Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns
David Schinazi <dschinazi@apple.com> Fri, 16 February 2018 19:51 UTC
Return-Path: <dschinazi@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 986CE128896 for <ipsec@ietfa.amsl.com>; Fri, 16 Feb 2018 11:51:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Uhyfqpggk7i for <ipsec@ietfa.amsl.com>; Fri, 16 Feb 2018 11:51:31 -0800 (PST)
Received: from mail-in24.apple.com (mail-out24.apple.com [17.171.2.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABCE71200C1 for <ipsec@ietf.org>; Fri, 16 Feb 2018 11:51:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1518810690; x=2382724290; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=A8mXm+4FZQd7zE6WiKN63Wg8Xc9AZndr3s73pj0c2ys=; b=qKvnETHOZlsDtB5RhH4ctNi6nSlO621j8nL/HKBH/2xYYr9Kc0B72Un8pv3ZuFq4 kp2kyMI8/XE6W+Xtv+qwVp0RrpaMxTaQjFQjYXCD18aHA48m0TQydjRGIUIR4RjV w3/2q2aocCjCj1J0rYRooVoxlzrGIxGHVfRjktvHWFa68oQZjXIjocNCWnczk02Z lmvi1KNiqgUbD5WhV9ut7LTy99E40tHlxW/+7IQODK4k8nrF+K8VDSyiNzP2cQ8o YUVKCJZX/daihbuLRqChZ2bM9dQ2gQ5d3y/JuZOmFkGe9x0qIpYrr+pKW0X9PB3Q Oqo8a73U0/h66FGw2AuO/w==;
Received: from relay5.apple.com (relay5.apple.com [17.128.113.88]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in24.apple.com (Apple Secure Mail Relay) with SMTP id 5A.79.10828.246378A5; Fri, 16 Feb 2018 11:51:30 -0800 (PST)
X-AuditID: 11ab0218-d2dff70000002a4c-16-5a87364115bb
Received: from nwk-mmpp-sz10.apple.com (nwk-mmpp-sz10.apple.com [17.128.115.122]) by relay5.apple.com (Apple SCV relay) with SMTP id 6B.7B.23499.146378A5; Fri, 16 Feb 2018 11:51:29 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_5S709Pulq8D7azXNJiukLQ)"
Received: from [17.234.68.209] (unknown [17.234.68.209]) by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.2.20180130 64bit (built Jan 30 2018)) with ESMTPSA id <0P4900MWZDTS0Q70@nwk-mmpp-sz10.apple.com>; Fri, 16 Feb 2018 11:51:29 -0800 (PST)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
Message-id: <E18B8487-FC1A-4D84-9ADF-67C59990B498@apple.com>
Date: Fri, 16 Feb 2018 11:51:28 -0800
In-reply-to: <97670585-978A-4E58-AC8A-833EB8790754@gmail.com>
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
To: Yoav Nir <ynir.ietf@gmail.com>
References: <23175.8000.242283.548415@fireball.acr.fi> <97670585-978A-4E58-AC8A-833EB8790754@gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrDLMWRmVeSWpSXmKPExsUi2FAYoetk1h5lsH+1msX+LS/YLI6ef85m sfTYByYHZo+ds+6yeyxZ8pPJ4/DXhSwBzFFcNimpOZllqUX6dglcGS/Ohxbs9q+48aqPpYHx i3MXIweHhICJRPvn5C5GLg4hgTVMEgdfrmDtYuQEi9/dcYUdInGIUeL5pOXMIAleAUGJH5Pv sYDYzAJhEltaVzFCFE1kkvjxqhUsISwgLdF14S4ryAY2AS2JA2uMIHptJFq2vIMq8ZOY0XeK HcRmEVCVeLm9nQ3E5hSwlXhxvZEZYr6hRN+SH4wgtoiAksThK1/B4kICmRI9u19BHaokMf37 bTaQGyQElrBJfJp3lmkCo9AsJLfOQnLrLKCTmAXUJaZMyYUIa0s8eXeBFcJWk1j4exETsvgC RrZVjMK5iZk5upl5RiZ6iQUFOal6yfm5mxhB0bGaSWIH45fXhocYBTgYlXh4HzxuixJiTSwr rsw9xCjNwaIkznv1eWOUkEB6YklqdmpqQWpRfFFpTmrxIUYmDk6pBkZ9o8U5qu7ClXETos/9 vPBJ5v5CriC+LcevfuJfenQ5X/3Dy/v3/5BYsPtuUX/qBvvKns1XTl/i+r7t4mWpPgNv1R9f 58drFCx6f2ymgke35csdc1bPk9qyz+9zx7MrsT8X/t3Q9kBtjevjL/Vvu8J+Rjsl7DT+crvy l3Hl86gAsdY3W5tdPObkKLEUZyQaajEXFScCANkGl0NvAgAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrPLMWRmVeSWpSXmKPExsUi2FBcpeto1h5lcPaqjsX+LS/YLI6ef85m sfTYByYHZo+ds+6yeyxZ8pPJ4/DXhSwBzFFcNimpOZllqUX6dglcGS/Ohxbs9q+48aqPpYHx i3MXIyeHhICJxN0dV9i7GLk4hAQOMUo8n7ScGSTBKyAo8WPyPRYQm1kgTGJL6ypGiKKJTBI/ XrWCJYQFpCW6Ltxl7WLk4GAT0JI4sMYIotdGomXLO6gSP4kZfafYQWwWAVWJl9vb2UBsTgFb iRfXG5kh5htK9C35wQhiiwgoSRy+8hUsLiSQKdGz+xUrxKFKEtO/32abwMg/C8l5s5CcNwvo CmYBdYkpU3IhwtoST95dYIWw1SQW/l7EhCy+gJFtFaNAUWpOYqWpXmJBQU6qXnJ+7iZGcDAX Ruxg/L/M6hCjAAejEg/vg8dtUUKsiWXFlbnAMOJgVhLhZTBpjxLiTUmsrEotyo8vKs1JLT7E KM3BoiTO+zS4JUpIID2xJDU7NbUgtQgmy8TBKdXAuODlm3KD+d+WNJWKl4Srp2+ZH1G+UJcz 3OFLw1Up6VvHrE2+XUgWvlo42f3Nvdt/WaZ7XUs50yaas0rg0UrXOR93revzeyvPKOeS+Ijv +tHQNXslmF4eflv1+Ifazzq9+lbpNzvbY3e4f354uvwFw4TrmR7GxbrbXss0bNvGHsky2yiZ K8BCQYmlOCPRUIu5qDgRAN9ifW5iAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/52BqGSzeGUNWBzovAjakaanKkZA>
