Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis-11
"Valery Smyslov" <svanru@gmail.com> Tue, 13 September 2016 12:34 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7BF212B39C for <ipsec@ietfa.amsl.com>; Tue, 13 Sep 2016 05:34:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.491
X-Spam-Level:
X-Spam-Status: No, score=-1.491 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hZPifFSmc4ME for <ipsec@ietfa.amsl.com>; Tue, 13 Sep 2016 05:34:46 -0700 (PDT)
Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 787F812B396 for <ipsec@ietf.org>; Tue, 13 Sep 2016 05:34:43 -0700 (PDT)
Received: by mail-lf0-x230.google.com with SMTP id u14so108813030lfd.1 for <ipsec@ietf.org>; Tue, 13 Sep 2016 05:34:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-transfer-encoding; bh=Mh+osDW5AwYZzKjfxz1HZaPamn6H5bw1b/bFjR+adcU=; b=M0OE0yp41SFqpNjKXjJAKOzFQJhyAQdB1pjcZcekPy3ORRNW0Cm0bKoWZsU253SgOo D5jdC1gJBcyvbpa/331rtH17GIaCStrH+9n/b76bjX9nIwAUnAAF5q31Kp1hFtQx7Trd eCcp2A2W/I4n1ixNTu5kAqQJfRFRqHT2pJqscHTY9M5Es9HvO96hOROqQo2c5ZYrfs6+ AnL9L4LMWMXo68FOqxMqPjhUUxX4bvOsQ3aQTSJGyzPBK8lx+1pDKnKCMWSwJphwmsIu zzdquV+nFg/6lWSNL8JKfpSTo0mx9sczNzmfk0zu+gAElTMv6dEUCNxhuU6ZZGceKjl6 Vz8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:references:subject:date :mime-version:content-transfer-encoding; bh=Mh+osDW5AwYZzKjfxz1HZaPamn6H5bw1b/bFjR+adcU=; b=DIuq465267re2so9IUlzGyqV1oHlvnyeb+KoZjdkBxYmYiDZkfp18KLVnLlBv1KXp6 P6YsvjADBTegth0n1S5FJhRcNvxVcBujITBVF6JM0BGQongc5ziv7HjtmuIR/bSGTqbR VQw2nDDTon1GSLJuDms/ZBD/DiTtIbnp1MnTeCuc7vHSUNEBJokBHWkF02vLvIVoW3EB 4dWLVxUbj5eOGr0bDFeE0CUf2wZ+FKW9J7Rf9nbVPHDolTcKh08+FDsepHSQzj0c7lfJ hHHJYsljJ5Y14NRflO5y3nJTiSHuxnDlcf2ZD6T1w14JHXiELx1q6+nzpT9MuT8jEnAJ m2vg==
X-Gm-Message-State: AE9vXwN2zCllboPcg2bqxwWbwUIM6ltEeclzbR1ok/kQpGrpWIC3pVHu/LMIsuPubiN+xA==
X-Received: by 10.25.39.15 with SMTP id n15mr7521427lfn.91.1473770081190; Tue, 13 Sep 2016 05:34:41 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id 184sm3934363lfz.22.2016.09.13.05.34.40 for <ipsec@ietf.org> (version=TLS1 cipher=DES-CBC3-SHA bits=112/168); Tue, 13 Sep 2016 05:34:40 -0700 (PDT)
Message-ID: <08AB2EF60E5C4A9C8950483676619B4C@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: IPsecME WG <ipsec@ietf.org>
References: <MWHPR09MB14403260340F6DBF4DADCD8DF0E40@MWHPR09MB1440.namprd09.prod.outlook.com>
Date: Tue, 13 Sep 2016 15:34:35 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Adjpm2NNnc0aECxHEWzOSPaxuog>
Subject: Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis-11
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2016 12:34:49 -0000
Hi,
here is my review of draft-ietf-ipsecme-rfc4307bis-13.
I didn't participate in the recent discussions,
so I'm acting here more or less like "fresh" reader.
Overall, I think that the document is in a good shape, however some
additional polishing is required to improve its clarity and eliminate
possible sources of confusion.
Section 3.1
It is not clear from the table and subsequent comments what key length
for AES corresponds to what requirement levels. Well, it is clear, that
192-bit AES is MAY, however I'm a bit confused abouth other key lengthes.
Does the comment (1) mean that both AES-128-CBC and AES-256-CBC are MUST
and both AES-128-GCM_16 and AES-256-GCM_16 are SHOULD?
Could it be made more clear, e.g. by including key length in the table?
