IETF Logo Mail Archive

Re: [IPsec] Roman Danyliw's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Wed, 08 January 2020 17:07 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ADB312089F; Wed, 8 Jan 2020 09:07:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=dQBizgtR; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=QfWOxfDJ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJdlnIZjCsXy; Wed, 8 Jan 2020 09:07:17 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4BCA120885; Wed, 8 Jan 2020 09:07:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13929; q=dns/txt; s=iport; t=1578503236; x=1579712836; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=FcDlAAIi6V9VvLThUA0tcn3iIQV6brIcQYiCpmWZypo=; b=dQBizgtRYl0c2XqhIWmw/0p/mREbCBDe6q5h+pU5PptzFH5RNCE6e9yB ZWA2uBZxiHXgi49uaolQTlmrFhKRqpkIY9o+4mg+piSelcGtntVX1/boa mJ8DlDL1zvL18tc6Haf5/3Lfv3R3qTo9dJJukMxdQL5NWnzGNGNEnqrIk Q=;
X-Files: smime.p7s : 4024
IronPort-PHdr: 9a23:dtdajBBO4ZlW8mrDXNlxUyQJPHJ1sqjoPgMT9pssgq5PdaLm5Zn5IUjD/qs03kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHwQAld1QmgUhBMCfDkiuNP3jajQzGs1qX15+9Hb9Ok9QS47z
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CnBQDGChZe/4kNJK1mHAEBAQEBBwEBEQEEBAEBgXyBVFAFbCstIAQLKoQJg0YDiwaCX5gNgUKBEANUAgcBAQEJAwEBGAsKAgEBhEACgWokOBMCAw0BAQQBAQECAQUEbYULBiYMhV4BAQEBAgEBARARHQEBLAQHAQQHBAIBBgIRBAEBKwICAiULHQgCBAENBQgGFIMBgXlNAw4RDwECDJAVkGQCgTiIYXWBMoJ+AQEFgTUBAwQMQYMMGIIFBwMGgTaBU4d9gkkagUE/gRFHgkw+gmQBAQEBAQGBLAESASEVG4JeMoIsjVUvgkKeZQqCNoNhgjiBHY8HgkeHfpAdjlWIV5IRAgQCBAUCDgEBBYFpIjcwWBEIcBU7gmxQGA2GEYcBOIM7hRSFP3QBgSeNIYIyAQE
X-IronPort-AV: E=Sophos;i="5.69,410,1571702400"; d="p7s'?scan'208";a="420173373"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 08 Jan 2020 17:07:15 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 008H7FkM026906 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 8 Jan 2020 17:07:15 GMT
Received: from xhs-aln-002.cisco.com (173.37.135.119) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 8 Jan 2020 11:07:14 -0600
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 8 Jan 2020 11:07:14 -0600
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 8 Jan 2020 12:07:14 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U7SkKYu8eDSnxF7vKtO1/jc65qHzQpdUk42ZkX11POsgnfttruZzefcNkExSWSm6yeK1CUBojL817tbkoVbM6IYZLZOyQH1RypS6kkGbOyVO0VPL66gLSaejJsI0jT2QIiEHPFBOwnY9QMUpPARX76K0iiLgRmlH9hef3yb1bUfHPSI03e1ExAtdtHA9SqVTsGHY5jH+camkdl/vz9AD5oC20G1yyA0lN6aLcSJJ7ozoLV+/LcqZpycTVbPRwqn3wk3oieQIRIGwg9p2ODoxfqBsbZCQy5kgLsaPfJvZL41ZbYVTEIFNUGLGzn8wBQcjAw2A9B6HxhdEJpMywMpW+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sJV6hcE7OOXn0WPW3wlqkPG8msbDwjMN2vO0j0yYpZA=; b=CpLW7R9TNi1ZI7PFbw8EtCnl2CQtVInfL55bWUbFAu6LfK5OsF4B5cF5rB+gBDERf0dAa3QYg1MJhlhsVaCbNosq61vre8VnJGie8KL9OHWiaVilbfRJUH7cfI/xwS9YYA0l2SQi7IJC7ERGAWXpikuENlGdfCyUJnVREoKke4STMsly8DwqUpB9bFYto7m5pnwKB0QDraHJ20u+YJFN4zp7npcJ2FyUmaF54io1tJ/13RoZ+w/lIZ/NU+K0h2M/9t00to53EJttVb8LodSh3dPEG427QB8oo7UE+BUpHdfUozsstp0f7GacmLNg5W4aW3r5uFRPdcTzxUEcT9aPXg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sJV6hcE7OOXn0WPW3wlqkPG8msbDwjMN2vO0j0yYpZA=; b=QfWOxfDJvYh/7u1jykTqANDsOk0xWmWzieDQPDqP8ssVOA0QdCjL9QrTyzBEFZgCBc6RsDVVNnLl5kKKx32rslw5iZkHC2Ne3jRSlBBx0N9L1aq9PZmzFM4JNdDa9vEAGGteh890R0V1jqJ/AzkDIGf9sluSjWLm4Vj+9owHcyg=
