[ippm] draft-ietf-ippm-ipsec-01 review
John Mattsson <john.mattsson@ericsson.com> Tue, 22 October 2013 21:37 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B67E11E82A5 for <ippm@ietfa.amsl.com>; Tue, 22 Oct 2013 14:37:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.418
X-Spam-Level:
X-Spam-Status: No, score=-6.418 tagged_above=-999 required=5 tests=[AWL=-0.769, BAYES_00=-2.599, HELO_EQ_SE=0.35, J_CHICKENPOX_48=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d+RDpwcHq91s for <ippm@ietfa.amsl.com>; Tue, 22 Oct 2013 14:37:16 -0700 (PDT)
Received: from mailgw1.ericsson.se (mailgw1.ericsson.se [193.180.251.45]) by ietfa.amsl.com (Postfix) with ESMTP id D55FA11E827A for <ippm@ietf.org>; Tue, 22 Oct 2013 14:36:59 -0700 (PDT)
X-AuditID: c1b4fb2d-b7f738e000003ee3-d4-5266efe66514
Received: from ESESSHC024.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw1.ericsson.se (Symantec Mail Security) with SMTP id D0.2B.16099.6EFE6625; Tue, 22 Oct 2013 23:36:38 +0200 (CEST)
Received: from ESESSMB307.ericsson.se ([169.254.7.88]) by ESESSHC024.ericsson.se ([153.88.183.90]) with mapi id 14.02.0328.009; Tue, 22 Oct 2013 23:36:38 +0200
From: John Mattsson <john.mattsson@ericsson.com>
To: "ippm@ietf.org" <ippm@ietf.org>
Thread-Topic: draft-ietf-ippm-ipsec-01 review
Thread-Index: Ac7PbUm7fxHy7g5dSjWMtSxLJHcnNg==
Date: Tue, 22 Oct 2013 21:36:37 +0000
Message-ID: <CAAB765F71FCD344B6BABC031C19EC490D54AF@ESESSMB307.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.148]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprDLMWRmVeSWpSXmKPExsUyM+Jvje6z92lBBl+aTCx6HrxjdmD0WLLk J1MAYxSXTUpqTmZZapG+XQJXRscmuYIPLhUzPh5kamD8bt7FyMkhIWAisWtzFwuELSZx4d56 ti5GDg4hgcOMEs/ruxi5gMzFjBJNk9+B1bAJGEjM3dPABmKLCChLtHz7wwhiCwtoSHy48IYJ Iq4rcX3JYVYIW0/i6IfbYPUsAqoSm7f2gtXzCnhLTDj+BSzOCLT3+6k1YL3MAuISt57MZ4K4 R0BiyZ7zzBC2qMTLx/9YIWwlicYlT1gh6vUkbkydwgZha0ssW/iaGWK+oMTJmU9YJjAKz0Iy dhaSlllIWmYhaVnAyLKKkT03MTMnvdxwEyMwhA9u+a27g/HUOZFDjNIcLErivB/eOgcJCaQn lqRmp6YWpBbFF5XmpBYfYmTi4JRqYCw1NM9b3LGm+/wBrRTPIHP9Ms3zAbPi3AuYipiDpc2c 7i+xE3ynzrbiteC0Hv9nNk0Sz3gnp/502nhDXPt+V9mDHVmfDwhf5hLXE+uw3C1wPlTsVMYp Rum9HD09b/8b8EzUuVl4bdPj12FqvefuPJsmsjni4umDC1/PX+L51K4+eWnkJCcTcyWW4oxE Qy3mouJEAD/C8r8vAgAA
Subject: [ippm] draft-ietf-ippm-ipsec-01 review
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ippm>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2013 21:37:22 -0000
Hi, I reviewed draft-ietf-ippm-ipsec-01, I think the issue is important, and I think the document is a good start. I do however have some the doubts regarding the suggested solution to extract keying material from IPsec. Here are my comments and suggestions. Best Regards John Comments on draft-ietf-ippm-ipsec-01 --------------------------------------------- In general I think the abstract and Introduction could be clearer in what the problems and use cases are and what the document tries to achieve. E.g. do the document want to measure the performance of IPsec or use IPsec for protection, or both. What are the problems, if any, of just sending O/TWAMP over the existing IPsec tunnel? - [Abstract] "it extends the applicability of O/TWAMP to networks that have already deployed IPsec" "Unfortunately, however, standard IP performance measurement security mechanisms cannot be readily used with IPsec." This gives the idea that you cannot use O/TWAMP with IPsec, but this is of course not true. You can e.g. send O/TWAMP over IPsec, and depending on the IPsec security policy database (SPD) you can send O/TWAMP outside of the IPsec tunnel. - [Section 1] "In particular, we note that it is not necessary to use distinct keys in OWAMP-Control and OWAMP-Test layers. One key for encryption and another for authentication is sufficient for both Control and Test layers. This obviates the need to generate two keys for each layer and reduces the complexity of O/TWAMP protocols in an IPsec environment. This observation comes from the fact that separate session keys in the OWAMP-Control and OWAMP-Test layers were designed for preventing reflection attacks when employing the current mechanism." I assume O/TWAMP uses different keys as is it bad security design to use the same key for two different purposes. Using the same key twice may leads a number of security problems - It easily causes so called "two-time pads" were the confidentiality is totally compromised. - For some algorithms the integrity may be compromised. - If one use of the keys has a cryptographic weakness so than an attacker can recover the key, the attacker has the use that key to attack both uses of the key. - It gives an attacker twice as much material (protected traffic) to work with. I therefore strongly recommends against using the same key twice unless you must, and in this case we do not. - [Section 3.1] The Server-Start message with Server-IV is missing from the text. Suggestion: "In the authenticated and encrypted modes, all further communication is encrypted using the AES Session-key and authenticated with the HMAC Session-key. After receiving Set-Up-Response the server responds with a Server-Start message containing Server-IV. The client encrypts everything it transmits through the just-established O/TWAMP-Control connection using stream encryption with Client-IV as the IV." - [Section 4] I think "IPsec SA" is old terminology for IKE(v1), all occurrences should be changed to "Child SA". - [Section 4] "Therefore, even if the peers choose to opt for the unauthenticated mode, IPsec integrity protection is extended to O/TWAMP. I