[IPsec] Minutes from the IPsecME meeting in Bangkok IETF 103
Tero Kivinen <kivinen@iki.fi> Wed, 07 November 2018 11:17 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C67A7129BBF for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2018 03:17:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.421
X-Spam-Level:
X-Spam-Status: No, score=-3.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0JH8QUb3wHLJ for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2018 03:17:56 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19313128CF2 for <ipsec@ietf.org>; Wed, 7 Nov 2018 03:17:55 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id wA7BHrL2005825 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Wed, 7 Nov 2018 13:17:53 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id wA7BHrTC005556; Wed, 7 Nov 2018 13:17:53 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23522.51681.772148.523385@fireball.acr.fi>
Date: Wed, 07 Nov 2018 13:17:53 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 3 min
X-Total-Time: 2 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/I5Nx6Hyj1m0aEw4XBl0S_KgUCS8>
Subject: [IPsec] Minutes from the IPsecME meeting in Bangkok IETF 103
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2018 11:17:59 -0000
Thanks for minutes takers for taking the minutes in the etherpad. I
cleaned them up bit, and posted them to the meetings materials page:
----------------------------------------------------------------------
IETF 103 IPsecME WG meeting in Bangkok
Wednesday, November 7, 2018
13:50-15:20 Boromphimarn 4
Agenda:
- Agenda bashing, Logistics -- Chairs (5 min)
- Draft status -- Chairs (15 min)
- draft-ietf-ipsecme-eddsa -> RFC8420
- draft-ietf-ipsecme-split-dns
- draft-ietf-ipsecme-qr-ikev2
- draft-ietf-ipsecme-implicit-iv
- draft-ietf-ipsecme-ipv6-ipv4-codes
- Work items
- PSK authentication (10 min)
Paul Wouters
- IKE over TCP implementation issues (10 min)
Valery Smyslov
- draft-smyslov-ipsecme-tcp-guidelines
- IPsec Compression mode for ESP (EHC) (15 min)
- draft-mglt-ipsecme-ikev2-diet-esp-extension
- IKEv2 Notification Codes for IPv4/IPv6 Coexistence (15 min)
- draft-ietf-ipsecme-ipv6-ipv4-codes
Agenda bashing, Logistics
=========================
Slides: https://datatracker.ietf.org/meeting/103/materials/slides-103-ipsecme-chair-slides-02
agenda is bashed...
Draft status
============
Tero: not a whole lot done since IETF 102 ("we have been lazy").
ECDSA draft is out as RFC 8420
Paul Wouters: split dns draft is on IESG telechat
Tero: is the implicit IV draft ready? minor head nods
not much discussion on QR IKEv2 draft.
Valery Smyslov: it's ready, it's been ready since August.
Paul: we've got interop testing done, it's more than ready
Tero: still working on ipv6-ipv4 codes draft.
Anyone else have a document you want to work on? Contact the chairs.
PSK authentication
==================
Slides: https://datatracker.ietf.org/meeting/103/materials/slides-103-ipsecme-psks-will-always-be-weak-00
Paul Wouters
PSKs Will Always Be Weak
New dictionary attacks on IKEv1
IKEv2 PSK mode is susceptible to dictionary attack.
Information we give on use of PSKs is not really followed.
PPK draft says use PSKs with 256 bits of entropy. But we know no one
will do that.
FIPS 198 and 198-1 has recommendations but what should we do?
Users are not implementors and do not follow these recommendations.
Main attack vector in IKEv2 is weak PSKs
Do we need a new RFC to recommend minimum strength PSKs? This could
cause implementations to do something.
Dan Harkins: I like the title, yes they will always be weak. I'm not
sure about an RFC to update this. I think the problem is
that the protocol is weak, and the users must use a
stronger key to avoid weak keys. We should use a PAKE,
and write an RFC. Have a secure way to use PSKs.
Yoav: You're saying we should obsolete PSK for something better? We
don't have PAKE yet though. Easy to generate secure PSK. The
problem is the inconvenience.
Tero (as chair): PSKs are not meant to be readable by humans.
Paul: problem is we punted this to users-- "don't do stupid things."
Tero: if it's human readable then we need to use a secure PSK mode.
Then mandate some size restrictions on PSKs.
Stanislav: We should use a PAKE. CFRG is going to be discussing what
PAKE to use. The way to address the problem you describe is
to use a PAKE.
Hu: We should not obsolete PSK, it's not going away. To make it secure
we should use a PAKE.
Valery: you can't stop users from doing stupid things. PAKE is a good
option to use weak PSKs. But the framework doesn't make it
easy to implement.