Received: from DM6PR11MB2555.namprd11.prod.outlook.com (20.176.98.161) by DM6PR11MB3674.namprd11.prod.outlook.com (20.178.231.75) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2602.13; Wed, 8 Jan 2020 17:07:12 +0000
Received: from DM6PR11MB2555.namprd11.prod.outlook.com ([fe80::9d2c:809e:a5ac:efd2]) by DM6PR11MB2555.namprd11.prod.outlook.com ([fe80::9d2c:809e:a5ac:efd2%6]) with mapi id 15.20.2623.008; Wed, 8 Jan 2020 17:07:12 +0000
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, 'Roman Danyliw' <rdd@cert.org>, 'The IESG' <iesg@ietf.org>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "david.waltermire@nist.gov" <david.waltermire@nist.gov>, "draft-ietf-ipsecme-qr-ikev2@ietf.org" <draft-ietf-ipsecme-qr-ikev2@ietf.org>
Thread-Topic: [IPsec] Roman Danyliw's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)
Thread-Index: AQHVxiasGIY8ZJ1kkEu+aQGbZOljnafg10KAgAARmNA=
Date: Wed, 08 Jan 2020 17:07:12 +0000
Message-ID: <DM6PR11MB25556E43B8712336031FD936C93E0@DM6PR11MB2555.namprd11.prod.outlook.com>
References: <157848972183.22539.2744332616397571958.idtracker@ietfa.amsl.com> <00ec01d5c631$c8b5ea40$5a21bec0$@gmail.com>
In-Reply-To: <00ec01d5c631$c8b5ea40$5a21bec0$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pkampana@cisco.com;
x-originating-ip: [2001:420:2090:1009:8115:d592:a8c6:2a7a]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 06f49d5d-eab7-4bba-41ab-08d7945d346c
x-ms-traffictypediagnostic: DM6PR11MB3674:
x-microsoft-antispam-prvs: <DM6PR11MB36740FAA29CAC17B2C180A4DC93E0@DM6PR11MB3674.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:5516;
x-forefront-prvs: 02760F0D1C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(396003)(136003)(376002)(39860400002)(346002)(13464003)(189003)(199004)(186003)(7696005)(478600001)(52536014)(66446008)(66946007)(66616009)(64756008)(66556008)(2906002)(8676002)(966005)(81156014)(5660300002)(8936002)(4326008)(71200400001)(76116006)(81166006)(66476007)(33656002)(6506007)(53546011)(316002)(110136005)(9686003)(54906003)(55016002)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR11MB3674; H:DM6PR11MB2555.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3dVzriEVSWZnmYG2vQX6VTFrbJ6u4S+Uw9ffoT+0nxor72qiA14i9NMKObFJWl3hiGgwx2frt64OPNaxASPHetinCeG6J94QeXAd72HRr2Owawd9tPHGsrBNtUxs5Dfhmst1Wqpr0wYcuChMHTLAxTLx1+BAxEIJwlJJ71fGcJx3yNG9LalAo3BGg+p457R5LRKSFZAFaY1XLYintjCgiq3/kQtUgq0LjH5vePHcA7P/qly3GuspLDZnRNaeMkYPHohqaBIMYw5R4PXEhtl4CRLWdjJV+xIMgMebaHSAKbxyrlo7OlX+i/5pSmAibxvEuP9lDLlRyLx3L2AAtKi3Y0pKnXg3SybTBxN6fitpbSdX4in1W+aFyOLlMqfLQat5sgjSH0ZAR4XSTPhYttcanRaqBxRLTr0Gr3Gw4KWTkR0V8hntrrsFNgUvv4fG0z5id66daKT8qrhI8PMA5QhbSrJlZ1N1a4F3qjqy4JHUmmEVsPlOpBczdCisyY24kLie7kza/r8en4gVfKbREjOyJVXdd8kj7+j+Elfn2KcRT+nZi6HhM8//r7Ek6hk3rx7J
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0014_01D5C61C.2837FF00"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 06f49d5d-eab7-4bba-41ab-08d7945d346c
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jan 2020 17:07:12.7164 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 6Cpd1gVq+fXDUvqhWTkzT+ZD64AwlffzS1rwsvxhlV7KDy+4QjVm0uH7DUrGm96ioCG04xeiFGZ9ODuW3D9rfA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB3674
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.13, xch-rcd-003.cisco.com
X-Outbound-Node: alln-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AGOIV1SV5UEu597pnzuL2dm1l-w>
Subject: Re: [IPsec] Roman Danyliw's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 17:07:20 -0000

