IETF Logo Mail Archive

Re: [IPsec] I-D Action: draft-ietf-ipsecme-qr-ikev2-05.txt

"Valery Smyslov" <smyslov.ietf@gmail.com> Tue, 01 January 2019 13:23 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5CC412F1A5 for <ipsec@ietfa.amsl.com>; Tue, 1 Jan 2019 05:23:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g47Jee9BjLEX for <ipsec@ietfa.amsl.com>; Tue, 1 Jan 2019 05:23:15 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E23012426A for <ipsec@ietf.org>; Tue, 1 Jan 2019 05:23:15 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id v1-v6so25153903ljd.0 for <ipsec@ietf.org>; Tue, 01 Jan 2019 05:23:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:from:to:cc:references:in-reply-to:subject:date :mime-version:content-transfer-encoding:importance; bh=HD/5nu8VKEvXk90ToKYHpnHQ9np28P6JgrCDOD9ayho=; b=huIXbz+MRVbPj1hJWDVlbQepzY/dR9JgqFCTYAeatdSiCMYyzYmdvE/h/mVjElzOxM 02obZvwLRSpNPepWk8WGKTFE5cUbtLFLd462KsXeaM33HDY0G2n3sr/2Ogykv+TmKWgg sZPaM47Cv/s7pKgZTQQ41OZn+tOIRx0YK+B/tWxnNpaxFWT9Bdr6Es+ZUQgXrXRv5YFp kb13eIWgZLD/SamGtS3okkoMYSQixrBqIt74Tvv0JfKvDSTchDAwWY8uIe6dQSD8/+tL 68qA7vTZuMPbwbT1Q1VhuHDqS7jPX1s9wYGAJ+80HpXnrUtc6L5ym6ErgBII0NJCt4Uv /wpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:from:to:cc:references:in-reply-to :subject:date:mime-version:content-transfer-encoding:importance; bh=HD/5nu8VKEvXk90ToKYHpnHQ9np28P6JgrCDOD9ayho=; b=Apc902A3Uc8p4ZN9Hwg/NGpfzRDsMTf7GyjfixQiwp8N7GZ1OUOFSN2InYerCy188Z O4mstHBDLczPF5538p/BF/OQ6LBrv5w2DqRJF0XY62VZyaf1oiUUJdOLo3+Abo8TSPs+ NNtfdD5xNF/tO/7lLMUFJnYKnB9NzFx7JriKYlpZgrSpl8L3cMbWHdzD0Y3FnGM24b2X 4C2v2fjeRJBDBc0JaoqCvkHk3QJhM5tNkseo5EgbP6W1Xs4ga4M8RmrwYY9FyWxgoIU0 Fg+O3Xc1XqBniTWaGPcvZh4rz9CM//ZRnG3XI8laEp72nppEhyuyCrvRUq/5Z69pf5rf Y6nA==
X-Gm-Message-State: AJcUukdyJwvriTRGiJok+dLL/O/C0TOyY9EAJBD6aWUrlxosv6dKVGUY ITnWt0nqebuti+OFIMPqPQM=
X-Google-Smtp-Source: ALg8bN4z4hX+RZb5FidPe46eO66rfPyp8spz/NuknAdRqvnlFGJ2/xBWImFE3CKqD8B+5bDltEf5sA==
X-Received: by 2002:a2e:2b85:: with SMTP id r5-v6mr22205112ljr.91.1546348993294; Tue, 01 Jan 2019 05:23:13 -0800 (PST)
Received: from chichi (95-27-156-51.broadband.corbina.ru. [95.27.156.51]) by smtp.gmail.com with ESMTPSA id e14-v6sm10517454ljb.31.2019.01.01.05.23.12 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 01 Jan 2019 05:23:12 -0800 (PST)
Message-ID: <523914FE74054C1CB4C095B3E7D1BB46@chichi>
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: Paul Wouters <paul@nohats.ca>, IPsecme WG <ipsec@ietf.org>
Cc: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, pkampana@cisco.com
References: <154575066894.24030.13252361041324294083@ietfa.amsl.com> <004601d49c65$23561120$6a023360$@gmail.com> <alpine.LRH.2.21.1812272300570.29618@bofh.nohats.ca> <012b01d49e79$93c68780$bb539680$@gmail.com> <alpine.LRH.2.21.1812301419280.29481@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1812301419280.29481@bofh.nohats.ca>
Date: Tue, 01 Jan 2019 16:23:02 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/9x_mNvlimh27wuP_yUi-rc-0QHQ>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-qr-ikev2-05.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Jan 2019 13:23:18 -0000

Hi Paul,

first, I believe this discussion must be public, so I've added ipsec@ietf.org.

>>>    If there is IKE traffic other
>>>     than the identities that need to be protected against such an
>>>     adversary, implementations MAY rekey the initial IKE SA immediately
>>>     after negotiating it to generate a new SKEYSEED from the postquantum
>>>     SK_d.  This would reduce the amount of data available to an attacker
>>>     with a Quantum Computer.
>
> How does an immediate rekey of the IKE SA help hide some of the information,
> like TS? I think we need to be more clear. So how about:
>
>  An attacker with a Quantum Computer that can read the decrypted
>  IKE SA from the initial exchanges has access to all the
>  configuration parameters exchanged via the IKE SA including
>  all negotiated IPsec SAs information with the exception of the
>  cryptographics keys used by those IPsec SAs which are protected
>  by the PPK. IKE SA information available to such an attacker
>  includes the traffic selectors that can expose the network
>  architecture and IP address ranges that are in use. Deployments
>  that are concerned with this MUST initiate a childless IKE SA
>  [RFC6023] using PPKs and immediately rekey the IKE SA so it gains
>  PPK protection before sending any other IKE messages such as
>  CREATE_CHILD_SA or Informational exchange. If other sensitive
>  information such as third party cryptographic keys for other
>  protocols are transmited via IKE, implementations MUST rekey
>  the IKE SA before sending those payloads over IKE to ensure this
>  information is protected by the PPK.

I think that the text is OK, however I'd replace "third party cryptographic keys"
with just "cryptographic keys". In G-IKEv2 the keys transferred are not "thirs party".
But I'd rather hear more from my co-authors and the WG.

> It replaces the two old paragraphs? On the other hand, perhaps instead
> of this being hidden in the Security Considerations section, it deserves
> its own regular section?

Not sure. It was a WG's decision that the information exchanged over IKE SA is less important, 
so we can live with the ability for an attacker to recover it.
That's why the text is in the Security Considerations.

>>> What is not obvious from this text, is that it exposes information of
>>> the first IPsec SA as well, such as traffic selectors used.
>
> And actually not just the first IPsec SA, but all of them. And PFS would
> not help here.

PFS is irrelevant here.

> I wonder if we need to talk about RFC 4739 here? like:
>
>  If multiple authentication exchanges [RFC 4739] are required
>  for the IKE SA, the IKE SA MUST rekey before sending the second
>  IKE_AUTH exchange in response to the initial IKE_AUTH's ANOTHER_AUTH_FOLLOWS
>  payload to avoid exposing the second authentication form to a quantum
>  capable attacker.
>
> But this would really complicate the state machine?

You can't do it. There is a single IKE_AUTH exchange with multiple messages
(like in EAP case). You can't do any rekeys until the IKE_AUTH exchange
(which in case of RFC4739 includes multiple authentications) completes.

Regards,
Valery.

> Paul

v2.23.0 | Report a Bug | By Email