IETF Logo Mail Archive

Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

Daniel Van Geest <Daniel.VanGeest@isara.com> Wed, 09 August 2017 18:56 UTC

Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B29CD132489 for <ipsec@ietfa.amsl.com>; Wed, 9 Aug 2017 11:56:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dVoZzZXoT2SU for <ipsec@ietfa.amsl.com>; Wed, 9 Aug 2017 11:56:32 -0700 (PDT)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) by ietfa.amsl.com (Postfix) with ESMTP id 8236A13248A for <ipsec@ietf.org>; Wed, 9 Aug 2017 11:56:30 -0700 (PDT)
Received: from 172-1-110-12.lightspeed.sntcca.sbcglobal.net (HELO cas.isaracorp.com) ([172.1.110.12]) by ip2.isaracorp.com with ESMTP; 09 Aug 2017 18:56:18 +0000
Received: from mb.isaracorp.com (2002:ac01:6e0b::ac01:6e0b) by mb.isaracorp.com (2002:ac01:6e0b::ac01:6e0b) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 9 Aug 2017 14:56:23 -0400
Received: from mb.isaracorp.com ([fe80::9056:5d62:46d0:fe1f]) by mb.isaracorp.com ([fe80::9056:5d62:46d0:fe1f%12]) with mapi id 15.00.1044.021; Wed, 9 Aug 2017 14:56:23 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "Graham Bartlett (grbartle)" <grbartle@cisco.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJ8WOuAgABHkQCAAAxWgA==
Date: Wed, 09 Aug 2017 18:56:23 +0000
Message-ID: <BBE32F9A-E845-482E-8FEB-44722DE6FE60@isaracorp.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <B991A75E-0473-428E-95B8-39491D0EB098@isaracorp.com> <10412.1502302334@obiwan.sandelman.ca>
In-Reply-To: <10412.1502302334@obiwan.sandelman.ca>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.25.5.201]
Content-Type: multipart/alternative; boundary="_000_BBE32F9AE845482E8FEB44722DE6FE60isaracorpcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3CMF7zbqg-5IEQzCWcAHHUPj5Xw>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 18:56:35 -0000

On Aug 9, 2017, at 2:12 PM, Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>> wrote:
I don’t find the re-use of transform 4 in this proposal, and the
implicit combination of QS + non-QS algorithms, to be the most elegant,
though I can understand it in the context of not wanting to add a new
transform type.

So you are suggesting that the QR mechanism be a new transform type then?
I could live with that actually since it make the combinatorics easier to manage.

Yes, I’m suggesting reconsidering putting the QR key agreement algorithms in a new transform type. This is part of CJ’s & co's suggestion from the original draft, but this was rejected in Prague. Their transform type was added to the proposals in the SA payload, while I’m suggesting only using it in a new QS_SA payload. (Perhaps eventually it could migrate to the SA payload in future drafts if non-QR connections ever need to be removed from IKEv2).

The idea is to add the new transform type 6 (Q-S-Group) like CJ’s
proposal, but don’t include it in the SA payload. Rather, introduce a
new QS_SA payload which would be identical in structure to the SA
payload except that it would also include the Q-S-Group transform
type. An endpoint could configure the proposals in this payload to

I don't think we need to do this.
I think that unknown transform types will be ignored by compliant
implementations.

The reason why the original suggestion was rejected in Prague was because of backwards compatibility issues with non-compliant implementations. From experience, StrongSwan is non-compliant in this regard. If it receives a proposal with a transform type that it doesn’t understand it will pretend that the transform type isn’t there rather than rejecting the proposal and moving on to the next one. Thus it can end up responding with a proposal which the initiator didn’t suggest.

For example, if the initiator is configured to send:

ike=aes256-sha512-modp3072-newhope128,aes128-sha256-modp2048!

A non-upgraded StrongSwan will reply with:

aes256-sha512-modp3072

which from the initiator’s perspective is not one of its suggestions. The initiator will then error out and fail to establish the connection. We could define this new transform type as optional and hope that other implementations don’t behave even more poorly than this. But maybe an initiator doesn’t want to use aes256-sha512-modp3072 if it’s not talking to an upgraded responder, maybe for performance reasons it would prefer using weaker primitives with them.

Putting the QS proposals in a separate QS_SA payload would also allow an initiator to mark the payload as critical if it wants to require QS connections.

Something to keep in mind is that many QS key agreement algorithms
don’t have exactly the same message flow as Diffie Hellman. With DH,
each endpoint’s public/private keys can be generated independently of
each other. But many QS algorithms have an initiator-responder flow, so
the responder can only generate its public key once it has processed
the initiator’s public key. We just need to keep this in mind when
designing the flow of the PRE_AUTH messages. An initiator can’t send
the first chunk of a public key, and the responder reply with the first
chunk of their public key, the responder would need to process all
initiator chunks for that key first. This means the initiator would
have to send a special acknowledgement response for chunks that don’t
complete a public key rather than responding with a partial key when
receiving a partial key.

Would the initiator know how much data to expect from the responder?
If so, the initiator can just keep sending query messages to get new blocks
of data back.

I’d answer that with a tentative yes. From the algorithms I’ve seen that’s the case, though one could imagine an algorithm where some (possibly non-deterministic amount of?) padding is added for some reason or other? Regardless, even if the initiator doesn’t know the amount of data to expect, it can keep querying and the responder payload could include a terminator flag indicating it is the last chunk of data.

If we decide that we want to be able break up the QR public key payloads across multiple message exchanges, then do we have to add some mechanism for the endpoints to agree on the maximum size of each message? Declaring a chunk size as part of the spec may not be a good idea because some QR public keys are ~1.5Kb while others are >64Kb. So picking a small chunk size to avoid IKEv2 fragmentation means many message exchanges when using large key sizes, but picking large chunk sizes increases the changes of dropping IKEv2 fragments and having to retransmit entire messages.

—
Daniel Van Geest (daniel.vangeest@isara.com<mailto:daniel.vangeest@isara.com>)
https://www.isara.com/

v2.23.0 | Report a Bug | By Email