Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth (fwd)
Paul Wouters <paul@nohats.ca> Mon, 26 January 2015 15:56 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C551A89A8 for <ipsec@ietfa.amsl.com>; Mon, 26 Jan 2015 07:56:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NevrnPUvVjjh for <ipsec@ietfa.amsl.com>; Mon, 26 Jan 2015 07:56:08 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C5181A9126 for <ipsec@ietf.org>; Mon, 26 Jan 2015 07:56:05 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3kWFzl1WYfzCFF; Mon, 26 Jan 2015 16:56:03 +0100 (CET)
Authentication-Results: mx.nohats.ca; dkim=pass reason="1024-bit key; unprotected key" header.d=nohats.ca header.i=@nohats.ca header.b=jaHLoi55; dkim-adsp=pass
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id F1PMQ-l0KVdv; Mon, 26 Jan 2015 16:56:02 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 26 Jan 2015 16:56:02 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 799D08008E; Mon, 26 Jan 2015 10:55:59 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1422287759; bh=jzOxFqld1jC6MlncESrRb/OTKIV6vaC/LGs4DiKq/yo=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=jaHLoi55Qm72O56+ECT4nJeX1MhlDIZt0pFfWuc62pPaNrd+j3GmrIN6dnVdMmhu0 sI/EV9MeV9n05Se2r7HIJ+64D5dtioeWqh1M2rsexCgAtuPJn9xARctebVATdYk/pz JYFPslvbR89Y04NMQxJNcVoYfcGGrcPjyinwCMrw=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id t0QFtws6013525; Mon, 26 Jan 2015 10:55:58 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 26 Jan 2015 10:55:58 -0500
From: Paul Wouters <paul@nohats.ca>
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <21702.23584.557958.684640@fireball.kivinen.iki.fi>
Message-ID: <alpine.LFD.2.10.1501261043040.27282@bofh.nohats.ca>
References: <alpine.LFD.2.10.1501131139150.13941@bofh.nohats.ca> <038B7179C6EB4C5BB2A110AD37541204@buildpc> <21694.26453.977101.952972@fireball.kivinen.iki.fi> <alpine.LFD.2.10.1501201009460.16777@bofh.nohats.ca> <21702.23584.557958.684640@fireball.kivinen.iki.fi>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/7K3qKs-gW6ATFnGNBWM55BODjYg>
Cc: IPsecME WG <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>
Subject: Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth (fwd)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jan 2015 15:56:12 -0000
On Mon, 26 Jan 2015, Tero Kivinen wrote:
> For the same reason IKE users who already do Diffie-Hellman during the
> IEK SA creation, might want to do separate PFS for different Child
> SAs, just to make things harder for attacker. Again as we are talking
> about un-authenticated connections, NSA can just do MitM in the
> beginning, and gain all traffic, but that is active attack, which
> might get detected. Doing passive storing of the all traffic and then
> breaking Diffie-Hellman later provides better ways of staying
> undetected for them.
But you are most likely initiating IKE because you were trying to send
one kind of protocol/port, so most likely you will end up with one SA.
If you do this for every port 80 connection that closes, and build up
new SA's for each random source port you use, then you're just causing
your user unneccessary delays while they are waiting on CREATE_CHILD_SA
exchanges. It is much better for the user to get one proper IPsec SA
in. If you are concerned about passive offline breakability, bump your
modp group to modp8192.
> If we do one 1024-bit Diffie-Hellman using un-authenticated exchange,
> then they can break that one 1024-bit Diffie-Hellman and get all
> traffic protected by each Child SA. If we do PFS for each Child SA
> then they need first to break the IKE SA Diffie-Helman and then for
> each traffic flow second one...
It's better to make everything unbreakable by a higher modp group than
to hope that only part of your traffic got broken :P
> There are people who want this kind of feature.
Yes and people want to use different modp groups for IKE and IPsec SA, and
different PRFs from INTEGs, and different size GCM/CCM tags and different
SHA2 length. Those were all useless knobs we should have never created.
> Thats why this draft
> should not have any text restricting per-flow SAs...
I still have not seen a single valid use case for this. I do have
described how this feature would cause issues during active attacks.
> It might have comment saying that because clients are
> un-authenticated, there might be need for tighter resource limits than
> for authenticated clients.
And this new swiss army knife has the auto-rotating circular hack saw.
Please only use responsibly.
>> It will only cause interop failures. The client will not pick a
>> host-to-host but picks say port 80 only. Then it wants port 443 and
>> gets NO_ADDITIONAL_SAS. Then it needs to drop the port 80 SA and
>> restart everything to get the full range single SA.
>
> Why should that cause interop failures? This is all standard RFC7296
> stuff already. We are not changing anything here related to this.
Yes. Nothing should ever cause interop failures if everyone followed
the RFCs properly :P Welcome to the real world Neo :)
>> If you are not authenticated, what is the point in splitting up the
>> traffic in different IPsec SA's per protocol or port?
>
> Causing more work for the passive monitoring people breaking your
> multiple 1024-bit Diffie-Hellmans, instead of just breaking one.
That modp1024 is too weak! Use modp8192. That's much safer. What's
your next use case?
> And
> you might use shorter Diffe-Hellman groups for performance reasons
> than with authneticated use cases.
So 200 PFS CREATE_CHILD_SA requestions of 1024 is less resources than
1 modp8192 initial exchange?
>> The only use case I have heard of that could apply, is the use case
>> of being mandated to NOT encrypt something for auditing purposes. But
>> traffic selectors really suck for "everything but sip and smtp and pop
>> and imap" :P
>
> Yes, usually traffic selectors are either per IP, or per-flow.
> Anything else are usually just silly... And for most normal
> authenticated use cases per-flow SAs are not really that useful, but
> we still have them in RFC7296, and I do not see any reason why they
> should be removed in this document.
We are talking about two things here:
1) IP ranges
2) protocol and port ranges
1) is dangerous because unauthenticated peers cannot be trusted to make
any claims about IPs that are not themselves.
2) we discussed in the previous email and above here :P
Paul
- [IPsec] WG Last Call on "The NULL Authentication … Paul Hoffman
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Hoffman
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Valery Smyslov
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Tero Kivinen
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Sean Turner
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Graham Bartlett (grbartle)
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Koning
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Valery Smyslov
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Tero Kivinen
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yoav Nir