IETF Logo Mail Archive

[IPsec] #122: Integrity proposals with combined algorithms

Tero Kivinen <kivinen@iki.fi> Tue, 24 November 2009 14:08 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90ED73A6784 for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 06:08:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.549
X-Spam-Level:
X-Spam-Status: No, score=-2.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UEwgrlskcW3V for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 06:08:20 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id EF3EC3A67F2 for <ipsec@ietf.org>; Tue, 24 Nov 2009 06:08:19 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nAOE8EQu001896 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 24 Nov 2009 16:08:14 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nAOE8DMI002902; Tue, 24 Nov 2009 16:08:13 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19211.59597.904754.490768@fireball.kivinen.iki.fi>
Date: Tue, 24 Nov 2009 16:08:13 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p06240846c730da1a07f5@[10.20.30.158]>
References: <p06240846c730da1a07f5@[10.20.30.158]>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 12 min
X-Total-Time: 12 min
Cc: IPsecme WG <ipsec@ietf.org>
Subject: [IPsec] #122: Integrity proposals with combined algorithms
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 14:08:21 -0000

Paul Hoffman writes:
> The 4th paragraph of section 3.3 says "If an algorithm that combines
> encryption and integrity protection is proposed, it MUST be proposed
> as an encryption algorithm and an integrity protection algorithm
> MUST NOT be proposed." This means that an integrity protection
> algorithm can only be proposed with a Transform ID equal to NONE,
> given that a few paragraphs above, it says: "Combined-mode ciphers
> include both integrity and encryption in a single encryption
> algorithm, and are not allowed to be offered with a separate
> integrity algorithm other than "none"." We should thus make this
> clear in the 4th paragraph. 

I interpreted the text "integrity protection algorithm MUST NOT be
proposed" to mean that there is no transform type 3 (Integrity
algorithm) at all in the proposal, i.e. it is left out completely.

Accepting proposal having transform type 3 (Integrity algorithm) with
value 0 (none) is ok, but I think we should prefer for not including
it at all, as it makes packets shorter.

I agree that the text earlier would indicate that you send "NONE", but
RFC5282 says:

  This document updates [RFC4306] to require that when an
  authenticated encryption algorithm is selected as the encryption
  algorithm for any SA (IKE or ESP), an integrity algorithm MUST NOT
  be selected for that SA. This document further updates [RFC4306] to
  require that if all of the encryption algorithms in any proposal are
  authenticated encryption algorithms, then the proposal MUST NOT
  propose any integrity transforms.

where I read the "MUST NOT propose any ingerity tranforms" to also
include integrity transform for value 0 (NONE).

So I would change the section 3.3 text where it says

			      Combined-mode ciphers include both
   integrity and encryption in a single encryption algorithm, and are
   not allowed to be offered with a separate integrity algorithm other
   than "none".

to say

			      Combined-mode ciphers include both
   integrity and encryption in a single encryption algorithm, and are
   not allowed to be offered with a separate integrity algorithm.

to align with the RFC5282. 

Also note that the [AEAD] reference to the RFC5116 in IKEv2bis is
wrong, it should point to the RFC5282, which defines how AEAD modes
are used in IKE (all those references refer to IKEv2 used of AEAD).

> HOWEVER, in section 3.3.2, in the table for transform types, it says:
>    Integrity Algorithm (INTEG)     3       IKE*, AH, optional in ESP
>   (*) Negotiating an integrity algorithm is mandatory for the
>   Encrypted payload format specified in this document. For example,
>   [AEAD] specifies additional formats based on authenticated
>   encryption, in which a separate integrity algorithm is not
>   negotiated.
> The second sentence seems wrong. Proposed rewording:
>   For example,
>   [AEAD] specifies additional formats based on authenticated
>   encryption, in which the integrity algorithm is an inherent
>   part of the combined algorithm; in this case, the
>   integrity algorithm is specified as "none".

When you fix the reference from RFC5116 to RFC5282, then you notice
that NONE is not allowed, thus the original text was correct and your
new text is incorrect, as NONE cannot be proposed or accepted. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email