RE: [Ipsec] Clarification on EAP MSK usage in IKEv2
Lakshminath Dondeti <ldondeti@qualcomm.com> Mon, 02 October 2006 16:49 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GUQzC-0006TV-66; Mon, 02 Oct 2006 12:49:46 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GUQzA-0006TP-Or for ipsec@ietf.org; Mon, 02 Oct 2006 12:49:44 -0400
Received: from ithilien.qualcomm.com ([129.46.51.59]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GUQz9-0005NT-95 for ipsec@ietf.org; Mon, 02 Oct 2006 12:49:44 -0400
Received: from neophyte.qualcomm.com (neophyte.qualcomm.com [129.46.61.149]) by ithilien.qualcomm.com (8.13.6/8.12.5/1.0) with ESMTP id k92Gnecm001590 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 2 Oct 2006 09:49:42 -0700
Received: from LDONDETI.qualcomm.com (ldondeti.na.qualcomm.com [129.46.173.20]) by neophyte.qualcomm.com (8.13.6/8.13.6/1.0) with ESMTP id k92GnbXC020627 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 2 Oct 2006 09:49:39 -0700 (PDT)
Message-Id: <7.0.1.0.2.20061002093151.06e92190@qualcomm.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Mon, 02 Oct 2006 09:49:31 -0700
To: Pasi Eronen <pasi.eronen@nokia.com>, "'ext Narayanan, Vidya'" <vidyan@qualcomm.com>, ipsec@ietf.org
From: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: RE: [Ipsec] Clarification on EAP MSK usage in IKEv2
In-Reply-To: <000001c6e5fa$f1a624e0$f39cb70a@NOE.Nokia.com>
References: <C24CB51D5AA800449982D9BCB90325131A2EE0@NAEX13.na.qualcomm.com> <000001c6e5fa$f1a624e0$f39cb70a@NOE.Nokia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 1a1bf7677bfe77d8af1ebe0e91045c5b
Cc:
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Errors-To: ipsec-bounces@ietf.org
At 01:15 AM 10/2/2006, Pasi Eronen wrote:
>Vidya Narayanan wrote:
> >
> > All,
> > RFC4306, in section 2.16, states:
> >
> > "For EAP methods that create a shared key as a side effect of
> > authentication, that shared key MUST be used by both the
> > initiator and responder to generate AUTH payloads in messages 7
> > and 8 using the syntax for shared secrets specified in section
> > 2.15. The shared key from EAP is the field from the EAP
> > specification named MSK. The shared key generated during an IKE
> > exchange MUST NOT be used for any other purpose."
> >
> > This seems to be a bit ambiguous in what constitutes "other
> > purposes". For instance, let's consider two entities A & B
> > running IKEv2-EAP and establishing an IKE_SA between themselves,
> > using the MSK for authentication of the IKE_SA. If A & B were to
> > subsequently run IKEv2 again and establish another IKE_SA, could
> > the same MSK be then used for authentication here as well?
> >
> > In other words, it seems confusing whether "other purposes" also
> > means "for other IKEv2 runs between the same initiator and responder".
>
>I believe the intent was that MSK is used once to calculate/verify
>the AUTH payload, and not used for anything else afterwards.
>
> > If we drew an analogy from the MSK usage on other EAP lower
> > layers (e.g., IEEE 802.11i), the same MSK can be used to re-key
> > TSKs between the same peer and authenticator until expiry of that
> > MSK. By the same argument, I don't see a reason why the MSK
> > cannot be used again for the authentication of a subsequent
> > IKE_SA between the IKEv2 initiator and responder. I can see some
> > exceptions (e.g., where the IKEv2 entity acting as the EAP peer
> > actually wishes to use different identity/credentials for the two
> > exchanges, requiring a separate EAP run for those), but, in
> > general, it seems like we should be able to use the same MSK for
> > the multiple exchanges.
> >
> > One potential concern is perhaps due to the fact that the MSK is
> > used directly in the generation of the AUTH payload and if the
> > multiple IKEv2 runs used different prf's for generating the AUTH
> > payload, that could result in a bad use of the MSK. But, if the
> > same algorithm is used in the multiple runs, is there still
> > something to be concerned about? And, would it be a violation of
> > RFC4306?
> >
> > I'd appreciate any clarification on the above. Also, if someone
> > can provide clarity on what implementations do (e.g., is the MSK
> > deleted after authenticating the IKE_SA or is it cached for a
> > certain duration, etc.), that would be very helpful.
>
>Currently, it makes no sense to cache the MSK, since RFC4306 does
>not include any functionality that would use it (e.g. establishing
>another IKE_SA using the same MSK).
>
>So I guess you're asking that if someone would write an Intenet-
>Draft "establishing multiple IKE_SAs without re-running EAP" (or
>something), would that be an acceptable extension to RFC4306, or
>un unacceptable violation of the "MUST NOT be used..." requirement?
>
>That's a difficult question. I think such a draft could be written
>in a way that would be reasonable secure (and would not be
>very long document, except maybe the security considerations
>text), but being somehow "secure" has not usually been a sufficient
>criterion for being an acceptable use of EAP :-)
I am curious about the security implications here. Let's dig a bit
further. From the first IKEv2-EAP exchange, the Responder would have
received an MSK and a lifetime. The EAP keying draft says the
following about that lifetime:
IKEv2 as specified in [RFC4306] does
not cache EAP keying material or parameters; once IKEv2
authentication completes it is assumed that EAP keying material and
parameters are discarded. The Session-Timeout attribute is
therefore interpreted as a limit on the VPN session time, rather
than an indication of the MSK key lifetime.
I am sure saving the MSK for re-use as a PSK makes sense, if the VPN
session happens to drop due to non-security reasons and the two
parties need to authenticate each other. What security issues do you
see here, Pasi? I can think of some, but the lifetime parameter is
very effective here. As long as the resultant IPsec SAs are deleted
by the IPsec GW pursuant to the Session-Timeout rules, I don't see a
problem. Sure, we need further specification (and an edit of the
eap-keying draft), but that can be done.
thanks,
Lakshminath
>Best regards,
>Pasi
>
>
>_______________________________________________
>Ipsec mailing list
>Ipsec@ietf.org
>https://www1.ietf.org/mailman/listinfo/ipsec
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] Clarification on EAP MSK usage in IKEv2 Narayanan, Vidya
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Pasi Eronen
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Lakshminath Dondeti
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Narayanan, Vidya
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Pasi.Eronen
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Pasi.Eronen