[IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06
Roman Danyliw <rdd@cert.org> Fri, 30 September 2022 22:19 UTC
Return-Path: <rdd@cert.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DB7FC14CF14 for <ipsec@ietfa.amsl.com>; Fri, 30 Sep 2022 15:19:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bdzbLBIyDqP for <ipsec@ietfa.amsl.com>; Fri, 30 Sep 2022 15:19:47 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0091.outbound.protection.office365.us [23.103.208.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E74C14F727 for <ipsec@ietf.org>; Fri, 30 Sep 2022 15:19:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=IwBigQpsl0Q1C9XvwMrSIVlSrlsTjnZYZhvRVzyo4ptBb2c2cOY9vr8hPMACqJxiyi+sp6fMTNswhP8YiHswqTUtKPbeOKENyG2+P9DUrLk+RzFJPKyWoZcZ2jNX1YrujCSNyZaCy3oHMHjIxz4dRTXY+xJ1+ZKlCuPLRAIFQ1S5wCKTPW7KRQNd9kECCxrL5kPUNCKwuhV6C4y5VNmaNTifOcqCyM8TpZEvFEF8wlI/iwb8YeQ6NCYxZyxfSGCAS50FdM+ggu+9f2oCnIB3ZTXVhISraVC3RFxoK1P8NByoO03JkeqIAC8xB33VewJrqhj1FWhXEW/DJ1BptIjJyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/SZd/N5XMQlBIFx+qvCbb5j1heZJO2bqMyZpHpN/XCw=; b=GnrKLXqU0BUlyfZKf3ljWVgNc492ZTNCEnx6Jk/zmwrB1e8TDmFbMgzO6o89Qrthe4oSpQmF+QLHxL05+TOyvUuYK1JycZymKH1zbIT0ctWJ6rtobmjNAKvhNtrZtKXpnezuqT9D1E1Qfni2ivvbQqgdMPyUq57i8hCc58he+Y57vy6BaRIfJlwd11gbRAuDxMcMdPZGdZ3OXyIE8cX/sSxEzZAToLWeRdavUc0PPv3cchYCjMef2sxXYeuk5QF5enEXstKZYCqf1VQn0cbbIiE3QkJ8ysabzhQzXsOER0+0ErXWyRsAH6qDhKI7rsw7FQQuVqnRYEJgo3tD2r6rdA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/SZd/N5XMQlBIFx+qvCbb5j1heZJO2bqMyZpHpN/XCw=; b=jqVDMUcraFBaEajPEXb3c64z2BY8qC6Z+zQtzMIZpkElZKkD9HzdVmq17da2zzy8KDxyWMQ91pXanWSgGkRL2mzf3PIJxwP/ZV6XakkBIGBk+OeZqSy/xG8Burwd3kVv/LuNgx3vhsX2uAQL/gt8j2YeBvwBj3n5jBA4L71h9dY=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1494.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:178::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5676.14; Fri, 30 Sep 2022 22:19:43 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::f0b6:8a8:ce34:f450]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::f0b6:8a8:ce34:f450%4]) with mapi id 15.20.5654.029; Fri, 30 Sep 2022 22:19:43 +0000
From: Roman Danyliw <rdd@cert.org>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06
Thread-Index: AdjVFve8l6i95Y8RTMyDGHjJmSSKlw==
Date: Fri, 30 Sep 2022 22:19:43 +0000
Message-ID: <BN2P110MB1107D456BF345148FADD88CFDC569@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1494:EE_
x-ms-office365-filtering-correlation-id: b9bbc587-6fd4-4a9f-c409-08daa331e00b
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: X8WKLvvsv7qxnG4REOyNbqTE/Yyxx0ZCoDTOZAL8uRaSA7TArxNi/pxSifdPTkABWTTmOOTYzXc2RvvNMahcQRjDm9ikGAOVr63fu/6nFEm7vIGsyCBurm463BCJZcRvxoP+VlIpWuGMkd0Rj3rptF8TS/quYOaritqWkL4FIrYQQPgDSeMgyNL//SuGgZNxMUwtSxvIFF/TM6Qb0u/cHJSjvvoD0RE8C/qmbv3fHqn0p4pIwBw2Y9shXuHdiQLZwoWWBAuFJB2++RGEJv776SYzsw2ueNvvlefOC0FsCEUvAntIY6sYXrtMXtNNLrPBuQc2rZFiebWsUlN2OgP4Gc5Ov2wwGwB/ispa8aKpB5u51w1dmOhpxOKHojrGMyStBO6Tp1rdaovtEDDQLdSmWNZqmwBNEOf2w2y1+YIYH2Od7G84YRIv+CA4Y9U7/a0F/5wY0UGvNpSnQa6K7SZj+4MQcSc6hXv/hV/i8B6tnvq8JYSrqm15fwCasp8wQTI7Jhds/vct1w39X7WqXvP+G9kkQe4Q6cQXXcyGD/q90i3udGTVaHjtljsmQ1hyUgM5nUzmnhs37mCf1oX9zCVd0MGnhdh/V3O/qOAMQ2Gk+rKDT7o5NR5ErHUgXx90sjoDeg9ibQbwgwpXWL6cw/lK2CYEjOu4zqbCTJljXDGuoagcQAG9QGrlhB1o++3k0CWUq/CcPtl+2kOLvotwBCHhNQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(71200400001)(966005)(498600001)(38100700002)(83380400001)(82960400001)(55016003)(122000001)(5660300002)(38070700005)(52536014)(33656002)(66556008)(64756008)(66476007)(86362001)(66946007)(9686003)(6506007)(26005)(66446008)(76116006)(7696005)(8676002)(6916009)(186003)(2906002)(8936002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 0gkL6MB4CbmjBSGa+kXOZQrXj8Y5v/BObHtBbS6A32zgPSzbIJgAsNnLFmw4682Zqr3gSL1HlZWcg+ZBSLpyU61aDdsiHp9f5/8OnDoOLF2SsDZYLuqLyyClu1mM9KqiFobkAZVeSfLMqtlsTFYClbE9U4VGwQB023KxPx3ywV5KLTC4IGN7nupElLFjlYNlVa+WfLuwaI2odu5rPG7DQKO9QqF2ELA9Engkn8bp+cjxg7rnn5y4GvMeGcyt5AebrM3btTn9fu4DSYtp0UeYWXgd/76pQYnar9IozjpJghF/RQpxqM0CuuTdBgB42pYHGj4Khx2epZu3J5d0b1Cd5CnG7fWKB+qswfzJH6Rs1uD7KgxclDQGQ3RDkNa1HKh2J3uVurSdRSDrWjGTheZZW9yT/o6wqJ/NyMRL9nNdyZs=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: b9bbc587-6fd4-4a9f-c409-08daa331e00b
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Sep 2022 22:19:43.3626 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1494
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3taFVdgJ2xEwqoQEA1ExzsuXrGM>
Subject: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2022 22:19:53 -0000
