IETF Logo Mail Archive

Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

"Graham Bartlett (grbartle)" <grbartle@cisco.com> Mon, 21 August 2017 09:46 UTC

Return-Path: <grbartle@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0741413219B for <ipsec@ietfa.amsl.com>; Mon, 21 Aug 2017 02:46:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kTGTDAtQTmSN for <ipsec@ietfa.amsl.com>; Mon, 21 Aug 2017 02:46:04 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C31AD13240D for <ipsec@ietf.org>; Mon, 21 Aug 2017 02:46:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11660; q=dns/txt; s=iport; t=1503308763; x=1504518363; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=xMhfKvr1lzz/LwSbXqok5ACpjr87PhpQyxffapej0ig=; b=ZEvh6rPpKCoq1+QfHDdPbgLrjnRu/OyREjfDtFmxCTxyAsT7Np5pp87u uhq9NqVH9Zt4RT603U9B2RNxdfq1d2lBYsW7SXwtnT0lIbXZs7ujZdDi1 QeL49uOb4m/raCuajUr8jpGgK7c/VeEPUsTpZ8tY+DLzrQWTUqR+ZN+qI o=;
X-Files: smime.p7s : 4557
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AzAQClqppZ/5RdJa1dGQEBAQEBAQEBAQEBBwEBAQEBg1pkgRUHg3CKG5AUgUyBGZUnghIHGguFGwIjg1k/GAECAQEBAQEBAWsohRkCAQMBASFLCxACAQhCAgICJQslAgQBDQUOiiMQryGCJotVAQEBAQEBAQEBAQEBAQEBAQEBAQEBDgoFgyiCAoFMgWMrC4I9NIUKgnwwgjEFiX6HGY84AoQwgiGNb5Jelh8BHziBCncVSRIBhQMBBReBZ3aIHweBK4EPAQEB
X-IronPort-AV: E=Sophos;i="5.41,408,1498521600"; d="p7s'?scan'208";a="472821516"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Aug 2017 09:46:02 +0000
Received: from XCH-ALN-008.cisco.com (xch-aln-008.cisco.com [173.36.7.18]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id v7L9k2sF008250 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 21 Aug 2017 09:46:02 GMT
Received: from xch-aln-007.cisco.com (173.36.7.17) by XCH-ALN-008.cisco.com (173.36.7.18) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 21 Aug 2017 04:46:02 -0500
Received: from xch-aln-007.cisco.com ([173.36.7.17]) by XCH-ALN-007.cisco.com ([173.36.7.17]) with mapi id 15.00.1210.000; Mon, 21 Aug 2017 04:46:02 -0500
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
CC: Vukasin Karadzic <vukasin.karadzic@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
Thread-Index: AQHTFv7XJ5jltk7mwUuzxiRaE15dYKKO+zAA
Date: Mon, 21 Aug 2017 09:46:02 +0000
Message-ID: <91469627-49D0-47FF-8D8D-082179BF671A@cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.142.74]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3586157162_1068384987"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IUsSQUv0fUfRDri5_HsxLLI2c2s>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2017 09:46:06 -0000

Hi Paul

I’m a bit late to the party, but thought I’d chip in if it helps..

With regards to ‘If the responder has some connections that require a PPK and some connections that require NO PPK, then it has to flip a coin on whether or not to send
the PPK_SUPPORT notify and if it guessed wrong’

If you follow the logic below (I sent the following to Scott back in the day) with the GW (or responder) being configured with the PPK’s for the initiators first, then the initiators being configured and ONLY sending the PPK supported when it has a key for the peer you should be ok.

cheers

I would like to propose the following;
- Step 0 is "never use PPKs" (this is the existing IKE standard)

- Logic 1 is “if we are initiator only advertise PPK notify if we have a PPK for the peer”

- Step 1 is "if we're the initiator, then use PPKs if the responder signaled support for it"

    - Step 2 is "insist on PPKs if the peer support it (in both the initiator and the responder roles)"

So for a remote access VPN GW, you would configure the GW first and then each client. The GW will only respond with the PPK notify if the client had included the PPK notify. Once the client has the PPK it will include the PPK notify and pass authentication.

Likewise for Hub and Spoke, the same principle.

The issue I would foresee is something like DMVPN or a partial/full mesh, but my logic mitigates any issues.. the Hub has the PPK and Spoke 1 has the PPK.. The Spoke1 – Hub SA is protected by the PPK. If Spoke2 did not have a PPK and connected to the Hub, the Spoke2 – Hub is not PPK protected, then Spoke1 connected to Spoke2, because of the logic (“if we are initiator only advertise PPK notify if we have a PPK for the peer”) Spoke1 would not advertise the PPK notify and hence we get over this limitation.


Now where this falls down is if there’s a shared key, so in the example above is all spokes used a shared key and one of the spokes didn’t have it – then the logic would fail.


On 17/08/2017, 03:16, "IPsec on behalf of Paul Wouters" <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote:

    
    Hi,
    
    Vukasin Karadzic is working on implementing draft-fluhrer-qr-ikev2
    for libreswan and stumbled upon a problem. The relevant text:
    
        When the initiator receives this reply, it checks whether the
        responder included the PPK_SUPPORT notify.  If the responder did not,
        then the initiator MUST either proceed with the standard IKE
        negotiation (without using a PPK), or abort the exchange (for
        example, because the initiator has the PPK marked as mandatory).  If
        the responder did include the PPK_SUPPORT notify, then it selects a
        PPK, along with its identifier PPK_id.  Then, it computes this
        modification of the standard IKE key derivation:
    
    A responder answering an IKE_INIT containing PPK_SUPPORT needs to
    reply without knowing for which connection this IKE_INIT will be.
    
    The responder has not yet received the initiator's ID. If the responder
    has some connections that require a PPK and some connections that
    require NO PPK, then it has to flip a coin on whether or not to send
    the PPK_SUPPORT notify and if it guessed wrong, the AUTH payload on
    the initiator will be wrong. Sending the notify commits to using a PPK
    because the initiator uses it as input to the AUTH payload.
    
    So this table from the RFC is incomplete:
    
        This table summarizes the above logic by the responder
    
      Received PPK_SUPPORT  Have PPK   PPK Mandatory    Action
      ------------------------------------------------------------------
           No                  No          *            Standard IKE protocol
           No                 Yes         No            Standard IKE protocol
           No                 Yes        Yes            Abort negotiation
          Yes                  No          *            Standard IKE protocol
          Yes                 Yes          *            Include PPK_SUPPORT
    
    Basically, we are in the case where "Have PPK" is not yet known.
    
    
    One way of solving this could be to allow PPK_SUPPORT to have some
    notify data, which could for instance be a hash of the connection/group
    name used by the responder. Another option is to use the PPK as one
    of the inputs to some hash algorithm as PPK_SUPPORT data, so the
    responder can go through its list of PPKs to match it back to a
    connection/group. But we would need to be sure that this does not
    open up the PPK to attacks (classic and quantum)
    
    Paul
    
    _______________________________________________
    IPsec mailing list
    IPsec@ietf.org
    https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email