IETF Logo Mail Archive

Re: [IPsec] vendor support of RFC7427

"Valery Smyslov" <svanru@gmail.com> Wed, 21 June 2017 07:01 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDD17126DFB for <ipsec@ietfa.amsl.com>; Wed, 21 Jun 2017 00:01:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.199
X-Spam-Level:
X-Spam-Status: No, score=-1.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j_ykUBWlv2M7 for <ipsec@ietfa.amsl.com>; Wed, 21 Jun 2017 00:01:26 -0700 (PDT)
Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4CFC126C3D for <ipsec@ietf.org>; Wed, 21 Jun 2017 00:01:25 -0700 (PDT)
Received: by mail-lf0-x230.google.com with SMTP id h22so7932523lfk.3 for <ipsec@ietf.org>; Wed, 21 Jun 2017 00:01:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=/c3TEVCQfZ3d2U3tH6LsfXG2IVo+MJLaQ6h+Gas3r5I=; b=n+Qp8k44TCvp8oIlggIc1GpmlJ7KpKFQwxO+c+wKy5wAQT7RVwLKucxO3u0AsQgNEa t0Q+xs/zGvbxrsaLm/FHzq44EjkI6mHNSuTv1S/ZpcgSaEqe7bjwo2B3LCg+0j5xdhOn r/KFvQBlBQMWbu3XSpiYx1trY330f5JIejIfjs+lCmpE2Wv65Pe6hfXf02WjS8xSuq+b FTbOYtqppVZ3U7Y9c6XVT4zR2e0jFYzC3acM6YF+1OxtcAUmbM7XiFwOBEVucCBcztqD xU/e9RBNn4EfxLq9jIFSfEel+GBYRxCYq8k9Ps/W2mBt2lRlWb+b+IgOz04f5x3ERpi4 q5sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=/c3TEVCQfZ3d2U3tH6LsfXG2IVo+MJLaQ6h+Gas3r5I=; b=DJ/9+WU2vfxv271j8eWqPjoS+H2Djh/Mo6FEuJDvtRg3+Fx8apoXS1/jfLdj+BTAQf k6wXz3UB/kjqnJ6vrniiUfPyiDkDwP779hzj0xcirJqMxjj+94GaOnDN4LkiIFOafQ30 sHww4MQBF+vkxazwGoqXnHNdELJrp6kwNyjmvNXMje8KX7ayvUYmNlAlacPzIPxblooo 513dF7Eb94mB+oPN+Jq6ke+04Xhzps0LBR1FOw+kza5c2XBKlon62o5VUGAF7k/8PtDW IQFrDg4RKbZIrGBt0BKft2q6PcPWioLRGE5TNGTpio8TyXAWKqlnqeo/YrLhXFR18Q/v ykHg==
X-Gm-Message-State: AKS2vOx8+ey9lXRdn4lPw9lP4swY0NiFgTbiaeKpfOXo/NHuu0zDhI4O wcqCPX7OF2eJqERi
X-Received: by 10.46.88.86 with SMTP id x22mr9503316ljd.106.1498028483528; Wed, 21 Jun 2017 00:01:23 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id g88sm4558328lfh.17.2017.06.21.00.01.22 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 21 Jun 2017 00:01:22 -0700 (PDT)
From: Valery Smyslov <svanru@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>, 'Sahana Prasad' <sahana.prasad07@gmail.com>
Cc: 'IPsecME WG' <ipsec@ietf.org>
References: <876523B00C3F9D47BFD2B654D63DBF92BEAA73FA@US70UWXCHMBA05.zam.alcatel-lucent.com> <2FBB5ECC7B8043F2B4E1A6141B3D4FE1@buildpc> <alpine.LRH.2.21.1706201321020.5686@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1706201321020.5686@bofh.nohats.ca>
Date: Wed, 21 Jun 2017 10:01:23 +0300
Message-ID: <01df01d2ea5c$3205afd0$96110f70$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJTe0RxQFhX5rnP0h9T8vu9aUAHgwHfQdM2AaM8+LGhEZdR4A==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/QeF0w0uyddtK3yeYHZVgsDj5-Fk>
Subject: Re: [IPsec] vendor support of RFC7427
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jun 2017 07:01:28 -0000

Hi Paul, 

> Valery,
> 
> I forgot if we reached any consensus or ideas on the 7427 issue you
> brought up in Seoul. Sahana has started work on implementing 7427
> for libreswan and during this process we came up with a few questions.