Hi! I performed an AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06. Thanks for the work on this document. Per the shepherd write-up: ** Question 4 Several implementors have been integral in developing this document, thus implementors have indicated interest in implementing this. There is already at least two interoperable implementations of this specification. Could these implementations be explicitly named? ** Question 5 No. The document has already been reviewed by security area people, and the cryptographic algorithms are not part of this document, but are documented separately. In addition reviews from cryptographers have already been received to the basic protocol. With no disrespect intended to the expertise of the authors, what is the process used by the WG to review the robustness of the cryptographic mechanisms? Was there an independent assessment beyond those on the author team? Did the Crypto Panel have an independent look? Now to the document: ** Section 1.2. Editorial. OLD ... is not limited to addressing the threat of quantum computer only. NEW ... is not limited to only addressing the threat of a quantum computer. ** Section 2. Design Criteria #3 A passive attacker can eavesdrop on IPsec communication today and decrypt it once a quantum computer is available in the future. This is a very serious attack for which we do not have a solution. Isn't this the same thing as design criteria #1? ** Section 2 Federal Information Processing Standards (FIPS) compliance. IPsec is widely used in Federal Information Systems and FIPS certification is an important requirement. However, algorithms that are believed to be post-quantum are not FIPS compliant yet. Still, the goal is that the overall hybrid post-quantum IKEv2 design can be FIPS compliant. What kind of coordination was done to ensure that this design is FIPS compliant? Do we have a read if it is? Are multiple classic (EC)DH key exchanges FIPS compliant? ** Section 3.1 We assume that new Transform Type 4 identifiers will be assigned later to the various post-quantum key exchanges. -- Please add reference to such as "[IANA-Type4-ID] https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8" -- s/assigned later to the/assigned later for/ ** Section 3.1. To be more specific, this document renames Transform Type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renames a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method". The corresponding IANA registry is also renamed from "Diffie-Hellman Group Transform IDs" to "Key Exchange Method Transform IDs". Why repeat what is already spelled out more clearly in Section 4? ** Section 3.1. Note that this document assumes, that each key exchange method requires one round trip and consumes exactly one IKE_INTERMEDIATE exchange. This assumption is valid for all classic key exchange methods defined so far and for all post-quantum methods currently known. Is ensuring that a chosen algorithm fits into a single exchange now an additional criterial for the DE for adding anything into the Type 4 ID registry? If so, should this be stated? ** Section 3.1. Typo. s/splitted/split/ ** Section 3.2. Editorial. Colloquial language. s/the initiator is happy with/the initiator starts/ ** Section 3.2. Editorial. OLD In this case, the initiator performs the IKE_SA_INIT as usual, inserting a preferred key exchange (which is possibly a post-quantum algorithm) as the listed Transform Type 4, and including the initiator KE payload. NEW In this case, the initiator performs the IKE_SA_INIT for a single key exchange using a Transform Type 4 (possibly with a post-quantum algorithm), and including the initiator KE payload. ** Section 3.2.1. s/uses the protocol listed below./uses the protocol behavior listed below./ ** Section 3.2.1. What is the basis for the design choice allow up to 8 (1 in the IKE_SA_INIT + 7 via the AKE) key exchanges? I don't have an intuition on why 7 is "just right". ** Section 3.2.1. However, for the Additional Key Exchange types, the responder's choice MUST NOT contain duplicated algorithms, except for the transform ID of NONE. If an initiator gets are response with such duplicates, what error or follow-up action should be taken? In reverse, what happens if an initiator sends a responder a combination of Additional Key Exchange which are duplicates? ** Section 3.2.1. Why is there a need to support non-consecutive Additional Key Exchange transforms? ** Section 3.2.1. Editorial. For clarity, recommend narrating the figure above. OLD In this example, the initiator proposes to perform initial key exchange using 4096-bit MODP group followed by two mandatory additional