense. Yoav> Still, I think that DES fits better with the definition of MAY: Yoav> "One vendor may choose to include the item because a particular Yoav> marketplace requires it or because the vendor feels that it Yoav> enhances the product while another vendor may omit the same Yoav> item." But "MAY" is neutral, it expresses no value judgement about the choice. "SHOULD NOT" also allows the vendor to choose but clearly recommends that you don't implement it. That's the messsage I'd like to see for short-key ciphers. paul From owner-ipsec@lists.tislabs.com Thu Jun 12 07:36:06 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CEa6rb062154; Thu, 12 Jun 2003 07:36:06 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA15512 Thu, 12 Jun 2003 10:08:41 -0400 (EDT) Message-Id: <4.3.2.7.2.20030611151310.02bf0b00@mira-sjc5-4.cisco.com> X-Sender: byfraser@mira-sjc5-4.cisco.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 11 Jun 2003 15:16:01 -0700 To: Russ Housley From: Barbara Fraser Subject: Re: Fwd: LAST CALL: IKE Crypto documents I-D's Cc: "Theodore Ts'o" , ipsec@lists.tislabs.com In-Reply-To: <5.2.0.9.2.20030611171254.03d82698@mail.binhost.com> References: <20030611143905.GB2575@think> <5.2.0.9.2.20030611141434.01fcb268@mail.binhost.com> <5.2.0.9.2.20030611141434.01fcb268@mail.binhost.com> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_28649565==_.ALT" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk --=====================_28649565==_.ALT Content-Type: text/plain; charset="us-ascii"; format=flowed Hi, Thanks for taking this process question to the IESG. Ted and I would like to urge the working group to focus on the technical content of these drafts. That's where the energy needs to be spent. thanks, Barb We'll deal with the appropriate handling of these documents as a At 02:18 PM 6/11/2003, Russ Housley wrote: >Ted: > >> > I am confused here. Based on the front matter in both documents, the >> > authors of each document appear to have Standards Track in >> mind. Standards >> > Track seems reasonable to me in both cases. >> >>Well, maybe we need to have a discussion the working group and the >>AD's about this question. The reason why Barbara and I thought >>Informational track would be more appropriate for >>draft-ietf-ipsec-ui-suites is because it doesn't actually impose any >>MUST's on the protocol, as defined as bits-on-the-wire. > >It does impact interoperability. If the same string is used by two >different vendors to mean different collections of algorithms, then the >protocol negations will probably fail in a reasonable way to people that >look at the actual packets. However, two administrators will say that the >boxes are configured in the same way, but they fail to interoperate. > >>So with no impliciations on bits-on-the-wire, what "at least two >>interoperable implementations" means is an interesting question >>indeed. >> >>On the other hand, there the IETF advanced the GSSAPI specifications >>as Proposed Standard even though there little to no protocol >>implication. That might argue that the ui-suites I-D should be a >>Proposed Standard, and we'll simply leave the headache of what >>"interoperable implementations" mean to the IESG in that case. >> >>All of this being said, neither Barbara nor I have any strong feelings >>on this matter, so we are certainly open to any strong sense from the >>wg, or direction from the AD's. > >I understand your points. I will discuss with the rest of the IESG and >report back. We happen to have a telechat scheduled for tomorrow, > >Russ --=====================_28649565==_.ALT Content-Type: text/html; charset="us-ascii" Hi,

Thanks for taking this process question to the IESG. Ted and I would like to urge the working group to focus on the technical content of these drafts. That's where the energy needs to be spent.

thanks,
Barb

We'll deal with the appropriate handling of these documents as a

At 02:18 PM 6/11/2003, Russ Housley wrote:

Ted:

> I am confused here. Based on the front matter in both documents, the
> authors of each document appear to have Standards Track in mind. Standards
> Track seems reasonable to me in both cases.