think the document would be improved by discussing this and other options: O/TWAMP unauthenticated over existing Child SA with integrity. O/TWAMP unauthenticated over existing Child SA with encryption. O/TWAMP unauthenticated over existing Child SA with encryption and integrity. O/TWAMP unauthenticated over new Child SA with encryption and or integrity. in a separate section before the section on extracting keying material. It may very well be the case that O/TWAMP unauthenticated over the existing Child SA fulfills the user's security requirements. - [Section 3.4] "If the AH protocol is used, IP packets are transmitted in plaintext. The authentication part covers the entire packet. So all test information, such as UDP port number, and the test results will be visible to any attacker, which can intercept these test packets, and introduce errors or forge packets that may be injected during the transmission. In order to avoid this attack, the receiver must validate the integrity of these packets with the negotiated secret key." As the packeges are authenticated an attacker cannot forge or inject errors. And as the packages are not encrypted, reading the information cannot be considered an attack. I suggest deleting " to any attacker, which can intercept these test packets, and introduce errors or forge packets that may be injected during the transmission. In order to avoid this attack, the receiver must validate the integrity of these packets with the negotiated secret key. - [Section 3.4, Section 4] "If ESP is used, IP packets are encrypted" "When using ESP, all IP packets are encrypted" This is not true as ESP can be used with only integrity protection (NULL cipher). In fact, I think this is far more common than using AH. Instead of start talking about AH, I think the draft could list the three different ESP options (integrity and/or encryption) and then have a note stating that for AH have similar properties as ESP with NULL cipher. - [Section 4] >From a security perspective it would be very bad to allow extraction of SKEYSEED or KEYMAT. They could be used to passively eavesdrop on the IPsec traffic or to alter/inject messages. Even if we trust the O/TWAMP application to not be malicious, use of the same key in another application may cause security problems such as two-time pad, which completely compromises the confidentiality. A secure solution would be that the IPsec API returns a key that is derived from some of IPsec keying material. E.g. a new "KEYMAT" derived using some new random material instead of (Ni,Nr), e.g.: Shared secret = prf+( SK_d, SID ) Or a key derived from KEYMAT: Shared secret = PRF( KEYMAT, SID ) I strongly suggest removing the options that exposes the IPsec keying material, only keeping secure options, and adding text describing that it is the IPsec implementation that performs the key derivations. - [Section 4] While extracting keying material from IPsec would be nice, to my knowledge there is no standardized (or de facto standard) API to extract SKEYSEED, SK_d, KEYMAT or even SPI from an IPsec implementation. This was even one of the reasons IPsec was not chosen as the default security protocol for O/TWAMP. You could of course do it with a new proprietary implementation, but that kind of beats some of the purpose from the Abstract "gaining popularity in several deployment scenarios". Work on an IPsec API started a couple a years ago http://tools.ietf.org/html/draft-ietf-btns-ipsec-apireq-00 but died, and even that work did prohibit extraction of keying material and discouraged the extraction of SPI as the SPI might change. Has the API proposals been discussed in the ipsecme working group? - [Section 4] I think the approach in Section 4 with extracting keying material would only work with a proprietary IPsec implementation and modifications (adding new fields) to O/TWAMP. Have approaches that do not require extracting keying information been considered? If the Child SA is encrypted, a simpler approach would be to transfer the O/TWAMP shared secret in a similar manner as the O/TWAMP session key, e.g. in the KeyID field. This would just require changes to the function in the O/TWAMP that receives the shared secret, and no modifications to IPsec. At least if the Child SA is integrity protected, one approach would be to use Diffie-Hellman in O/TWAMP. This would still require new O/TWAMP fields but still be easier than the current suggestion as it does not require any changes to IPsec. A problem is still the lack of API to find out whether encryption or integrity is in use. Minor editorial comments on draft-ietf-ippm-ipsec-01 ------------------------------------------------------------------ - [s3.1] "OWAMP-Control commands" -> "O/TWAMP-Control commands" - [s4] "must be generated firstly" -> "must be generated first" - [s4] "session ID is is the" ------------------------------------------------------------------------------------ JOHN MATTSSON MSc Engineering Physics, MSc Business Administration and Economics Senior Researcher, Security Ericsson AB Security Research Färögatan 6 SE-164 80 Stockholm, Sweden Phone +46 10 71 43 501 SMS/MMS +46 76 11 53 501 john.mattsson at ericsson.com www.ericsson.com
- [ippm] draft-ietf-ippm-ipsec-01 review John Mattsson
- Re: [ippm] draft-ietf-ippm-ipsec-01 review Konstantinos Pentikousis
- Re: [ippm] draft-ietf-ippm-ipsec-01 review Zhanglijia (A)
- Re: [ippm] draft-ietf-ippm-ipsec-01 review Zhanglijia (A)
- Re: [ippm] draft-ietf-ippm-ipsec-01 review John Mattsson