key exchanges using PQ_KEM_1 and PQ_KEM_2 methods in any order, then followed by additional key exchange using PQ_KEM_3 method that may be omitted. NEW In this example, the initiator proposes to perform initial key exchange using 4096-bit MODP group followed by two mandatory additional key exchanges (i.e., Transform AKE2 and AKE3) using PQ_KEM_1 and PQ_KEM_2 methods in any order, then followed by additional key exchange (i.e., Transform AKE5) using PQ_KEM_3 method that may be omitted. ** Section 3.2.4. Typo. s/splitted/split/ ** Section 3.2.4. Editorial. s/Since after IKE SA/After the IKE SA/ ** Section 3.2.4. Editorial. s/is <TBA by IANA>,/ is <TBA by IANA>, and/ ** Section 3.2.4. The responder MUST handle this situation gracefully and delete the associated state if it does not receive the next expected IKE_FOLLOWUP_KE request after some reasonable period of time. Is there a guidance on the timeout value? ** Section 3.2.5. It is also possible to establish a fully post-quantum secure IKE SAs from additional key exchanges without using ... Please soften the language "fully post-quantum secure." ** Section 3.2.5 Consequently, if the peers' local policy requires that all Child SAs should be fully-protected, then the peers can avoid creating the very first Child SA by adopting [RFC6023]. -- what does "fully protected" mean here? -- If there is such a local policy, why wouldn't a quantum resistant KE be done in the initial IKE_SA_INIT? ** Section 4 -- Create sub-sections for each IANA registry being touched to help IANA parse these requests. Merge the guidance in Section 4.1 into these sections. -- Please explicitly state that [RFCXXXX] should be added as the associated reference. ** To make the request to IANA easier to process, please number the "TBAs" (i.e., TBA1, TBA2, TBA3, etc) in the inline document text. Specifically: -- Section 3.2.1. TBA for AKE1 - 7 -- Section 3.2.3. TBA for IKE_FOLLOWUP_KE -- Section 3.2.4. TBA for Notify Message Type -- Section 3.2.4. STATE_NOT_FOUND ** Section 4. This document renames Transform Type 4 defined in "Transform Type Values" registry from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)". Should the Reference value also point to this document? ** Section 5. Consider repeating the threat model voiced at the beginning of the document to contextual the subsequent text. NEW (roughly) The extension in this document is intended to mitigate two possible threats in IKEv2 - the compromise of (EC)DH key exchange using Shor's algorithm while remaining backward compatible; and the potential compromise of existing or future PQC key exchange algorithms. To address the former threat, this extension allows the establishment of a shared secret by using multiple key exchanges -- one classical and the other quantum resistant. To address the latter threat, multiple quantum resistant algorithm key exchanges cane be composed to form the shared key. ** Section 5. Is there any significance to the order of the KEs? Does 4096-bit MODP Group then PQ_KEM1 yield anything different than the reverse? Should the classic KEM come before the PQC one(s)? ** Section 5. Post-quantum authenticity may be provided by using a post-quantum digital signature and several of them have been being explored by IETF. For example, if the implementation is able to reliably track state, the hash based method, XMSS has the status of an RFC, see [RFC8391]. Currently, post-quantum authentication methods are not specified in this document, but are planned to be incorporated in due course. -- What activity in the IETF exploring PQ digital signatures? -- Is using XMSS a recommendation? -- What is the planned due course referenced here? ** Appendix A. Editorial. To be explicit, s/are purely for information purposes/are non-normative/ ** Appendix B. In the spirit of inclusive language, consider s/MitM/on-path/ Regards, Roman
- [IPsec] AD review of draft-ietf-ipsecme-ikev2-mul… Roman Danyliw
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2… Andreas Steffen
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2… Roman Danyliw
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2… CJ Tjhai
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2… Roman Danyliw
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2… Roman Danyliw
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2… Tero Kivinen
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2… Valery Smyslov
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2… CJ Tjhai
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2… Roman Danyliw