Re: [6lo] [IPsec] Diet-ESP
Daniel Migault <mglt.ietf@gmail.com> Tue, 17 February 2015 15:48 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 753771A8A94; Tue, 17 Feb 2015 07:48:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 97c88HYhq1mM; Tue, 17 Feb 2015 07:47:52 -0800 (PST)
Received: from mail-wg0-x22d.google.com (mail-wg0-x22d.google.com [IPv6:2a00:1450:400c:c00::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07C7D1A8A85; Tue, 17 Feb 2015 07:47:48 -0800 (PST)
Received: by mail-wg0-f45.google.com with SMTP id k14so33612208wgh.4; Tue, 17 Feb 2015 07:47:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=F2maoaXMwY/sh3mUvMLo/BYEqNbqJMq1H9xKz1qhe08=; b=XZ58HjwCEl399OVg6RsX9wAKrDJCrXdrrJoG/uWG710NdWgtm0YnSnXnq7X/CL8xZE qrw2xvHi6xPDSB7V+7ViwjQdaTztCU0hEmWk/p5ZAbYUsjOSQZwu1Z/Ldc2Uq6TxHImo jZbzldAgcNFRzc4TlTeRqjMQBysMuZPf4igVHkeobqp9GFU9c1uJMMxuOslHMFLLHKJu kucrsQ7NnxUatX21GaHwMqPGKnQ4qgDELsew59ZLR2HOEVT8hsOlVXzFSZ24dIcPrRj3 +Y2BPx1XpZXSMyggGN7gck9naPF6uXl34w66XuTIl6PgHQvMtjNFzjl8oAGTUxPPTIQL tSHg==
MIME-Version: 1.0
X-Received: by 10.180.189.203 with SMTP id gk11mr57881479wic.32.1424188066794; Tue, 17 Feb 2015 07:47:46 -0800 (PST)
Received: by 10.194.68.39 with HTTP; Tue, 17 Feb 2015 07:47:46 -0800 (PST)
In-Reply-To: <A113ACFD9DF8B04F96395BDEACB340420D03A28E@xmb-rcd-x04.cisco.com>
References: <CADZyTkkqjSQe1HvMhLqg1g1-bxGc3iXB8kjL81qJgieCwV6h8Q@mail.gmail.com> <A113ACFD9DF8B04F96395BDEACB340420D03A28E@xmb-rcd-x04.cisco.com>
Date: Tue, 17 Feb 2015 16:47:46 +0100
Message-ID: <CADZyTkmssqtDFfLAae19w0-rxdiiE3TopgB21LbiEE1O-mQA=g@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Content-Type: multipart/alternative; boundary="001a11c32576d09388050f4a9fa6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/6lo/jEqiCHYDPBw502Fg0SPJwoup_lY>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Subject: Re: [6lo] [IPsec] Diet-ESP
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 15:48:00 -0000
Hi Scott,
Thank you for the feed back. I agree that compressing the ICV reduces
security related to authentication. Let's call this a "weak
authentication".
I am not saying it is a valid argument, but since IPsec enables NULL
authentication too, we considered that enabling "weak authentication" would
be possible with a clear warning in the security consideration.
The reason we are looking we are looking for weak authentication is to be
able to balance authentication with bandwidth optimization. In fact,
suppose you compute the mean/median over a thousand different value, that
one or two values are corrupted may not have much impact overall, and we
may prefer to extend the life time of the mote for 5 years instead.
Regarding you comment I think the issue ou raised is more related to GCM.
-- By the way I would be interested to have a description or relevant doc
describing why ICV in GCM particularly matters. One way to address the
issue you raised would be:
- 1) mention the need for weak authentication in the requirement draft
- 2) remove ICV compression from Diet-ESP
- 3) Define encryption protocols with weak authentication with
different sizes of the ICV. For example suppose AES-MODEX has an ICV of N,
then we may need to add AES-MODEX_i with i in [0 ... N-1].
The advantage of doing so is that it avoids end user to weaken the
protocols especially when one compression is fine with one protocol but not
with the others. In that sense it looks a better design.
However, I see the following drawbacks:
- It requires to create multiple encryption protocols. Unlike
compression, implementation cannot use existing implementation of AES-MODEX.
- Negociation for hosts accepting all AES-MODEX_i with i in [0 ... N-1]
requires many SA payload in the IKEv2 negotiation. However, we may deal
with this with a AES-MODEX_ALL to indicate the responder choses its
compression.
