Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
"Valery Smyslov" <svanru@gmail.com> Wed, 23 August 2017 13:34 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18D0C132C12 for <ipsec@ietfa.amsl.com>; Wed, 23 Aug 2017 06:34:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.199
X-Spam-Level:
X-Spam-Status: No, score=-1.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17AFUAGlA_TV for <ipsec@ietfa.amsl.com>; Wed, 23 Aug 2017 06:34:40 -0700 (PDT)
Received: from mail-lf0-x232.google.com (mail-lf0-x232.google.com [IPv6:2a00:1450:4010:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DA28132518 for <ipsec@ietf.org>; Wed, 23 Aug 2017 06:34:39 -0700 (PDT)
Received: by mail-lf0-x232.google.com with SMTP id y15so434807lfd.5 for <ipsec@ietf.org>; Wed, 23 Aug 2017 06:34:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=5M5ofUnM2In2D3zqOhQM7nu8E0q8Zogz2XlyM8hkdYk=; b=Vcfss9X7uLQGpgte9F9gSfYqnlYXZGLOtbyIwloYPTsHT9n0xMeb7jKYu+rKKX6Ws5 zuSQ49tgm898wurIL5f60f2IlyqP+nA5rxlPrtq1+G4REIV6+bEkMXa14w0roiFb4kND vvtNfZmLZ+upwECVo5W8/pOWF/9QUyrqpH5aXOrhVRoLi6dBd1S7S2M5v9os2azsFvzs 0uPoo/gUyHJ7mb57XakXWce2+QYsuDmZJIhDNj5A9ej4TqP40WZOJc1Cqkbta9CCPZo7 nB7un0R7A1VsF8sShRhAqI9rKtscvKcTIg7iBnDAFw7Y97iYX/4Eczu7kHnAzx1vIr0Y xnXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=5M5ofUnM2In2D3zqOhQM7nu8E0q8Zogz2XlyM8hkdYk=; b=Sivhtg1FBk/osNve5ohLRzoyRkdqjXrDf9bCfS9lRPns01hRktpkptN9LzaoZ0rG81 SxpncvObjQSueM3JvhjsjCWeV1E7s+aWxnNg5fp5ml8QO2dHDvcFFVYQFcKsgrMweLPf IKfH121eFEve6L/iqRoi/cfG6PGk3pzwl+3TF90V9JivvCqFkT7U8h56+/aMetQ1mqd/ BecOlvUbhR8xnHeZDeKYjprl6MZ5PLrMVlX4cowFd/gPgnllTAhp9EMckSuWPlJYlrNu dN32Toy5DKBsiGXfOJ2GgyJ5uGVwcc9wHZdVy7TjwSdRJBx0jl1ylUJeiTk4/MOrAleg r4YQ==
X-Gm-Message-State: AHYfb5jxXuNeq1Y7SlBE9MBRMV3v0Cqhlrnl0LIie6W1MXjHqDjpj6ir 02HEo+sVs4vSUf0w
X-Received: by 10.46.20.77 with SMTP id 13mr1052610lju.151.1503495277542; Wed, 23 Aug 2017 06:34:37 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id 78sm257340ljz.23.2017.08.23.06.34.35 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 23 Aug 2017 06:34:36 -0700 (PDT)
From: Valery Smyslov <svanru@gmail.com>
To: "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'Paul Wouters' <paul@nohats.ca>, ipsec@ietf.org
Cc: 'Vukasin Karadzic' <vukasin.karadzic@gmail.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com> <001701d31a89$3cf35ca0$b6da15e0$@gmail.com> <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com>
In-Reply-To: <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com>
Date: Wed, 23 Aug 2017 16:34:35 +0300
Message-ID: <00f701d31c14$901b2ca0$b05185e0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFrzo/mLNHQ912KAIRbgs5wCt+pzQFW4fuSAboNkmMBqLGLp6M6udRg
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AVTxMdJnnPXJf9sibi1cXa1PMiM>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2017 13:34:42 -0000
Hi Panos,
> Valery,
> It is a good idea. A new optional notification that includes the auth_data as it would be calculated without the
> PPK would work. With that, the corner case of ' PPK_id configured on initiator but missing on the responder' is
> addressed. There is an additional cost of the extra notification message for every initiator that has no-
> mandatory ppk configured for the responder.
Yes, and there is also an extra cost for initiator of performing AUTH calculation (e.g. digital signature)
twice - one with SK_p' and the other with SK_p. Good news are is that it is
a) is performed by initiator only, so there is no risk of DoS attack on responder
b) is needed only if initiator is configured in "permissive" mode - when its policy allows both PPK and non-PPK
SAs with the particular responder
> In the worst case scenario the responder would need to go
> through looking up the PPK_id and if that fails then authenticate the auth_data. Even though it is slightly
> more work for the responder, I don't consider that heavy processing that would introduce attack concerns.
Exactly.
