Re: [Hipsec] Eric Rescorla's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)

Miika Komu <miika.komu@ericsson.com> Fri, 21 February 2020 12:25 UTC

Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32EFF120227; Fri, 21 Feb 2020 04:25:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G98Qfxa19j6E; Fri, 21 Feb 2020 04:25:44 -0800 (PST)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-eopbgr150059.outbound.protection.outlook.com [40.107.15.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3B05120114; Fri, 21 Feb 2020 04:25:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cyEkmNUSdM33WShoQhGK+MEnNOoV5aQ18Fy2Lfuh97ewQ16D3MUShIREemQX2vLY4YYdSY4iEnKI2kFfE66qEN6zsLoN/+sVQ0QnQjENu36RVvUix5ekCVbUajai9Cnu+uORKsAKyRa3NqAI898c3z5tvPF4xrlQk+KPKCd65YwAaouJC7hc6+JUZeIhaJqjDqmhJ3IsvwBVWjf63sRV9av56qomDP1BqbfN6GOIzcEJDQGq0oyGXKsne9QHefNZrT2ijlU7usac+IAPTdvGbdyb5VPFacrRImxSaMcvMT5YDAjAiRn0teLizIBkgpjwLm3Gc8T9MW9C+o/2vE+dJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fC434Zg9ReCoNZ7avKJveEFwsuSu96205TrK3znbzfA=; b=AFsHE5uSeuDZtqSML0OwMZck5wRS38f5Ai+WGrBe4jOgyclJyUA+3vrg2qz7befPvtfUVvZ91Wx18yrnBhArV0zmmT6Qn3EL1o2H/pcBib2uI1iKBQ++6TiSlYcCNFl5me3ZcUL7xhZ+GzHjYFwDuZQsd8xSDx0EUVerUzfrWhhk4wjiB77AlpSakoy1LJhmi6BURLq2PYlli6zWtm1C/eXxsYwDYquSjwX5srHKgGmdWtLxn/Op09telhrBFgTzrx/ui7VkD77pUDofI1Be+e/xY6mVQlmtBAFmIuE4jqI5N1puxewZV2os9OZjZ6K0CpUi+xYq9x+FyKyPipTC+w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fC434Zg9ReCoNZ7avKJveEFwsuSu96205TrK3znbzfA=; b=KjeQft58Z1aSyiLHvJl6Pj4xzGcqt3KwYvtm5QKReka8rmhn/t9QjaSeDBaN6RlLphbGJIz6RiKPmSNg0OCgLLOjtb91CbNkGs/XxGMwqLw9oAKVcgt41vkn2lOwS9RCOn8oQjCC5RcrTs5i26KFeknapAOW9w7niH0TL6xtFWg=
Received: from AM0PR07MB3876.eurprd07.prod.outlook.com (52.134.81.144) by AM0PR07MB6098.eurprd07.prod.outlook.com (20.178.112.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.9; Fri, 21 Feb 2020 12:25:41 +0000
Received: from AM0PR07MB3876.eurprd07.prod.outlook.com ([fe80::790c:4b51:77d2:7767]) by AM0PR07MB3876.eurprd07.prod.outlook.com ([fe80::790c:4b51:77d2:7767%5]) with mapi id 15.20.2750.016; Fri, 21 Feb 2020 12:25:41 +0000
From: Miika Komu <miika.komu@ericsson.com>
To: "ekr@rtfm.com" <ekr@rtfm.com>
CC: "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hipsec@ietf.org" <hipsec@ietf.org>
Thread-Topic: Eric Rescorla's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)
Thread-Index: AQHT497tUmBXmn8MOU+Q++wdbIVom6VF/FUAgE08J4CCk9E3AIAAA4SAgACfMACAAHlIgIAAGiSAgAAWWQCAAUYlgA==
Date: Fri, 21 Feb 2020 12:25:41 +0000
Message-ID: <5df6df66bf1d1fdd28d94dfdbf85b17e0f9f4cb2.camel@ericsson.com>
