[IPsec] My shepherd review to draft-ietf-ipsecme-ikev2-multiple-ke
Tero Kivinen <kivinen@iki.fi> Sat, 04 June 2022 17:36 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F764C1595E6; Sat, 4 Jun 2022 10:36:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ZIMeFB4FrRm; Sat, 4 Jun 2022 10:36:03 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [IPv6:2a0b:5c81:1c1::37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3782C157B5E; Sat, 4 Jun 2022 10:35:58 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 535321B00228; Sat, 4 Jun 2022 20:35:54 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1654364154; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ErUkX/STN8CX2uQinHEZLAQQ+EoVOyDpBitms30Ykd4=; b=uJBBCS0mJHg0N4Npk+FZxXGKa0VPxSo9snTYODLvEIHIqbSPEITQTtjferq/lsnfoU1aL6 7p42uz03qiIxaW3y3KvyH6yBzG7CDTDRPrpeaZzLu1k7F6xsskAYDLfTi5iMsXRTFiCg7u HHqPlcIsK/MEx2mdCKyrVGysn4C+DDnjDlREOeIqMgePY103dEmMokDblpWwkd08AFENyn EfTUsMlUPYQk/FOsX4oAahkIXl/BEoeUrDuV2urpQjTLeMTjZ9wmR0C8Sfb/nIC1XPbh41 qb8GotDevjccJx1oHB5kBWiWgrvvnmFFDwv820w6QN9Q3/m4l7gQgiLMjggs4w==
Received: by fireball.acr.fi (Postfix, from userid 15204) id BABA825C12DC; Sat, 4 Jun 2022 20:35:53 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25243.38905.695894.645904@fireball.acr.fi>
Date: Sat, 04 Jun 2022 20:35:53 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: draft-ietf-ipsecme-ikev2-multiple-ke@ietf.org
CC: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 55 min
X-Total-Time: 80 min
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1654364154; a=rsa-sha256; cv=none; b=T/GTZInoYaz9cyfhlX4pFK/eCcfesBP5iapFih4u4wy5k15/CKL1pCBCnQ6IroC8PL8+Lv 6wf8CZb43zIV2/n5Hhk5y6Dd1t+t6AMZaqeT03qExVDNIJQH2/DSXgDSnNpFSn1k2WItly Qow8Tsd1lm52KOhWFGX75hgzqnHXbSYFFCsjL9ejGVmdaBaQ0jHvXjYGGOBoYhHpV1lGP9 TUiPxxF6Y8ZgO2vXmprW3Lbm2oydrxK3KoTg+aoChm0+r7rPivxQBPCJ7LwenR75uvQoUi cckmQ1VxT6sLgmYMcfQZ0INpRoj57plZU4qdEIRt8sn7UKXzCYGck/39siwzrA==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1654364154; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ErUkX/STN8CX2uQinHEZLAQQ+EoVOyDpBitms30Ykd4=; b=jhiPYtSHtF8OtT6IOpWeUTQV9PSv1Q4SV5YhHE7ydlvCdx0DZvy3W6Ax8fxrZ+cSsoxy0X ZyDM09J+E5wvmlipA8EmdGf1T85lpEdMfOcMoNaqsnhukZ7Hsq4Q1I4x8NR/6mTWj54iKn VJsHzn+PiXcMfS9qbBydGrbD8Sph+Sxz0Axv6V7wexa7OPQoAImyNiM4GolC4Vp4F9vbbi v1vdQf8b2ubuRJoxMhy168BV85nLrdoMRyECxzicm9pCfU+/sE4QJNC2R1aYryTS4b4zwt HF7ww8iqPNGLNnz9VDWi4A1MrSdqwEQ+IOvAK3afNy81vZrcCr0CJOiNDDb8IQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/E_TWyBUj6Yy55kRRlXET9kFWe0Y>
Subject: [IPsec] My shepherd review to draft-ietf-ipsecme-ikev2-multiple-ke
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jun 2022 17:36:08 -0000
In section 1.2 the text is describing the protocol in bit too much historic point of view, it could benefit from more direct approach. For example changing: Some post-quantum key exchange payloads may have sizes larger than the standard maximum transmission unit (MTU) size, and therefore there could be issues with fragmentation at the IP layer. IKE does allow transmission over TCP where fragmentation is not an issue [RFC8229]; however, we believe that a UDP-based solution will be required too. IKE does have a mechanism to handle fragmentation within UDP [RFC7383], however that is only applicable to messages exchanged after the IKE_SA_INIT exchange. To use this mechanism, this specification relies on the IKE_INTERMEDIATE exchange as outlined in [I-D.ietf-ipsecme-ikev2-intermediate]. to something