IETF Logo Mail Archive

Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt-01 update

Tobias Brunner <tobias@strongswan.org> Mon, 24 July 2023 08:22 UTC

Return-Path: <tobias@strongswan.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46B71C151556 for <ipsec@ietfa.amsl.com>; Mon, 24 Jul 2023 01:22:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strongswan.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QPbumsltTsbs for <ipsec@ietfa.amsl.com>; Mon, 24 Jul 2023 01:22:17 -0700 (PDT)
Received: from mail.codelabs.ch (mail.codelabs.ch [IPv6:2a02:168:860f:1::35]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBF89C15108F for <ipsec@ietf.org>; Mon, 24 Jul 2023 01:22:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.codelabs.ch (Postfix) with ESMTP id 686955A0002; Mon, 24 Jul 2023 10:22:13 +0200 (CEST)
Received: from mail.codelabs.ch ([127.0.0.1]) by localhost (fenrir.codelabs.ch [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IOolyryrKM6h; Mon, 24 Jul 2023 10:22:11 +0200 (CEST)
Received: from [IPV6:2a01:8b81:5400:f500:171f:6ffe:20f2:5898] (unknown [IPv6:2a01:8b81:5400:f500:171f:6ffe:20f2:5898]) by mail.codelabs.ch (Postfix) with ESMTPSA id BBC0D5A0001; Mon, 24 Jul 2023 10:22:11 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=strongswan.org; s=default; t=1690186931; bh=+Px4EN17S30qPYzvkjueE6UkKwoadyBI7vL3pRWdjwI=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=CUehbkEanCRilINpSO0O7PAmk0ed4QaKcA4FTvaAMh0oqo2/Z+nIuXsQpoIWvpeXG l/sb7awLHpuKwMoQTjqcDgi7yEwjSN6zB537wHUB53EmF6Kk5HeJ3rB5a+LS9lG476 JBluezhwNt2YAlxcvCMathVf9KL1imy/QPT8jIDG7xxZ8HVZN2/kVcKzhxtMf3rkVl cqGOEGkUUtKKghVVaOLjTcbwPc3kSSQG7Jh6wohTlzTv2wW2WPUBRqYxnmpASXujAW ZaIZX0PwNnnU+vOb/XU6NZr4oCy1rTIALHRNGabML7zLHPrpD7HULZQjia2WpkYrEX VWIUfc+v33fMg==
Message-ID: <f6d53207-5895-8e27-a4fa-678fb1913621@strongswan.org>
Date: Mon, 24 Jul 2023 10:22:11 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
References: <85a82884-feb3-48a7-5d43-509d7ee7fddb@nohats.ca> <e16c2b8e-a33f-4c36-e2df-94eab2cd9a2f@strongswan.org> <718511a9-a593-d832-dff7-669d5c3b9e7b@nohats.ca>
Content-Language: en-US, de-CH-frami
From: Tobias Brunner <tobias@strongswan.org>
In-Reply-To: <718511a9-a593-d832-dff7-669d5c3b9e7b@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/DhGOXjbp7Wcbn4ejW5OWu6z40HE>
Subject: Re: [IPsec] draft-ietf-ipsecme-ikev2-sa-ts-payloads-opt-01 update
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2023 08:22:22 -0000

Hi Paul,

>> * maybe add "incompatible proposal" as a reason for initiating a
>>   regular Child SA rekeying of the first SA (if the KE method used
>>   for IKE is not in the Child SA proposal).
>>
>>   However, I'd honestly prefer if that was just the standardized
>>   behavior for the Child SA created with IKE_AUTH as we really don't
>>   know what KE methods the responder has in its Child SA proposal.
> 
> I would really like to avoid requiring the regular rekey method in the
> protocol. That way, some time in the far future, this could perhaps
> become the only rekey method used. If this draft has a requirement
> for the old method in it, we will never be able to get rid of the older
> one.

It already states in section 3:  "Non-optimized, regular rekey requests
MUST always be accepted."

So e.g. strongSwan always doing a regular rekeying for the first Child
SA as initiator is perfectly in line with the draft.  It's currently
just not described explicitly or the recommended or mandatory behavior.

Which could pose a problem as responder of an optimized rekeying of the
first Child SA.  It works fine in the single KE case if the method in
the KE payload is in the responder's Child SA proposal, but if not, or
if there are multiple key exchanges involved, there could be issues (see
below).

> Additionally, having a different KE for the initial Child that comes
> from the IKE KE and its Child SA rekey is already a questionable/bad
> configuration, since you are not rekeying the child under the same
> level of protection.

Not sure if that's necessarily true for the multi-KE/PQC use case.  One
might want to just protect the IKE SA with multiple big and costly key
exchanges and then only use a single, classic KE to create fresh keys
for the Child SAs (whose KE payloads are exchanged under the protection
of the quantum secure IKE SA).  That the first Child SA will have key
material derived from the "stronger" IKE keys is just an accidental
by-product of how IKEv2 is designed.

