Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis-11
"Valery Smyslov" <svanru@gmail.com> Tue, 13 September 2016 18:56 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6ECF12B025 for <ipsec@ietfa.amsl.com>; Tue, 13 Sep 2016 11:56:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kekh5ELWsYJd for <ipsec@ietfa.amsl.com>; Tue, 13 Sep 2016 11:56:22 -0700 (PDT)
Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C28E12B4E0 for <ipsec@ietf.org>; Tue, 13 Sep 2016 11:56:19 -0700 (PDT)
Received: by mail-lf0-x230.google.com with SMTP id h127so117522216lfh.0 for <ipsec@ietf.org>; Tue, 13 Sep 2016 11:56:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:in-reply-to:subject:date :mime-version:content-transfer-encoding:importance; bh=+wjEKjuSjyyTvniJ7+xgKOkW9e9BIcHlbOCG8zFLtfA=; b=rQRY1vlcXDN+4ddiTfpLGnpIjLJXYIszLweQclugGFU3dXWyUe5sGjtQTQg9EkS2fw GUwGwFkP5J4cqf+MzYhpOkXDprOLLBwAY6MJpi8dzZWFZ1pVt76yy/FPKVLhBFQ0vTTb UujK7twmAR2hEumJc8bcxEUeI7MT9qBGBBb44O+EScXOC/TYlwC08Zwxe1UU49WRjWmz QR+IjEEYWiUYojgMCWAw0YAozqqmhfkPInbnq0ro3oG6mFnPJyofVjB0t260u1fWsHSl Qiwt1a4t58dGNMZsEiHySER5O84gIxGFL3o1vlmFPsCqcDXWfr1A3vIaGXNo3QfPRGu6 MGWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:cc:references:in-reply-to :subject:date:mime-version:content-transfer-encoding:importance; bh=+wjEKjuSjyyTvniJ7+xgKOkW9e9BIcHlbOCG8zFLtfA=; b=HYUCglfVZarat/UsaCGxqt2MOzxeqlj8E1XWRPa2OVlTMLatwPUEiwM//3bXy1gd0X oIOUOxQoxLrCh+mxityCM1QTHcuW9zwfnHvX8m4sfSrTEj8l0f5jnRrfhzbsqpiHESNy 9DbkKnylQ5nErJpokRsHMBJKNXTE2SFr5fHbtevIK4sq6K3LObPP7OH2euVCMCpMFXZp t0CpJp9OicmwYSbT8cK05j3jAQ1hKYUWRnIKiSm7vBGiqgqHfOjJLcecyOIw0WClQ816 1H8wcSP4G9Z7HQwZQq8k213uPk4FFWWGlh4EFwh0uUj/lbg2cwiKDYhZudyi1g8fez3y ye2w==
X-Gm-Message-State: AE9vXwPN18r/z4IQivzvr4lJR00LaSDW5OLkFsEWHqh44Wgc6CaJS8ewCvaiXmuKQt9+lA==
X-Received: by 10.46.71.84 with SMTP id u81mr8259491lja.19.1473792977735; Tue, 13 Sep 2016 11:56:17 -0700 (PDT)
Received: from chichi (ppp83-237-167-213.pppoe.mtu-net.ru. [83.237.167.213]) by smtp.gmail.com with ESMTPSA id s3sm4171824lja.49.2016.09.13.11.56.15 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 13 Sep 2016 11:56:16 -0700 (PDT)
Message-ID: <841E948BC5B542BEBB0D53E5A2D064FA@chichi>
From: Valery Smyslov <svanru@gmail.com>
To: Paul Wouters <paul@nohats.ca>
References: <MWHPR09MB14403260340F6DBF4DADCD8DF0E40@MWHPR09MB1440.namprd09.prod.outlook.com> <08AB2EF60E5C4A9C8950483676619B4C@buildpc> <alpine.LRH.2.20.1609131126100.10788@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1609131126100.10788@bofh.nohats.ca>
Date: Tue, 13 Sep 2016 21:56:12 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/2tGg-nxsFE5iOpubiO1QOTOCSa4>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis-11
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2016 18:56:23 -0000
Hi Paul, > We have kept key lengths out of the tables on purpose. It matches the > tables at IANA that also do not list separate items for different key > lengths. Would "This requirement" instead of "This requirement level" > make that more clear? If you don't want to add key length column to the table, (what I think is a preferred way) then I suggest to add some words to corresponding paras that will reiterate: "these requirements are for those key sizes". >> And the comment (IoT) brings even more confusion. It states that >> "only 128-bit keys are at MUST level", while the line it refers to >> (ENCR_AES_CCM_8) indicates SHOULD level. > > That is an error. It should read "only 128-bit keys are at the SHOULD level" OK. And again I think it should be reiterated in the text below the table (besides the comment). > Note that I was hoping the (1) and (IoT) comments would appear similarly > indented so it becomes a little more clear and was planning to ask the > RFC Editor to ensure that. I was thinking of complaining about their current appearance (idented would be definitely better), but then I decided that it is a feature of xml2rfc. But you are right that RFC Editor can make them more better-looking. >> ENCR_AES_CBC is raised from SHOULD+ in [RFC4307] to MUST. It is the >> only shared mandatory-to-implement algorithm with RFC4307 and as a >> result it is necessary for interoperability with IKEv2 implementation >> compatible with RFC4307. >> >> However, it is not exactly true. The comment (1) indicates that both >> AES-128-CBC and AEC-256-CBC are now MUST, while in RFC4307 AES-256-CBC wasn't >> mentioned at all, so it definitely wasn't SHOULD+. >> So, this statement is true for AES-128-CBC and not true for AES-256-CBC. > > It is only because you do not want to see ENCR_AES_CBC without a key > size. We are talking about updating IANA entries, and the IANA entries > are not separate for keysize. We are talking about updating RFC4307 and it does include key size for AES-CBC (Section 3.1.1): For confidentiality, implementations MUST- implement 3DES-CBC and SHOULD+ implement AES-128-CBC. For