IETF Logo Mail Archive

Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth (fwd)

Yoav Nir <ynir.ietf@gmail.com> Mon, 26 January 2015 17:11 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C29A1A7D84 for <ipsec@ietfa.amsl.com>; Mon, 26 Jan 2015 09:11:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7c7uorittTQ6 for <ipsec@ietfa.amsl.com>; Mon, 26 Jan 2015 09:11:38 -0800 (PST)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BE281A7022 for <ipsec@ietf.org>; Mon, 26 Jan 2015 09:11:38 -0800 (PST)
Received: by mail-wi0-f175.google.com with SMTP id fb4so11504008wid.2 for <ipsec@ietf.org>; Mon, 26 Jan 2015 09:11:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=10g4kxSjqThophdqNzfYPlLDcnGJ40lRYxW8sIiH2L8=; b=e2CmgrrlyQxeKDFYYMZcXhdJIWLbgZczkK/SpmAwliHV61wpoQ041vFHQnG3gn6v38 gWg+1I/tPGCggYL3SQtnC6Js6zBrmAUoL6gvpdFDuz5fDSA207tcNMzn3atDdKAydSYp rNQB9Cj54JkbLDbCLqjyuJxUvopt8F044EUq0sQNm5/AvU9mmyJ2fCaFzUdWSnXx41Sv ADlQ1fa5F/jJPCRL1aiLfRiiGUP1YcrQhN5qrr0v5lt4oWNACCxzfE28ZQJ+gRaehKNM CdxSLq/fdlC7L1KmGSot6/z434K+muOV7oB2b8Fc9fQgJ4gTNA1QSh9SABOO4ePAtgB4 IiAQ==
X-Received: by 10.180.20.177 with SMTP id o17mr24819596wie.64.1422292296727; Mon, 26 Jan 2015 09:11:36 -0800 (PST)
Received: from yoavs-mbp.mshome.net ([176.12.156.169]) by mx.google.com with ESMTPSA id lq5sm15100266wjb.35.2015.01.26.09.11.35 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 26 Jan 2015 09:11:36 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <21702.23584.557958.684640@fireball.kivinen.iki.fi>
Date: Mon, 26 Jan 2015 19:11:32 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <D578AFFA-43CB-4699-907D-B6D4199DDBE9@gmail.com>
References: <alpine.LFD.2.10.1501131139150.13941@bofh.nohats.ca> <038B7179C6EB4C5BB2A110AD37541204@buildpc> <21694.26453.977101.952972@fireball.kivinen.iki.fi> <alpine.LFD.2.10.1501201009460.16777@bofh.nohats.ca> <21702.23584.557958.684640@fireball.kivinen.iki.fi>
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: Apple Mail (2.1993)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/Ty4fXbBrJ06UFN7YjeywrM0E6f4>
Cc: IPsecME WG <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>, Paul Wouters <paul@nohats.ca>
Subject: Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth (fwd)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jan 2015 17:11:40 -0000

> On Jan 26, 2015, at 5:24 PM, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> Paul Wouters writes:
>>>> I think it is a server's policy issue. It can always restrict
>>>> the number of IPsec SAs from a single peer
>>>> by using NO_ADDITIONAL_SAS notification.
>>>> The document should not impose any restrictions here, IMHO.
>>> 
>>> Agree. Implementations might also have different limits depending
>>> whether the other end is authenticated or unauthenticated, i.e.
>>> unauthenticated clients might only be able to create for example 10
>>> Child SAs, and authenticated clients can create 1000 Child SAs... And
>>> btw child SAs are quite cheap, so the limit does not need to be 1 and
>>> 3... :)
>> 
>> But what's the point? Just to protect th per-port IPsec SA's with
>> more PFS in CREATE_CHILD_SA ?
> 
> For some reason people wnat to turn on PFS on TLS, so that NSA cannot
> break all the http-connections by just stealing that one key from the
> server.

This is an unfortunate naming issue. PFS in IKE vs PFS in TLS are very different beasts.

PFS in TLS is for protecting against a future compromise of the long-term private key associated with the server certificate. RSA keying protects the pre-master secret with the public key, requiring only the private key to decipher. So a future compromise of the (long-term) private key allows the attacker to decrypt your connection (very useful for debugging in wireshark)

PFS in IKE protects you against a future compromise of the ephemeral SK_d. Unlike the certificate private key, SK_d is generated during IKE, and is deleted at the expiration of the IKE SA. For a software-only implementation there is no reason to believe that the SK_d is any easier to steal than the traffic keys. Configurations tend to give IKE SAs a longer lifetime than the child SAs, but that is not required by the protocol.

PFS in TLS makes enough sense that UTA is recommending it for all TLS connections and the TLS working group is requiring it for the next version of TLS.  The thing that this group calls PFS is far less important, and doesn’t always justify the cost.

Yoav

v2.23.0 | Report a Bug | By Email