IETF Logo Mail Archive

Re: [Hipsec] Eric Rescorla's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Fri, 21 February 2020 13:35 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08F0912085C for <hipsec@ietfa.amsl.com>; Fri, 21 Feb 2020 05:35:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AiKaJuNI6yrc for <hipsec@ietfa.amsl.com>; Fri, 21 Feb 2020 05:35:26 -0800 (PST)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60418120859 for <hipsec@ietf.org>; Fri, 21 Feb 2020 05:35:26 -0800 (PST)
Received: by mail-lj1-x22f.google.com with SMTP id o15so2213358ljg.6 for <hipsec@ietf.org>; Fri, 21 Feb 2020 05:35:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=psmj4wcFkGZKvBWv/eLayYKvubvc1JM09BmLl6MgigE=; b=n6J9bNQuTEBGMp0t19l6EYCtU7OTaMX+CIs6G8Tfy/uupfGETDN1OkqAGYhxMgKrH4 1G5BQ/FI+/p16vEDWviSj7I/hFPlidORVE+4bl0UT3UyGd5zqrQ+qETNbi9/9UzQyfkB sBPk8mvkQrseYfeF5UEQ1bs0c+BwAmasaRPxYfo1Zgot6uHZyZU6Sz4O+CaUdQLON2WO oZ8ZcU/cER7IyOD1EtnpISJTH2AXE7dfPJhGJ/6/r3rIEllFzPN5k6EGSTBtBefY93Nu HZptuVjxmp0AglogTwRc8VPBw3d9Ilz2n8iMYMIZP1xmL24UZHuvB1YZB4iuXfvrNPb1 F3iA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=psmj4wcFkGZKvBWv/eLayYKvubvc1JM09BmLl6MgigE=; b=nxGpN7svxnjKUK1JTpCw3oiDySi8fMRCf1aFDghqNFbQ8lK0lE5hsKckmCFckDfnP3 6p2d92wuDvINifqdE53LkAs40TsQndPgrTNBcRQ+CglsNP+QPlZrfTY23mJRD24YcQlN S/fHQ4qikg4DVsMMp4vDgQz78k4Gp7T2Dk5qw21P+LL7gMA/AGMoY2RiWRFIpRAs6UJ4 h7nWX74gYG9hqIGQSSpDu6FfeEQYNHtdEqNddXeeGFzbWpycZL0ErNu7ctqzEl7mhqGy uZR8/musuBC/bWkeVukYd/o/4lZfb1teuDOjYxJiGVzi659UxeJnzxcVdT+4IBBfKplU fC9A==
X-Gm-Message-State: APjAAAWL57jLIkwvrUQH+sHF4H7jP5rApD+6iQ3Jvfqx/y3eH5Lg9Ssq 4L7yDdqicj0YkENOLb0KQf9eSp0SbjUxbNAXNTK/Rg==
X-Google-Smtp-Source: APXvYqykhfDgDeOmkZ0NIA6kaW+L+j7EA0yCRMaW1/dLd7LMBPdz8AUw3FwFjN3WYaH03SbL/WiGQ0ZGz+Vcg+bwNoY=
X-Received: by 2002:a2e:9b12:: with SMTP id u18mr22324875lji.274.1582292124446; Fri, 21 Feb 2020 05:35:24 -0800 (PST)
MIME-Version: 1.0
References: <152546246777.11589.13288594519409569524.idtracker@ietfa.amsl.com> <a657ffe0-3574-850e-3b8d-9b21f6f8825b@ericsson.com> <CABcZeBO3gLUZevW0zTN6RHiuYBY+7d-4DefSNBA3FzhXFWfGQw@mail.gmail.com> <47c0cdb7980fa6b9d85d71de926d24ea50a90930.camel@ericsson.com> <CABcZeBOVzKyd1Q6uYi66AFEazhW5OSOwYMBnUqGvjHRk4+0DtA@mail.gmail.com> <20b7460348acc2f3d958ab8ed66a70b49448289a.camel@ericsson.com> <CABcZeBNVBEATYW6-OKK8C0dJ=NzvhRp2N2xmStgNWqTYqQ7-xQ@mail.gmail.com> <82ded3745fe403d24c3866845f5f202f182f9d1e.camel@ericsson.com> <CABcZeBM2Tm5EuF=htBBD0qyYpKarvvgE_LbTKU8n9oBQVPZdsA@mail.gmail.com> <5df6df66bf1d1fdd28d94dfdbf85b17e0f9f4cb2.camel@ericsson.com>
In-Reply-To: <5df6df66bf1d1fdd28d94dfdbf85b17e0f9f4cb2.camel@ericsson.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 21 Feb 2020 05:34:47 -0800
Message-ID: <CABcZeBO2LDoB39-7EZo9kk-RGL96Bi4gJ1nwpXxGxwFEsyeuKQ@mail.gmail.com>
To: Miika Komu <miika.komu@ericsson.com>
Cc: "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hipsec@ietf.org" <hipsec@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000002c616059f1618bb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/A7JkHFWK17zJiLtosqIyf1lj2xI>
Subject: Re: [Hipsec] Eric Rescorla's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2020 13:35:32 -0000

Typically in security protocols we look for demonstrations of this. What is
your argument for why it cannot?