Well, maybe we need to have a discussion the working group and the
AD's about this question. The reason why Barbara and I thought
Informational track would be more appropriate for
draft-ietf-ipsec-ui-suites is because it doesn't actually impose any
MUST's on the protocol, as defined as bits-on-the-wire.

It does impact interoperability. If the same string is used by two different vendors to mean different collections of algorithms, then the protocol negations will probably fail in a reasonable way to people that look at the actual packets. However, two administrators will say that the boxes are configured in the same way, but they fail to interoperate.

So with no impliciations on bits-on-the-wire, what "at least two
interoperable implementations" means is an interesting question
indeed.

On the other hand, there the IETF advanced the GSSAPI specifications
as Proposed Standard even though there little to no protocol
implication. That might argue that the ui-suites I-D should be a
Proposed Standard, and we'll simply leave the headache of what
"interoperable implementations" mean to the IESG in that case.

All of this being said, neither Barbara nor I have any strong feelings
on this matter, so we are certainly open to any strong sense from the
wg, or direction from the AD's.

I understand your points. I will discuss with the rest of the IESG and report back. We happen to have a telechat scheduled for tomorrow,

Russ

--=====================_28649565==_.ALT-- From owner-ipsec@lists.tislabs.com Thu Jun 12 07:47:48 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CElkrb062715; Thu, 12 Jun 2003 07:47:47 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA15574 Thu, 12 Jun 2003 10:20:42 -0400 (EDT) X-Authentication-Warning: desire.geoffk.org: geoffk set sender to geoffk@geoffk.org using -f To: Paul Hoffman / VPNC Cc: ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms References: <16103.11318.799282.793338@pkoning.dev.equallogic.com> <000401c33027$f5ca27b0$292e1dc2@YnirNew> <16103.13425.642338.266792@pkoning.dev.equallogic.com> From: Geoff Keating Date: 11 Jun 2003 14:44:57 -0700 In-Reply-To: Message-ID: Lines: 33 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Paul Hoffman / VPNC writes: > At 9:53 AM -0400 6/11/03, Paul Koning wrote: > > >>>>> "Yoav" == Yoav Nir writes: > > > > Yoav> So RC4, Blowfish and IDEA are "MAY", but DES is "SHOULD NOT"? > > Yoav> I think those should be at least as discouraged as DES. > > > >Why? DES is known to be weak (inadequate key size), while the others > >are (unless I missed something recent) not substantially weaker than > >exhaustive search of their key. > > Any algorithm with a variable key size could be considerably weaker > than DES. Unless you are going to start listing key sizes and giving > each size a rating, saying SHOULD NOT for DES but MAY for some other > algorithm that can use 40-bit keys is silly. It might be a good idea to have a SHOULD NOT for too-short key lengths (maybe under 'Security Considerations'), independent of algorithm. The IKE RFC, for instance, says > For this reason, a prf function whose output is less than 128 bits > (e.g., 3DES-CBC) MUST never be used with this protocol. Proposed wording is: Implementors and administrators should carefully consider what algorithms and key sizes are appropriate for each situation; as a minimum, an implementation SHOULD NOT use an algorithm with a key size of 64 bits or less in its default configuration. -- - Geoffrey Keating From owner-ipsec@lists.tislabs.com Thu Jun 12 08:22:27 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CFMQrb064046; Thu, 12 Jun 2003 08:22:26 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA15678 Thu, 12 Jun 2003 10:54:27 -0400 (EDT) From: "Yoav Nir" To: Subject: RE: LAST CALL: IKE Crypto documents I-D's Date: Thu, 12 Jun 2003 17:58:53 +0200 Message-ID: <004801c330fb$8692fb90$292e1dc2@YnirNew> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 In-Reply-To: Sender: owner-ipsec@lists.tislabs.com Precedence: bulk It's good that we're getting there, but I still think we haven't addressed the issue of AES and key sizes. The algorithms draft refers only to AES-128. We should either add AES-256 or else rename the transforms to simply "ENCR_AES_CBC" and "ENCR_AES_CTR" and use the keylength attribute to determine the specific "flavor" or AES. IMO it doesn't make sense to use "ENCR_AES_128_CBC" with a 256-bit key. -----Original Message----- From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Theodore Ts'o Sent: Wednesday, June 11, 2003 2:06 PM To: ipsec@lists.tislabs.com Cc: byfraser@cisco.com Subject: LAST CALL: IKE Crypto documents I-D's This is a working group last call for comments on the following drafts. For progression to Proposed Standard: draft-ietf-ipsec-ikev2-algorithms-02.txt For progression to Informational: draft-ietf-ipsec-ui-suites-00.txt This last call with expire on June 23rd. - Ted and Barbara From owner-ipsec@lists.tislabs.com Thu Jun 12 10:06:09 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CH68rb071459; Thu, 12 Jun 2003 10:06:09 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA16085 Thu, 12 Jun 2003 12:26:20 -0400 (EDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: In-Reply-To: <16104.35977.651000.712505@gargle.gargle.HOWL> References: <003101c330c9$f57681d0$292e1dc2@YnirNew> <16104.35977.651000.712505@gargle.gargle.HOWL> X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . Date: Thu, 12 Jun 2003 09:32:15 -0700 To: Paul Koning , ynir@CheckPoint.com From: Paul Hoffman / VPNC Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms Cc: daw@mozart.cs.berkeley.edu, ipsec@lists.tislabs.com Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk At 10:22 AM -0400 6/12/03, Paul Koning wrote: >96 is probably enough but it's not a common keysize, so 128 makes >sense. But only if you want to eliminate TripleDES, whose key size is 112 bits. No one counts the parity bits as meaningful. Yes, I'm being picky about this. As we have seen from IKEv1, sloppy wording which "everybody" understands at the time the RFC is issued becomes confusing and leads to lack of interoperability within a few short years. --Paul Hoffman, Director --VPN Consortium From owner-ipsec@lists.tislabs.com Thu Jun 12 10:57:46 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CHvkrb072919; Thu, 12 Jun 2003 10:57:46 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA16264 Thu, 12 Jun 2003 13:18:20 -0400 (EDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16104.46887.397423.89027@pkoning.dev.equallogic.com> Date: Thu, 12 Jun 2003 13:23:51 -0400 From: Paul Koning To: paul.hoffman@vpnc.org Cc: ynir@CheckPoint.com, daw@mozart.cs.berkeley.edu, ipsec@lists.tislabs.com Subject: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms References: <003101c330c9$f57681d0$292e1dc2@YnirNew> <16104.35977.651000.712505@gargle.gargle.HOWL> X-Mailer: VM 7.07 under 21.4 (patch 8) "Honest Recruiter" XEmacs Lucid Sender: owner-ipsec@lists.tislabs.com Precedence: bulk >>>>> "Paul" == Paul Hoffman > writes: Paul> At 10:22 AM -0400 6/12/03, Paul Koning wrote: >> 96 is probably enough but it's not a common keysize, so 128 makes >> sense. Paul> But only if you want to eliminate TripleDES, whose key size is Paul> 112 bits. No one counts the parity bits as meaningful. Indeed, one doesn't count the parity bits. So the 3DES key length