Re: [IPsec] Comments to the g-ikev2
Tero Kivinen <kivinen@iki.fi> Sat, 15 January 2022 17:24 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4B963A0912; Sat, 15 Jan 2022 09:24:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.814
X-Spam-Level:
X-Spam-Status: No, score=-2.814 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.714, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bv_seFf9Camg; Sat, 15 Jan 2022 09:24:38 -0800 (PST)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C57E3A090F; Sat, 15 Jan 2022 09:24:37 -0800 (PST)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id D524F1B002F7; Sat, 15 Jan 2022 19:24:33 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1642267474; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=qGSqr7qvhlHkvua6aBIZyAhmyleMMeNyzLzs5cLbrbU=; b=Rq54Za8SDCz12o2kDm2y97kZ+1ECo+DEUi8plSnz29c9FcjrOAMYQ50bmYF++jo4vAHLEq G/JRj2PDC515NH6HiIkuVoz1iU5kpuDPKk6cPUz3x19qsdGYpTcb1NrD3vGEV0yFuOv8kN L80lSBeFv36LhD7QZQ8hwyE97eUrOachabLc/4DEMw7A/DJ8PAAYl9o/qpiS9ZDczT9Q71 oBx0zK8gCUtpVwu4cvyoU/QdNikOdoR3EgAP4e7SmDGHyt8p7BV0uJ3YGVS8stWcIaImY6 GF4lTCxOppTvavGwgmVDc+fICRWuNgTMI9tvjToX6LSIGJHCFs0EBgHYyRnwLA==
Received: by fireball.acr.fi (Postfix, from userid 15204) id 562D025C12E5; Sat, 15 Jan 2022 19:24:33 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25059.849.299801.984109@fireball.acr.fi>
Date: Sat, 15 Jan 2022 19:24:33 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <svan@elvis.ru>
Cc: ipsec@ietf.org, draft-ietf-ipsecme-g-ikev2@ietf.org
In-Reply-To: <057b01d80950$854ba330$8fe2e990$@elvis.ru>
References: <25052.46852.971778.754673@fireball.acr.fi> <057b01d80950$854ba330$8fe2e990$@elvis.ru>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 33 min
X-Total-Time: 160 min
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1642267474; a=rsa-sha256; cv=none; b=CnNDA4a0AEm7zF6xDT2XAEb16oPXbvabMI8jOWs+7I8Fk2voiEAsprLFsWDAq8Uthlnm1+ 528gtb+4w+8eQBQVb2G6Q6QPHiBSlbWcqVTTxmo+SOFNAOb+zDBIck/48/WNWfZiI7RpeC iWoKQ6qZBWh7oWWkJVx41w51JSoN3o0reyXFTVcbm5eaIWGmhxUZbXRRBBK/q007e/Imk6 5k0a440C0YUoRdb0MWSDAM+f6JUPyICGhigbWzkJwjgayWJ0ndWIAYF0vKiDBYXgFhaFjJ MFC1jHcmJeno0v83YfdsZXrkUtQRbUK5l9J9ajCPy3cL8DMsIwGIXmb9QJ0+cw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1642267474; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=qGSqr7qvhlHkvua6aBIZyAhmyleMMeNyzLzs5cLbrbU=; b=VBXO4UNmIcqxT0I7e4bXuwTmg4PwgheGBfKaw0xmarHf0fu8qI7TSACkT3MCY/yMcxyzi5 Je6+SMPJxX8+axcvudUYkFij1Xq4Y25xuYtO8kn8XTUK9SkiFIBRjfXEpeYRES0gg6lYZD 0eMBRZ501bwoVxNHjmEIr0Qvz8G1Uizpb8yr0hSMp5yD2YbCRoiSzTSoPf74t4KL9Yt3+M c7CdP7Abftq6kYwkXBb6pANeTmjC/p6H57MS7eQwtC4LDJi6s7BzVVz/Ig8S+PZKHMldA6 M6+nZ0tyYbJR0qEtxrOO+APYG4Cd6X6993nAkATg5i8SPUOT65HRDqMGGPN/Ag==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/VXFMOjCGyp6LlO6nrQxWYUePPvI>
Subject: Re: [IPsec] Comments to the g-ikev2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Jan 2022 17:24:41 -0000
Valery Smyslov writes: > > The section 1.4.3/1.4.4 mostly already hints to that, but 1.4.1 is > > more vague about it. > > We can make this more explicit by writing that > GSA_AUTH is a variant of IKE_AUTH with different exchange type > and slightly different properties and that G-IKEv2 implicitly inherits > any extension defined in IKEv2 for use while IKE SA is being established > (this includes, for example using IKE_INTERMEDIATE) unless > an extension explicitly states the opposite. Now, after some time of thinking about this I think we should exactly that, i.e., explain that GSA_AUTH is exactly same as IKE_AUTH except it does not have payloads for creating IPsec unicast SA, but will add payloads for creating multicast SAs. I.e., add text to the 1.4.1 which explicitly says that. > I think eliminating GSA_AUTH completely is also an option, but > in