Hi Roman,

Two more comments in addition to Valery's. 

> > ** Section 1.  Per “Recent achievements in developing quantum computers …”, is there a citation?

[I-D.hoffman-c2pq] is a good citation which we use already that talks about the QC concern and Grover and Shor's algorithms. So we could cite it here as well. Now about the latest QC advancements, the latest that I know of was Google's quantum supremacy one https://www.nature.com/articles/d41586-019-03224-w But that will change with other announcements that will come a later. So, I am afraid there is no good citation here other than [I-D.hoffman-c2pq]. 

> -- The definition of quantum resistant doesn’t seem exactly precise.  

There have been four terms that can be used interchangeably. Quantum-safe used by ETSI, post-quantum used by NIST, quantum-secure, and quantum-resistant. Practically all these mean algorithms that are not susceptible to a variant of Shor's algorithm and offer adequate classical and PQ security. NIST defines it as "cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. ". I guess we could use one of the terms throughout the document. And we could rephrase the sentence 

  invulnerable to an attacker with a
  quantum computer.

to say something like 

   secure against classical attackers 
   of today or future attackers with a 
   quantum computer.

Rgs, 
Panos



-----Original Message-----
From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Valery Smyslov
Sent: Wednesday, January 08, 2020 9:42 AM
To: 'Roman Danyliw' <rdd@cert.org>; 'The IESG' <iesg@ietf.org>
Cc: ipsec@ietf.org; ipsecme-chairs@ietf.org; david.waltermire@nist.gov; draft-ietf-ipsecme-qr-ikev2@ietf.org
Subject: Re: [IPsec] Roman Danyliw's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)

Hi Roman,

> Roman Danyliw has entered the following ballot position for
> draft-ietf-ipsecme-qr-ikev2-10: No Objection
> 
> When responding, please keep the subject line intact and reply to all 
> email addresses included in the To and CC lines. (Feel free to cut 
> this introductory paragraph, however.)
> 
> 
> Please refer to 
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> These are all editorial.
> 
> ** Section 1.  Per “Recent achievements in developing quantum 
> computers …”, is there a citation?

Do you mean a citation about achievements? I'm not sure it's easy to find a stable reference here, but probably Scott or David or Panos have a good one...

