Re: [IPsec] draft-fluhrer-qr-ikev2-01

2016-02-25 Thread Tero Kivinen
Valery Smyslov writes: > > And what information do you think is there that is really worth of > > protecting? > > If we are talking about the original IKEv2 as specified in the RFC > 7296, then there are not much sensitive data inside the IKE SA - > mostly identities, traffic selectors and configu

[IPsec] IANA allocation of TIMEOUT_PERIOD_FOR_LIVENESS_CHECK

2016-02-25 Thread Tero Kivinen
I as an IANA expert got request from 3gpp to allocate new configuration attribute called TIMEOUT_PERIOD_FOR_LIVENESS_CHECK for IKEv2. This is used to set the timeout after which the UE will do liveness check with other end if no cryptographically protected IKEv2 or IPSec messages are not received.

Re: [IPsec] IANA allocation of TIMEOUT_PERIOD_FOR_LIVENESS_CHECK

2016-02-25 Thread Paul Wouters
On Thu, 25 Feb 2016, Tero Kivinen wrote: I as an IANA expert got request from 3gpp to allocate new configuration attribute called TIMEOUT_PERIOD_FOR_LIVENESS_CHECK for IKEv2. This is used to set the timeout after which the UE will do liveness check with other end if no cryptographically protecte

Re: [IPsec] IANA allocation of TIMEOUT_PERIOD_FOR_LIVENESS_CHECK

2016-02-25 Thread Valery Smyslov
Hi, I as an IANA expert got request from 3gpp to allocate new configuration attribute called TIMEOUT_PERIOD_FOR_LIVENESS_CHECK for IKEv2. This is used to set the timeout after which the UE will do liveness check with other end if no cryptographically protected IKEv2 or IPSec messages are not rec

Re: [IPsec] IANA allocation of TIMEOUT_PERIOD_FOR_LIVENESS_CHECK

2016-02-25 Thread Tero Kivinen
Paul Wouters writes: > On Thu, 25 Feb 2016, Tero Kivinen wrote: > > > I as an IANA expert got request from 3gpp to allocate new > > configuration attribute called TIMEOUT_PERIOD_FOR_LIVENESS_CHECK for > > IKEv2. This is used to set the timeout after which the UE will do > > liveness check with oth

Re: [IPsec] IANA allocation of TIMEOUT_PERIOD_FOR_LIVENESS_CHECK

2016-02-25 Thread Tero Kivinen
Valery Smyslov writes: > > I am thinking of saying "go ahead" for IANA for this allocation even > > when this do change the IKEv2 bit, as I think there are > > implementations using same interpretation out there, and I think this > > configuration attribute is mostly harmless. If we would have done

Re: [IPsec] draft-fluhrer-qr-ikev2-01

2016-02-25 Thread Valery Smyslov
It is a pity if QC protection mechanism won't work for these IKEv2 variants (as in your proposal). It won't. They are separate protocols, and they need to specify how they are going to make their protocol QC resistant. Which has nothing to do with this discussion, as G-IKEv2 is not IKEv2, nor

Re: [IPsec] IANA allocation of TIMEOUT_PERIOD_FOR_LIVENESS_CHECK

2016-02-25 Thread Paul Wouters
On Thu, 25 Feb 2016, Tero Kivinen wrote: It is notify from the server to client. I.e. client sends empty TIMEOUT_PERIOD_FOR_LIVENESS_CHECK in the CFG_REQUEST and server will send value in seconds inside its TIMEOUT_PERIOD_FOR_LIVENESS_CHECK in CFG_REPLY. I.e. the server asks client to use follow

Re: [IPsec] IANA allocation of TIMEOUT_PERIOD_FOR_LIVENESS_CHECK

2016-02-25 Thread Ivo Sedlacek
Hello, > > I am confused. Is this a notify of the server to the client, or a > > configuration item by the server instructing client behaviour? > > It is notify from the server to client. I.e. client sends empty > TIMEOUT_PERIOD_FOR_LIVENESS_CHECK in the CFG_REQUEST and > server will send valu

Re: [IPsec] IANA allocation of TIMEOUT_PERIOD_FOR_LIVENESS_CHECK

2016-02-25 Thread Ivo Sedlacek
Hello, In case you are interested in detailed procedures of the 3GPP specification, I have copied them at the end of this mail. > > I am confused. Is this a notify of the server to the client, or a > > configuration item by the server instructing client behaviour? > > It is notify from th

Re: [IPsec] draft-fluhrer-qr-ikev2-01

2016-02-25 Thread Scott Fluhrer (sfluhrer)
> -Original Message- > From: Tero Kivinen [mailto:kivi...@iki.fi] > Sent: Thursday, February 25, 2016 7:43 AM > To: Valery Smyslov > Cc: Scott Fluhrer (sfluhrer); ipsec@ietf.org > Subject: Re: [IPsec] draft-fluhrer-qr-ikev2-01 > > Valery Smyslov writes: > > > And what information do you

Re: [IPsec] Textual changes to the DDoS draft

2016-02-25 Thread Waltermire, David A.
I haven't seen any additional feedback on the DDoS draft this week based on Yoav's note about the PR [1]. It also looks like the discussion on chaining puzzles has wrapped up with no changes needed to the draft [2]. Unless there are any additional concerns with these issues, I believe we are rea

Re: [IPsec] Textual changes to the DDoS draft

2016-02-25 Thread Yoav Nir
> On 26 Feb 2016, at 2:03 AM, Waltermire, David A. > wrote: > > I haven’t seen any additional feedback on the DDoS draft this week based on > Yoav’s note about the PR [1]. It also looks like the discussion on chaining > puzzles has wrapped up with no changes needed to the draft [2]. Oh. My i

Re: [IPsec] Textual changes to the DDoS draft

2016-02-25 Thread Valery Smyslov
That was also my impression. And the draft is already being edited to include multiple puzzles. Valery. - Original Message - From: Yoav Nir To: Waltermire, David A. Cc: ipsec@ietf.org WG Sent: Friday, February 26, 2016 8:43 AM Subject: Re: [IPsec] Textual changes to the DD