IETF Logo Mail Archive

Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Thu, 17 August 2017 22:44 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F8951323B6 for <ipsec@ietfa.amsl.com>; Thu, 17 Aug 2017 15:44:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ia5Bw2ahXhKT for <ipsec@ietfa.amsl.com>; Thu, 17 Aug 2017 15:44:24 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C6BD1323AA for <ipsec@ietf.org>; Thu, 17 Aug 2017 15:44:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3836; q=dns/txt; s=iport; t=1503009864; x=1504219464; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=6jZQl8FV7362aefhZmO0uYnqpqmGO+nDYiB6R/nbKr8=; b=kLUJjvhetamb+hpk8at+33HW9GjAomxG5bGHXdWvwjCbfYZpjQOkc3Qw J//bsaOK+dnRxpTsLpm4XFcgEK7B9qDDkSUNL5nIXFCtQhuD4VIbb/8Kf jga0gV3OQTFgJZ3Jz6z6DaLZOyrTbCdTjeWhiSo6UoFNlDJHva9RBTkAw w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CeAQBgG5ZZ/4ENJK1dGQEBAQEBAQEBAQEBBwEBAQEBgy8rZIEVB54dgW53h0GNY4ISIQuFGwKEWEAXAQIBAQEBAQEBayiFGAEBAQEDAQE4NAsMBAIBCBEEAQEfCQchBgsUCQgCBAENBQiIEgGBfQMVEKwLhzkNhCABAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYMoggKBTIFjgnM0gleIEAWJfocXjng8Ao9KhG2SZYw2iWYBIAE2P0t3FUmFFgEcgWd2h2MHgSuBDwEBAQ
X-IronPort-AV: E=Sophos;i="5.41,390,1498521600"; d="scan'208";a="471135396"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 17 Aug 2017 22:44:23 +0000
Received: from XCH-RCD-007.cisco.com (xch-rcd-007.cisco.com [173.37.102.17]) by alln-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id v7HMiNA6015838 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 17 Aug 2017 22:44:23 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-RCD-007.cisco.com (173.37.102.17) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 17 Aug 2017 17:44:22 -0500
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1210.000; Thu, 17 Aug 2017 17:44:22 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
CC: Vukasin Karadzic <vukasin.karadzic@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
Thread-Index: AQHTFv7XjuMkEWgpNEmBeMtf53kCNqKJFIsg
Date: Thu, 17 Aug 2017 22:44:22 +0000
Message-ID: <da14cff8a01045c492d3cda03e96422b@XCH-ALN-010.cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.108.5]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/RVYCV326RF-3SMYv6F0l9zxPcA8>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 22:44:26 -0000

Good point Paul. The issue will also hold for an initiator. The initiator might have PPK enabled with other peers but not have a PPK_id configured for a responder after he gets her IKE_INIT response with N(PPK_SUPPORT) included. Practically the N(PPK_SUPPORT) is dictated by a global PPK support configuration on the initiator and responder, but that does not mean a PPK is configured for all their peers.

As Tero and Scott suggested, for the shake of simplicity it makes sense to tighten the text with normative language to make it clear to an implementer. For an initiator with PPK enabled but no PPK_id, regular IKE should be included in the initiators IKE_AUTH message. For the responder, imo a failure should occur after the initiator's IKE_AUTH if a PPK_id doesn't exist and PPK is enabled in the responder. And optionally the responder could add the initiator in a no_PPK_supported local cache.  

Rgs,
Panos


-----Original Message-----
From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Paul Wouters
Sent: Wednesday, August 16, 2017 10:16 PM
To: ipsec@ietf.org WG <ipsec@ietf.org>
Cc: Vukasin Karadzic <vukasin.karadzic@gmail.com>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Subject: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue


Hi,

Vukasin Karadzic is working on implementing draft-fluhrer-qr-ikev2 for libreswan and stumbled upon a problem. The relevant text:

    When the initiator receives this reply, it checks whether the
    responder included the PPK_SUPPORT notify.  If the responder did not,
    then the initiator MUST either proceed with the standard IKE
    negotiation (without using a PPK), or abort the exchange (for
    example, because the initiator has the PPK marked as mandatory).  If
    the responder did include the PPK_SUPPORT notify, then it selects a
    PPK, along with its identifier PPK_id.  Then, it computes this
    modification of the standard IKE key derivation:

A responder answering an IKE_INIT containing PPK_SUPPORT needs to reply without knowing for which connection this IKE_INIT will be.

The responder has not yet received the initiator's ID. If the responder has some connections that require a PPK and some connections that require NO PPK, then it has to flip a coin on whether or not to send the PPK_SUPPORT notify and if it guessed wrong, the AUTH payload on the initiator will be wrong. Sending the notify commits to using a PPK because the initiator uses it as input to the AUTH payload.

So this table from the RFC is incomplete:

    This table summarizes the above logic by the responder

  Received PPK_SUPPORT  Have PPK   PPK Mandatory    Action
  ------------------------------------------------------------------
       No                  No          *            Standard IKE protocol
       No                 Yes         No            Standard IKE protocol
       No                 Yes        Yes            Abort negotiation
      Yes                  No          *            Standard IKE protocol
      Yes                 Yes          *            Include PPK_SUPPORT

Basically, we are in the case where "Have PPK" is not yet known.


One way of solving this could be to allow PPK_SUPPORT to have some notify data, which could for instance be a hash of the connection/group name used by the responder. Another option is to use the PPK as one of the inputs to some hash algorithm as PPK_SUPPORT data, so the responder can go through its list of PPKs to match it back to a connection/group. But we would need to be sure that this does not open up the PPK to attacks (classic and quantum)

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email