Re: [IPsec] Teaser for pitch talk at IETF 108
Steffen Klassert <steffen.klassert@secunet.com> Wed, 29 July 2020 10:05 UTC
Return-Path: <Steffen.Klassert@secunet.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3674C3A0745 for <ipsec@ietfa.amsl.com>; Wed, 29 Jul 2020 03:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6CzKwSkEFO8 for <ipsec@ietfa.amsl.com>; Wed, 29 Jul 2020 03:05:02 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [62.96.220.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C0C43A0593 for <ipsec@ietf.org>; Wed, 29 Jul 2020 03:05:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 5C02620533; Wed, 29 Jul 2020 12:04:59 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L6wf9Z-jHpIz; Wed, 29 Jul 2020 12:04:58 +0200 (CEST)
Received: from mail-essen-02.secunet.de (mail-essen-02.secunet.de [10.53.40.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id CC82020299; Wed, 29 Jul 2020 12:04:58 +0200 (CEST)
Received: from mbx-essen-01.secunet.de (10.53.40.197) by mail-essen-02.secunet.de (10.53.40.205) with Microsoft SMTP Server (TLS) id 14.3.487.0; Wed, 29 Jul 2020 12:04:58 +0200
Received: from gauss2.secunet.de (10.182.7.193) by mbx-essen-01.secunet.de (10.53.40.197) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Wed, 29 Jul 2020 12:04:58 +0200
Received: by gauss2.secunet.de (Postfix, from userid 1000) id EC5883180625; Wed, 29 Jul 2020 12:04:57 +0200 (CEST)
Date: Wed, 29 Jul 2020 12:04:57 +0200
From: Steffen Klassert <steffen.klassert@secunet.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
CC: 'Michael Rossberg' <michael.rossberg@tu-ilmenau.de>, ipsec@ietf.org
Message-ID: <20200729100457.GD20687@gauss3.secunet.de>
References: <023E45E1-B1AA-4042-A8E3-DD7457235BC7@tu-ilmenau.de> <0fd501d664b6$fcc8c590$f65a50b0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0fd501d664b6$fcc8c590$f65a50b0$@gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-ClientProxiedBy: cas-essen-02.secunet.de (10.53.40.202) To mbx-essen-01.secunet.de (10.53.40.197)
X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/4ZMWqksRAz38Xt2HHin85Mbl4Qk>
Subject: Re: [IPsec] Teaser for pitch talk at IETF 108
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 10:05:05 -0000
Hi Valery, a few comments inline. On Tue, Jul 28, 2020 at 11:13:33AM +0300, Valery Smyslov wrote: > Hi, > > a few thoughts about this proposal. ... > > > * 64 bit sequence counters in each header to ease protocol handling and allow for > > replay protection in multicast groups > > This would simplify replay protection logic on receiver, but will waste > 4 bytes on the wire for unicast SAs. We have already the option to send the high sequence number bits when a combined mode algorithm is used. RFC 4303, Section 2.2.1. says: If a combined mode algorithm is employed, the algorithm choice determines whether the high-order ESN bits are transmitted or are included implicitly in the computation. We could just give multicast the same option if it wants to use replay protection. > > * Removing the trailer to ease segment & fragment handling and alignment > > I was told by Linux kernel people that having trailer in ESP is a headache for them. > However, this simplification has its cost: > > 1. Ciphers that require padding cannot be used. I admit that CBC and the like > are out of fashion today, but I don't know which cipher modes will be in fashion tomorrow > and what requirement for padding they will have. > 2. No Next Header field eliminates transport mode (BTW, widely used for multicast!) > and makes it difficult to implement TFC (you can add TFC padding, but you can't send > dummy packets and you can't use IPTFS) Instead of a trailer, an (optional) encrypted header could be used for transport mode, IPTFS etc. That could be | Pad Length | Next Header | Pad to align payload | > > > * Implicit IVs in spirit of RFC 8750 removing the need for AAD > > I don't consider removing AAD is a benefit, since all the AEAD schemes I'm aware of > allow to have AAD. On the other hand, implicit IV