BR,
Daniel
On Tue, Feb 17, 2015 at 6:28 AM, Scott Fluhrer (sfluhrer) <
sfluhrer@cisco.com> wrote:
> Here’s an issue with this draft; it doesn’t meet the requirements that
> it claims. In particular, it claims that it is based on standard IPsec,
> and that its security is equivalent to IPsec (R1-R3). However, it allows
> (and, as far as I am concerned, encourages) the use of tiny ICVs; these
> tiny ICVs introduce security vulnerabilities that do not occur within sane
> configurations of IPsec (where sane includes using an integrity
> transform). In particular, using tiny ICVs with GCM is a known security
> issue.
>
>
>
> Now, it would be possible to have an encryption protocol that would not
> have issues with small ICVs (say, by using a wide block cipher); however
> this would be rather different than standard IPsec (in part because IPsec
> was never designed with these minimal bandwidth constraints); either we
> need to stay with an IPsec-based protocol (which implies a largish ICV), or
> go with something else (which would have less overhead, but doesn’t look
> that much like IPsec internally).
>
>
>
>
>
> Oh, and a minor note on the IV generation: it’s actually secure to use the
> same key you use to encrypt to encrypt the counter for the IV; you don’t
> need a separate key.
>
>
>
> *From:* IPsec [mailto:ipsec-bounces@ietf.org] *On Behalf Of *Daniel
> Migault
> *Sent:* Monday, February 16, 2015 10:08 PM
> *To:* 6lo@ietf.org
> *Cc:* ipsec@ietf.org
> *Subject:* [IPsec] Diet-ESP
>
>
>
> Please find the new version of Diet-ESP a compress IPsec/ESP for IoT. We
> have implemented and tested Diet-ESP. Compared to the standard IPsec/ESP,
> Diet-ESP can reduce the networking overhead added to unprotected data from
> 100% to a few percent. I will be happy to present these draft next IETF.
>
> Feel free to make comments!
>
> The drafts includes:
> 1) draft-mglt-6lo-diet-esp-requirements
> <http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp-requirements/>:
> lists the requirements for Diet-ESP
>
> 2) draft-mglt-6lo-aes-implicit-iv
> <http://datatracker.ietf.org/doc/draft-mglt-6lo-aes-implicit-iv/>:
> indicates how to avoid carrying the IV in each ESP packet. It is instead
> generated by each peers. The protocols described in the draft can be used
> with the regular IPsec/ESP.
>
> 3) draft-mglt-6lo-diet-esp
> <http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp/> describes the
> core Diet-ESP protocol, that is how to compress/decompress each fields of
> the standard IPsec/ESP. Compression is discribed through a Diet-ESP Context.
> 4) draft-mglt-6lo-diet-esp-payload-compression
> <http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp-payload-compression/>:
> describes how the clear text can be compressed before encryption. In fact
> unless IPsec/ESP is used with NULL encryption, the data in the ESP packet
> is encrypted. Encryption makes compression hard to perform. Instead
> compressing before encrypting can be very efficient. This makes possible to
> remove UDP/TPC/IP tunnel headers.
> 5) draft-mglt-6lo-diet-esp-context-ikev2-extension
> <http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp-context-ikev2-extension/>:
> describes how to negociate Diet-ESP with IKEv2. In fact this mostly result
> in an agreement for the DIet-ESP Context. This exchange may then be
> extended to Diet-HIP Exchange.
>
> BR,
>
> Daniel
>
> --
>
> Daniel Migault
> Orange Labs -- Security
> +33 6 70 72 69 58
>
--
Daniel Migault
Ericsson
- [6lo] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Stephen Kent
- Re: [6lo] [IPsec] Diet-ESP Carsten Bormann
- [6lo] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Hannes Tschofenig
- Re: [6lo] [IPsec] Diet-ESP Paul_Koning
- Re: [6lo] [IPsec] Diet-ESP Scott Fluhrer (sfluhrer)
- Re: [6lo] [IPsec] Diet-ESP Scott Fluhrer (sfluhrer)
- Re: [6lo] [IPsec] Diet-ESP Paul Wouters
- Re: [6lo] [IPsec] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Daniel Migault
- Re: [6lo] [IPsec] Diet-ESP Hannes Tschofenig
- Re: [6lo] [IPsec] Diet-ESP Paul_Koning