is 168 bits, because IPsec uses 3-key 3DES. Paul> Yes, I'm being picky about this. As we have seen from IKEv1, Paul> sloppy wording which "everybody" understands at the time the Paul> RFC is issued becomes confusing and leads to lack of Paul> interoperability within a few short years. Agreed. paul From owner-ipsec@lists.tislabs.com Thu Jun 12 11:32:56 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CIWsrb074728; Thu, 12 Jun 2003 11:32:56 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA16423 Thu, 12 Jun 2003 14:03:31 -0400 (EDT) To: Paul Hoffman / VPNC Cc: Paul Koning , ynir@CheckPoint.com, daw@mozart.cs.berkeley.edu, ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms References: <003101c330c9$f57681d0$292e1dc2@YnirNew> <16104.35977.651000.712505@gargle.gargle.HOWL> Reply-To: EKR From: Eric Rescorla Date: 12 Jun 2003 11:15:15 -0700 In-Reply-To: Message-ID: Lines: 16 User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Paul Hoffman / VPNC writes: > At 10:22 AM -0400 6/12/03, Paul Koning wrote: > >96 is probably enough but it's not a common keysize, so 128 makes > >sense. > > But only if you want to eliminate TripleDES, whose key size is 112 > bits. No one counts the parity bits as meaningful. As I understand RFC 2451, the 3DES we uses is 3-key 3DES in EDE mode, so the effective key size should be 168 bits. -Ekr -- [Eric Rescorla ekr@rtfm.com] http://www.rtfm.com/ From owner-ipsec@lists.tislabs.com Thu Jun 12 12:28:43 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CJSgrb078082; Thu, 12 Jun 2003 12:28:42 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA16657 Thu, 12 Jun 2003 14:58:18 -0400 (EDT) Date: Thu, 12 Jun 2003 12:03:38 -0700 (PDT) From: Scott Fluhrer To: Eric Rescorla cc: Paul Hoffman / VPNC , Paul Koning , ynir@CheckPoint.com, daw@mozart.cs.berkeley.edu, ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms In-Reply-To: Message-ID: References: <003101c330c9$f57681d0$292e1dc2@YnirNew> <16104.35977.651000.712505@gargle.gargle.HOWL> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Thu, 12 Jun 2003, Eric Rescorla wrote: > Paul Hoffman / VPNC writes: > > > At 10:22 AM -0400 6/12/03, Paul Koning wrote: > > >96 is probably enough but it's not a common keysize, so 128 makes > > >sense. > > > > But only if you want to eliminate TripleDES, whose key size is 112 > > bits. No one counts the parity bits as meaningful. > As I understand RFC 2451, the 3DES we uses is 3-key 3DES in > EDE mode, so the effective key size should be 168 bits. For a cryptographical standpoint, there may be 168 distinct key bits that affect the ciphertext, but it is well known that you can break 3DES with far less work than O(2**168) effort. There is a meet-in-the-middle attack that (with a lot of memory) brings the effort down to around O(2**112), which is what I assume Paul was refering to. In addition, if you have vast quantities of known plaintext encrypted with the same key, Stephan Lucks' attack becomes interesting, which reduces the effort a bit more (I don't have a solid estimate at hand). Neither of these attacks are practical given current current limitations, but one should remember that they do exist. -- scott From owner-ipsec@lists.tislabs.com Thu Jun 12 12:50:13 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CJoCrb078605; Thu, 12 Jun 2003 12:50:13 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA16691 Thu, 12 Jun 2003 15:14:47 -0400 (EDT) To: Scott Fluhrer Cc: Paul Hoffman / VPNC , Paul Koning , ynir@CheckPoint.com, daw@mozart.cs.berkeley.edu, ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms References: <003101c330c9$f57681d0$292e1dc2@YnirNew> <16104.35977.651000.712505@gargle.gargle.HOWL>