> My concerns is that we might be making it too complicated by potentially introducing two separate SK_p's.
> From an ops perspective, if we stated the rule that when we want to go postquantum a PPK should be
> populated on the responder first as Graham and others suggested, then the extra complication of a new
> notification can be avoided. Violation of that rule would lead to IKE_AUTH failure for that initiator only.
In general I think that if protocol allows more flexible operational conditions, then it is a good thing.
If we add this feature, then it will be completely optional for both initiator and responder
(neither initiator is required to send NO_PPK_AUTH, nor responder is required to understand it).
So, if people strictly follow transition plan, then there is no much need in this feature.
However, I suspect that in fields some folks may find these rules too restrictive under some circumstances.
So we can add a bit more flexibility in the protocol for those folks for a relatively low cost.
Regards,
Valery.
> Vukasin,
> Any thoughts from an implementer's standpoint?
>
> Panos
>
>
> -----Original Message-----
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Valery Smyslov
> Sent: Monday, August 21, 2017 10:25 AM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Paul Wouters' <paul@nohats.ca>; ipsec@ietf.org
> Cc: 'Vukasin Karadzic' <vukasin.karadzic@gmail.com>
> Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
>
> Hi Scott,
>
> > > then it has to flip a coin on whether or not to send the PPK_SUPPORT
> > > notify and if it guessed wrong, the AUTH payload on the initiator
> > > will be wrong. Sending the notify commits to using a PPK because the
> > > initiator uses it as input to the AUTH payload.
>
> [...]
>
> > > One way of solving this could be to allow PPK_SUPPORT to have some
> > > notify data, which could for instance be a hash of the
> > > connection/group name used by the responder.
> > > Another option is to use the PPK as one of the inputs to some hash
> > > algorithm as PPK_SUPPORT data, so the responder can go through its
> > > list of PPKs to match it back to a connection/group. But we would
> > > need to be sure that this does not open up the PPK to attacks
> > > (classic and
> > > quantum)
> >
> > That's what we did in our original proposal (actually, it was a
> > function of the PPK itself). The problems with that were:
> >
> > - If we made it a nondeterministic function (that is, include a
> > randomizer), then the server had to do a linear scan over all their known PPKs to find the matching one.
> >
> > - If we made it a deterministic function, then someone listening in
> > can trivially determine when we're reusing the same PPK
> >
> > (There's also a minor issue of "which hash function to use"; we haven't negotiated any at this time).
> >
> > A linear scan over possibly 10,000 PPKs was considered unacceptable.
> > One of our proposals even allowed the server to specify the trade-off between the above two; that was
> considered too complex.
> >
> > I'm not thrilled with Tero's answer of "lets be careful about the
> > order we upgrade things in complex networks", but I don't know how to
> > better solve it without adding lots of complexity to the protocol, potential anonymity leaks or requiring
> significant computation on the server side.
>
> One (relatively) simple solution would be the following.
>
> If initiator is configured with PPK, but at the same time its policy marks using PPK as optional, then the
> initiator can send two authenticators - one using SK_pi' and the other using SK_pi (where SK_pi = prf(PPK,
> SK_pi')). The one, computed using SK_pi (where PPK is involved) is placed in AUTH payload, and the other,
> computed using SK_pi' (without PPK) is placed in a new optional status notification NO_PPK_AUTH.
>
> Initiator Responder
> ------------------------------------------------------------------
> HDR, SK {IDi, [CERT,] [CERTREQ,]
> [IDr,] AUTH, SAi2, TSi, TSr,
> N(PPK_IDENTITY)(PPK_id),
> [N(NO_PPK_AUTH)(auth_data)] } --->
>
> When responder receives this message and cannot find the corresponding PPK based on PPK_id and is
> configured to allow PPK-less SA, it can still authenticate initiator by using the content of NO_PPK_AUTH.
> In this case the Responder replies with the IKE_AUTH response lacking PPK_IDENTITY to let the initiator know
> that AUTH payload is computed as per RFC7296 (using SK_pr', i.e. without using PPK).
>
> <--- HDR, SK {IDr, [CERT,]
> AUTH, SAr2, TSi, TSr}
>
> If the responder has the corresponding PPK, then it computes its AUTH payload using SK_pr and includes
> PPK_IDENTITY notification:
>
> <--- HDR, SK {IDr, [CERT,]
> AUTH, SAr2, TSi, TSr,
> N(PPK_IDENTITY)(PPK_id)}
>
> This solution allows peers to communicate in different settings and to enforce their own policy.
> For instance, if the initiator is configured to always use PPK, it won't include NO_PPK_AUTH at all. If responder
> is configured to always use PPK, it will just ignore NO_PPK_AUTH and return AUTHENTICATION_FAILED in case
> the proper PPK is not found.
>
> Regards,
> Valery.
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Derrell Piper
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Graham Bartlett (grbartle)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Vukasin Karadzic
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)