Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02
"Tobias Guggemos" <guggemos@nm.ifi.lmu.de> Tue, 19 March 2019 17:28 UTC
Return-Path: <guggemos@nm.ifi.lmu.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E023B131562 for <ipsec@ietfa.amsl.com>; Tue, 19 Mar 2019 10:28:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jznyKFgG_Zsu for <ipsec@ietfa.amsl.com>; Tue, 19 Mar 2019 10:28:51 -0700 (PDT)
Received: from acheron.ifi.lmu.de (acheron.ifi.lmu.de [IPv6:2001:4ca0:4000:1:129:187:214:135]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEF58128B36 for <ipsec@ietf.org>; Tue, 19 Mar 2019 10:28:42 -0700 (PDT)
Received: from DESKTOP58DFL8T (ObiWan2.nm.ifi.lmu.de [141.84.218.130]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: guggemos) by acheron.ifi.lmu.de (Postfix) with ESMTPSA id A68273600C4; Tue, 19 Mar 2019 18:28:40 +0100 (CET)
From: Tobias Guggemos <guggemos@nm.ifi.lmu.de>
To: 'Valery Smyslov' <smyslov.ietf@gmail.com>, 'Tero Kivinen' <kivinen@iki.fi>, ipsec@ietf.org
References: <23688.31062.426962.985107@fireball.acr.fi> <01c701d4da41$3c61f890$b525e9b0$@gmail.com> <6454f07af680410e918431971f3489f2@XCH-ALN-010.cisco.com> <001e01d4ddac$5502d770$ff088650$@nm.ifi.lmu.de> <059301d4de2d$faa5a000$eff0e000$@gmail.com>
In-Reply-To: <059301d4de2d$faa5a000$eff0e000$@gmail.com>
Date: Tue, 19 Mar 2019 18:28:40 +0100
MIME-Version: 1.0
Message-ID: <000a01d4de79$31d3cc00$957b6400$@nm.ifi.lmu.de>
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHU2U0s6M7rbXuBv0SBwRv3SEEfn6YKvxmAgACvtICABiKNQIABBzyAgABckXA=
Content-Language: de
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha256"; boundary="=-=24Cjxmfapt+igW=-="
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/1uCMwgb8y1h_EqMUgPs7DlFAkl0>
Subject: Re: [IPsec] WG adoptation call for draft-smyslov-ipsecme-ikev2-aux-02
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 17:28:58 -0000
> > Hi Tobias, > > > Hey all, > > we have implemented the draft and found a few issues. > > Glad to know. We can do an interoperability testing, I guess :-) Would be great :-) > > > Overall, the separation of IKE_INTERMEDIATE and the > > draft-tjhai-ipsecme-hybrid-qske-ikev2-03 is not clear in some points. > > > > I personally like the idea of having a document on how to add a "pre-auth" > > exchange to IKEv2, however we’ve found that the two documents depend > > quite strongly on each other, which we found a bit of an implementation > issue: > > The idea is that hybrid-qske document depends on ikev2-aux document and > not vice versa. > If this failed in your opinion, that must be fixed. My opinion is, that IKE_INTERMEDIATE should not mention PQKE at all, if it is meant to be a framework document which is "just" there to define the message. I know that the main motivation for IKE_INTERMEDIATE is PQKE, but I don't feel that we're at a point where we can actually say for sure that this is the one and only way for PQKE and, thus, I'd prefer IKE_INTERMEDIATE to be completely independent of any Key Exchange related stuff! > > > 1. The draft does not say anything about payloads to be carried in the > > IKE_INTERMEDIATE message (except SK payload), which means it could > > either transfer "any payload" or "no payload". > > True. > > > >From a security perspective, I'd assume "no payload", which means the > > >draft > > specifies how to send an empty SK payload between IKE_INIT and > > IKE_AUTH, where "empty" means encrypted padding. > > You are right that the draft doesn't imply any requirements on the content of > SK payloads, so sending empty SK payload is allowed. This is OK, since, e.g. > the response to some payload in request message can be empty (just to > complete exchange). > > > So basically, we have a (standard-track RFC) document describing a > > message which cannot (I'd almost say MUST NOT) be implemented without > > the requirement to implement an additional document describing the > payload. > > Yes. And the draft explicitly says: > > The content of the INTERMEDIATE exchange messages depends on the > data > being transferred and will be defined by specifications utilizing > this exchange. > > Should I add some normative language here to make this even more explicit? > For example: > > The content of the INTERMEDIATE exchange messages depends on the > data > being transferred and MUST be defined by specifications utilizing > this exchange. > > Note, that it's a common case with any framework documents - the draft > describes only very basic things that must not depend on the content of the > SK payload - how to negotiate INTERMEDIATE exchanges, how to > authenticate them, how to handle errors etc. You can implement this draft > alone, but it's useless per its own. I'm not an expert in this kind of (framework) documents at all. My question is, is an empty IKE_INTERMEDIATE a potential security issue? If there is a chance that this is a potential thread (and I fear it'll be impossible to proof the opposite), my feeling is that the document should say that IKE_INTERMEDIATE MUST NOT be supported without the support of at least one document defining the payload. That would actually remove the necessity to NOTIFY the support of IKE_INTERMEDIATE, as any exchange utilizing IKE_INTERMEDIATE (e.g. PQKE) would directly infer the necessity to implement IKE_INTERMEDIATE with a detailed description of the allowed payload. However, I'm happy to learn if (and why) this is not security thread at all =) > > > 2. On the other hand, IKE_INTERMEDIATE describes how to use previously > > exchanged keys in order to secure (encrypt) the IKE_INTERMEDIATE traffic. > > If IKE_INTERMEDIATE is there to describe the messages and not the key > > exchange, I think the document should only say that the current key in > > the IKE SA should be used. > > Sorry, but in my reading the draft currently says exactly this: > > The keys SK_e[i/r] and SK_a[i/r] for the Encrypted payload in the > INTERMEDIATE exchanges are computed in a standard