integrity, HMAC-SHA1 MUST be implemented. Note, that it explicitely references AES-CBC with 128 bit key length, not any other. >> Section 3.2 >> >> If an algorithm is selected as the integrity algorithm, it SHOULD >> also be used as the PRF. >> >> That requirement isn't clear for me. Where it comes from? >> How it is justified? Is the document in the position to make such restrictive >> requirement? Isn't it a local policy matter? > > It came from me, after having talked to Tero about a TAHI test suite > test case. From what I understand from Tero, historically it was not > mandated in the IKEv2 RFC to use the same algorithm, although there is > really no argument in favour of using two different algorithms. If the > algo is good enough for INTEG, it is good enough for PRF. If one algo > is not good enough for either INTEG or PRF, then it is also not good > enough for the other. > > Our implementation does not allow one to specify a PRF different from > INTEG (unless INTEG is AUTH_NONE with an AEAD ENCR) > > I believe we ended up on SHOULD instead of MUST so this could be seen > as advise, and not a hard requirement. So it does not update the IKEv2 > core RFC in that respect. > > Do you have any use case where it makes sense that PRF != INTEG ? Sure. First, not any good MAC is a good PRF (but vice versa is true). Secondly, besides cryptographic properties there are also other considerations, like performance. For example, in Russia there is a standard MAC that is based on GOST cipher with reduced number of rounds. It is very fast, but it cannot be used as PRF. Coming back from Russian quirks, I can imagine the situation when I want to use SHA2-512 for PRF (because I don't want my conversation to be hacked offline in the future), but SHA1-HMAC-96 for MAC (because ICV tags are smaller comparing to SHA2 and I'm pretty confident in HMAC SHA1 security against _real_time_ attacks). And finally, I strongly oppose including such a restriction in this document, because from my point of view it is out of scope of the document. It has nothing with defining requirement levels for algorithms. Moreover SHOULD is a pretty strong requirement... >> PRF_HMAC_SHA1 has been downgraded from MUST in RFC4307 to MUST- as >> their is an industry-wide trend to deprecate its usage. >> >> I think some more reasons should be given besides "an industry-wide trend". >> Industry usually follows standards, so it's a bit silly to refer to industry >> trends >> as a reason here. I think some words about current concerns in the security >> of SHA1 should be added (like for PRF_HMAC_MD5 below). > > How about: > > "as cryptographic attacks against SHA1 are increasing, resulting in an > industry-wide trend to deprecate its usage" OK. >> Section 3.3 >> >> AUTH_HMAC_SHA1_96 has been downgraded from MUST in RFC4307 to MUST- >> as there is an industry-wide trend to deprecate its usage. >> >> See my comment above to the similar sentence in Section 3.2 > > Same. OK. >> It has been recommended by the CRFG and others as an >> alternative to AES-CBC and AES-GCM. >> >> What "others" mean? Isn't it too vague wording for Standards Track RFC? >> Either list these "others" (at least some of them) or remove reference to >> them. > > Agreed. I will propose removing "and others". OK. >> Section 3.2 >> >> PRF_HMAC_SHA2_256 was not mentioned in RFC4307, as no SHA2 based >> transforms were mentioned. >> >> This sentence makes little sence for me. Shouldn't second "mentioned" be >> "defined at that time"? > > They might have been defined, but what matters is that the document did > not reference them. Perhaps: > > As no SHA2 based transforms were referenced in RFC4307, PRF_HMAC_SHA2_256 > was not mentioned in RFC4307. Works for me. >> AUTH_AES-XCBC is only recommended in the scope of IoT, as Internet of >> Things deployments tend to prefer AES based pseudo-random functions >> in order to avoid implementing SHA2. >> >> s/AUTH_AES-XCBC/AUTH_AES-XCBC_96 (as in IANA Registry) > > Actually, we should add this to section 9 for renaming and call it > AUTH_AES_XCBC_96. Actually, it is already called AUTH_AES_XCBC_96 in the IANA registry. I wanted to point that it is erroneously called AUTH_AES-XCBC in this paragraph. >> Section 3.4 >> >> Group 19 or 256-bit random ECP group was not specified in RFC4307, as >> this group were not specified at that time. >> >> >> See my comment above about similar sentence in Section 3.2 > > The second "specified" here could be changed to "define" ? OK. > Paul Regards, Valery.
- [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis-11 Waltermire, David A. (Fed)
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Paul Wouters
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Paul Wouters
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Tero Kivinen
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Waltermire, David A. (Fed)