Re: [IPsec] Disabling replay protection

Benjamin Schwartz <ietf@bemasc.net> Tue, 21 February 2023 17:45 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/9q2XtGPRpmPLoVWCLgrO-LSCSNc>

On Mon, Feb 20, 2023 at 4:58 PM Michael Richardson <mcr@sandelman.ca> wrote:

> Tero Kivinen <kivinen@iki.fi> wrote:
>     > I mean what should other end do if the other end says he will not
>     > do anti-replay checks?
>
> Not send unique relay values in the ESP.
>

Yes but mostly for AH.  My goal is related to draft-xu-risav, which would
benefit from the ability to repeat sequence numbers in AH when replay
protection is not required.

Reusing sequence numbers is extremely unsafe in ESP.  Most notably, AES-GCM
fails entirely and **leaks the shared secret** if a nonce is ever reused
[1].  However, if the sender knows that the receiver is not enforcing
replay protection, and ESN is disabled, then the sender can use sequence
numbers out of order, which might be helpful for multi-sender situations.
(This is a subset of draft-ponchon-ipsecme-anti-replay-subspaces, which I
also think is worth pursuing in some fashion.)

--Ben Schwartz

[1] https://eprint.iacr.org/2016/475.pdf
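
The multi-sender case described in the message above, as an added example (not part of the original post or of either draft): each sender draws 32-bit sequence numbers from its own disjoint subspace, so numbers reach the receiver out of order but never repeat within the SA. The bit layout and the names `SubspaceAllocator`, `find_reuse` and `dropped_by_replay_window` are assumptions made for illustration.

```python
SEQ_BITS = 32  # ESN disabled: sequence numbers are 32 bits on the wire


class SubspaceExhausted(Exception):
    """This sender's share of the sequence space is used up; rekey the SA."""


class SubspaceAllocator:
    """Issues sequence numbers whose top bits identify the sender (assumed layout)."""

    def __init__(self, sender_id, sender_bits):
        if not 0 < sender_bits < SEQ_BITS:
            raise ValueError("sender_bits must leave room for a counter")
        if not 0 <= sender_id < (1 << sender_bits):
            raise ValueError("sender_id does not fit in sender_bits")
        self._counter_bits = SEQ_BITS - sender_bits
        self._prefix = sender_id << self._counter_bits
        self._next = 1  # start at 1 so sequence number 0 is never issued

    def next_seq(self):
        # Refuse to wrap: a repeated number would repeat any nonce derived from it.
        if self._next >= (1 << self._counter_bits):
            raise SubspaceExhausted("rekey before any sequence number repeats")
        seq = self._prefix | self._next
        self._next += 1
        return seq


def find_reuse(seqs):
    """Audit helper: sequence numbers that occur more than once on one SA."""
    seen, dup = set(), set()
    for s in seqs:
        (dup if s in seen else seen).add(s)
    return sorted(dup)


def dropped_by_replay_window(seqs, window=64):
    """Numbers a simplified sliding-window anti-replay check would reject."""
    top, seen, dropped = 0, set(), []
    for s in seqs:
        if s + window <= top or s in seen:
            dropped.append(s)  # left of the window, or already received
            continue
        seen.add(s)
        top = max(top, s)
    return dropped


def interleave_demo():
    """Constructed traffic: two senders on one SA, packets interleaved."""
    a = SubspaceAllocator(sender_id=0, sender_bits=2)
    b = SubspaceAllocator(sender_id=1, sender_bits=2)
    return [a.next_seq(), b.next_seq(), a.next_seq(), b.next_seq()]
```

With the constructed traffic, no sequence number repeats, yet a receiver that still enforced a 64-packet replay window would drop sender 0's second packet, which is why this arrangement depends on the receiver having replay protection turned off.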