is only applicable > to some transforms. I'm not only talking about non counter-based AEAD ciphers, > (like CBC), but even for counter-based AEAD a situation is possible when there is a need > for IV to be somehow structured and not be a plain counter (e.g if you implement key trees). Right, we should always have the option to include an explicit IV as the IV construction depends on the used algorithm. > > > Further details and benchmark results may be found in a paper preprint [1] and a > > presentation [2] we held with at the Linux IPsec Workshop. > > A few more considerations. > > It seems that performance of this proposal depends on ICV size > for the plaintext to be properly aligned. > If ICV is 16 bytes, then plaintext is ideally aligned on 32 bytes, > but if one use 12 byes ICV (e.g. ENCR_AES_GCM_12) > then the plaintext is aligned on 4 bytes, that is even worse > than ESP, where it is for most AEAD transforms aligned on 16 bytes. We could pad a 12 byes ICV up to 16 bytes, but I have to admit that this might not be the best option. > Since this proposal allows only tunnel mode, it will have > larger overhead for small packets. This is partially > compensated by having IV to be implicit... > > And about security. In order to have IV combined with > ESN and sub-windows identifiers this proposal removes secret > salt from the nonce. This may have impact on security. > I'm not a cryptographer, but I believe the impact is not negligible. > On the last CFRG session a draft draft-wood-cfrg-aead-limits was > discussed that calculates limits of data to be safely encrypted > by various AEAD ciphers. The authors claimed that having > secret salt in the nonce increases this limits in case of multi-user > attacks and that the results in the draft are calculated > for this case. If plain AEAD ciphers (with no secret salt) are used > the limits are lower. A secret salt in the nonce would be a new requirement anyway. I've checked RFC 4106 (ESP for GCM) and RFC 7634 (ESP for ChaCha20-Poly1305), both don't require a secret salt. But I'm not sure if the IV construction in this proposal would be always a good choice. As far as I understand, Sender ID is only used with multicast, so will be most likely zero on unicast. Also the replay window ID will have a lot of zero bits on unicast (given that most nodes have much less than 2^16 cpus these days). Steffen
- [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs William Allen Simpson
- Re: [IPsec] Teaser for pitch talk at IETF 108 Yoav Nir
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Yoav Nir
- Re: [IPsec] Teaser for pitch talk at IETF 108 William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs Michael Richardson
- Re: [IPsec] Teaser for pitch talk at IETF 108 Valery Smyslov
- Re: [IPsec] Teaser for pitch talk at IETF 108 Valery Smyslov
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Valery Smyslov
- Re: [IPsec] Teaser for pitch talk at IETF 108 Steffen Klassert
- Re: [IPsec] Teaser for pitch talk at IETF 108 Tero Kivinen
- Re: [IPsec] Teaser for pitch talk at IETF 108 Steffen Klassert
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Scott Fluhrer (sfluhrer)
- Re: [IPsec] Teaser for pitch talk at IETF 108 Tero Kivinen
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Scott Fluhrer (sfluhrer)
- Re: [IPsec] Teaser for pitch talk at IETF 108 Scott Fluhrer (sfluhrer)
- Re: [IPsec] Teaser for pitch talk at IETF 108 Tero Kivinen
- Re: [IPsec] Teaser for pitch talk at IETF 108 Valery Smyslov
- Re: [IPsec] Teaser for pitch talk at IETF 108 Scott Fluhrer (sfluhrer)
- Re: [IPsec] multiple windows need multiple SPIs William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs Michael Rossberg
- Re: [IPsec] multiple windows need multiple SPIs William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs Michael Rossberg
- Re: [IPsec] multiple windows need multiple SPIs William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs Yoav Nir
- Re: [IPsec] multiple windows need multiple SPIs Valery Smyslov