Re: [IPsec] AD review of draft-ietf-ipsecme-rfc7321bis
Tero Kivinen <kivinen@iki.fi> Wed, 22 February 2017 14:54 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A87711299ED; Wed, 22 Feb 2017 06:54:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3w6n3a4F0hAY; Wed, 22 Feb 2017 06:53:59 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13E651299E6; Wed, 22 Feb 2017 06:53:58 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v1MEruY2004564 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 22 Feb 2017 16:53:56 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v1MEruec007932; Wed, 22 Feb 2017 16:53:56 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22701.42500.198298.440746@fireball.acr.fi>
Date: Wed, 22 Feb 2017 16:53:56 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1702211120080.3603@bofh.nohats.ca>
References: <CAHbuEH4K1MW8BitnOtmpoHwU6ZseqwNkYQTJ_YUE6cYxH9cshg@mail.gmail.com> <alpine.LRH.2.20.1702171211350.17106@bofh.nohats.ca> <CAHbuEH4f_67DKywJNL=POTu-dF8Ewb7T0aYO6U=uxAd6ocxGKA@mail.gmail.com> <alpine.LRH.2.20.1702211120080.3603@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 22 min
X-Total-Time: 23 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/JfYgYEC093s4qoo3WYvOshKuDaE>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, draft-ietf-ipsecme-rfc7321bis@ietf.org, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-rfc7321bis
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 14:54:01 -0000
Paul Wouters writes: > On Fri, 17 Feb 2017, Kathleen Moriarty wrote: > > >> It is actually not much a change. If you look at 7321 Section 3, it states: > >> > >> Confidentiality without authentication is not effective [DP07] > >> and therefore SHOULD NOT be used. > > > > Yes, I saw that and agree security-wise that this is a bad practice. > > But 7321 say a lot more on both ESP and AH authentication than that > > one sentence. What I am saying is that the change in this document > > requires more text to explain it. > > > > You also have the following text in that section: > > > > To provide both confidentiality and authentication, an authenticated > > encryption transform from Section 2.1 SHOULD be used in ESP, in > > conjunction with NULL authentication. > > The way I read that section is that it tries to explain AEAD ciphers > versus separate ENCR+INTEG ciphers. It is not making claims about > using encryption without authentication, just that when using an AEAD, > you do not use a separate authentication algorithm and when not using > an AEAD you do use a separate authentication. There is 3 ways of provide both confidentiality and authentication in IPsec: 1) ESP with AEAD cipher 2) ESP with non-AEAD cipher + authentication 3) ESP with non-AEAD cipher + no authentication combined with AH with authentication I.e., 1) Use combined mode cipher, i.e. AEAD cipher. In that case the AEAD ciphers is set for the encryption algorithm, and the authentication algorithm is not sent. Example of this is ENCR_AES_GCM_16 or ENCR_CHACHA20_POLY1305. 2) Use ESP with both encryption and authentication algorithm. In this case we are still using only ESP, but we have separate algorithms, for example ENCR_AES_CBC combined with AUTH_HMAC_SHA2_256_128. 3) Use ESP for confidentiality and AH for authentication. In that case the ESP is used with encryption algorithm like ENCR_AES_CBC, and without authentication algorithm, and then there is second IPsec protocol AH that will provide authentication with algorithm like AUTH_HMAC_SHA2_256_128. The first one is preferred, i.e., RFC7321 said SHOULD for AEAD algorithms, and did say MAY for 2nd option (ESP with both encryption and authentication algorithms), and said NOT RECOMMENDED for the last option. > > It's fine again with the following text: > > > > Alternatively, an ESP > > encryption transform and ESP authentication transform MAY be used > > together. It is NOT RECOMMENDED to use ESP with NULL authentication > > in conjunction with AH; some configurations of this combination of > > services have been shown to be insecure [PD10]. > > Again, the way I read it is that it (not too clearly) is trying to > explain AEAD vs non-AEAD. Again all of the above was explaining those 3 different ways of doing confidentiality + authentication. > > Then at the end of the next paragraph: > > > > Therefore, an encryption > > transform MUST NOT be used with a NULL authentication transform > > (unless the encryption transform is an authenticated encryption > > transform from Section 2.1). > > And again. They probably should have cut all the text and just left > this one paragraph in :P > > Note that this MUST NOT conflicts with the SHOULD NOT quoted above > that we promoted to MUST NOT that we are talking about here. Yes, the 7321 did say MUST NOT for confidentility only, after saying SHOULD NOT for it earlier... In the section 3 of the 7321 the second last paragraph then moves to explain other cases, i.e. where we only want to provide authentication without confidentiality, where it prefers the ESP with NULL encryption over AH, and then it says that encryption without authentication is MUST NOT, although it should point out that in addition to the AEAD case the ESP + AH is another exception to that rule... > >> The 7321 document was a bit unclear with respect to encryption algos > >> versus AEAD algos which might look like it allows a wider acceptance > >> of encryption without authentication, but really does not intend to. > > > > What I am saying is that it would be helpful to provide text to > > explain the change. > > I'm unsure what to write? 7321 should have used MUST NOT instead of > SHOULD NOT for the exact same unchanged reasons provided in 7321. > And as I pointed out above, it kind of does outside that one silly > paragraph. > > If really needed, I can do something like: > > Encryption without authentication MUST NOT be used. [RFC7321] > erroneously stated in Section 3 that this insecure practise > is a SHOULD NOT, where elsewhere in [RFC7321] it properly > stated this as MUST NOT. > > Perhaps one of my co-authors can come up with a better suggestion? Perhaps we should add bit similar text like I did earlier, i.e., explain that there is 3 ways of doing confidentiality + authentication and add some more text about them. -- kivinen@iki.fi
- [IPsec] AD review of draft-ietf-ipsecme-rfc7321bis Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc73… Paul Wouters
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc73… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc73… Paul Wouters
- [IPsec] Regarding max limit of payloads to avoid … Sandeep Kampati
- [IPsec] Regarding max limit of payloads to avoid … Tero Kivinen
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc73… Tero Kivinen
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc73… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc73… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc73… Paul Wouters
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc73… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-rfc73… Waltermire, David A. (Fed)