IETF Logo Mail Archive

Re: [IPsec] AD review of draft-ietf-ipsecme-rfc7321bis

Tero Kivinen <kivinen@iki.fi> Wed, 22 February 2017 14:54 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A87711299ED; Wed, 22 Feb 2017 06:54:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3w6n3a4F0hAY; Wed, 22 Feb 2017 06:53:59 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13E651299E6; Wed, 22 Feb 2017 06:53:58 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v1MEruY2004564 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 22 Feb 2017 16:53:56 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v1MEruec007932; Wed, 22 Feb 2017 16:53:56 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22701.42500.198298.440746@fireball.acr.fi>
Date: Wed, 22 Feb 2017 16:53:56 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1702211120080.3603@bofh.nohats.ca>
References: <CAHbuEH4K1MW8BitnOtmpoHwU6ZseqwNkYQTJ_YUE6cYxH9cshg@mail.gmail.com> <alpine.LRH.2.20.1702171211350.17106@bofh.nohats.ca> <CAHbuEH4f_67DKywJNL=POTu-dF8Ewb7T0aYO6U=uxAd6ocxGKA@mail.gmail.com> <alpine.LRH.2.20.1702211120080.3603@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 22 min
X-Total-Time: 23 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/JfYgYEC093s4qoo3WYvOshKuDaE>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, draft-ietf-ipsecme-rfc7321bis@ietf.org, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-rfc7321bis
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 14:54:01 -0000

Paul Wouters writes:
> On Fri, 17 Feb 2017, Kathleen Moriarty wrote:
> 
> >> It is actually not much a change. If you look at 7321 Section 3, it states:
> >>
> >>         Confidentiality without authentication is not effective [DP07]
> >>         and therefore SHOULD NOT be used.
> >
> > Yes, I saw that and agree security-wise that this is a bad practice.
> > But 7321 say a lot more on both ESP and AH authentication than that
> > one sentence.  What I am saying is that the change in this document
> > requires more text to explain it.
> >
> > You also have the following text in that section:
> >
> >   To provide both confidentiality and authentication, an authenticated
> >   encryption transform from Section 2.1 SHOULD be used in ESP, in
> >   conjunction with NULL authentication.
> 
> The way I read that section is that it tries to explain AEAD ciphers
> versus separate ENCR+INTEG ciphers. It is not making claims about
> using encryption without authentication, just that when using an AEAD,
> you do not use a separate authentication algorithm and when not using
> an AEAD you do use a separate authentication.

There is 3 ways of provide both confidentiality and authentication in
IPsec:

1) ESP with AEAD cipher
2) ESP with non-AEAD cipher + authentication
3) ESP with non-AEAD cipher + no authentication combined with AH with
   authentication

I.e.,

1) Use combined mode cipher, i.e. AEAD cipher. In that case the AEAD
ciphers is set for the encryption algorithm, and the authentication
algorithm is not sent. Example of this is ENCR_AES_GCM_16 or
ENCR_CHACHA20_POLY1305. 

2) Use ESP with both encryption and authentication algorithm. In this
case we are still using only ESP, but we have separate algorithms, for
example ENCR_AES_CBC combined with AUTH_HMAC_SHA2_256_128.

3) Use ESP for confidentiality and AH for authentication. In that case
the ESP is used with encryption algorithm like ENCR_AES_CBC, and
without authentication algorithm, and then there is second IPsec
protocol AH that will provide authentication with algorithm like
AUTH_HMAC_SHA2_256_128.

The first one is preferred, i.e., RFC7321 said SHOULD for AEAD
algorithms, and did say MAY for 2nd option (ESP with both encryption
and authentication algorithms), and said NOT RECOMMENDED for the last
option.

> > It's fine again with the following text:
> >
> >   Alternatively, an ESP
> >   encryption transform and ESP authentication transform MAY be used
> >   together.  It is NOT RECOMMENDED to use ESP with NULL authentication
> >   in conjunction with AH; some configurations of this combination of
> >   services have been shown to be insecure [PD10].
> 
> Again, the way I read it is that it (not too clearly) is trying to
> explain AEAD vs non-AEAD.

Again all of the above was explaining those 3 different ways of doing
confidentiality + authentication. 

> > Then at the end of the next paragraph:
> >
> >   Therefore, an encryption
> >   transform MUST NOT be used with a NULL authentication transform
> >   (unless the encryption transform is an authenticated encryption
> >   transform from Section 2.1).
> 
> And again. They probably should have cut all the text and just left
> this one paragraph in :P
>
> Note that this MUST NOT conflicts with the SHOULD NOT quoted above
> that we promoted to MUST NOT that we are talking about here.

Yes, the 7321 did say MUST NOT for confidentility only, after saying
SHOULD NOT for it earlier...

In the section 3 of the 7321 the second last paragraph then moves to
explain other cases, i.e. where we only want to provide authentication
without confidentiality, where it prefers the ESP with NULL encryption
over AH, and then it says that encryption without authentication is
MUST NOT, although it should point out that in addition to the AEAD
case the ESP + AH is another exception to that rule... 

> >> The 7321 document was a bit unclear with respect to encryption algos
> >> versus AEAD algos which might look like it allows a wider acceptance
> >> of encryption without authentication, but really does not intend to.
> >
> > What I am saying is that it would be helpful to provide text to
> > explain the change.
> 
> I'm unsure what to write? 7321 should have used MUST NOT instead of
> SHOULD NOT for the exact same unchanged reasons provided in 7321.
> And as I pointed out above, it kind of does outside that one silly
> paragraph.
> 
> If really needed, I can do something like:
> 
>  	Encryption without authentication MUST NOT be used. [RFC7321]
>  	erroneously stated in Section 3 that this insecure practise
>  	is a SHOULD NOT, where elsewhere in [RFC7321] it properly
>  	stated this as MUST NOT.
> 
> Perhaps one of my co-authors can come up with a better suggestion?

Perhaps we should add bit similar text like I did earlier, i.e.,
explain that there is 3 ways of doing confidentiality + authentication
and add some more text about them.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email