like Some post-quantum key exchange payloads may have sizes larger than the standard maximum transmission unit (MTU) size, and therefore there could be issues with fragmentation at the IP layer. To allow using those larger payload sizes this mechanism relies on the IKE_INTERMEDIATE exchange as specified in [I-D.ietf-ipsecme-ikev2-intermediate]. I.e., as the current protocol as specified here always uses the IKE_INTERMEDIATE, there is no point of explaining the issue with IKE_SA_INIT not being able to be fragmented, or whether we use TCP or not. Those do not really matter. Also I think the I-D.ietf-ipsecme-ikev2-intermediate actually do specify the protocol, not just outline it :-) The text after that do explain that we use RFC7383 fragmentation etc to allow those larger messages to go through. -- Also in section 1.2 change "discussed" in: A short term solution to make IKEv2 key exchange quantum secure is to use post-quantum pre- shared keys as discussed in [RFC8784]. ^^^^^^^^^ to "specified", or "described" etc. I think RFC8784 does bit more than just discuss about post-quantum pre-shared keys.... -- In section 1.2 change "draft" to "specification" in: This draft does not attempt to address key exchanges with KE payloads longer than 64k; -- In section 2 remove "proposed" in: The design of the proposed extension is driven by the following criteria: -- In section 2 change "ECDH" to "(EC)DH": Hybrid. Currently, there does not exist a post-quantum key exchange that is trusted at the level that ECDH is trusted against conventional (non-quantum) adversaries. The current IKEv2 have both normal DH and ECDH, and I think we still consider both of them to be trusted, and we do use term "(EC)DH" elsewhere in the draft. Actually we also use "DH or ECDH" and "DH and ECDH" quite a lot, so we could harmonize all of them to "(EC)DH" through out the draft. -- In section 3.1 change "the proposed framework" to "this specification" in: In order to be able to use IKE fragmentation [RFC7383] for those key exchanges that may have long public keys, the proposed framework utilizes the IKE_INTERMEDIATE exchange defined in [I-D.ietf-ipsecme-ikev2-intermediate]. -- In section 3.2.1: If the responder selected NONE for some Additional Key Exchange types (provided they were proposed by the initiator), then the corresponding IKE_INTERMEDIATE exchanges should not take place. The IKE_INTERMEDIATE exchanges MUST only be performed for Additional Key Exchange types containing non-NONE responders choices. The "should not take place" in first sentence and "MUST only be performed" in second sentence are contradictionary. I think changing the first sentence so that instead of saying "should not take place" to "MUST NOT take place" is correct, but then we say same thing twice... Also perhaps we should also said that if initiator jumps over some additional key exchange (like in example we have AKE2, AKE3, and AKE5, but no AKE4), then the corresponding IKE_INTERMEDIATE exchange is also omitted (the second "MUST only" sentence do cover this as if we do not have AKE4, we can't have non-NONE value there, but do we want to mention this case explictly?). The end of that paragraph seems to have something missing: It means that if the initiator includes NONE in all Additional Key Exchange transforms and the responder selects this value for all of them, then no IKE_INTERMEDIATE exchanges will take place between the peers. perform additional key exchanges will