A different aspect of the multi-KE/PQC case is that only the IKE SA
requires a classic KE method (to avoid fragmentation during
IKE_SA_INIT), Child SAs could just be rekeyed/created using a single PQC
key exchange.  So the Child SA proposal might not contain the same
number of key exchanges or any classic KE methods but only PQC methods
that were used as additional KEs for the IKE_SA.

Another way to avoid that would be to make childless IKE SA creation
mandatory for implementations of this extension, so the first Child SA
would always have to be created with a separate CREATE_CHILD_SA
exchange.  But since the creation of a new Child SA is pretty much the
same as a classic rekeying, we could also just make the latter mandatory
for the first Child SA if it was created with IKE_AUTH and only rely on
stuff that's already specified in RFC 7296 ;)

> I dont mind doing extra work for those who want
> such questionable/bad configurations, but would not want to add it to
> proper/good configurations that do not need it.

So you're saying some configs, that are valid for regular IKEv2, will
just not work with this extension?  And we'll only know once there is
some kind of failure during the optimized rekeying?  Which can,
admittedly, already happen with regular IKEv2 with mismatched PFS
settings because we don't exchange KE methods during IKE_AUTH.  But then
at least we get a relatively clear NO_PROPOSAL_CHOSEN error immediately.
 In addition to that situation, which could occur here too (i.e.
initiator sends KE payload, responder has no KE methods in its Child SA
proposal and replies with NO_PROPOSAL_CHOSEN), we have multiple
additional ones:

 * Initiator sends a KE payload with a method that the responder has
   not in its Child SA proposal.  So it sends back an INVALID_KE_PAYLAOD
   notify (it doesn't really know what KE methods the initiator
   supports, so it has to guess the method it encodes in the notify from
   its own proposal and maybe the first KE method of the IKE_SA).  What
   is the initiator to do then?  Retry an optimized rekeying with the
   requested method (what if it's not in its proposal)?  Retry with a
   regular rekeying (preferring the requested method, but again it could
   be an unsupported method)?  Abort the rekeying?

 * Initiator has optional additional KE methods (i.e. with NONE) in its
   Child SA proposal while the responder does only have a single KE
   method configured.  Then the initiator might expect multiple key
   exchanges, because that's what the IKE proposal says and it follows
   the draft's SHOULD.  But the responder does not return an
   ADDITIONAL_KEY_EXCHANGE because it adheres to its Child SA proposal.
   What is the initiator to do then?

 * Same as above but reversed.  So the responder expects an additional
   key exchange but the initiator just follows its Child SA proposal and
   is happy with the completed single key exchange, ignores the
   ADDITIONAL_KEY_EXCHANGE notify in the response and does not initiate
   an IKE_FOLLOWUP_KE exchange.  The initiator ends up with a
   successfully rekeyed Child SA, while the responder waits and may only
   abort the incomplete rekeying after a timeout.  The initiator will
   also attempt to delete the old Child SA, which the responder might
   not be able to handle in its "waiting for IKE_FOLLOWUP_KE" state.

>>   So just blindly assuming the IKE's KE methods will be accepted seems
>>   risky (in particular if multiple key exchanges were involved in
>>   creating the IKE SA).  That IKE SA's first KE method can still be
>>   preferred in the Child SA rekeying request if it's in the initiator's
>>   proposal (i.e. use it for the KE payload and list it as first
>>   method in the SA payload).  But if there is a mismatch, it seems
>>   easier to recover during a regular rekeying than blindly trying the
>>   IKE KE method, receiving an INVALID_KE_PAYLOAD and then having to
>>   initiate a regular rekeying all over anyway (if that's even an
>>   option, the draft currently doesn't explicitly say).
> 
> I think a mismatch really means a bad configuration. You are allowing
> a single Child SA to have different KE level protections between REKEYs,
> which is definitely violating the spirit of rekey.

The only way to avoid that would be the extension either making
childless IKE SAs mandatory, or strictly prohibiting inconsistent KE
configs between IKE and Child SAs, taking away quite a bit of
flexibility IKEv2 offers.

>> * I'm still wondering why the critical bit has to be set for the
>>   OPTIMIZED_REKEY notify.  It's a regular Notify payload, so it MUST be
>>   understood by all IKEv2 implementations and setting the bit is
>>   basically redundant (the critical bit only concerns the payload type,
>>   not the contents such as the notify message type - it's also only
>>   allowed to be set in requests so making it an unconditional MUST like
>>   that violates RFC 7296 anyway).
> 
> This is a good point. It might be an argument for OPTIMIZED_REKEY not
> being a NOTIFY payload but its own new payload type. You are right that
> notify payloads cannot have the critical bit set. So if we keep this
> as notify that has to be removed. Although we will end up with a weird
> situation where we get a successfull IKE message exchange, but the
> rekey actually failed. Let's discuss at IETF-117.

Why would there be a problem with the OPTIMIZED_REKEY notify after
successfully exchanging OPTIMIZED_REKEY_SUPPORTED notifies in the
IKE_AUTH exchange?

Regards,
Tobias

v2.23.0 | Report a Bug | By Email