[Anima] Tero: Re: [IPsec] Troubleshooting IPsec peer certs (was: Re: IPsec profile feedback wanted (draft autonomic control) plane)

Toerless Eckert <tte@cs.fau.de> Thu, 23 July 2020 11:53 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id F3BB63A07F0; Thu, 23 Jul 2020 04:53:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.118
X-Spam-Status: No, score=-1.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id TQfgix-ho3t8; Thu, 23 Jul 2020 04:53:48 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A427B3A0991; Thu, 23 Jul 2020 04:53:41 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de []) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 617EC5485D2; Thu, 23 Jul 2020 13:53:36 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 596E8440043; Thu, 23 Jul 2020 13:53:36 +0200 (CEST)
Date: Thu, 23 Jul 2020 13:53:36 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Tero Kivinen <kivinen@iki.fi>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, ipsec@ietf.org, anima@ietf.org
Message-ID: <20200723115336.GA30549@faui48f.informatik.uni-erlangen.de>
References: <alpine.LRH.2.22.394.2006191126200.32638@bofh.nohats.ca> <24142.1592760359@localhost> <24309.64229.308771.733097@fireball.acr.fi> <20200626161053.GQ41244@faui48f.informatik.uni-erlangen.de> <24315.37346.143409.46224@fireball.acr.fi> <20200630202812.GF13952@faui48f.informatik.uni-erlangen.de> <24336.33964.354779.953171@fireball.acr.fi> <6871.1595023836@localhost> <24342.51918.664855.708819@fireball.acr.fi> <21070.1595343265@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <21070.1595343265@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/eTvnaaLgS-Jpnkq3SzjWKGFO5hw>
Subject: [Anima] Tero: Re: [IPsec] Troubleshooting IPsec peer certs (was: Re: IPsec profile feedback wanted (draft autonomic control) plane)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 11:53:51 -0000

On Tue, Jul 21, 2020 at 10:54:25AM -0400, Michael Richardson wrote:
>     > Sometimes the problem is that there are devices there which do not
>     > support ECDSA at all, which means you are stuck with RSA for both root
>     > and EE for all devices. With CERTREQ some parts of the network can
>     > start use full ECDSA TA and EE and still interoperate with those
>     > devices which support both and get the "coolness" factor of not using
>     > RSA at all :-)
> I think that we say that we will tolerate RSA :-)
> So you are right: there could be devices which do not do ECDSA on day one,
> and in which case, you can't switch the keys at all.

I don't think this issue applies to ACP because both RSA and ECC / ECDSA
certificates are mandatory. Please check draft-ietf-anima-autonomic-control-plane-27,
section 6.1.1. I hope this should be sufficient, if not, then any text
fixes welcome.

Remember that ACP is not only summetric (no dedicated client/servers), but
also greenfield: aka: no need to think about IN THIS REVISION OF ACP about
legacy compatibility. IF/WHEN in the future we do provide update/extensions
to ACP, THEN we may get into considerations for two generations of nodes
talking to each other.

>     > Other similar cases comes when you merge authorization domains
>     > together, i.e., two companies merge and they both had their own CAs
>     > before, and not all devices support both CAs, so you need to pick
>     > correct certificate one when talking to one or another device.
> Yes, this is an important case.

Right now, draft-ietf-anima-autonomic-control-plane-27 does only specify to still
send a certificate, even if a CERTREQ was received from the peer, and no certificate
would match the TA in the CERTREQ. We discussed how this was for diagnostics.
See section

There is nothing in the current ACP text to say whether or not to send CERTREQ
right now. Given how the ACP just provides a refinement profile in section on top of RFC8247, and given how RFC8247 does not mention CERTREQ,
that leaves is with a "MAY send CERTREQ" (i paraphrase) from RFC7296 section

The domain merge is also of interest in ACP, so we could add a stronger
requirement against CERTREQ, but given how the documents we reference
(RFC8247/RFC7296), i am a bit suspicious about doing so. If CERTREQ is
so useful in non-ACP use caes, why is there no stronger than MAY in RFC7296
or RFC8247 ? Oversight in those IKEv2 RFCs ? Or are there some downsides
coming with it ?

I don't think i will add suc a requirement in this ACP spec because it
may be necessary to make the merge case work, but it is not sufficient,
and the set of components sufficient to support that use case is is
beyond the scope of this ACP base spec.

To give a hint: We only mandate use of EST, and if i wanted to support
a merge, or in general any use case where CERTREQ was useful, then i would
need to have nodes that would have two or more certs and CERTREQ is a
way to pick one of those multiple certs. And EST to the best of my
understandig does not allow to hand out more than one cert to a single
node. At least thats what i remember from having asked the quesrtion a few
times over the last 5 years.

We can still make merge work through extension documents, even without
fixing that EST limitation itself through other extensions of ACP, but
i think we would want a discuss first whether to rater do that or fix EST.

Or someone comes around and tells me this time that EST can be somehow
tricked to provide multiple certs to a single node.

>     >> So, we've been forced to use otherName, and this will cause new code in some
>     >> of the IKEv2 daemon that we need to use :-(
>     > No, you are not forced to use anything. Your ID could be KEY_ID with
> No, the ACP document has been forced to use otherName in it's
> certificates. That's nothing to do with IPsec/IKEv2.
> But, that that's what IKEv2 will have to deal with.

Actually, the ACP text currently says to use ID_IPV6_ADDR, but given how
the name of the ACP node is now an otherName, we _could_ signal it
via ID_DER_ASN1_GN, but IMHO ID_IPV6_ADDR is better.


> --
> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-

> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec