Re: [IPsec] Draft: IKEv2/IPsec Context Definition
Daniel Migault <mglt.ietf@gmail.com> Thu, 06 March 2014 18:13 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70F941A0110 for <ipsec@ietfa.amsl.com>; Thu, 6 Mar 2014 10:13:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7DZNW-OuF51 for <ipsec@ietfa.amsl.com>; Thu, 6 Mar 2014 10:13:10 -0800 (PST)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 6F24B1A0088 for <ipsec@ietf.org>; Thu, 6 Mar 2014 10:13:10 -0800 (PST)
Received: by mail-wg0-f46.google.com with SMTP id z12so3646312wgg.29 for <ipsec@ietf.org>; Thu, 06 Mar 2014 10:13:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rp+g/AGPuUnK6B5iCjsuJkSj+1KbwXP/bKbvKUufc+Q=; b=eLl0gaMJT3/UjruRXneCOwWRegb193EMTypjWiE1Pzd67hYv9wQOUorFqNiuBWAuwa rC36XA8V3cdC6burSe8UjrsivcAFOXNL5BHzfSm72DUXuD9g98s3R/3jrj28/NkbEmy9 qIeor6wsRyi7hXL97ldpVoYqjHTfPixw79HzzVy3FeV673ca08yeRYdeNWR/qA/jkT4w T71TtLFbCQxYLXePhbPO6Pqg2jYsdBDG4xIwMnIQ6IXnfzQy7z4wHOB7v7CB8ggllZTn a8k+UJAcaJYp7FdrfBivznkOfwGolq/eArEpNDHb9PFA5qslTgoKSJrJwImYgOVrr23P yzLg==
MIME-Version: 1.0
X-Received: by 10.194.24.35 with SMTP id r3mr12345621wjf.68.1394129585978; Thu, 06 Mar 2014 10:13:05 -0800 (PST)
Received: by 10.194.171.225 with HTTP; Thu, 6 Mar 2014 10:13:05 -0800 (PST)
In-Reply-To: <CAHf5+ho1Uzr1-7gXZ_9G1CobOuBzU2gJzGcwhbXpOcp4kC3ahg@mail.gmail.com>
References: <CAHf5+hrQ52GPKsAZJF4ZyhFNXgwZJOTEm8u-KKqVbta6Bj=N1g@mail.gmail.com> <7A4D82FA3EF546E499D0A0CD18C58153@buildpc> <CAHf5+hpJB6XUWR931vPWGdbsB-UNFa4F0k-5fF=4TG88ADMPSw@mail.gmail.com> <ED58B729FCA74D5AAF1A6520FB6D836A@buildpc> <53184F65.6000201@gmail.com> <CAHf5+ho1Uzr1-7gXZ_9G1CobOuBzU2gJzGcwhbXpOcp4kC3ahg@mail.gmail.com>
Date: Thu, 06 Mar 2014 19:13:05 +0100
Message-ID: <CADZyTk=51m6GDqSXb9PY5+_VakU-GuCHJQJF4cAM-+dwaHMbVQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Daniel Palomares <daniel.palomares.ietf@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/QCYQmBAvBaKICx4DlfSgHHRJ8wg
Cc: IPsecme WG <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>
Subject: Re: [IPsec] Draft: IKEv2/IPsec Context Definition
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 18:13:13 -0000
Hi Yaron, Thanks for that useful input. I think you mention rfc6989 and [http://cacr.uwaterloo.ca/techreports/2008/cacr2008-24.pdf]. We will have a close look at them. Actually it is not a bad thing to reduce the number of ways to express keying information. BR, Daniel On Thu, Mar 6, 2014 at 6:11 PM, Daniel Palomares <daniel.palomares.ietf@gmail.com> wrote: > Hi Yaron, > > Thanks for the comments. > > Yeah, I have seen one application that implements High Availability by > sending DH secret + KE + Nonces. > Concerning the RFC that deals with the security issues resulting from this > behavior, are you talking about Yoav's RFC - IPsec Cluster Statement?. If > not, could you please tell me which RFC are you mentioning? > > So, as this is a known issue (Case #1), there is no problem to disallow it. > > Other point from previous discussions: > I just wanted to add that in the Case #3, Valery and I had some offline > discussions about it, and we found out that actually the SK_p*_old are not > used to compute Session Resumption's AUTH payload. Instead, SK_d_old is used > to compute it. This means that we actually can avoid SK_p* to be included > in the IKE_SA Context Parameters (with a Mandatory flag). If anyone thinks > SK_p* might be needed for some other exchange, please point that out through > the mailing-list. > > Thank you, > > Kind Regards, > Daniel Palomares > > > > 2014-03-06 11:35 GMT+01:00 Yaron Sheffer <yaronf.ietf@gmail.com>: > >>> Sending SK_* is enough. Nonces are used only in calculations of SKEYSEED, >>> SK_*, keymat for Child SA and AUTH payload content.Anyway, once the >>> exchange >>> is complete, the nonces, appeared in this exchange, may be discarded. >>> Actually, you have 3 choices to exchange IKEv2 keying information >>> between nodes in cluster: >>> 1. Send your private DH key, peer's KE content and nonces. In this case >>> other nodes will recalculate all keys from the very beginning. >>> 2. Send SKEYSEED and nonces. >>> 3. Send computed SK_* keys. Note. that you even may omit sending SK_p*, >>> as these >>> keys are used only during authentication (unless you implement >>> Session Resumption, >>> but it also depends on how you store the tickets - by value or by >>> reference). >>> All approaches are equally possible. There seems to be some >>> security and performance benefists for approach 3, but somebody >>> may argue. Implementation may use any of this approaches >>> and I don't think it's good to mandate the only approach, >>> Regards, >>> Valery. >>> >> >> Actually, I would suggest that we disallow (or "deprecate") option #1. >> IKEv2 explicitly allows for DH secrets to be shared between SAs (this is not >> a good idea, but people do it for performance reasons), and we even have an >> RFC to deal with the security issues resulting from this behavior. So a node >> would be sharing more than it bargained for. >> >> Thanks, >> Yaron > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > -- Daniel Migault Orange Labs -- Security +33 6 70 72 69 58
- [IPsec] Draft: IKEv2/IPsec Context Definition Daniel Palomares
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition yogendra pal
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition yogendra pal
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Daniel Palomares
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition yogendra pal
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Daniel Migault
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition yogendra pal
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition yogendra pal
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Valery Smyslov
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Daniel Palomares
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Daniel Palomares
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Valery Smyslov
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Daniel Palomares
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Yaron Sheffer
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Daniel Palomares
- Re: [IPsec] Draft: IKEv2/IPsec Context Definition Daniel Migault