IETF Logo Mail Archive

Re: [6lo] [IPsec] Diet-ESP

Daniel Migault <mglt.ietf@gmail.com> Wed, 18 February 2015 03:44 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D6FD1A802C; Tue, 17 Feb 2015 19:44:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSHssa2afQkM; Tue, 17 Feb 2015 19:44:42 -0800 (PST)
Received: from mail-wg0-x235.google.com (mail-wg0-x235.google.com [IPv6:2a00:1450:400c:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38B5A1A8029; Tue, 17 Feb 2015 19:44:42 -0800 (PST)
Received: by mail-wg0-f53.google.com with SMTP id a1so23175582wgh.12; Tue, 17 Feb 2015 19:44:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=wK2jZKPpDJLb2CpLWxbxf4iq9bZeIN4E7lKSEhq5Hlo=; b=jwan7hsi9zhQcmD3etf2Xokirl+h5iB76mlyHPrsUrDCLbFjxFSsessj8kD+rBlSNM l3DgLrNJy7Y+kM+7qMGRgQq/WcmXkohsffRskHbtg80mpktcNkxbnjk70vUx5OIYJvqa HjPmEFdk2Gw9CQ1229sflIhaFD3AINZfcj3Ay+zh7VLcOozs76jKEg4UaLbE0v0xVsIe Cjzg/WLS0WrUFcsUFNDFqGTQ/uia43C3ok7STIEvFh1EwVJCMgsNc/rlKCV8dv+7ubPF O83DfVVthkCwgfCwqHNBORxlFlNrpyiRyH8AE4J/ky0tQ6uUvWliBnNrMhsvy5AHf5gU 6bdg==
MIME-Version: 1.0
X-Received: by 10.180.109.193 with SMTP id hu1mr694588wib.25.1424231080981; Tue, 17 Feb 2015 19:44:40 -0800 (PST)
Received: by 10.194.68.39 with HTTP; Tue, 17 Feb 2015 19:44:40 -0800 (PST)
In-Reply-To: <54E36E1F.60203@gmx.net>
References: <CADZyTkkqjSQe1HvMhLqg1g1-bxGc3iXB8kjL81qJgieCwV6h8Q@mail.gmail.com> <54E36E1F.60203@gmx.net>
Date: Wed, 18 Feb 2015 04:44:40 +0100
Message-ID: <CADZyTkkBOfRC+TKFgta7pDZHR7LwJAB4BqZrwhwA6DjKA3dFKg@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="e89a8f3ba7eda8f7df050f54a320"
Archived-At: <http://mailarchive.ietf.org/arch/msg/6lo/O7EFPF3a3wMcsCm0L8uMaVSwS2k>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Subject: Re: [6lo] [IPsec] Diet-ESP
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 03:44:47 -0000

Hi Hannes,

We designing Diet-ESP was to enable motes to secure their communications
and provide end-to-end security. This function is important for us and I
guess we are not the only one interested in this functionality.

We believe it is worth exposing how IPsec can be use to fit the IoT
constraints, regardless of what other protocols are providing.

There are probably other alternatives (like DTLS), however :
    - a) DTLS/IPsec address different use cases
    - b) no real comparison have been made possible between these security
protocols designed for IoT, and we believe IPsec is pretty efficient.

Current spec may not be perfect. However, the impact on security can
largely be under control. First of all Diet-ESP results in the combination
of ROHC ROHCoverIPsec which are already standard with deep security
reviews. Then most of the compressed fields are not security related.
Padding, Pad Len, Next Header have nothing to deal with security.

Security related fields are SN, ICV, SPI. SN and SPI are compressed means
that they have to be decompressed before applying IPsec/ESP. Because of the
compression/decompression these fields are not altered and from an
IPsec/ESP perspective compression is transparent. On the other hand,
appropriate values MUST be chosen so compression/decompression can occur.

In the case of the ICV, this value cannot be decompressed, and thus we have
to make things right. Two alternatives are proposed and I would be happy to
update the draft with the best one.

If you have specific security impacts in mind, please let us know.

BR,
Daniel


On Tue, Feb 17, 2015 at 5:36 PM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Daniel,
>
> I understand that you spend a lot of time in writing these
> specifications but, as mentioned in the past I just do not see the need
> for this type of standardization activity. Nobody I have spoken with
> asks for this functionality.
>
> If there is indeed a need for IPsec ESP use in IoT then I am not sure
> that the proposed optimizations are so useful given the impact for
> security.
>
> Ciao
> Hannes
>
> On 02/17/2015 04:08 AM, Daniel Migault wrote:
> > Please find the new version of Diet-ESP a compress IPsec/ESP for IoT. We
> > have implemented and tested Diet-ESP. Compared to the standard
> > IPsec/ESP, Diet-ESP can reduce the networking overhead added to
> > unprotected data from 100% to a few percent. I will be happy to present
> > these draft next IETF.
> >
> > Feel free to make comments!
> >
> > The drafts includes:
> >     1) draft-mglt-6lo-diet-esp-requirements
> > <http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp-requirements/>:
> > lists the requirements for Diet-ESP
> >     2) draft-mglt-6lo-aes-implicit-iv
> > <http://datatracker.ietf.org/doc/draft-mglt-6lo-aes-implicit-iv/>:
> > indicates how to avoid carrying the IV in each ESP packet. It is instead
> > generated by each peers. The protocols described in the draft can be
> > used with the regular IPsec/ESP.
> >     3) draft-mglt-6lo-diet-esp
> > <http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp/> describes the
> > core Diet-ESP protocol, that is how to compress/decompress each fields
> > of the standard IPsec/ESP. Compression is discribed through a Diet-ESP
> > Context.
> >     4) draft-mglt-6lo-diet-esp-payload-compression
> > <
> http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp-payload-compression/
> >:
> > describes how the clear text can be compressed before encryption. In
> > fact unless IPsec/ESP is used with NULL encryption, the data in the ESP
> > packet is encrypted. Encryption makes compression hard to perform.
> > Instead compressing before encrypting can be very efficient. This makes
> > possible to remove UDP/TPC/IP tunnel headers.
> >     5) draft-mglt-6lo-diet-esp-context-ikev2-extension
> > <
> http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp-context-ikev2-extension/
> >:
> > describes how to negociate Diet-ESP with IKEv2. In fact this mostly
> > result in an agreement for the DIet-ESP Context. This exchange may then
> > be extended to Diet-HIP Exchange.
> >
> > BR,
> > Daniel
> > --
> > Daniel Migault
> > Orange Labs -- Security
> > +33 6 70 72 69 58
> >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >
>
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email