IETF Logo Mail Archive

Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

Tero Kivinen <kivinen@iki.fi> Wed, 09 August 2017 10:08 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C1CA126C22 for <ipsec@ietfa.amsl.com>; Wed, 9 Aug 2017 03:08:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eU9l2m5djdvM for <ipsec@ietfa.amsl.com>; Wed, 9 Aug 2017 03:08:17 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98F07124234 for <ipsec@ietf.org>; Wed, 9 Aug 2017 03:08:16 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v79A8DX7029748 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 9 Aug 2017 13:08:13 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v79A8DGD015160; Wed, 9 Aug 2017 13:08:13 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <22922.57101.227283.113155@fireball.acr.fi>
Date: Wed, 09 Aug 2017 13:08:13 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Cen Jung Tjhai <CJT@post-quantum.com>
Cc: Valery Smyslov <svanru@gmail.com>, "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <1501968567726.89885@post-quantum.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <1501968567726.89885@post-quantum.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 24 min
X-Total-Time: 25 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/5885Tavv9NmN4h4D3kuSl-2y_KU>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 10:08:18 -0000

Cen Jung Tjhai writes:
>>And I think if the IKE_SA_INIT messages grow too large with QSKE,
>>then it’s better to develop generic fragmentation mechanism for
>>IKE_SA_INIT, rather than making it specific for fragmenting QSKE
>>blobs. Generic mechanism would allow to reuse it in case we’ll have
>>to include other large payloads in initial messages.
>
> Yes, while a generic mechanism would allow it to be reused, it
> sounds like a different draft all together. It could result in a
> very complex change in the protocol. Furthermore, we would like to
> support QSKE blob that is larger than 64KB in size, hence we
> fragment it in that way. 

Actually I think it would be better NOT to change IKE_SA_INIT at all,
but instead add new exchange between the IKE_SA_INIT and IKE_AUTH.

I.e., lets have following exchange:

Initiator                         Responder
   -------------------------------------------------------------------
   HDR(IKE_SA_INIT, MID=0), SAi1, KEi,
       Ni, N(IKEV2_FRAGMENTATION_SUPPORTED),
       N(PRE_AUTH_SUPPORTED)  -->

                                <--  HDR(IKE_SA_INIT, MID=0), SAr1, KEr, Nr,
				         N(IKEV2_FRAGMENTATION_SUPPORTED)
                                     	 N(PRE_AUTH_NEEDED), [CERTREQ]

   HDR(PRE_AUTH, MID=1),
       SKF(NextPld=PLD1, Frag#=1, TotalFrags=m)
       {...} -->
   HDR(PRE_AUTH, MID=1),
       SKF(NextPld=0, Frag#=2, TotalFrags=m)
       {...} -->
   ...
   HDR(PRE_AUTH, MID=1),
       SKF(NextPld=0, Frag#=m, TotalFrags=m)
       {...} -->

				<-- HDR(PRE_AUTH, MID=1),
				        SKF(NextPld=PLD1, Frag#=1,
					    TotalFrags=m)
			                {...}
				<-- HDR(PRE_AUTH, MID=1),
				        SKF(NextPld=0, Frag#=2,
					    TotalFrags=m)
			                {...}
                            ...
				<-- HDR(PRE_AUTH, MID=1),
				        SKF(NextPld=0, Frag#=m,
					    TotalFrags=m)
			                {...}

   HDR(IKE_AUTH, MID=2),
       SK {IDi, [CERT,] [CERTREQ,]
           [IDr,] AUTH, SAi2,
           TSi, TSr}  -->

                                <--  HDR(IKE_AUTH, MID=2),
				         SK {IDr, [CERT,] AUTH,
                                             SAr2, TSi, TSr}

I.e., we run normal IKE_SA_INIT with message ID of 0. It negotiates
the fragmentation (IKEV2_FRAGMENTATION_SUPPORTED), so all further
exchanges after IKE_SA_INIT can use fragmentation.

Then we do another exchange before the IKE_AUTH, i.e. we do PRE_AUTH
exchange before IKE_AUTH using message id 1 (or even message ids 2, 3,
4, etc, as many as are needed). This step does the large blob exchange
neede for the IKE_AUTH. As these are normal fragmented IKEv2 message,
i.e. there is request and there is reply. What goes in there is
most likely using some new payload number to transfer the QSKE data in
both directions.

Note, that IKEv2 messages are limited to 4GB in size, and one payload
inside IKEv2 message is limited to 64kB in size, so if larger than 64k
objects need to be transmitted, it can be transmitted using exactly
one IKEv2 message, having multiple payloads in it. On the other hand
as fragments are not individually acknowledged, we do not want to
transfer too big messages using it, so it might be better to allow
multiple PRE_AUTH message exchanges before moving to the IKE_AUTH.
This means that the PRE_AUTH exchange most likely needs to have some
way of telling the other end when it is done, and when to move to
IKE_AUTH.

IKE_AUTH then would be just normal IKE_AUTH.

The fact whether we need the PRE_AUTH exchange can be negotiated in
the IKE_SA_INIT, either using transform types in SA payload, or using
the notify payloads.

Also if we split data to less than 64k chunks anyways, it might also
be better not to use IKEv2 fragmentation, but instead just send
several PRE_AUTH exchanges instead.

Note, that the PRE_AUTH happening between IKE_SA_INIT and IKE_AUTH
would be encrypted, and MACed, but it WILL NOT be authenticated, i.e.,
we have not yet authenticated the other peer, and we will not include
those octets to the AUTH payload calculations, so they will not be
authenticated in AUTH phase, like the IKE_SA_INIT contents will be
authenticated.

I think this kind of step between IKE_SA_INIT and IKE_AUTH might be
easiest and most generic way of transferring the QSKE data. We will be
transferring large amount of data anyways, so trying to put it part of
IKE_SA_INIT is not useful, and trying to play around with cookies, and
IKE_SA_INIT modifications is just adding complexity. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email