Re: [IPsec] secdir review of draft-ietf-lwig-minimal-esp-03
David Mandelberg <david@mandelberg.org> Thu, 01 April 2021 02:17 UTC
Return-Path: <david@mandelberg.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00F9E3A0E68 for <ipsec@ietfa.amsl.com>; Wed, 31 Mar 2021 19:17:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mandelberg.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmHTKmFy_2BA for <ipsec@ietfa.amsl.com>; Wed, 31 Mar 2021 19:17:53 -0700 (PDT)
Received: from mail-qt1-x863.google.com (mail-qt1-x863.google.com [IPv6:2607:f8b0:4864:20::863]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 652283A0E6C for <ipsec@ietf.org>; Wed, 31 Mar 2021 19:17:53 -0700 (PDT)
Received: by mail-qt1-x863.google.com with SMTP id i19so483421qtv.7 for <ipsec@ietf.org>; Wed, 31 Mar 2021 19:17:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:dkim-signature:subject:to:references:from :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=tMxLR7NYhfXDxuZEVGj153ZKGkhssDbYAm77VUdJl54=; b=oMT3bdNPmOoP+Ubs1FXgvdLpnAwVdTEDPVQkOOehwGuHXNaObNEN3RSTdKOIMdSApa +Ele3pjgAgy/apbqJQVkNz4YMCwY5Ko0AlhgaHfWp3KVYUEWetQKFID0SLocezTentU4 jXpCBIjzgPpCW1MeWX2UQCL+MQGEHesP15oJLPi4xNk8dq86Xp2jGqIx406IRhSxNEbr 8uqMoC/DY52pzTdc/aWT4B99HnE+QGTlRnqCPY6V5H5x/pBQsd8793vlnQqcPZ98ScOc mxacBDHi/GcyRlYYUJ/h9CVGzvD0QB2hJmpoiqDepkTiAGzXhqxMnk9hSNPHW8u8aCA3 0v5w==
X-Gm-Message-State: AOAM532nyzi7q0Av40EI+662BKX+bj53DXtXbSriCdaG3DVSNB3DMf0C 3hZR/M1Zkg2IAbo8CD3CDNjv+7WxfgMX3mmwrzOySokECwt4sA==
X-Google-Smtp-Source: ABdhPJwo35AinhX9ENdcyT+h6lWJPa2TiEGsPo+gtZVZhm2vHmdeArJJIHLv5PawOA9NgcLEg++kWHmy9+CV
X-Received: by 2002:ac8:4e0a:: with SMTP id c10mr5313544qtw.381.1617243470275; Wed, 31 Mar 2021 19:17:50 -0700 (PDT)
Received: from uriel.mandelberg.org (pool-74-104-157-60.bstnma.fios.verizon.net. [74.104.157.60]) by smtp-relay.gmail.com with ESMTPS id s188sm1408895qke.7.2021.03.31.19.17.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Mar 2021 19:17:50 -0700 (PDT)
X-Relaying-Domain: mandelberg.org
Received: from [10.0.2.211] (sakaar.virgo.mandelberg.org [10.0.2.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id E3D2D1C6031; Wed, 31 Mar 2021 22:17:48 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mandelberg.org; s=202103; t=1617243468; bh=LVSOtw2Mz2iefnGFEdGo+xcasQQhc3zmxZX9uTZ4gRM=; h=Subject:To:References:From:Date:In-Reply-To:From; b=InmQc1ZV/SIchGVL8Kvx1cKcNieDJvMynWGIn+Tvc8yvyEwpT32FlV7pW6Cl8g68R TD5Gkups8pnsOken32syE2M4IVCXn5Y4CCU8JjftRIFZzNsdA/GQiZ8zoUZN7nHq0c T5ll52bZgft76XotLkxAJCAvpxHVEfHtgpauZu9hP0yH6+tlMvQ8OkbsljeAQLHqjs 3QePosBxhdyVUD1i16kP2jyeHSM9INpcLQlIrotqdMiNdBLsq1l8Me66L7mn75S/u3 PyTG09OKI0j75AMuTan7z1nscwsUeLgvOXqMFCQdP5Hz244OV3PFBSYIelJGHzVOWR 4l8a6z5ywjQcg==
To: Daniel Migault <daniel.migault@ericsson.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-lwig-minimal-esp.all@ietf.org" <draft-ietf-lwig-minimal-esp.all@ietf.org>, IPsecME WG <ipsec@ietf.org>, "lwip@ietf.org" <lwip@ietf.org>
References: <91f5ebd2-b24f-ca04-eba0-60d0c9b6f401@mandelberg.org> <DM6PR15MB2379811A6726483DE59D21F1E37C9@DM6PR15MB2379.namprd15.prod.outlook.com>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <884762c0-f356-c07a-0334-e52c24633dcd@mandelberg.org>
Date: Wed, 31 Mar 2021 22:17:46 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <DM6PR15MB2379811A6726483DE59D21F1E37C9@DM6PR15MB2379.namprd15.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/HQXJ4eWa8YpEwKaIqFvJ9wHbwRs>
Subject: Re: [IPsec] secdir review of draft-ietf-lwig-minimal-esp-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 02:17:58 -0000
Thanks for the updates and clarification! Op 31-03-2021 om 08:46 schreef Daniel Migault: > Hi David, > > Thanks the review. I think the text in [1] addresses your concern. I will probably publish the a new version today. Please see my responses inline. > > Yours, > Daniel > > [1] https://github.com/mglt/draft-mglt-lwig-minimal-esp/pull/1/commits/fb9393a246298e37adcf2683afa2061a40b4ed89 > > -----Original Message----- > From: David Mandelberg <david@mandelberg.org> > Sent: Saturday, March 27, 2021 5:39 PM > To: iesg@ietf.org; secdir@ietf.org; draft-ietf-lwig-minimal-esp.all@ietf.org > Subject: secdir review of draft-ietf-lwig-minimal-esp-03 > > I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. > > The summary of the review is Ready with nits. > > (Section 3, nit) In the paragraph that includes "However, nonrandom SPI and restricting their possible values MAY lead to privacy and security concerns" , it would be nice to add something like "(see below for more details)". When I first read that paragraph, I was about to comment that it's unclear what the privacy/security concerns are, but then it was explained a few paragraphs below. > > <mglt> > That is correct, we restructured a bit the section to clarify this by having a subsection dedicated to considerations over the generation of SPIs. > > The current section is available at [1] and is mentioned below: > [1] https://github.com/mglt/draft-mglt-lwig-minimal-esp/pull/1/commits/fb9393a246298e37adcf2683afa2061a40b4ed89 > > <section title="Considerations