Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth (fwd)
Tero Kivinen <kivinen@iki.fi> Mon, 26 January 2015 15:24 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0122C1A9087 for <ipsec@ietfa.amsl.com>; Mon, 26 Jan 2015 07:24:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level:
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YMj7jtxu7-CJ for <ipsec@ietfa.amsl.com>; Mon, 26 Jan 2015 07:24:20 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 346E31A9081 for <ipsec@ietf.org>; Mon, 26 Jan 2015 07:24:19 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t0QFOGvv026256 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 26 Jan 2015 17:24:16 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t0QFOGLY019274; Mon, 26 Jan 2015 17:24:16 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21702.23584.557958.684640@fireball.kivinen.iki.fi>
Date: Mon, 26 Jan 2015 17:24:16 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1501201009460.16777@bofh.nohats.ca>
References: <alpine.LFD.2.10.1501131139150.13941@bofh.nohats.ca> <038B7179C6EB4C5BB2A110AD37541204@buildpc> <21694.26453.977101.952972@fireball.kivinen.iki.fi> <alpine.LFD.2.10.1501201009460.16777@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 14 min
X-Total-Time: 13 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/-ihtgJsFtcd3k-vAjytXJJgCsLU>
Cc: IPsecME WG <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>
Subject: Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth (fwd)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jan 2015 15:24:22 -0000
Paul Wouters writes: > >> I think it is a server's policy issue. It can always restrict > >> the number of IPsec SAs from a single peer > >> by using NO_ADDITIONAL_SAS notification. > >> The document should not impose any restrictions here, IMHO. > > > > Agree. Implementations might also have different limits depending > > whether the other end is authenticated or unauthenticated, i.e. > > unauthenticated clients might only be able to create for example 10 > > Child SAs, and authenticated clients can create 1000 Child SAs... And > > btw child SAs are quite cheap, so the limit does not need to be 1 and > > 3... :) > > But what's the point? Just to protect th per-port IPsec SA's with > more PFS in CREATE_CHILD_SA ? For some reason people wnat to turn on PFS on TLS, so that NSA cannot break all the http-connections by just stealing that one key from the server. For the same reason IKE users who already do Diffie-Hellman during the IEK SA creation, might want to do separate PFS for different Child SAs, just to make things harder for attacker. Again as we are talking about un-authenticated connections, NSA can just do MitM in the beginning, and gain all traffic, but that is active attack, which might get detected. Doing passive storing of the all traffic and then breaking Diffie-Hellman later provides better ways of staying undetected for them. If we do one 1024-bit Diffie-Hellman using un-authenticated exchange, then they can break that one 1024-bit Diffie-Hellman and get all traffic protected by each Child SA. If we do PFS for each Child SA then they need first to break the IKE SA Diffie-Helman and then for each traffic flow second one... There are people who want this kind of feature. Thats why this draft should not have any text restricting per-flow SAs... It might have comment saying that because clients are un-authenticated, there might be need for tighter resource limits than for authenticated clients. > It will only cause interop failures. The client will not pick a > host-to-host but picks say port 80 only. Then it wants port 443 and > gets NO_ADDITIONAL_SAS. Then it needs to drop the port 80 SA and > restart everything to get the full range single SA. Why should that cause interop failures? This is all standard RFC7296 stuff already. We are not changing anything here related to this. > If you are not authenticated, what is the point in splitting up the > traffic in different IPsec SA's per protocol or port? Causing more work for the passive monitoring people breaking your multiple 1024-bit Diffie-Hellmans, instead of just breaking one. And you might use shorter Diffe-Hellman groups for performance reasons than with authneticated use cases. > The only use case I have heard of that could apply, is the use case > of being mandated to NOT encrypt something for auditing purposes. But > traffic selectors really suck for "everything but sip and smtp and pop > and imap" :P Yes, usually traffic selectors are either per IP, or per-flow. Anything else are usually just silly... And for most normal authenticated use cases per-flow SAs are not really that useful, but we still have them in RFC7296, and I do not see any reason why they should be removed in this document. The most common use cases for per-flow SAs is when you have multiuser system where different users use different IKE SAs and per-flow SAs. I have not really seen those used that much lately... -- kivinen@iki.fi
- [IPsec] WG Last Call on "The NULL Authentication … Paul Hoffman
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Hoffman
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Valery Smyslov
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Tero Kivinen
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Sean Turner
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Graham Bartlett (grbartle)
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Koning
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Valery Smyslov
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Tero Kivinen
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yoav Nir