State machine became more complex. But don't drop PSK mode.
Sean Turner: we screwed the PAKE thing up the first time around but
I'm not sure whether it would be fixed a second time.
We have recommendations on PSK entropy and I would help
to write a new one for IKEv2.
Tero: The problem is that if we asked for doing one PAKE today, we
would still not know what to do
Stanislav: the CFRG process is just starting. There will be a process
of identification, evaluation, and selection. Not sure of
time frame but not years.
Dan: we need a balanced PAKE because either side can initiate.
Yaron Sheffer: we need a PAKE, we need a balanced PAKE. We should
bring this input more formally into CFRG.
Tero: we should ask CFRG to pick a balanced PAKE for us to use.
ACTION ITEM FOR CHAIRS: send a note to the list on this and then
forward request to CFRG.
IKE over TCP implementation issues
==================================
(draft-smyslov-ipsecme-tcp-guidelines)
Slides: https://datatracker.ietf.org/meeting/103/materials/slides-103-ipsecme-clarifications-for-using-tcp-encapsulation-in-ikev2-00
Valery Smyslov
Valery: TCP encapsulation is specified in RFC 8229. Need some
optimizations though for reliability and interoperability.
Should we do a RFC8229-bis to deal with all this?
Yes, there are things to improve upon but none of these things
are critical or showstopping.
Tommy Pauly: On retransmissions: not sure why the congested issue is
red. Tunneling ESP in TCP is a far greater concern for
congestion than IKEv2.
For cookie calculation, isn't that the same for UDP
because you could be behind a NAT?
Valery: yes but it's red because cookie calculation is a local matter.
Paul: we have seen how NATs cause problems by rewriting the port
number very quickly.
Tommy: for MOBIKE, it should be identical to what you do over UDP.
Valery: possibility of not detecting a NAT
Tero: when you switch IP addresses in MOBIKE you can't recalculate.
But when you update addresses, if they don't work change again
and when the final one works then update. Should do same here.
David Skenazii: what's the benefit of doing NAT detection in TCP? We
can just throw the results on the floor.
Valery: yes it's more tolerable.
David: we can say if you use TCP then we can disregard any NAT detected.
Paul: it's a little too soon to do a bis document, need a little more
experience.
Mark McFadden: Maybe instead of doing a bis just take this work, which
is very good, and adopt it for implementation
guidelines.
Yoav: we can have a document that we work on but there's no rush to
publish, it might become a bis eventually.
Tero: we had a clarification document for IKEv2 but not sure how
useful it was to publish. Could've just been a draft. We could
do the same thing here. When we are ready we can work on a bis
document. Opinions? Hums to work on it, no hums to not. Have to
talk with ADs.
IPsec Compression mode for ESP (EHC)
====================================
(draft-mglt-ipsecme-ikev2-diet-esp-extension)
Slides: https://datatracker.ietf.org/meeting/103/materials/slides-103-ipsecme-esp-header-compression-ehc-00
Daniel Migault
Valery: the idea to compress is exciting but it seems complex both in
implementation and negotiation. Will not be easy to select all
theose parameters.
Is it possible to focus on the most effective options?
Daniel: we took a long time defining the rules but the implementation
should not be as long as the specification.
Paul: you keep saying this is simple and straightforward but I read
the draft and don't understand anything. There's a lot of
complexity and IPsec and IKE are already compllicated.
Yoav: how does this complain toe RFC 5756?
Daniel: there is no down stream signaling. You have rules on each
side. This is static, that is dynamic.
David: yes this is simpler than that but battery powered devices are
not just light switches, if we can improve lifetime of phones
and watches there's value.
IKEv2 Notification Codes for IPv4/IPv6 Coexistence
==================================================
(draft-ietf-ipsecme-ipv6-ipv4-codes)
Daniel Migault
Valery: too many notifications for failures. In first case (slide 1),
why not just say what you support (2nd and 3rd cases)?
Tero: if you ask for both and you get back 1 you know. But
SINGLE_AF_SUPPORTED does not help. Maybe reduce to 2.
Lorenzo: These are 3GPP error codes, right? Is it harmful to do this?
Daniel (continues with presentation, slide 2)... seems like there are
some objections to assigning 4 new codes, should reduce it.
Should we negotiate an extension?
Tero: comments saying this should be simplified. Author wants to get
draft out soon. Good to get them feedback.
Open Discussion
===============
we're done!
--
kivinen@iki.fi
- [IPsec] Minutes from the IPsecME meeting in Bangk… Tero Kivinen