IETF Logo Mail Archive

[IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06

Roman Danyliw <rdd@cert.org> Fri, 30 September 2022 22:19 UTC

Return-Path: <rdd@cert.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DB7FC14CF14 for <ipsec@ietfa.amsl.com>; Fri, 30 Sep 2022 15:19:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bdzbLBIyDqP for <ipsec@ietfa.amsl.com>; Fri, 30 Sep 2022 15:19:47 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0091.outbound.protection.office365.us [23.103.208.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E74C14F727 for <ipsec@ietf.org>; Fri, 30 Sep 2022 15:19:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=IwBigQpsl0Q1C9XvwMrSIVlSrlsTjnZYZhvRVzyo4ptBb2c2cOY9vr8hPMACqJxiyi+sp6fMTNswhP8YiHswqTUtKPbeOKENyG2+P9DUrLk+RzFJPKyWoZcZ2jNX1YrujCSNyZaCy3oHMHjIxz4dRTXY+xJ1+ZKlCuPLRAIFQ1S5wCKTPW7KRQNd9kECCxrL5kPUNCKwuhV6C4y5VNmaNTifOcqCyM8TpZEvFEF8wlI/iwb8YeQ6NCYxZyxfSGCAS50FdM+ggu+9f2oCnIB3ZTXVhISraVC3RFxoK1P8NByoO03JkeqIAC8xB33VewJrqhj1FWhXEW/DJ1BptIjJyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/SZd/N5XMQlBIFx+qvCbb5j1heZJO2bqMyZpHpN/XCw=; b=GnrKLXqU0BUlyfZKf3ljWVgNc492ZTNCEnx6Jk/zmwrB1e8TDmFbMgzO6o89Qrthe4oSpQmF+QLHxL05+TOyvUuYK1JycZymKH1zbIT0ctWJ6rtobmjNAKvhNtrZtKXpnezuqT9D1E1Qfni2ivvbQqgdMPyUq57i8hCc58he+Y57vy6BaRIfJlwd11gbRAuDxMcMdPZGdZ3OXyIE8cX/sSxEzZAToLWeRdavUc0PPv3cchYCjMef2sxXYeuk5QF5enEXstKZYCqf1VQn0cbbIiE3QkJ8ysabzhQzXsOER0+0ErXWyRsAH6qDhKI7rsw7FQQuVqnRYEJgo3tD2r6rdA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/SZd/N5XMQlBIFx+qvCbb5j1heZJO2bqMyZpHpN/XCw=; b=jqVDMUcraFBaEajPEXb3c64z2BY8qC6Z+zQtzMIZpkElZKkD9HzdVmq17da2zzy8KDxyWMQ91pXanWSgGkRL2mzf3PIJxwP/ZV6XakkBIGBk+OeZqSy/xG8Burwd3kVv/LuNgx3vhsX2uAQL/gt8j2YeBvwBj3n5jBA4L71h9dY=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1494.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:178::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5676.14; Fri, 30 Sep 2022 22:19:43 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::f0b6:8a8:ce34:f450]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::f0b6:8a8:ce34:f450%4]) with mapi id 15.20.5654.029; Fri, 30 Sep 2022 22:19:43 +0000
From: Roman Danyliw <rdd@cert.org>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06
Thread-Index: AdjVFve8l6i95Y8RTMyDGHjJmSSKlw==
Date: Fri, 30 Sep 2022 22:19:43 +0000
Message-ID: <BN2P110MB1107D456BF345148FADD88CFDC569@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1494:EE_
x-ms-office365-filtering-correlation-id: b9bbc587-6fd4-4a9f-c409-08daa331e00b
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: X8WKLvvsv7qxnG4REOyNbqTE/Yyxx0ZCoDTOZAL8uRaSA7TArxNi/pxSifdPTkABWTTmOOTYzXc2RvvNMahcQRjDm9ikGAOVr63fu/6nFEm7vIGsyCBurm463BCJZcRvxoP+VlIpWuGMkd0Rj3rptF8TS/quYOaritqWkL4FIrYQQPgDSeMgyNL//SuGgZNxMUwtSxvIFF/TM6Qb0u/cHJSjvvoD0RE8C/qmbv3fHqn0p4pIwBw2Y9shXuHdiQLZwoWWBAuFJB2++RGEJv776SYzsw2ueNvvlefOC0FsCEUvAntIY6sYXrtMXtNNLrPBuQc2rZFiebWsUlN2OgP4Gc5Ov2wwGwB/ispa8aKpB5u51w1dmOhpxOKHojrGMyStBO6Tp1rdaovtEDDQLdSmWNZqmwBNEOf2w2y1+YIYH2Od7G84YRIv+CA4Y9U7/a0F/5wY0UGvNpSnQa6K7SZj+4MQcSc6hXv/hV/i8B6tnvq8JYSrqm15fwCasp8wQTI7Jhds/vct1w39X7WqXvP+G9kkQe4Q6cQXXcyGD/q90i3udGTVaHjtljsmQ1hyUgM5nUzmnhs37mCf1oX9zCVd0MGnhdh/V3O/qOAMQ2Gk+rKDT7o5NR5ErHUgXx90sjoDeg9ibQbwgwpXWL6cw/lK2CYEjOu4zqbCTJljXDGuoagcQAG9QGrlhB1o++3k0CWUq/CcPtl+2kOLvotwBCHhNQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(71200400001)(966005)(498600001)(38100700002)(83380400001)(82960400001)(55016003)(122000001)(5660300002)(38070700005)(52536014)(33656002)(66556008)(64756008)(66476007)(86362001)(66946007)(9686003)(6506007)(26005)(66446008)(76116006)(7696005)(8676002)(6916009)(186003)(2906002)(8936002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 0gkL6MB4CbmjBSGa+kXOZQrXj8Y5v/BObHtBbS6A32zgPSzbIJgAsNnLFmw4682Zqr3gSL1HlZWcg+ZBSLpyU61aDdsiHp9f5/8OnDoOLF2SsDZYLuqLyyClu1mM9KqiFobkAZVeSfLMqtlsTFYClbE9U4VGwQB023KxPx3ywV5KLTC4IGN7nupElLFjlYNlVa+WfLuwaI2odu5rPG7DQKO9QqF2ELA9Engkn8bp+cjxg7rnn5y4GvMeGcyt5AebrM3btTn9fu4DSYtp0UeYWXgd/76pQYnar9IozjpJghF/RQpxqM0CuuTdBgB42pYHGj4Khx2epZu3J5d0b1Cd5CnG7fWKB+qswfzJH6Rs1uD7KgxclDQGQ3RDkNa1HKh2J3uVurSdRSDrWjGTheZZW9yT/o6wqJ/NyMRL9nNdyZs=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: b9bbc587-6fd4-4a9f-c409-08daa331e00b
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Sep 2022 22:19:43.3626 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1494
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3taFVdgJ2xEwqoQEA1ExzsuXrGM>
Subject: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2022 22:19:53 -0000

