Re: [IPsec] RFC4869 bis submitted

Scott C Moonen <smoonen@us.ibm.com> Thu, 12 November 2009 19:41 UTC

Return-Path: <smoonen@us.ibm.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 61FAC3A67D4; Thu, 12 Nov 2009 11:41:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.298
X-Spam-Level:
X-Spam-Status: No, score=-6.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fRl2-DbYMUZw; Thu, 12 Nov 2009 11:41:45 -0800 (PST)
Received: from e34.co.us.ibm.com (e34.co.us.ibm.com [32.97.110.152]) by core3.amsl.com (Postfix) with ESMTP id B39333A691F; Thu, 12 Nov 2009 11:41:45 -0800 (PST)
Received: from d03relay02.boulder.ibm.com (d03relay02.boulder.ibm.com [9.17.195.227]) by e34.co.us.ibm.com (8.14.3/8.13.1) with ESMTP id nACJb4c9025964; Thu, 12 Nov 2009 12:37:04 -0700
Received: from d03av05.boulder.ibm.com (d03av05.boulder.ibm.com [9.17.195.85]) by d03relay02.boulder.ibm.com (8.13.8/8.13.8/NCO v9.1) with ESMTP id nACJg14O238056; Thu, 12 Nov 2009 12:42:02 -0700
Received: from d03av05.boulder.ibm.com (loopback [127.0.0.1]) by d03av05.boulder.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id nACJg1PN030255; Thu, 12 Nov 2009 12:42:01 -0700
Received: from d03nm118.boulder.ibm.com (d03nm118.boulder.ibm.com [9.17.195.144]) by d03av05.boulder.ibm.com (8.14.3/8.13.1/NCO v10.0 AVin) with ESMTP id nACJg1GS030250; Thu, 12 Nov 2009 12:42:01 -0700
In-Reply-To: <20091111205238.GK101633@sun.com>
References: <D22B261D1FA3CD48B0414DF484E43D3211B49B@celebration.infosec.tycho.ncsc.mil> <006FEB08D9C6444AB014105C9AEB133FB36A4EBFB3@il-ex01.ad.checkpoint.com> <20091111205238.GK101633@sun.com>
To: Dan McDonald <danmcd@sun.com>
MIME-Version: 1.0
X-KeepSent: A9EE68F0:EBDA9158-8525766C:006A268C; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.0.2 HF623 January 16, 2009
From: Scott C Moonen <smoonen@us.ibm.com>
X-MIMETrack: S/MIME Sign by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 11/12/2009 02:41:42 PM, Serialize by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 11/12/2009 02:41:42 PM, Serialize complete at 11/12/2009 02:41:42 PM, S/MIME Sign failed at 11/12/2009 02:41:42 PM: The cryptographic key was not found, Serialize by Router on D03NM118/03/M/IBM(Release 8.5.1HF41 | October 22, 2009) at 11/12/2009 12:42:01, Serialize complete at 11/12/2009 12:42:01
Message-ID: <OFA9EE68F0.EBDA9158-ON8525766C.006A268C-8525766C.006C3706@us.ibm.com>
Date: Thu, 12 Nov 2009 14:42:00 -0500
Content-Type: multipart/alternative; boundary="=_alternative 006C306D8525766C_="
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, ipsec-bounces@ietf.org, Yoav Nir <ynir@checkpoint.com>, "Law, Laurie" <lelaw@tycho.ncsc.mil>
Subject: Re: [IPsec] RFC4869 bis submitted
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 19:41:47 -0000

> > While the algorithms and DH groups are subject to configuration in the 
UI
> > and negotiation in IKE, the algorithm used to sign the certificates is
> > outside the IKE implementation. You usually have a certificate that 
you
> > need to use, and it's the CA's decision whether this is signed with 
RSA,
> > DSA or ECDSA. There's even some ambiguity, because it's not 
necessarily
> > true, that the public key in the certificate is for the same 
algorithms
> > used to sign the certificate.
> 
> I strongly agree with Yoav here.

I strongly agree with Yoav and Dan on decoupling the authentication method 
from the suite.  This places an unnatural configuration burden on an IKE 
implementation.  It is proper to configure one's choice of certificate -- 
but it is not natural to configure the certificate's authentication 
algorithm independently of simply choosing the desired certificate or CA.

> Many IKEv1's have Phase 2 PFS as an on/off switch.  It would be nice if 
you
> picked one for these (either always-on or always-off).

How would such an implementation handle RFC 4308?  Our own implementation 
supports sending offers with and without PFS, but it does seem odd to me 
that these RFCs would punt on the decision to use PFS.  There are valid 
reasons for either approach (CPU cost versus key independence).  I suppose 
we could create separate versions of the suites with and without PFS, but 
it's probably ok for the suites to simply be "opinionated".  I guess that 
means we'd go with PFS=on.


Scott Moonen (smoonen@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://www.linkedin.com/in/smoonen



From:
Dan McDonald <danmcd@sun.com>;
To:
Yoav Nir <ynir@checkpoint.com>;
Cc:
"ipsec@ietf.org"; <ipsec@ietf.org>;, "Law, Laurie" <lelaw@tycho.ncsc.mil>;
Date:
11/11/2009 03:54 PM
Subject:
Re: [IPsec] RFC4869 bis submitted



On Wed, Nov 11, 2009 at 10:07:31PM +0200, Yoav Nir wrote:
> While the algorithms and DH groups are subject to configuration in the 
UI
> and negotiation in IKE, the algorithm used to sign the certificates is
> outside the IKE implementation. You usually have a certificate that you
> need to use, and it's the CA's decision whether this is signed with RSA,
> DSA or ECDSA. There's even some ambiguity, because it's not necessarily
> true, that the public key in the certificate is for the same algorithms
> used to sign the certificate.

I strongly agree with Yoav here.

Especially given certificate operations are much rarer in IKEv2 (given 
their
SAs last indefinitely long), would 2048-bit RSA or 4096-bit RSA certs be
unreasonable?  I understand the cert-chain issues with weak hashes, but 
those
do not come directly into play during the IKE exchange.  (Imagine 
self-signed
certs for IKE, e.g.)

> The UI suites RFC that defined VPN-A and VPN-B did not mandate RSA or
> DSA. I don't see why 4869 or 4869-bis should. I don't think it's part of
> the algorithm configuration.

Also --> the new bis document talks about IKEv1's Phase 2 Diffie-Hellman 
as a
MAY without saying it.  I quote:

  Rekeying of Phase 2 (for IKEv1) or the CREATE_CHILD_SA (for IKEv2)
  MUST be supported by both parties in this suite.  The initiator of
  this exchange MAY include a new Diffie-Hellman key; if it is
  included, it MUST use the 256-bit random ECP group.  If the
  initiator of the exchange includes a Diffie-Hellman key, the
  responder MUST include a Diffie-Hellman key, and it MUST use the
  256-bit random ECP group.

Many IKEv1's have Phase 2 PFS as an on/off switch.  It would be nice if 
you
picked one for these (either always-on or always-off).

Dan
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec