IETF Logo Mail Archive

Re: [IPsec] WG Last Call on draft-ietf-ipsecme-rfc4307bis

Tero Kivinen <kivinen@iki.fi> Tue, 19 April 2016 11:51 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D200B12DA50 for <ipsec@ietfa.amsl.com>; Tue, 19 Apr 2016 04:51:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6YDsqyUCTj7 for <ipsec@ietfa.amsl.com>; Tue, 19 Apr 2016 04:51:30 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B004712DA0F for <ipsec@ietf.org>; Tue, 19 Apr 2016 04:51:29 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u3JBpQbi025742 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 19 Apr 2016 14:51:26 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u3JBpQGZ005951; Tue, 19 Apr 2016 14:51:26 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22294.7102.668482.719553@fireball.acr.fi>
Date: Tue, 19 Apr 2016 14:51:26 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <C6A65F7DC54E48DC8B37AFA86382E9F5@buildpc>
References: <325E33E7-8F06-414A-B0BB-FCBEEA8CC6C6@vpnc.org> <570AE1AD.3060001@gmail.com> <22283.40143.898294.982675@fireball.acr.fi> <1A58AF23AD5745489DD523298658A0D5@buildpc> <22292.59604.428309.798578@fireball.acr.fi> <C6A65F7DC54E48DC8B37AFA86382E9F5@buildpc>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 14 min
X-Total-Time: 28 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/FVH-xpDEXQxD56MxP_p6t_KgNTM>
Cc: IPsecME WG <ipsec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] WG Last Call on draft-ietf-ipsecme-rfc4307bis
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2016 11:51:31 -0000

Valery Smyslov writes:
> No. it was different discussion. We discussed the situation 
> when peers have several private keys for different algorithms
> (say RSA and ECDSA) and the way they select the proper one.
> 
> Now consider the situation when a host has a single key pair for RSA.
> However, it can either prepare RSASSA-PKCS1-v1.5 signature
> or RSASSA-PSS signature. The problem is that the host
> doesn't know if its peer supports RSASSA-PSS or not and RFC7427 
> doen't allow peers to indicate what formats are supported - only hashes 
> are exchanged.

My original idea was that while changing to the RFC7427 everybody
would also move to the RSASSA-PSS and PKCS1-v1.5 would be obsoleted at
that point. I.e., if you implement RFC7427 you should also get the RSA
updated to the safer version.

I mean if you are using RSASSA-PKCS1-v1.5 you can use old
authentication method, the RFC7427 support is needed for RSASSA-PSS.
And RSASSA-PKCS1-v1.5 has some issues. This is described in the
RFC7427 Introduction and Security Considerations sections.

> In your draft you artificially link Digital Signature auth with
> support for RSASSA-PSS, so if you support Digital Signature
> authentication them you MUST support RSASSA-PSS. I understand that
> this is probably the only possible solution for now, but in general
> this linkage is not a good thing. If tomorrow RSASSA-PSS is updated
> and a new uncompatible RSASSA-PSSv2 is adopted, then how will the
> peers indicate that this new format is supported? We'll have a lot
> of interoperability issues...

If RSASSA-PSSv2 is done because RSASSA-PSS is found broken, then we
just mark RSASSA-PSS as MUST NOT, and move to the new version.

Anyways the reason why there is no negotiation for the private key
type or signature algorithm other than hash is that the IKE_SA_INIT
exchange needs to be kept short so adding too my negotiation stuff
there is bad idea. This was discussed when the RFC7427 was being
written.

The original idea was to support ECDSA, and RSASSA-PSS was more or
less a side-product from the final design. But it was still
side-product that people wanted to keep. We also did not allow
negotiating other parameters in the RSASSA-PSS [1].

You did propose making negotiation more complex [2] during the WGLC of
RFC7427, but as you can see from my reply [3] it would get really
complicated then. Then in the end of that discussion we didn't make
any changes to the document.

[1] https://www.ietf.org/mail-archive/web/ipsec/current/msg08027.html
[2] https://www.ietf.org/mail-archive/web/ipsec/current/msg08671.html
[3] https://www.ietf.org/mail-archive/web/ipsec/current/msg08673.html
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email