References: <152546246777.11589.13288594519409569524.idtracker@ietfa.amsl.com> <a657ffe0-3574-850e-3b8d-9b21f6f8825b@ericsson.com> <CABcZeBO3gLUZevW0zTN6RHiuYBY+7d-4DefSNBA3FzhXFWfGQw@mail.gmail.com> <47c0cdb7980fa6b9d85d71de926d24ea50a90930.camel@ericsson.com> <CABcZeBOVzKyd1Q6uYi66AFEazhW5OSOwYMBnUqGvjHRk4+0DtA@mail.gmail.com> <20b7460348acc2f3d958ab8ed66a70b49448289a.camel@ericsson.com> <CABcZeBNVBEATYW6-OKK8C0dJ=NzvhRp2N2xmStgNWqTYqQ7-xQ@mail.gmail.com> <82ded3745fe403d24c3866845f5f202f182f9d1e.camel@ericsson.com> <CABcZeBM2Tm5EuF=htBBD0qyYpKarvvgE_LbTKU8n9oBQVPZdsA@mail.gmail.com>
In-Reply-To: <CABcZeBM2Tm5EuF=htBBD0qyYpKarvvgE_LbTKU8n9oBQVPZdsA@mail.gmail.com>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.1
authentication-results: spf=none (sender IP is ) smtp.mailfrom=miika.komu@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6581e497-b3d5-4d6d-4fd7-08d7b6c92aba
x-ms-traffictypediagnostic: AM0PR07MB6098:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <AM0PR07MB6098974F227337CEE5D3BCFCFC120@AM0PR07MB6098.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0320B28BE1
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(366004)(396003)(136003)(39860400002)(189003)(199004)(81156014)(5660300002)(36756003)(66446008)(186003)(76116006)(53546011)(26005)(8676002)(6506007)(4326008)(66946007)(44832011)(54906003)(81166006)(2616005)(86362001)(66476007)(64756008)(8936002)(66556008)(6486002)(6916009)(2906002)(6512007)(316002)(71200400001)(478600001)(99106002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB6098; H:AM0PR07MB3876.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9c6iVQhgOv3KeyYLKa7wOH8Yrl/dPAPa2oQnX+EQyOK6jha511KzimaIpPpm7+Dp/oEpBFl62DHFCxAtStvSQwIc0y2SGpICzHXN8yGrXwEaXU41VtigRbMx1pqGe3rwLKmKuECQyiVi1i/SuZK4ILhwmPQCyESoBTjourSwQR/A8Ez3Aowka2ijvVdKUgCUwz9XaQ9aQxWXQO1gvX/b84m8b70Dcs7Crfn/AWsO/MpxCHZLz76fZps3j8AAGkBqObhOwikGzX8M+8Ch9nYNOpm43/6zxNV6yKow9fzOcL8o9Bji8BDbqgFmGeWew/f6H5bknwHJD7e9vIN0JIP0JUZ6zgviajNx1aQD3EckHLnXk787rgnVN0UUqB3a6tGKS7PhDWa2qj084pDITxoU71nXlKPx230LlIQM7p++Zn8ZTCew7CFEijgMxV8aMYNDB0E611FL/0P60I95NYVXokYCyZG6Cj+kEbezpgj0J9SFEEIoosyF2Wfwz8bPqrTj
x-ms-exchange-antispam-messagedata: JvK4qZjCrVh0Uq50OZoZ2S8v8yIsVnxUsZ6cvXJCg3rfvzzLHOwbUA5Csp3/cJH2E92WIr/wzXaOF1Y5ba5sFwAWyITsFvZERbh6NKj0yp02PMDwmKKSVY+eqvs1D4Twx96f4HXNJya5rDNR2xIa+A==
Content-Type: text/plain; charset="utf-8"
Content-ID: <AB9C949F3BAE5543BA009A5C51CC0C04@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6581e497-b3d5-4d6d-4fd7-08d7b6c92aba
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Feb 2020 12:25:41.6460 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2e9OuhwmMa6sz5v7oGIsRQTq2Y2ichzD9jviOORJja3b5me19TucT6bDWafFCk+uN+iV1L3xjX9ZIPJe76N90w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6098
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/SByspxHm9Y2IGQynzpDF4IPIhEs>
Subject: Re: [Hipsec] Eric Rescorla's Discuss on draft-ietf-hip-native-nat-traversal-28: (with DISCUSS and COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2020 12:25:47 -0000