over SPI generation"> > > <t>SPI that are not randomly generated over 32 bits MAY lead to privacy and security concerns. > As a result, the use of alternative designs requires careful security and privacy reviews. > This section provides some considerations upon the adoption of alternative designs. </t> > > <t>Note that SPI value is used only for inbound traffic, as such the SPI negotiated with IKEv2 <xref target="RFC7296"/> or <xref target="RFC7815"/> by a peer, is the value used by the remote peer when it sends traffic. > As SPI is only used for inbound traffic by the peer, this allows each peer to manage the set of SPIs used for its inbound traffic. > Similarly, the privacy concerns associated with the generation of nonrandom SPI is also limited to the incoming traffic.</t> > > <t>When alternate designs are considered, it is likely that the number of possible SPIs will be limited. > This limit should both consider the number of inbound SAs - possibly per IP addresses - as well as the ability for the node to rekey. > SPI can typically be used to proceed to clean key update and the SPI value may be used to indicate which key is being used. > This can typically be implemented by a SPI being encoded with the Security Association Database (SAD) entry on a subset of bytes (for example 3 bytes), while the remaining byte is left to indicate the rekey index. > </t> > > > <t>The use of a smaller number of SPIs across communications comes with privacy and security concerns. > Typically some specific values or subset of SPI values may reveal the models or manufacturer of the node implementing ESP. > This may raise some privacy issues as an observer is likely to be able to determine the constrained devices of the network. > In some cases, these nodes may host a very limited number of applications - typically a single application - in which case the SPI would provide some information related to the application of the user. > In addition, the device or application may be associated with some vulnerabilities, in which case specific SPI values may be used by an attacker to discover vulnerabilities. > </t> > > <t> > While the use of randomly generated SPI may reduce the leakage or privacy or security related information by ESP itself, these information may also be leaked otherwise and a privacy analysis should consider at least the type of information as well the traffic pattern. > Typically, temperature sensors, wind sensors, used outdoors do not leak privacy sensitive information and mosty of its traffic is expected to be outbound traffic. > When used indoors, a sensor that reports every minute an encrypted status of the door (closed or opened) leaks truly little privacy sensitive information outside the local network. </t> > > > > </section> > </mglt> > > (Section 4) Am I understanding correctly, that the last paragraph is giving the option of resetting the Sequence Number when rekeying? Does IPSec try to prevent eavesdroppers from determining when rekeying happens? (I really don't know that much about IPSec.) If it does, then resetting the SN could leak that information, if not then there's nothing to leak. > > <mglt> > No. The last sentence of the section intended to prevent implementers to only consider the SN to define the life time of their SA. If implementer choose to use ESN for that purpose, it might be a good indication that a re-key mechanism is needed. > > The current text has been updated to clarify this by the following text: > > """ > Note that the limit of messages being sent is primarily determined by the security associated with the key rather than the SN. > The security of all data protected under a given key decreases slightly with each message and a node MUST ensure the limit is not reached - even though the SN would permit it. > Estimation of the maximum number of packets to be sent by a node is always challenging and as such should be considered cautiously as nodes could be online for much more time than expected. > Even for constrained devices, it is RECOMMENDED to implement some rekey mechanisms (see <xref target="sec-security-considerations"/>). > """ > > Regarding IPsec, a rekey leads to the creation of a new SA, so if you do not want to leak the information you may create the new SA in advance and only use it later. However, the creation is performed via an IKEv2 exchange which is not a very busy channel. As a result, exchanges performed on this channel are potential rekey exchanges. As result, it seems to me a bit hard to hide when a rekey occurs. > SN do not have to be reset to 0. The only requirement is to increase these SN for each packet. On the other hand, this make it possible to maintain the SN number keep growing while SPI and keys are updated... until you reach the end. > > If you need to keep the same SPI, you may delete the SA first before starting a new negotiation, this would enable you to re-use the same SPI. > </mglt> >
- Re: [IPsec] secdir review of draft-ietf-lwig-mini… Daniel Migault
- Re: [IPsec] secdir review of draft-ietf-lwig-mini… David Mandelberg