take place (note that they still may take place for other purposes). (i.e. text starting "perform additional key exchanges" seems to be misplaced, or miss something). -- In section 3.2.5 I think the text: One such example is in G-IKEv2 protocol [I-D.ietf-ipsecme-g-ikev2] where cryptographic materials are exchanged in IKE_SA_INIT messages between group member and the group controller. is incorrect, as I do not think g-ikev2 has any cryptographic material in IKE_SA_INIT, but it do have cryptogarphic material in the GSA_AUTH, so replace IKE_SA_INIT with GSA_AUTH. -- In appendix A, indicate the "Diffie-Hellman Group Num" in KE[ir]* payloads of the examples. For example in A.2 change the line: HDR(CREATE_CHILD_SA), SK{ SAi(.. AKE*...), Ni, KEi } ---> ... Nr, KEr, to HDR(CREATE_CHILD_SA), SK{ SAi(.. AKE*...), Ni, KEi(Curve25519) } ---> ... Nr, KEr(Curve25519), and HDR(IKE_FOLLOWUP_KE), SK{ KEi(1), ---> N(ADDITIONAL_KEY_EXCHANGE)(link1) } <--- HDR(IKE_FOLLOWUP_KE), SK{ KEr(1), N(ADDITIONAL_KEY_EXCHANGE)(link2) } to HDR(IKE_FOLLOWUP_KE), SK{ KEi1(PQ_KEM_2), ---> N(ADDITIONAL_KEY_EXCHANGE)(link1) } <--- HDR(IKE_FOLLOWUP_KE), SK{ KEr1(PQ_KEM_2), N(ADDITIONAL_KEY_EXCHANGE)(link2) } and HDR(IKE_FOLLOWUP_KE), SK{ KEi(2), ---> N(ADDITIONAL_KEY_EXCHANGE)(link2) } <--- HDR(IKE_FOLLOWUP_KE), SK{ KEr(2) } to HDR(IKE_FOLLOWUP_KE), SK{ KEi2(PQ_KEM_5), ---> N(ADDITIONAL_KEY_EXCHANGE)(link2) } <--- HDR(IKE_FOLLOWUP_KE), SK{ KEr2(PQ_KEM_5) } -- In A.3 example the text: The initiator indicates, using the key exchange method NONE, that either PQ_KEM_1 or PQ_KEM_2 must be used to establish a security association. is misleading. The initiator indicates using key exchange method NONE, that selecting PQ_KEM_3 or PQ_KEM_4 is optional, but PQ_KEM_1 or PQ_KEM_2 is mandatory. Change that to: The initiator indicates, that either PQ_KEM_1 or PQ_KEM_2 must be used to establish a security association, but AKE2 is optional so responder can either selecte PQ_KEM_3, or PQ_KEM_4, or omit the both of the key exchanges by selecting NONE. -- It would be good idea to also have one exchange where everything goes correctly and we use some of the additional key exchanges also in the IKE_INTERMEDIATE exchange, i.e., same example as A.2 but with using IKE_INTERMEDIATE instead of IKE_FOLLOWUP_KE, perhaps even explain the SKEYSEED, SK_d and SK_{a,e}{i,r} key updates. -- In appendix B I think the text: payloads instead. In fact, as described above, we use the KE payload in the first IKE_SA_INIT request round and the notify payload to carry the post-quantum proposals and policies. We use one or more of the existing KE payloads to carry the hybrid public values. is misleading, as I do not think we use "and the notify payloads to carry the post-quantum proposals and policies". I would remove that part completely. -- As I think the solution we are using is not solved only by IKE_INTERMEDIATE, but also generic IKEv2 fragmentation, so the text: service (DoS) attacks. By using IKE_INTERMEDIATE to transport the large post-quantum key exchange payloads, there is no longer any issue with fragmentation. is bit misleading and perhaps changing it to: service (DoS) attacks. By using IKE_INTERMEDIATE to transport the large post-quantum key exchange payloads, and using generic IKEv2 fragmentation protocol [RFC7383] solves the issue. -- kivinen@iki.fi
- [IPsec] My shepherd review to draft-ietf-ipsecme-… Tero Kivinen
- Re: [IPsec] My shepherd review to draft-ietf-ipse… Valery Smyslov