> ** Section 1. Per:
>    If the preshared key has
>    sufficient entropy and the PRF, encryption and authentication
>    transforms are quantum-secure, then the resulting system is believed
>    to be quantum resistant, that is, invulnerable to an attacker with a
>    quantum computer.
> 
> -- The definition of quantum resistant doesn’t seem exactly precise.  
> A quantum-resistant algorithm isn’t “invulnerable to an attacker with 
> a quantum computer”, rather isn’t it instead no easier to attack than 
> with known classical architectures?

My understanding is that it's infeasible to break such a system even with a help of quantum computer. 
Grover's algorithm still gives an attacker equipped with QC an advantage comparing with classical architectures, but proper selection of algorithms and key lengths doesn't allow him to break the system.

It was discussed a bit during AD's review of the draft:
https://mailarchive.ietf.org/arch/msg/ipsec/8AEgzGjqsDMTUy1X0IB4JWv_zlE

And probably my co-authors will give more authoritative answer here.

> -- The first clause says the underlying primitives are quantum-secure, 
> but then says that this translated into something being 
> quantum-resistant.  I found it confusing to mix both terms (which 
> sometimes are used interchangeably)

To be frank I don't feel difference here, but again I rely on my co-authors here.

> ** Section 1.  Per “This document describes a way to extend IKEv2 to 
> have a similar property; assuming that the two end systems share a 
> long secret key then the resulting exchange is quantum resistant.”, I 
> stumbled over this language a bit because I wasn’t sure which property 
> you were referencing – was it the list of things in the previous 
> paragraph’s last sentence that made it “quantum-secure”?

I believe it is a property of being "quantum-secure" (or "quantum resistant").

If we change all instances of "quantum resistant" with "quantum-secure"
in the Section 1, will the text be more clear?

> ** Section 3. Per the description of modified IKEv2 key derivation:
> 
> -- Recommend explicitly citing the relevant section:
> OLD:
> Then, it computes this modification of the standard IKEv2 key derivation:
> 
> NEW:
> Then, it computes this modification of the standard IKEv2 key 
> derivation from Section 2.14 of [RFC7296]:

OK.

> -- Recommend explaining the notation/relationship between the “prime 
> versions”
> of the sub-keys (i.e., SK_d’ and SK_pi’ and SK_pr’) in the this 
> SKEYSEED formula with the SKEYSEED formula in Section 2.14 of [RFC72196].

I'm not sure I fully understand what you mean.
I think we provide formulas of how prime and non-prime versions are correlated (i.e. how non-prime versions are computed from prime versions).
Am I missing something?

> ** Editorial Nits:
> 
> -- Section 1.  Editorial. s/this note/this document/ -- trying to be 
> consistent on how the I-D references itself.

OK, already noted by Barry.

> -- Section 4.  Editorial.  Recommended clarity:
> 
> OLD:
> This will not affect the strength against a
>    passive attacker; it would mean that an attacker with a quantum
>    computer (which is sufficiently fast to be able to break the (EC)DH
>    in real time) would not be able to perform a downgrade attack.
> 
> NEW:
> This will not alter the resistance to a passive attack as even an 
> attacker with a quantum computer (which is sufficiently fast to be 
> able to break the (EC)DH in real time) would not be able to perform a 
> downgrade attack.

No, this would change the meaning. The idea here that the second optional step of marking all PPKs as mandatory has no effect against passive attackers (because PPK is already used for all connections), instead by this step we protect ourselves against a hypothetical downgrade attack performed by active attacker. So, how about:

    This will not affect the strength against a
    passive attacker, but it would mean that an active attacker with a quantum
    computer (which is sufficiently fast to be able to break the (EC)DH
    in real time) would not be able to perform a downgrade attack.

> -- Section 5.2.3.  Typo. s/Addtionally/Additionally/
> 
> -- Section 6.  Typo. s/transmited/transmitted/

Thank you,
Valery.

> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email