Reply-To: EKR From: Eric Rescorla Date: 12 Jun 2003 12:26:28 -0700 In-Reply-To: Message-ID: Lines: 41 User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Scott Fluhrer writes: > On Thu, 12 Jun 2003, Eric Rescorla wrote: > > > Paul Hoffman / VPNC writes: > > > > > At 10:22 AM -0400 6/12/03, Paul Koning wrote: > > > >96 is probably enough but it's not a common keysize, so 128 makes > > > >sense. > > > > > > But only if you want to eliminate TripleDES, whose key size is 112 > > > bits. No one counts the parity bits as meaningful. > > As I understand RFC 2451, the 3DES we uses is 3-key 3DES in > > EDE mode, so the effective key size should be 168 bits. > > For a cryptographical standpoint, there may be 168 distinct key bits that > affect the ciphertext, but it is well known that you can break 3DES with > far less work than O(2**168) effort. There is a meet-in-the-middle attack > that (with a lot of memory) brings the effort down to around O(2**112), > which is what I assume Paul was refering to. Uh, "lot" means O(2**56), no? >> In addition, if you have > vast quantities of known plaintext encrypted with the same key, Stephan > Lucks' attack becomes interesting, which reduces the effort a bit more > (I don't have a solid estimate at hand). > > Neither of these attacks are practical given current current limitations, > but one should remember that they do exist. Sure, but under practical conditions the effective key size of 3DES-EDE3 168 bits and it's conventional to refer to it this way. In the same way, it's conventional to refer to DES as having a strength of 56 bits despite the fact that if you somehow laid your hands on 2^47 chosen plaintexts the complexity of DES would be a measly O(2^47). -Ekr -- [Eric Rescorla ekr@rtfm.com] http://www.rtfm.com/ From owner-ipsec@lists.tislabs.com Thu Jun 12 13:04:48 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CK4grb079081; Thu, 12 Jun 2003 13:04:47 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA16783 Thu, 12 Jun 2003 15:37:07 -0400 (EDT) Date: Thu, 12 Jun 2003 12:42:26 -0700 (PDT) From: Scott Fluhrer To: Eric Rescorla cc: Paul Hoffman / VPNC , Paul Koning , ynir@CheckPoint.com, daw@mozart.cs.berkeley.edu, ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms In-Reply-To: Message-ID: References: <003101c330c9$f57681d0$292e1dc2@YnirNew> <16104.35977.651000.712505@gargle.gargle.HOWL>

MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk On Thu, 12 Jun 2003, Eric Rescorla wrote: > Scott Fluhrer writes: > > > On Thu, 12 Jun 2003, Eric Rescorla wrote: > > > > > Paul Hoffman / VPNC writes: > > > > > > > At 10:22 AM -0400 6/12/03, Paul Koning wrote: > > > > >96 is probably enough but it's not a common keysize, so 128 makes > > > > >sense. > > > > > > > > But only if you want to eliminate TripleDES, whose key size is 112 > > > > bits. No one counts the parity bits as meaningful. > > > As I understand RFC 2451, the 3DES we uses is 3-key 3DES in > > > EDE mode, so the effective key size should be 168 bits. > > > > For a cryptographical standpoint, there may be 168 distinct key bits that > > affect the ciphertext, but it is well known that you can break 3DES with > > far less work than O(2**168) effort. There is a meet-in-the-middle attack > > that (with a lot of memory) brings the effort down to around O(2**112), > > which is what I assume Paul was refering to. > Uh, "lot" means O(2**56), no? Well, yes, but the attack scales to lesser amounts of memory. If you had only O(2**40) memory, then the attack works in O(2**128) time -- still far less than 2**168. > > >> In addition, if you have > > vast quantities of known plaintext encrypted with the same key, Stephan > > Lucks' attack becomes interesting, which reduces the effort a bit more > > (I don't have a solid estimate at hand). > > > > Neither of these attacks are practical given current current limitations, > > but one should remember that they do exist. > > Sure, but under practical conditions the effective key size of > 3DES-EDE3 168 bits Actually, as I pointed out above, even if you restrict the amount of memory an attacker has available to a reaonable amount, the strength of 3DES is still less than 168 bits. > and it's conventional to refer to it this way. Conventional, perhaps, to people who aren't too concerned with precision (although, in my experience, the estimate of 112 bits is rather more common). On the IPSec mailing list, we're supposed to be (one of the) IETF expert groups on security -- I would hope that some greater amount of precision is appropriate. > In the same way, it's conventional to refer to DES as having a strength > of 56 bits despite the fact that if you somehow laid your hands on 2^47 > chosen plaintexts the complexity of DES would be a measly O(2^47). Actually, if you're refering to linear cryptanalysis, the common result is that it takes 2^47 known plaintexts. -- scott From owner-ipsec@lists.tislabs.com Thu Jun 12 13:20:06 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CKK0rb079563; Thu, 12 Jun 2003 13:20:05 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA16849 Thu, 12 Jun 2003 15:54:10 -0400 (EDT) Date: Thu, 12 Jun 2003 23:00:28 +0300 (IDT) From: Hugo Krawczyk To: IPsec WG Subject: full version of the SIGMA paper Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@lists.tislabs.com Precedence: bulk It is now available (as postscript) via http://www.ee.technion.ac.il/~hugo/sigma.html In general, the paper tries to answer the many questions asked (and some of those never asked) regarding the design of the signature modes of IKE v1 and IKE v2. It now also includes an appendix describing the rationale for the key derivation techniques in IKE. MAY+ be you SHOULD- consider reading the paper a MUST+- :) Hugo From owner-ipsec@lists.tislabs.com Thu Jun 12 15:32:28 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CMWOrb084465; Thu, 12 Jun 2003 15:32:28 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA17307 Thu, 12 Jun 2003 17:52:14 -0400 (EDT) Cc: Scott Fluhrer , Paul Hoffman / VPNC , Paul Koning , ynir@CheckPoint.com, daw@mozart.cs.berkeley.edu, ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms In-reply-to: Your message of "12 Jun 2003 14:59:23 PDT." X-Mailer: mh-e 6.1; nmh 1.0.4; Emacs 21.1 Date: Thu, 12 Jun 2003 15:03:54 -0700 From: Eric Rescorla Message-Id: <20030612220354.D365E73B5@sierra.rtfm.com> Sender: owner-ipsec@lists.tislabs.com Precedence: bulk Just so we're clear. > Scott Fluhrer writes: > > On Thu, 12 Jun 2003, Eric Rescorla wrote: > > > > For a cryptographical standpoint, there may be 168 distinct key bits that > > > > affect the ciphertext, but it is well known that you can break 3DES with > > > > far less work than O(2**168) effort. There is a meet-in-the-middle attack > > > > that (with a lot of memory) brings the effort down to around O(2**112), > > > > which is what I assume Paul was refering to. > > > Uh, "lot" means O(2**56), no? > > > > Well, yes, but the attack scales to lesser amounts of memory. If you > > had only O(2**40) memory, then the attack works in O(2**128) time -- > > still far less than 2**168. > And if you have O(2^336) blocks of memory then you could do in > O(1) steps. And of course, if you paid the modest O(2^336) precomputation cost. > > > In the same way, it's conventional to refer to DES as having a strength > > > of 56 bits despite the fact that if you somehow laid your hands on 2^47 > > > chosen plaintexts the complexity of DES would be a measly O(2^47). > > Actually, if you're refering to linear cryptanalysis, the common result is > > that it takes 2^47 known plaintexts. > No, I'm referring to differential. See the HAC, pag 259. > Not that it really matters. Of course, it matters in some cosmic sense, but for the current purposes, its merely "impractically large". -Ekr From owner-ipsec@lists.tislabs.com Thu Jun 12 15:33:46 2003 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5CMXjrb084483; Thu, 12 Jun 2003 15:33:45 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com) Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA17298 Thu, 12 Jun 2003 17:48:12 -0400 (EDT) To: Scott Fluhrer Cc: Paul Hoffman / VPNC , Paul Koning , ynir@CheckPoint.com, daw@mozart.cs.berkeley.edu, ipsec@lists.tislabs.com Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms References: <003101c330c9$f57681d0$292e1dc2@YnirNew> <16104.35977.651000.712505@gargle.gargle.HOWL>