-Ekr


On Fri, Feb 21, 2020 at 4:25 AM Miika Komu <miika.komu@ericsson.com> wrote:

> Hi,
>
> to, 2020-02-20 kello 08:58 -0800, Eric Rescorla kirjoitti:
> >
> >
> > On Thu, Feb 20, 2020 at 7:38 AM Miika Komu <miika.komu@ericsson.com>
> > wrote:
> > > Hi Eric,
> > >
> > > to, 2020-02-20 kello 06:04 -0800, Eric Rescorla kirjoitti:
> > > >
> > > >
> > > > On Wed, Feb 19, 2020 at 10:50 PM Miika Komu <
> > > miika.komu@ericsson.com>
> > > > wrote:
> > > > > Hi Eric,
> > > > >
> > > > > ke, 2020-02-19 kello 13:20 -0800, Eric Rescorla kirjoitti:
> > > > > > > > > > S 5.8.
> > > > > > > > > >>
> > > > > > > > > >>    5.8.  RELAY_HMAC Parameter
> > > > > > > > > >>
> > > > > > > > > >>       As specified in Legacy ICE-HIP [RFC5770], the
> > > > > > > RELAY_HMAC
> > > > > > > > > parameter
> > > > > > > > > >>       value has the TLV type 65520.  It has the same
> > > > > > > semantics
> > > > > > > > > as RVS_HMAC
> > > > > > > > > >>       [RFC8004].
> > > > > > > > > >
> > > > > > > > > > What key is used for the HMAC?
> > > > > > > > >
> > > > > > > > > clarified this as follows:
> > > > > > > > >
> > > > > > > > > [..] It has the same semantics as RVS_HMAC as specified
> > > in
> > > > > > > section
> > > > > > > > > 4.2.1
> > > > > > > > > in [RFC8004].  Similarly as with RVS_HMAC, also
> > > RELAY_HMAC
> > > > > is
> > > > > > > is
> > > > > > > > > keyed
> > > > > > > > > with the HIP integrity key (HIP-lg or HIP-gl as
> > > specified
> > > > > in
> > > > > > > > > section 6.5
> > > > > > > > > in [RFC7401]), established during the relay
> > > registration
> > > > > > > procedure
> > > > > > > > > as
> > > > > > > > > described in Section 4.1.
> > > > > > > >
> > > > > > > > This seems like it might have potential for cross-
> > > protocol
> > > > > > > attacks on
> > > > > > > > the key. Why
> > > > > > > > is this OK>
> > > > > > >
> > > > > > > this is standard way of deriving keys in HIP. The keying
> > > > > procedure
> > > > > > > is
> > > > > > > the same as with specified in RFC8004. If there is some
> > > attack
> > > > > > > scenario, please describe it in detail?
> > > > > > > Or is there some editorial issue here?
> > > > > >
> > > > > > I'm not sure. When I read this text it appears to say that
> > > you
> > > > > should
> > > > > > be using the same key for two kinds of messages. Is that
> > > correct?
> > > > >
> > > > > the key is always specific to a Host Association, i.e., unique
> > > > > between
> > > > > a Relay Client and a Relay Server. So if there is a Rendezvous
> > > > > server
> > > > > (used with RVS_HMAC), this would be a different host and
> > > different
> > > > > Host
> > > > > Association. If the same host provides both rendezvous and
> > > relay
> > > > > service, it should be fine to reuse the same key.
> > > >
> > > > Why is that OK? Generally we try not to do this. Do you have a
> > > proof
> > > > that it is not possible to have one message mistaken for another?
> > >
> > > so I assume we are talking about the (artificial) case where a
> > > single
> > > host provides both Relay and Rendezvous service, and is
> > > communicating
> > > with a single registered Client? It's the same control channel, so
> > > I
> > > don't see any need to have different HMAC keys for different
> > > messages
> > > since it's still the same two hosts. Or maybe I misunderstood your
> > > scenario, so please elaborate?
> >
> > The concern is what's known as a "cross-protocol" attack. Is there
> > any situation in which there might be ambiguity about two message
> > types that are protected with the same key?
>
> I don't see any case where this could occur.
>

v2.23.0 | Report a Bug | By Email