Hi,

to, 2020-02-20 kello 08:58 -0800, Eric Rescorla kirjoitti:
> 
> 
> On Thu, Feb 20, 2020 at 7:38 AM Miika Komu <miika.komu@ericsson.com>
> wrote:
> > Hi Eric,
> > 
> > to, 2020-02-20 kello 06:04 -0800, Eric Rescorla kirjoitti:
> > > 
> > > 
> > > On Wed, Feb 19, 2020 at 10:50 PM Miika Komu <
> > miika.komu@ericsson.com>
> > > wrote:
> > > > Hi Eric,
> > > > 
> > > > ke, 2020-02-19 kello 13:20 -0800, Eric Rescorla kirjoitti:
> > > > > > > > > S 5.8.
> > > > > > > > >>    
> > > > > > > > >>    5.8.  RELAY_HMAC Parameter
> > > > > > > > >>    
> > > > > > > > >>       As specified in Legacy ICE-HIP [RFC5770], the
> > > > > > RELAY_HMAC
> > > > > > > > parameter
> > > > > > > > >>       value has the TLV type 65520.  It has the same
> > > > > > semantics
> > > > > > > > as RVS_HMAC
> > > > > > > > >>       [RFC8004].
> > > > > > > > > 
> > > > > > > > > What key is used for the HMAC?
> > > > > > > > 
> > > > > > > > clarified this as follows:
> > > > > > > > 
> > > > > > > > [..] It has the same semantics as RVS_HMAC as specified
> > in
> > > > > > section
> > > > > > > > 4.2.1 
> > > > > > > > in [RFC8004].  Similarly as with RVS_HMAC, also
> > RELAY_HMAC
> > > > is
> > > > > > is
> > > > > > > > keyed 
> > > > > > > > with the HIP integrity key (HIP-lg or HIP-gl as
> > specified
> > > > in
> > > > > > > > section 6.5 
> > > > > > > > in [RFC7401]), established during the relay
> > registration
> > > > > > procedure
> > > > > > > > as 
> > > > > > > > described in Section 4.1.
> > > > > > > 
> > > > > > > This seems like it might have potential for cross-
> > protocol
> > > > > > attacks on
> > > > > > > the key. Why
> > > > > > > is this OK>
> > > > > > 
> > > > > > this is standard way of deriving keys in HIP. The keying
> > > > procedure
> > > > > > is
> > > > > > the same as with specified in RFC8004. If there is some
> > attack
> > > > > > scenario, please describe it in detail?
> > > > > > Or is there some editorial issue here?
> > > > > 
> > > > > I'm not sure. When I read this text it appears to say that
> > you
> > > > should
> > > > > be using the same key for two kinds of messages. Is that
> > correct?
> > > > 
> > > > the key is always specific to a Host Association, i.e., unique
> > > > between
> > > > a Relay Client and a Relay Server. So if there is a Rendezvous
> > > > server
> > > > (used with RVS_HMAC), this would be a different host and
> > different
> > > > Host
> > > > Association. If the same host provides both rendezvous and
> > relay
> > > > service, it should be fine to reuse the same key.
> > > 
> > > Why is that OK? Generally we try not to do this. Do you have a
> > proof
> > > that it is not possible to have one message mistaken for another?
> > 
> > so I assume we are talking about the (artificial) case where a
> > single
> > host provides both Relay and Rendezvous service, and is
> > communicating
> > with a single registered Client? It's the same control channel, so
> > I
> > don't see any need to have different HMAC keys for different
> > messages
> > since it's still the same two hosts. Or maybe I misunderstood your
> > scenario, so please elaborate?
> 
> The concern is what's known as a "cross-protocol" attack. Is there
> any situation in which there might be ambiguity about two message
> types that are protected with the same key?

I don't see any case where this could occur.