this case some indication of the purpose of the IKE SA being created > should be introduced, since there may be different policies > at GCKS for IKEv2 and G-IKEv2 clients. I think if we can share everything between IKE_AUTH and GSA_AUTH and we are carefull with how we defined future extesions we should probably keep the GSA_AUTH, as it does save one round trip... > > I assume that in section 1.4.5.1. GSA_REKEY the text: > > > > If implicit authentication is used, then AUTH_KEY MUST > > NOT be sent to GMs. > > > > is trying to say that AUTH_KEY MUST NOT be sent to the GMs using > > GSA_REKEY, it was sent during the GSA_AUTH or GSA_REGISTRATION to each > > member separately, and will not be changed during the lifetime of the > > multicast flow. > > No. If implicit authentication of GSA_REKEY messages is used, then > they are authenticated by the fact that GMs verify their ICV. > Since we assume that only GCKS (and other GMs in the group) > knows the current SK_a, we implicitly authenticate it (no origin > authentication is provided as with any symmetric key authentication). > In this case no keys dedicated only for authentication > (these keys are conveyed in the AUTH_KEY attribute during GM registration) > are needed. Ok. The next question is we most likely want to make sure that one Rekey SA can't update the AUTH_KEY for another rekey SA? I.e., the SPIs inside the SA payload must match this Rekey SA if it contains AUTH_KEY payloads to upda the authentication key of this rekey SA? Or do we disallow multicast AUTH_KEY completely? We must not allow one shared key rekey SA to update another rekey sa using public key signatures, but we might want to allow GCKS to update its public key by sending new AUTH_KEY for this rekey SA. Do we have some text somewhere that explictly allows/forbids that. I assume we disallow changing authentication method using GSA_REKEY, i.e., there is no way for moving from implicit authentication (or shared key authentication) to public key signatures? As there is no origin authentication in implicit authentication or shared key authentication we do not want to use them to update the rekey sa to public key signatures. > > I would actually explictly forbid using shared key authentication in > > the AUTH payload of the GSA_REKEY, and only allow digital signature > > methods. > > This idea is worth to think about. Implicit authentication appeared > only in recent version of the draft and explicit one was left over > not to break things. But you are right that there is no much value > in using it. One possible reason is that in this case authentication > key may be long lived and specifically generated with the desired > security properties, while with implicit authentication keys are > usually auto-generated and are changed with every rekey. Don't know > how much this matters. I would asume auto-generated keys are most likely much more secure than shared keys used by the adminstrators.... > system administers may have better control over the key used for > authentication. I mean that this key may be generated with some > desired security properties, that may differ from those of SK_a used > for implicit authentication. There is already pairwise authentication key used in the GSA_AUTH, and not sure if there is any reason to have another long lived authentication shared key for specific SAs, explictly one that is shared with lots of clients. > > In section 1.4.5.3 the text talks about the SPI value equal to zero, > > but I think it is trying to say that the SPI Size field is zero and > > SPI field is empty. > > No, it is not a typo, the text explicitly use zero SPI to indicate > that all SAs for the particular protocol are deleted. I agree that > it is possible to change the way