And the comment (IoT) brings even more confusion. It states that
"only 128-bit keys are at MUST level", while the line it refers to
(ENCR_AES_CCM_8) indicates SHOULD level. Well, I guess
that the text means that only AES-128-CCM_8 is SHOULD,
while other key lengthes are MAY, but the current text is really
confusing (yes, it is explained below in one of subsequent paras,
but I still prefer to have more clear statement).
I'd again suggest to add key length into the table so that it is indicated explicitely.
The next para after the table is inaccurate. It states:
ENCR_AES_CBC is raised from SHOULD+ in [RFC4307] to MUST. It is the
only shared mandatory-to-implement algorithm with RFC4307 and as a
result it is necessary for interoperability with IKEv2 implementation
compatible with RFC4307.
However, it is not exactly true. The comment (1) indicates that both
AES-128-CBC and AEC-256-CBC are now MUST, while in RFC4307
AES-256-CBC wasn't mentioned at all, so it definitely wasn't SHOULD+.
So, this statement is true for AES-128-CBC and not true for AES-256-CBC.
Section 3.2
If an algorithm is selected as the integrity algorithm, it SHOULD
also be used as the PRF.
That requirement isn't clear for me. Where it comes from?
How it is justified? Is the document in the position to make such
restrictive requirement? Isn't it a local policy matter?
PRF_HMAC_SHA1 has been downgraded from MUST in RFC4307 to MUST- as
their is an industry-wide trend to deprecate its usage.
I think some more reasons should be given besides "an industry-wide trend".
Industry usually follows standards, so it's a bit silly to refer to industry trends
as a reason here. I think some words about current concerns in the security
of SHA1 should be added (like for PRF_HMAC_MD5 below).
Section 3.3
AUTH_HMAC_SHA1_96 has been downgraded from MUST in RFC4307 to MUST-
as there is an industry-wide trend to deprecate its usage.
See my comment above to the similar sentence in Section 3.2
Section 4.2
| RSASSA-PSS with Empty Parameters | MUST NOT | |
| RSASSA-PSS with Default Parameters | MUST NOT | |
Well, I'm a confused with these requirements.
As far as I understand the RSASSA-PSS parameters default to
using a SHA1 for both hashAlgorithm and maskGenAlgorithm.
Isn't more clear for readers to include
| RSASSA-PSS with SHA1 | MUST NOT | |
instead of these two lines, which in their current form don't
explicitely refer to any cryptographic algorithm and force
reader to dig into RSASSA-PSS specification to just get
know that it was SHA1 meant? Or did I miss something?
Minor/editorial issues.
Abstract:
This
document does not update the algorithms used for packet encryption
using IPsec Encapsulated Security Payload (ESP).
I think AH must also be mentioned here (as RFC 7321 defines algorithms for both).
Section 3.1
Algorithms that are not AEAD MUST be used in conjunction with an
integrity algorithms in Section 3.3.
should be:
Algorithms that are not AEAD MUST be used in conjunction with
integrity algorithms described in Section 3.3.
In the sentence
It has been recommended by the CRFG and others as an
alternative to AES-CBC and AES-GCM.
What "others" mean? Isn't it too vague wording for Standards Track RFC?
Either list these "others" (at least some of them) or remove reference to them.
Section 3.2
PRF_HMAC_SHA2_256 was not mentioned in RFC4307, as no SHA2 based
transforms were mentioned.
This sentence makes little sence for me. Shouldn't second "mentioned" be "defined at that time"?
Later:
PRF_HMAC_SHA2_256 MUST be implemented in
order to replace SHA1 and PRF_HMAC_SHA1.
We are talking about PRFs here, so why SHA1 is mentioned?
If you are talking about general desire to get rid of SHA1-based
transforms, then the sentence should be more explicit abot that.
Section 3.3
AUTH_HMAC_SHA2_256_128 was not mentioned in RFC4307, as no SHA2 based
transforms were mentioned.
See my comment above about similar sentence in Section 3.2
AUTH_AES-XCBC is only recommended in the scope of IoT, as Internet of
Things deployments tend to prefer AES based pseudo-random functions
in order to avoid implementing SHA2.
s/AUTH_AES-XCBC/AUTH_AES-XCBC_96 (as in IANA Registry)
Section 3.4
Group 19 or 256-bit random ECP group was not specified in RFC4307, as
this group were not specified at that time.
See my comment above about similar sentence in Section 3.2
Regards,
Valery.
- [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis-11 Waltermire, David A. (Fed)
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Paul Wouters
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Paul Wouters
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Tero Kivinen
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-rfc4307bis… Waltermire, David A. (Fed)