Hi!

I performed an AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06.  Thanks for the work on this document.

Per the shepherd write-up:

** Question 4

Several implementors have been integral in developing this document, thus 
implementors have indicated interest in implementing this. There is already
at least two interoperable implementations of this specification.

Could these implementations be explicitly named?

** Question 5

No. The document has already been reviewed by security area people, and 
the cryptographic algorithms are not part of this document, but are documented
separately. In addition reviews from cryptographers have already been received 
to the basic protocol.

With no disrespect intended to the expertise of the authors, what is the process used by the WG to review the robustness of the cryptographic mechanisms?  Was there an independent assessment beyond those on the author team?  Did the Crypto Panel have an independent look?

Now to the document:

** Section 1.2.  Editorial.

OLD
... is not limited to addressing the threat of
   quantum computer only.

NEW
... is not limited to only addressing the threat of a 
   quantum computer.

** Section 2.  Design Criteria #3

A passive attacker can
        eavesdrop on IPsec communication today and decrypt it once a
        quantum computer is available in the future.  This is a very
        serious attack for which we do not have a solution.  

Isn't this the same thing as design criteria #1?

** Section 2

Federal Information Processing Standards (FIPS) compliance.
        IPsec is widely used in Federal Information Systems and FIPS
        certification is an important requirement.  However, algorithms
        that are believed to be post-quantum are not FIPS compliant yet.
        Still, the goal is that the overall hybrid post-quantum IKEv2
        design can be FIPS compliant.

What kind of coordination was done to ensure that this design is FIPS compliant?  Do we have a read if it is?

Are multiple classic (EC)DH key exchanges FIPS compliant?

** Section 3.1

We assume that new Transform Type 4 identifiers will be assigned
   later to the various post-quantum key exchanges.

-- Please add reference to such as "[IANA-Type4-ID] https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8"

-- s/assigned later to the/assigned later for/

** Section 3.1.

   To be more specific,
   this document renames Transform Type 4 from "Diffie-Hellman Group
   (D-H)" to "Key Exchange Method (KE)" and renames a field in the Key
   Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange
   Method".  The corresponding IANA registry is also renamed from
   "Diffie-Hellman Group Transform IDs" to "Key Exchange Method
   Transform IDs".

Why repeat what is already spelled out more clearly in Section 4?

** Section 3.1.

   Note that this document assumes, that each key exchange method
   requires one round trip and consumes exactly one IKE_INTERMEDIATE
   exchange.  This assumption is valid for all classic key exchange
   methods defined so far and for all post-quantum methods currently
   known.  

Is ensuring that a chosen algorithm fits into a single exchange now an additional criterial for the DE for adding anything into the Type 4 ID registry?  If so, should this be stated?

** Section 3.1.  Typo. s/splitted/split/

** Section 3.2.  Editorial.  Colloquial language.  s/the initiator is happy with/the initiator starts/

** Section 3.2.  Editorial.

OLD
   In this case, the initiator performs the IKE_SA_INIT as usual,
   inserting a preferred key exchange (which is possibly a post-quantum
   algorithm) as the listed Transform Type 4, and including the
   initiator KE payload.  

