Re: [IPsec] Teaser for pitch talk at IETF 108
Michael Rossberg <michael.rossberg@tu-ilmenau.de> Wed, 29 July 2020 16:10 UTC
Return-Path: <michael.rossberg@tu-ilmenau.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51AC03A0BE3 for <ipsec@ietfa.amsl.com>; Wed, 29 Jul 2020 09:10:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GmpRJrjqPTDa for <ipsec@ietfa.amsl.com>; Wed, 29 Jul 2020 09:10:40 -0700 (PDT)
Received: from smail.rz.tu-ilmenau.de (smail.rz.tu-ilmenau.de [141.24.186.67]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F1E13A0BE7 for <ipsec@ietf.org>; Wed, 29 Jul 2020 09:10:23 -0700 (PDT)
Received: from [192.168.2.166] (unknown [93.253.126.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smail.rz.tu-ilmenau.de (Postfix) with ESMTPSA id 612F7580060; Wed, 29 Jul 2020 18:10:21 +0200 (CEST)
Content-Type: multipart/signed; boundary="Apple-Mail=_B946AE02-0EC5-4085-8D3C-B40B05BCCFC5"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
In-Reply-To: <24353.30727.115426.454334@fireball.acr.fi>
Date: Wed, 29 Jul 2020 18:10:20 +0200
Cc: Steffen Klassert <steffen.klassert@secunet.com>, Valery Smyslov <smyslov.ietf@gmail.com>, ipsec@ietf.org
Message-Id: <BF92F70B-C62D-4CB2-829B-B2B6808709F9@tu-ilmenau.de>
References: <023E45E1-B1AA-4042-A8E3-DD7457235BC7@tu-ilmenau.de> <0fd501d664b6$fcc8c590$f65a50b0$@gmail.com> <20200729100457.GD20687@gauss3.secunet.de> <24353.30727.115426.454334@fireball.acr.fi>
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/StCeA0RvmJU2U1o3wXU3g94MqPk>
Subject: Re: [IPsec] Teaser for pitch talk at IETF 108
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 16:10:42 -0000
>> We have already the option to send the high sequence number bits >> when a combined mode algorithm is used. >> >> RFC 4303, Section 2.2.1. says: >> >> If a combined mode algorithm is employed, the algorithm choice determines >> whether the high-order ESN bits are transmitted or are included implicitly >> in the computation. > > We do not have any algorithms that use that feature, and we do not > have option to negotiate it in IKEv2. > > We could add new value for transform type 5 (Extended Sequence > Numbers) to say that we use extended sequence number, and that we > actually transmit the full extended sequence number. That would already help for the case. >> We could just give multicast the same option if it wants to use >> replay protection. > > As others have already pointed out earlier, with multicast the upper > layer must make care of replays and dropped packets themselves in any > case, so doing that also on the IPsec level does not really provide > that much more security. I mean if the multicast protocol run over UDP > over IPsec simply has internal sequence number inside the UDP, which > will then be authenticated by the IPsec that should be good enough for > replay protection. > > There is issue that in that case attacker could do Denial of Service > attack against the IPsec, by replaying packets, and then the IPsec > gateway would decrypt and forward them. Like pointed out in the answer to Valery’s mail. There are possibly more issues, as attackers are able to generate new traffic, they can use for cryptanalysis (see https://www.aircrack-ng.org/doku.php?id=arp-request_reinjection). Having anti-replay guarantees is just a reliable foundation. IMHO the case of applications being responsible holds just as well for unicast applications. TCP takes care of that, still no-one honestly discusses removing replay checks for high volume unicast SAs. > When using multicast you already need to use SPI, and destination > address as your SAD lookup (RFC4303, section 2.1), i.e. use option 2 > there. On the other hand you could use the SPI, destination address, > and source address to find the replay window and largest sequence > number used if you want to do anti-replay protection on multicast SAs > so that each sender has separate replay windows. This still requires to know all possible senders beforehand. Also the SAs will still need to agree on an IV subspace and sending an explicit IV per packet. >>> And about security. In order to have IV combined with >>> ESN and sub-windows identifiers this proposal removes secret >>> salt from the nonce. This may have impact on security. >>> I'm not a cryptographer, but I believe the impact is not negligible. >>> On the last CFRG session a draft draft-wood-cfrg-aead-limits was >>> discussed that calculates limits of data to be safely encrypted >>> by various AEAD ciphers. The authors claimed that having >>> secret salt in the nonce increases this limits in case of multi-user >>> attacks and that the results in the draft are calculated >>> for this case. If plain AEAD ciphers (with no secret salt) are used >>> the limits are lower. >> >> A secret salt in the nonce would be a new requirement anyway. >> I've checked RFC 4106 (ESP for GCM) and RFC 7634 (ESP for >> ChaCha20-Poly1305), both don't require a secret salt. > > It is true that they do not need secret salt, but they do have > unpredictable salt, which is created by the key derivation step. My > understanding was that this proposal did get rid of that salt too: Like written already: An unpredictable value of 32bit size is of no real value from a crypto point of view. One could simply guess the value and have a realistic chance of being right after a couple of thousand tries. I believe it is only in the standard, as with 64 bit sequence numbers there where 32 bits left; needing to be filled.
- [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs William Allen Simpson
- Re: [IPsec] Teaser for pitch talk at IETF 108 Yoav Nir
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Yoav Nir
- Re: [IPsec] Teaser for pitch talk at IETF 108 William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs Michael Richardson
- Re: [IPsec] Teaser for pitch talk at IETF 108 Valery Smyslov
- Re: [IPsec] Teaser for pitch talk at IETF 108 Valery Smyslov
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Valery Smyslov
- Re: [IPsec] Teaser for pitch talk at IETF 108 Steffen Klassert
- Re: [IPsec] Teaser for pitch talk at IETF 108 Tero Kivinen
- Re: [IPsec] Teaser for pitch talk at IETF 108 Steffen Klassert
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Scott Fluhrer (sfluhrer)
- Re: [IPsec] Teaser for pitch talk at IETF 108 Tero Kivinen
- Re: [IPsec] Teaser for pitch talk at IETF 108 Michael Rossberg
- Re: [IPsec] Teaser for pitch talk at IETF 108 Scott Fluhrer (sfluhrer)
- Re: [IPsec] Teaser for pitch talk at IETF 108 Scott Fluhrer (sfluhrer)
- Re: [IPsec] Teaser for pitch talk at IETF 108 Tero Kivinen
- Re: [IPsec] Teaser for pitch talk at IETF 108 Valery Smyslov
- Re: [IPsec] Teaser for pitch talk at IETF 108 Scott Fluhrer (sfluhrer)
- Re: [IPsec] multiple windows need multiple SPIs William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs Michael Rossberg
- Re: [IPsec] multiple windows need multiple SPIs William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs Michael Rossberg
- Re: [IPsec] multiple windows need multiple SPIs William Allen Simpson
- Re: [IPsec] multiple windows need multiple SPIs Yoav Nir
- Re: [IPsec] multiple windows need multiple SPIs Valery Smyslov