IETF Logo Mail Archive

Re: [IPsec] IPsec with QKD

Tony Putman <t-ietf@putwet.me.uk> Wed, 12 November 2014 00:03 UTC

Return-Path: <t-ietf@putwet.me.uk>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BFDE1A8709 for <ipsec@ietfa.amsl.com>; Tue, 11 Nov 2014 16:03:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.3
X-Spam-Level: *
X-Spam-Status: No, score=1.3 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_12=0.6, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5fw4SuWIFFmw for <ipsec@ietfa.amsl.com>; Tue, 11 Nov 2014 16:03:25 -0800 (PST)
Received: from avasout01.plus.net (avasout01.plus.net [84.93.230.227]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D9021A70E2 for <ipsec@ietf.org>; Tue, 11 Nov 2014 16:03:24 -0800 (PST)
Received: from [192.168.1.2] ([80.229.245.222]) by avasout01 with smtp id EQ3J1p0034odrNw01Q3KSK; Wed, 12 Nov 2014 00:03:23 +0000
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.1 cv=IfMJWAaa c=1 sm=1 tr=0 a=ZDAw9H2lLuf1cmfnewsGHg==:117 a=ZDAw9H2lLuf1cmfnewsGHg==:17 a=0Bzu9jTXAAAA:8 a=rkJuIV0pGx0A:10 a=N659UExz7-8A:10 a=apiPipScAAAA:8 a=XFt7pEl5zbGBE4Fr1RYA:9 a=WfTz583jRwJVuY2s:21 a=QskQkIOqPBXeExGu:21 a=pILNOxqGKmIA:10
X-AUTH: putwet+t-ietf:2500
Message-ID: <5462A3C5.8050601@putwet.me.uk>
Date: Wed, 12 Nov 2014 00:03:17 +0000
From: Tony Putman <t-ietf@putwet.me.uk>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Rodney Van Meter <rdv@sfc.wide.ad.jp>
References: <14BE57EA00BC0C469E17B5AD698FE67783D07A82@FR711WXCHMBA03.zeu.alcatel-lucent.com>
In-Reply-To: <14BE57EA00BC0C469E17B5AD698FE67783D07A82@FR711WXCHMBA03.zeu.alcatel-lucent.com>
X-Forwarded-Message-Id: <14BE57EA00BC0C469E17B5AD698FE67783D07A82@FR711WXCHMBA03.zeu.alcatel-lucent.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/O_Sb5H9WfcXGuMD3xB_JZJBXces
Cc: ipsec <ipsec@ietf.org>, Shota Nagayama <kurosagi@sfc.wide.ad.jp>, Shigeya Suzuki <shigeya@wide.ad.jp>
Subject: Re: [IPsec] IPsec with QKD
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Nov 2014 00:03:27 -0000

Rod,

I read your draft with interest and have a number of comments and
questions.  I've not been around long enough to remember previous
discussions on this (and couldn't find anything after a cursory search
in archives), so please forgive me if I'm rehashing previous arguments.

The QKD keys (and other similar out-of-band keys) are associated with
key agreement, so it makes sense to me to reuse the KE payload.  This
would allow standard notifications and negotiations to take place.  It
also means that you don't need to define a new payload and tranform,
only get IDs assigned to cover OOB key sharing; the way the key
information is packed into the structure also needs to be defined.

Possibly the above was suggested previously and rejected.  If so, I
would suggest producing a new payload which has exactly the same
structure and behaviour as the KE payload.  In other words:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Payload  |C|  RESERVED   |         Payload Length        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Key Exchange Method Num    |           RESERVED            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        QKD Device ID                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                            Key ID                             ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

It's not clear to me how the actual key is used.  Your draft says that
the KE and Nonce payloads are not needed, so I assume that you propose
that the key be used directly as SKEYSEED.  I suggest instead that the
Nonces are retained, and that the key simply replaces the g^ir factor;
that is (for the IKE SA):

SKEYSEED = prf(Ni | Nr, QKD key)

You have said that keys MUST NOT be reused.  This seems overly
restrictive to me, and opens you to denial of service attacks.  An
attacker would be able to very quickly exhaust your keys if each
IKE_SA_INIT exchange used up a key, whether or not the subsequent
authentication phase succeeded.  Provided you make use of the nonces as
I suggest above, you could allow reuse of keys which were part of a
failed exchange (up to a limit): the encrypted part of the subsequent
IKE_AUTH message would use different keys each time.  Since we are in
any case making assumptions about the security of the IPsec ciphers,
this seems to leak very little information about the QKD key.

I don't understand the fallback concept.  I would have thought that this
could be negotiated at the time that rekeying (or creating a new Child
SA) was needed.  In other words, the end which initiates the rekey can
use a QKD KE payload, and may include SAs with a DH transform
(equivalent to Diffie-Hellman fallback) or no KE transform (equivalent
to Continue fallback).  If the initiator is simply making a suggestion
that a fallback transform would be acceptable, so as to save QKD keys,
then I suggest using a Notify payload instead of defining a new one.

In section 3.1.3, you define a new transform type.  As I say above, this
is not needed if there is general acceptance to define a new KE
Transform Id for QKD; if there is not, then I agree this is necessary.
However, you should not define the new Transform Id(s) here: that should
also be left to IANA.  It is not clear to me how PAK-DH provides any
meaningful additional security, but if you wish to include it in this
document then you need to define clearly how it applies to IKEv2:
RFC5683 is very general and more specific information will be needed here.

Lastly, something which seems to be missing is a discussion and
specification of QKD key size.  Is this assumed to be implicit in the
Key ID?  It seems to me that this would be a parameter which needs
negotiation.  As such, I would expect to see multiple Transform IDs for
QKD, each representing a different key size.  It may be possible to do
this using an attribute instead, but I think that this would complicate
negotiation (e.g. the INVALID_KE_PAYLOAD indicates which transform it
prefers, and this doesn't have space for an attribute).

Regards,
Tony

v2.23.0 | Report a Bug | By Email