fashion, as defined > in the Section 2.14 of [RFC7296]. Every subsequent INTERMEDIATE > exchange uses the most recently calculated keys before this exchange > is started. The first INTERMEDIATE exchange always uses SK_e[i/r] > and SK_a[i/r] keys that were computed as result the IKE_SA_INIT > exchange. If this INTERMEDIATE exchange performs additional key > exchange resulting in the update of SK_e[i/r] and SK_a[i/r], then > these updated keys are used for encryption and authentication of next > INTERMEDIATE exchange, otherwise the current keys are used, and so > on. > > In my reading this text says exactly what you want it to say. > It doesn't give any hints how the keys are calculated - it says: > "use most recently calculated keys". So, if keys are not recalculated after > each INTERMEDIATE exchange, then SK_* from IKE_SA_INIT are always > used, otherwise the result of recalculation is used. > > How do you think the text can be improved to make this more clear? I'd completely remove the second part and only write: The keys SK_e[i/r] and SK_a[i/r] for the Encrypted payload in the INTERMEDIATE exchanges are computed in a standard fashion, as defined in the Section 2.14 of [RFC7296]. Every subsequent INTERMEDIATE exchange uses the most recently calculated keys before this exchange is started. > > > I'm not 100% sure if especially point 1 is an actual issue for an IETF > > document and if so how to solve it. > > One idea would be to define a (maybe informational/experimental) > > document like "how to add an additional pre-auth exchange in IKEv2", > > which can then be used by e.g. > > draft-tjhai-ipsecme-hybrid-qske-ikev2-03 to define the actual exchange. > > Standards Track RFC generally cannot have Normative reference to lower > grade RFCs, like Informational or Experimental (there are exceptions, but it's > a generic rule). So I think that INTERMEDIATE document must be Standards > Track. The idea about using not standard track would be, that any document using the IKE_INTERMEDIATE needs to define the actual message. I don't like this idea too much, but it would at least be clean that any message is defined completely by any future document. > > > Another idea would be to define a list of allowed payloads (e.g. by > > IANA registry). > > I'd rather to avoid this, as new payloads may appear in future. If we had an IANA registry for every payload allowed in IKE_INTERMEDIATE, that could easily be updated by future documents by registering a new value. I don't say this is the only way to go, but I feel it's cleaner than just saying it could be anything. I'd actually prefer what I mentioned above, not allowing IKE_INTERMEDIATE to be implemented without another document defining the actual payload. In any case, if we can discuss/change that after adoption, I'm completely fine and support adoption. > > > If the WG thinks that this is not an issue or can be solved after > > adoption, we support adoption and we were about to show and discuss > > some details on that (and other PQKE related stuff) in a presentation in > Prague. > > We just wanted to raise awareness and get a discussion on this > > (potential) issue before the adoption call ends. > > Thank you, > Valery. > > > > > Regards > > Tobias > > > > > -----Ursprüngliche Nachricht----- > > > Von: IPsec <ipsec-bounces@ietf.org> Im Auftrag von Panos Kampanakis > > > (pkampana) > > > Gesendet: Donnerstag, 14. März 2019 20:07 > > > An: 'Tero Kivinen' <kivinen@iki.fi>; ipsec@ietf.org > > > Betreff: Re: [IPsec] WG adoptation call for > > draft-smyslov-ipsecme-ikev2-aux- > > > 02 > > > > > > +1 on adopting this draft. > > > > > > -----Original Message----- > > > From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Valery Smyslov > > > Sent: Thursday, March 14, 2019 4:38 AM > > > To: 'Tero Kivinen' <kivinen@iki.fi>; ipsec@ietf.org > > > Subject: Re: [IPsec] WG adoptation call for > > draft-smyslov-ipsecme-ikev2-aux- > > > 02 > > > > > > Hi, > > > > > > as author of the document I (obviously) support its adoption. > > > It's a building block for QSKE solution (at least how the WG sees it > > > now) > > so I > > > think we should adopt it. > > > > > > Regards, > > > Valery. > > > > > > > This document has been stable for some time, and I think it is > > > > ready to go forward. Because of that I will start one week long WG > > > > adoptation call for this draft which will expire end of next week > > > > (2019-03-22). > > > > > > > > If you have any reasons why this should not be adopted as WG > > > > document, send email to the list as soon as possible. > > > > -- > > > > kivinen@iki.fi > > > > > > > > _______________________________________________ > > > > IPsec mailing list > > > > IPsec@ietf.org > > > > https://www.ietf.org/mailman/listinfo/ipsec > > > > > > _______________________________________________ > > > IPsec mailing list > > > IPsec@ietf.org > > > https://www.ietf.org/mailman/listinfo/ipsec > > > > > > _______________________________________________ > > > IPsec mailing list > > > IPsec@ietf.org > > > https://www.ietf.org/mailman/listinfo/ipsec > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] WG adoptation call for draft-smyslov-ipse… Tero Kivinen
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Panos Kampanakis (pkampana)
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos
- Re: [IPsec] WG adoptation call for draft-smyslov-… Paul Wouters
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Andreas Steffen
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Heider
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Paul Wouters
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Heider
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Heider
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Valery Smyslov
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Heider
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos
- Re: [IPsec] WG adoptation call for draft-smyslov-… Tobias Guggemos