RE: [Ipsec] Clarification on EAP MSK usage in IKEv2
"Pasi Eronen" <pasi.eronen@nokia.com> Mon, 02 October 2006 08:15 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GUIxj-00081h-1a; Mon, 02 Oct 2006 04:15:43 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GUIxh-0007zZ-Ja for ipsec@ietf.org; Mon, 02 Oct 2006 04:15:41 -0400
Received: from mgw-ext11.nokia.com ([131.228.20.170]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GUIxg-0006zB-3k for ipsec@ietf.org; Mon, 02 Oct 2006 04:15:41 -0400
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-ext11.nokia.com (Switch-3.1.10/Switch-3.1.10) with ESMTP id k928FccO020413; Mon, 2 Oct 2006 11:15:38 +0300
Received: from esebh001.NOE.Nokia.com ([172.21.138.28]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 2 Oct 2006 11:15:38 +0300
Received: from 4FIL09356 ([10.162.83.51]) by esebh001.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Mon, 2 Oct 2006 11:15:38 +0300
From: Pasi Eronen <pasi.eronen@nokia.com>
To: "'ext Narayanan, Vidya'" <vidyan@qualcomm.com>, ipsec@ietf.org
Subject: RE: [Ipsec] Clarification on EAP MSK usage in IKEv2
Date: Mon, 02 Oct 2006 11:15:38 +0300
Message-ID: <000001c6e5fa$f1a624e0$f39cb70a@NOE.Nokia.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcbkJyyPFyVUxZoaSo6+yR8iWuf/RwB0NW4w
In-Reply-To: <C24CB51D5AA800449982D9BCB90325131A2EE0@NAEX13.na.qualcomm.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-OriginalArrivalTime: 02 Oct 2006 08:15:38.0151 (UTC) FILETIME=[F16A7B70:01C6E5FA]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 41c17b4b16d1eedaa8395c26e9a251c4
Cc:
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Errors-To: ipsec-bounces@ietf.org
Vidya Narayanan wrote: > > All, > RFC4306, in section 2.16, states: > > "For EAP methods that create a shared key as a side effect of > authentication, that shared key MUST be used by both the > initiator and responder to generate AUTH payloads in messages 7 > and 8 using the syntax for shared secrets specified in section > 2.15. The shared key from EAP is the field from the EAP > specification named MSK. The shared key generated during an IKE > exchange MUST NOT be used for any other purpose." > > This seems to be a bit ambiguous in what constitutes "other > purposes". For instance, let's consider two entities A & B > running IKEv2-EAP and establishing an IKE_SA between themselves, > using the MSK for authentication of the IKE_SA. If A & B were to > subsequently run IKEv2 again and establish another IKE_SA, could > the same MSK be then used for authentication here as well? > > In other words, it seems confusing whether "other purposes" also > means "for other IKEv2 runs between the same initiator and responder". I believe the intent was that MSK is used once to calculate/verify the AUTH payload, and not used for anything else afterwards. > If we drew an analogy from the MSK usage on other EAP lower > layers (e.g., IEEE 802.11i), the same MSK can be used to re-key > TSKs between the same peer and authenticator until expiry of that > MSK. By the same argument, I don't see a reason why the MSK > cannot be used again for the authentication of a subsequent > IKE_SA between the IKEv2 initiator and responder. I can see some > exceptions (e.g., where the IKEv2 entity acting as the EAP peer > actually wishes to use different identity/credentials for the two > exchanges, requiring a separate EAP run for those), but, in > general, it seems like we should be able to use the same MSK for > the multiple exchanges. > > One potential concern is perhaps due to the fact that the MSK is > used directly in the generation of the AUTH payload and if the > multiple IKEv2 runs used different prf's for generating the AUTH > payload, that could result in a bad use of the MSK. But, if the > same algorithm is used in the multiple runs, is there still > something to be concerned about? And, would it be a violation of > RFC4306? > > I'd appreciate any clarification on the above. Also, if someone > can provide clarity on what implementations do (e.g., is the MSK > deleted after authenticating the IKE_SA or is it cached for a > certain duration, etc.), that would be very helpful. Currently, it makes no sense to cache the MSK, since RFC4306 does not include any functionality that would use it (e.g. establishing another IKE_SA using the same MSK). So I guess you're asking that if someone would write an Intenet- Draft "establishing multiple IKE_SAs without re-running EAP" (or something), would that be an acceptable extension to RFC4306, or un unacceptable violation of the "MUST NOT be used..." requirement? That's a difficult question. I think such a draft could be written in a way that would be reasonable secure (and would not be very long document, except maybe the security considerations text), but being somehow "secure" has not usually been a sufficient criterion for being an acceptable use of EAP :-) Best regards, Pasi _______________________________________________ Ipsec mailing list Ipsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] Clarification on EAP MSK usage in IKEv2 Narayanan, Vidya
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Pasi Eronen
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Lakshminath Dondeti
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Narayanan, Vidya
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Pasi.Eronen
- RE: [Ipsec] Clarification on EAP MSK usage in IKE… Pasi.Eronen