Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
"Graham Bartlett (grbartle)" <grbartle@cisco.com> Mon, 21 August 2017 09:46 UTC
Return-Path: <grbartle@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0741413219B for <ipsec@ietfa.amsl.com>; Mon, 21 Aug 2017 02:46:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kTGTDAtQTmSN for <ipsec@ietfa.amsl.com>; Mon, 21 Aug 2017 02:46:04 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C31AD13240D for <ipsec@ietf.org>; Mon, 21 Aug 2017 02:46:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11660; q=dns/txt; s=iport; t=1503308763; x=1504518363; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=xMhfKvr1lzz/LwSbXqok5ACpjr87PhpQyxffapej0ig=; b=ZEvh6rPpKCoq1+QfHDdPbgLrjnRu/OyREjfDtFmxCTxyAsT7Np5pp87u uhq9NqVH9Zt4RT603U9B2RNxdfq1d2lBYsW7SXwtnT0lIbXZs7ujZdDi1 QeL49uOb4m/raCuajUr8jpGgK7c/VeEPUsTpZ8tY+DLzrQWTUqR+ZN+qI o=;
X-Files: smime.p7s : 4557
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AzAQClqppZ/5RdJa1dGQEBAQEBAQEBAQEBBwEBAQEBg1pkgRUHg3CKG5AUgUyBGZUnghIHGguFGwIjg1k/GAECAQEBAQEBAWsohRkCAQMBASFLCxACAQhCAgICJQslAgQBDQUOiiMQryGCJotVAQEBAQEBAQEBAQEBAQEBAQEBAQEBDgoFgyiCAoFMgWMrC4I9NIUKgnwwgjEFiX6HGY84AoQwgiGNb5Jelh8BHziBCncVSRIBhQMBBReBZ3aIHweBK4EPAQEB
X-IronPort-AV: E=Sophos;i="5.41,408,1498521600"; d="p7s'?scan'208";a="472821516"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Aug 2017 09:46:02 +0000
Received: from XCH-ALN-008.cisco.com (xch-aln-008.cisco.com [173.36.7.18]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id v7L9k2sF008250 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 21 Aug 2017 09:46:02 GMT
Received: from xch-aln-007.cisco.com (173.36.7.17) by XCH-ALN-008.cisco.com (173.36.7.18) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 21 Aug 2017 04:46:02 -0500
Received: from xch-aln-007.cisco.com ([173.36.7.17]) by XCH-ALN-007.cisco.com ([173.36.7.17]) with mapi id 15.00.1210.000; Mon, 21 Aug 2017 04:46:02 -0500
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
CC: Vukasin Karadzic <vukasin.karadzic@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
Thread-Index: AQHTFv7XJ5jltk7mwUuzxiRaE15dYKKO+zAA
Date: Mon, 21 Aug 2017 09:46:02 +0000
Message-ID: <91469627-49D0-47FF-8D8D-082179BF671A@cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.142.74]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3586157162_1068384987"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IUsSQUv0fUfRDri5_HsxLLI2c2s>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2017 09:46:06 -0000
Hi Paul I’m a bit late to the party, but thought I’d chip in if it helps.. With regards to ‘If the responder has some connections that require a PPK and some connections that require NO PPK, then it has to flip a coin on whether or not to send the PPK_SUPPORT notify and if it guessed wrong’ If you follow the logic below (I sent the following to Scott back in the day) with the GW (or responder) being configured with the PPK’s for the initiators first, then the initiators being configured and ONLY sending the PPK supported when it has a key for the peer you should be ok. cheers I would like to propose the following; - Step 0 is "never use PPKs" (this is the existing IKE standard) - Logic 1 is “if we are initiator only advertise PPK notify if we have a PPK for the peer” - Step 1 is "if we're the initiator, then use PPKs if the responder signaled support for it" - Step 2 is "insist on PPKs if the peer support it (in both the initiator and the responder roles)" So for a remote access VPN GW, you would configure the GW first and then each client. The GW will only respond with the PPK notify if the client had included the PPK notify. Once the client has the PPK it will include the PPK notify and pass authentication. Likewise for Hub and Spoke, the same principle. The issue I would foresee is something like DMVPN or a partial/full mesh, but my logic mitigates any issues.. the Hub has the PPK and Spoke 1 has the PPK.. The Spoke1 – Hub SA is protected by the PPK. If Spoke2 did not have a PPK and connected to the Hub, the Spoke2 – Hub is not PPK protected, then Spoke1 connected to Spoke2, because of the logic (“if we are initiator only advertise PPK notify if we have a PPK for the peer”) Spoke1 would not advertise the PPK notify and hence we get over this limitation. Now where this falls down is if there’s a shared key, so in the example above is all spokes used a shared key and one of the spokes didn’t have it – then the logic would fail. On 17/08/2017, 03:16, "IPsec on behalf of Paul Wouters" <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote: Hi, Vukasin Karadzic is working on implementing draft-fluhrer-qr-ikev2 for libreswan and stumbled upon a problem. The relevant text: When the initiator receives this reply, it checks whether the responder included the PPK_SUPPORT notify. If the responder did not, then the initiator MUST either proceed with the standard IKE negotiation (without using a PPK), or abort the exchange (for example, because the initiator has the PPK marked as mandatory). If the responder did include the PPK_SUPPORT notify, then it selects a PPK, along with its identifier PPK_id. Then, it computes this modification of the standard IKE key derivation: A responder answering an IKE_INIT containing PPK_SUPPORT needs to reply without knowing for which connection this IKE_INIT will be. The responder has not yet received the initiator's ID. If the responder has some connections that require a PPK and some connections that require NO PPK, then it has to flip a coin on whether or not to send the PPK_SUPPORT notify and if it guessed wrong, the AUTH payload on the initiator will be wrong. Sending the notify commits to using a PPK because the initiator uses it as input to the AUTH payload. So this table from the RFC is incomplete: This table summarizes the above logic by the responder Received PPK_SUPPORT Have PPK PPK Mandatory Action ------------------------------------------------------------------ No No * Standard IKE protocol No Yes No Standard IKE protocol No Yes Yes Abort negotiation Yes No * Standard IKE protocol Yes Yes * Include PPK_SUPPORT Basically, we are in the case where "Have PPK" is not yet known. One way of solving this could be to allow PPK_SUPPORT to have some notify data, which could for instance be a hash of the connection/group name used by the responder. Another option is to use the PPK as one of the inputs to some hash algorithm as PPK_SUPPORT data, so the responder can go through its list of PPKs to match it back to a connection/group. But we would need to be sure that this does not open up the PPK to attacks (classic and quantum) Paul _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Derrell Piper
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Graham Bartlett (grbartle)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Vukasin Karadzic
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)