NEW
In this case, the initiator performs the IKE_SA_INIT for a single key exchange using a Transform Type 4 (possibly with a post-quantum algorithm), and including the initiator KE payload.

** Section 3.2.1.  s/uses the protocol listed below./uses the protocol behavior listed below./

** Section 3.2.1.  What is the basis for the design choice allow up to 8 (1 in the IKE_SA_INIT + 7 via the AKE) key exchanges?  I don't have an intuition on why 7 is "just right".

** Section 3.2.1.

   However, for the Additional
   Key Exchange types, the responder's choice MUST NOT contain
   duplicated algorithms, except for the transform ID of NONE.  

If an initiator gets are response with such duplicates, what error or follow-up action should be taken?  In reverse, what happens if an initiator sends a responder a combination of Additional Key Exchange which are duplicates?

** Section 3.2.1.  Why is there a need to support non-consecutive Additional Key Exchange transforms?

** Section 3.2.1.  Editorial.  For clarity, recommend narrating the figure above.

OLD

In this example, the initiator proposes to perform initial key
   exchange using 4096-bit MODP group followed by two mandatory
   additional key exchanges using PQ_KEM_1 and PQ_KEM_2 methods in any
   order, then followed by additional key exchange using PQ_KEM_3 method
   that may be omitted.

NEW
In this example, the initiator proposes to perform initial key    exchange using 4096-bit MODP group followed by two mandatory additional key exchanges (i.e., Transform AKE2 and AKE3) using PQ_KEM_1 and PQ_KEM_2 methods in any order, then followed by additional key exchange (i.e., Transform AKE5) using PQ_KEM_3 method that may be omitted.

** Section 3.2.4.  Typo. s/splitted/split/

** Section 3.2.4.  Editorial. s/Since after IKE SA/After the IKE SA/

** Section 3.2.4.  Editorial. s/is <TBA by IANA>,/ is <TBA by IANA>, and/

** Section 3.2.4.  

The responder MUST handle this
   situation gracefully and delete the associated state if it does not
   receive the next expected IKE_FOLLOWUP_KE request after some
   reasonable period of time.

Is there a guidance on the timeout value?

** Section 3.2.5.

It is also possible to establish a fully post-quantum secure IKE SAs
   from additional key exchanges without using ...

Please soften the language "fully post-quantum secure."

** Section 3.2.5

   Consequently, if the peers' local policy requires that all Child SAs
   should be fully-protected, then the peers can avoid creating the very
   first Child SA by adopting [RFC6023].  

-- what does "fully protected" mean here?
-- If there is such a local policy, why wouldn't a quantum resistant KE be done in the initial IKE_SA_INIT?

** Section 4

-- Create sub-sections for each IANA registry being touched to help IANA parse these requests.  Merge the guidance in Section 4.1 into these sections.
-- Please explicitly state that [RFCXXXX] should be added as the associated reference.

** To make the request to IANA easier to process, please number the "TBAs" (i.e., TBA1, TBA2, TBA3, etc) in the inline document text.  Specifically:  

-- Section 3.2.1. TBA for AKE1 - 7
-- Section 3.2.3.  TBA for IKE_FOLLOWUP_KE
-- Section 3.2.4.  TBA for Notify Message Type
-- Section 3.2.4.  STATE_NOT_FOUND

** Section 4.

   This document renames Transform Type 4 defined in "Transform Type
   Values" registry from "Diffie-Hellman Group (D-H)" to "Key Exchange
   Method (KE)".

Should the Reference value also point to this document?

** Section 5. Consider repeating the threat model voiced at the beginning of the document to contextual the subsequent text.  

NEW (roughly)

The extension in this document is intended to mitigate two possible threats in IKEv2 - the compromise of (EC)DH key exchange using Shor's algorithm while remaining backward compatible; and the potential compromise of existing or future PQC key exchange algorithms.  To address the former threat, this extension allows the establishment of a shared secret by using multiple key exchanges -- one classical and the other quantum resistant.  To address the latter threat, multiple quantum resistant algorithm key exchanges cane be composed to form the shared key.

** Section 5.  Is there any significance to the order of the KEs?  Does 4096-bit MODP Group then PQ_KEM1 yield anything different than the reverse?  Should the classic KEM come before the PQC one(s)?

** Section 5.

   Post-quantum authenticity
   may be provided by using a post-quantum digital signature and several
   of them have been being explored by IETF.  For example, if the
   implementation is able to reliably track state, the hash based
   method, XMSS has the status of an RFC, see [RFC8391].  Currently,
   post-quantum authentication methods are not specified in this
   document, but are planned to be incorporated in due course.

-- What activity in the IETF exploring PQ digital signatures?

-- Is using XMSS a recommendation?

-- What is the planned due course referenced here?

** Appendix A.  Editorial.  To be explicit, s/are purely for information purposes/are non-normative/

** Appendix B. In the spirit of inclusive language, consider s/MitM/on-path/

Regards,
Roman

v2.23.0 | Report a Bug | By Email