IETF Logo Mail Archive

Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 09 August 2017 18:00 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8361132463 for <ipsec@ietfa.amsl.com>; Wed, 9 Aug 2017 11:00:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7YAyXYVQvrKN for <ipsec@ietfa.amsl.com>; Wed, 9 Aug 2017 11:00:33 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F2EF1321BF for <ipsec@ietf.org>; Wed, 9 Aug 2017 11:00:33 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 21A472009E for <ipsec@ietf.org>; Wed, 9 Aug 2017 14:02:48 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 6A6BF80717 for <ipsec@ietf.org>; Wed, 9 Aug 2017 14:00:32 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <22922.57101.227283.113155@fireball.acr.fi>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <1501968567726.89885@post-quantum.com> <22922.57101.227283.113155@fireball.acr.fi>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 09 Aug 2017 14:00:32 -0400
Message-ID: <7769.1502301632@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AISC38X9YbTaqkC346ahWTsc1Uk>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 18:00:36 -0000

Tero Kivinen <kivinen@iki.fi> wrote:
    > Actually I think it would be better NOT to change IKE_SA_INIT at all,
    > but instead add new exchange between the IKE_SA_INIT and IKE_AUTH.

I agree.  All of the DoS (cookie, etc.) defense and switch to TCP, and
detection of NAT-T, etc. is in the IKE_SA_INIT, and so doing any kind of
framentation in IKE_SA_INIT is a bad idea.

    > Then we do another exchange before the IKE_AUTH, i.e. we do PRE_AUTH
    > exchange before IKE_AUTH using message id 1 (or even message ids 2, 3,
    > 4, etc, as many as are needed). This step does the large blob exchange

Agreed.

    > PRE_AUTH message exchanges before moving to the IKE_AUTH.  This means
    > that the PRE_AUTH exchange most likely needs to have some way of
    > telling the other end when it is done, and when to move to IKE_AUTH.

    > IKE_AUTH then would be just normal IKE_AUTH.

The initiator will know when it is done, won't it? Can't it just move to
IKE_AUTH when it knows it is done?

Is the size of QSKE blob that the responder has to return to initiator likely
to be either unknown to the initator or very different than the
initiator->responder direction?

    > The fact whether we need the PRE_AUTH exchange can be negotiated in the
    > IKE_SA_INIT, either using transform types in SA payload, or using the
    > notify payloads.

Agreed.  I think it needs to be a new transform type.

    > Also if we split data to less than 64k chunks anyways, it might also be
    > better not to use IKEv2 fragmentation, but instead just send several
    > PRE_AUTH exchanges instead.

How big are the blobs?  Your text seems to imply they might very big.

    > Note, that the PRE_AUTH happening between IKE_SA_INIT and IKE_AUTH
    > would be encrypted, and MACed, but it WILL NOT be authenticated, i.e.,
    > we have not yet authenticated the other peer, and we will not include
    > those octets to the AUTH payload calculations, so they will not be
    > authenticated in AUTH phase, like the IKE_SA_INIT contents will be
    > authenticated.

Why couldn't we include those octets in the AUTH phase?

BTW, I don't like the name "PRE_AUTH", I think it should be something like
"AUTH_OBJECTS" or "AUTH_ARTIFACTS".

    > I think this kind of step between IKE_SA_INIT and IKE_AUTH might be
    > easiest and most generic way of transferring the QSKE data. We will be
    > transferring large amount of data anyways, so trying to put it part of
    > IKE_SA_INIT is not useful, and trying to play around with cookies, and
    > IKE_SA_INIT modifications is just adding complexity.

I agree strongly.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email