My impression was that most of participants considered the problem 
insignificant. But I wouldn't call this a consensus.

> Has there been any discussion about using a hash algorithm that
> is different from the one used to sign the CERT (if certificates are
> used) ? It seems to not make much sense and lead to false sense of
> security if the signature uses SHA2 but the CERT is trusted based on
> a SHA1 signature. So, in a way sending more then one hash algorithm
> seems to only make sense for raw public keys, not with certificates?

I don't think so. The responder usually doesn't know which certificate
the initiator will use in IKE_AUTH, so it has to announce support for
all supported hashes.

> Is it implied that when using SHA2, one twiches the RSA algorithm
> variant? If so, how does one know that the old variant is supported?
> (I guess that's the issue you brought up in the link below)

Yes. The IKE peer can announce which hash algorithms it supports,
but it cannot announce which signature formats it supports.
For example, with RSA we have at least two widely used - RSA-PKCS1 and RSA-PSS.
We did meet a situation when one product supported RSA-PSS in 
certificates, but didn't support it in IKE AUTH, so that we received
AUTHENTICATION_FAILED if we used RSA-PSS. As initiator we can
retry with RSA-PKCS1 (however it is ugly), but as responder we cannot, 
so the connection just failed. If there were means to announce 
support for particular signature formats, then we would have used 
this format (RSA-PKCS1 in the example above) and the connection 
would succeed.

I guess similar problem can arise in the future with other signatures - 
we now see  some new signature schemes emerging (EdDSA, XMSS etc.).

> Another issue we have in our implementation, is that we don't know which
> hash algorithms we allow when needing to send an IKE_INIT response. In
> theory, our server could have two connections loaded, one using RSA-SHA1
> and one using ECDSA-SHA2. These connections can only be selected
> when we receive the IKE_AUTH packet. So our implementation picks one
> (sort of randomly) and when processing IKE_AUTH it can "switch" to the
> other connection. But we already have to commit to a hash algorithm
> in the IKE_INIT reply. And if we are sending ALL the hash algorithms that
> we support/implement, then we run the risk of the peer expecting to be
> able to use some hash algorithm, but we don't allow it per configuration
> for that specific connection (eg the SHA2 one on the RSA-SHA1 connection)
> and there is no way to signal that other then AUTHENTICATION_FAILED.

This is even a more fundamental problem with IKEv2 - the responder cannot have
per-peer policy (e.g. if server's policy states, that IKE SA with client alice@example.com
must be secured with AES and IKE SA with client carol@example.com must be secured 
with Chacha20, and both clients send both algorithms in IKE_SA_INIT, then the server
in general cannot enforce this policy, because it must select a single algorithm before it 
figures out who the client is). It seems that the only solution is to have a global policy for IKE. 
So, in your particular example the server should announce both hashes (assuming both 
are strong enough).

Regards,
Valery.

> Paul
> 
> > Subject: Re: [IPsec] vendor support of RFC7427
> 
> > Hi,
> >
> > we (ELVIS-PLUS) support RFC7427 for over a year and we are interoperable with Strongswan.
> >
> > However, see my message about some interoperability problems:
> > https://www.ietf.org/mail-archive/web/ipsec/current/msg10840.html
> >
> > This issue is scheduled for discussion on ipsecme meeting in Seoul.
> >
> > Regards,
> > Valery Smyslov.

v2.23.0 | Report a Bug | By Email