Subject: Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2018 19:51:33 -0000
Hi Yoav, responses inline. > On Feb 16, 2018, at 10:25, Yoav Nir <ynir.ietf@gmail.com> wrote: > >> On 16 Feb 2018, at 20:13, Tero Kivinen <kivinen@iki.fi> wrote: >> >> 1) It's not possible to run a server that obfuscates IKEv2/IPsec using >> TLS. >> >> Today thanks to RFC 8229 it is possible to run an IKEv2/IPsec >> server on TCP port 443 with TLS. However if a government agent >> tries to send an SA_INIT over that it will discover that this >> server runs IKEv2/IPsec, and may blacklist it. We should add a >> mechanism to IKEv2 that allows the server to only respond to >> SA_INIT from known entities (e.g. that possess a shared secret). > > That would require that within the SA_INIT request, the initiator proves possession of a shared secret and does so in a non-replayable way. Actually, replay protection is not critical here. In the TLS scenario, attackers would not be able to observe SA_INITs from trusted peers. In the privacy scenario, replaying the initiator SA_INIT will only get the SA_INIT of the responder which doesn't include IDi/IDr. One approach to solving this would be to share a secret with the IKEv2 config to all the clients and have the initiator HMAC its SA_INIT with that secret. > Wouldn’t it be better for the initiator to prove identity or group membership in the TLS handshake? As defined in RFC 8229, IKEv2 encapsulation does not rely on any security properties from TLS. I don't think we should change that. Especially in the case of TLS <= 1.2, the client certificates are not encrypted so this would defeat privacy gains. >> 2) The privacy of the initiator's identity in the presence of a man in >> the middle attacker is not protected. >> >> Today an attacker with full control of the network can receive the >> IDi/IDr sent by the initiator in the first AUTH packet. We should >> add a mechanism to IKEv2 that allows the initiator to only send >> IDi/IDr to known entities (e.g. that possess a shared secret). > > This is more feasible. I understand the issue, but the only use case where I think it’s important is remote access. It would make sense in remote access to reverse the order of authentication so that the responder identifies and authenticates first, but you’d still need the initiator to send the IDr first. Agreed, changing the order would protect the IDi but not the IDr. Thanks, David Schinazi
- Re: [IPsec] Additional charter items 4/4: Mitigat… Yoav Nir
- [IPsec] Additional charter items 4/4: Mitigating … Tero Kivinen
- Re: [IPsec] Additional charter items 4/4: Mitigat… Tero Kivinen
- Re: [IPsec] Additional charter items 4/4: Mitigat… Yoav Nir
- Re: [IPsec] Additional charter items 4/4: Mitigat… David Schinazi
- Re: [IPsec] Additional charter items 4/4: Mitigat… Paul Wouters
- Re: [IPsec] Additional charter items 4/4: Mitigat… Tero Kivinen
- Re: [IPsec] Additional charter items 4/4: Mitigat… Tommy Pauly