Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol
Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 09 September 2014 00:23 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 737601A02C2 for <ipsec@ietfa.amsl.com>; Mon, 8 Sep 2014 17:23:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zTp6qTPNQw0n for <ipsec@ietfa.amsl.com>; Mon, 8 Sep 2014 17:23:28 -0700 (PDT)
Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E27061A0266 for <ipsec@ietf.org>; Mon, 8 Sep 2014 17:23:21 -0700 (PDT)
Received: by mail-lb0-f180.google.com with SMTP id b12so1086983lbj.11 for <ipsec@ietf.org>; Mon, 08 Sep 2014 17:23:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=0EvlatmQw++6GsweoSU+3WmCaCLr9/h9ae38Ggtrr8Q=; b=I9gmPCBd6T93r+Bi4kQTE8H78cD2LV8S8t7vuPM9/WhayvODi3EKoRpOlhKT8oByAi VtVL6yeFtg7F153J7FJPxjxrbkmXyBxaBlwh5NAKCRwSvvsmNiMXDKA/i0QjltyTcHTO 6ceXY2/lKcaD7MzAjwxGEIgG1/Hm/vuMvxT1mpH9FShQDle4PAY4XTgyXA9KhK/wbluY wVSOstwWTkwQmctiSQxJfr/Rw1+XAcRLyfibkIesS/iQy03lYoCS9bJRcbzSgGCtYIDb Pq/9h25IfeV5PCy02qr3/+zNfzBbTmGDPUCgnY/b8ocQcBnBpKC/TVelB2augNpTwSc7 tyQg==
X-Received: by 10.152.42.231 with SMTP id r7mr32466317lal.23.1410222200137; Mon, 08 Sep 2014 17:23:20 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.16.135 with HTTP; Mon, 8 Sep 2014 17:22:50 -0700 (PDT)
In-Reply-To: <BE175F90-68B6-4731-B32E-BA9EF3F3BAD8@dell.com>
References: <540CA9B2.3090807@gmail.com> <BE175F90-68B6-4731-B32E-BA9EF3F3BAD8@dell.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 08 Sep 2014 20:22:50 -0400
X-Google-Sender-Auth: CL9JzxCZq3A34Glk82cKDXL3Hpg
Message-ID: <CADi0yUM3ESC9A1WaJJZ5QKrAeUd-wiNLFRdpRUYp5vGXir-A6Q@mail.gmail.com>
To: Paul_Koning@dell.com
Content-Type: multipart/alternative; boundary="001a11c34bc64b2b46050296f109"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/IJr0K2YHLFaLZgX7t-saq0Y_fYg
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 00:23:30 -0000
The subject line (and the comment on Bellovin attack) caught my eye. I don't follow the discussions in this list so I don't know how much the need and dangers of unauthenticated methods were discussed here. I want to point out that (and probably many did before me) that un-authentication is a very tricky option especially in a protocol that was created with mutual authentication as a core requirement and assumption. I can see potential benefits and uses but I can also see it abused and misused (the internet draft doesn't do too good a job warning about it but even if it did, people will misuse it). But requirements aside, I cannot vow for the security of IKE's key exchange in a one-way authentication mode. No one (that I know, definitely not me) designed this protocol to support one-way authentication. So the question of whether it is secure in this setting has not been investigated. Moreover, I see that the draft uses shared-key fields for the anonymous side of the communication and, I imagine, the other can use signature-based authentication. What security properties do you get from that mix-and-match authentication methods? One likely misuse of this technique is that people will use unauthenticated (or one-way) IKE and will run some other authentication on top of it (say, password based or whatever). Well, protocols do not necessarily compose securely. TLS had many failures like that (BEAST, re-negotiation, triple handshake, ...) and IPsec saw examples of that in the combinations of unauthenticated ESP and AH. IKE's cryptographic design has endured the test of time but these variations (or improvisations) endanger it. Finally, since Bellovin's attack was mentioned, I want to make sure that no one is thinking of not using the MAC authentication at the IP packet level, right? Hugo On Mon, Sep 8, 2014 at 10:54 AM, <Paul_Koning@dell.com> wrote: > > On Sep 7, 2014, at 2:53 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > > > Dear working group, > > > > This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a > WG document. Please respond to this mail with a Yes or No and a short > rationale, at latest by Friday Sep. 12. > > Maybe. > > I understand and support the rationale for this draft. > > The Security Considerations seems to be inadequate. Whenever possible, > real authentication should be used. So the Security Considerations should > explicitly and strongly emphasize that, and recommend that products that > incorporate Null authentication should strive to avoid its use whenever > possible, and steer users away from its use when they can. > > A related question: does the use of Null authentication open up the > Bellovin attack? It seems that it would. If so, my answer changes to “NO”. > > paul > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] Call for adoption: The NULL Authenticatio… Yaron Sheffer
- Re: [IPsec] Call for adoption: The NULL Authentic… Valery Smyslov
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul Wouters
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul_Koning
- Re: [IPsec] Call for adoption: The NULL Authentic… Graham Bartlett (grbartle)
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul Wouters
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul_Koning
- Re: [IPsec] Call for adoption: The NULL Authentic… Yaron Sheffer
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul_Koning
- Re: [IPsec] Call for adoption: The NULL Authentic… Hugo Krawczyk
- Re: [IPsec] Call for adoption: The NULL Authentic… Valery Smyslov
- Re: [IPsec] Call for adoption: The NULL Authentic… Daniel Migault
- Re: [IPsec] Call for adoption: The NULL Authentic… Valery Smyslov
- Re: [IPsec] Call for adoption: The NULL Authentic… Graham Bartlett (grbartle)
- Re: [IPsec] Call for adoption: The NULL Authentic… Hugo Krawczyk
- Re: [IPsec] Call for adoption: The NULL Authentic… Yaron Sheffer
- [IPsec] Call for adoption: The NULL Authenticatio… Tero Kivinen
- Re: [IPsec] Call for adoption: The NULL Authentic… Michael Richardson
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul Wouters