to indicate this by sending > zero-length SPI. This would save few bytes, but the question is - > how it is handled in the code? In IKEv2 zero length SPI (along with > zero protocol) is traditionally associated with IKE SA, but here the > protocol field will be non-zero. It seems to me that semantically > having zero SPI (and SPI length corresponding to the protocol) looks > more appropriate. Ok. For special SPI value that indicates all possible SAs, I agree that having some reserved SPI value (like zero), makes more sense. > > Btw, can we have multiple GSA_REKEY pseudo exchange SAs? I.e., can > > GCSK send multiple Group Security Association Policy substructures, > > and send out multiple SPIs for those GSA_REKEY messages, so it can use > > use different GSA_REKEY SPIs to send key updated to only some of the > > SAs etc? > > > > I.e., one of those could use the Digital signatures and another one > > could use NULL authentication? > > Current draft doesn't allow this. It is assumed that only one Rekey SA exists > in every single period of time, but it can rekey itself over time in which > case it is replaced with a new one. I think this design was chosen > for simplicity. Ok. As I said there are so many different types of SAs there and I am not really sure their relations to each other. Clarifying that in the beginning in the terminology section may make things easier to understand. > > In section 3.7.1 the described behavior is different than what is > > defined in the RFC7296. RFC7296 sends USE_TRASPORT_MODE notification > > with protocol number 0, spi size of zero, and without SPI field. > > > > Section 3.10 of RFC7296 says: > > > > Of the notifications defined in this document, the SPI is > > included only with INVALID_SELECTORS, REKEY_SA, and > > CHILD_SA_NOT_FOUND. If the SPI field is empty, this field MUST be > > sent as zero and MUST be ignored on receipt. > > > > and as USE_TRASPORT_MODE is defined in the RFC7296 it uses this > > method, and does not include SPI. I.e., sending multiple > > USE_TRASPORT_MODE notifications as specified in the section 3.7.1 does > > not work. > > I know this, and this is where G-IKEv2 behaves differently from IKEv2 > (note, that sending Delete Payload with protocol 0 is also not allowed > in IKEv2m but is used in G-IKEv2). > > > One way to fix this is to say that if GCKS wants to use both transport > > mode and tunnel mode, it MUST use separate exchanges to do that, i.e, > > first include one GSA_INBAND_REKEY / GSA_REKEY to send information > > about tunnel mode SAs, and then do another GSA_INBAND_REKEY / > > GSA_REKEY with USE_TRASPORT_MODE notification to send transport mode > > SAs (and after doing the GSA_AUTH or GSA_REGISTRATION with tunnel or > > transport mode, it needs to do extra GSA_INBAND_REKEY for other mode). > > I think it complicates things more than redefining USE_TRANSPORT_MODE > for G-IKEv2 purposes. Alternatively we can allocate a new notify, say > USE_MCAST_TRANSPORT_MODE with a different semantics. We need to point this out much more strongly, i.e., explain that behavior is different from the RFC7296. Allocating new notify just for that might be even better, as then we do no need to "Update" 7296... > > Section 4.1. is not correct. The SK_w used to encrypt the keys inside > > the KD payloads is protected by PPK, as it is derived from the SK_d > > which is protected, thus all keying material transported in the > > initial IKE SA is protected. As such I think all of the section 4.1 > > can be removed, the mandatory or not example does not really belong to > > this document, as my understanding is that this is default RFC8784 > > behavior. > > I think you are correct. This section was written before the way > keys are transported in the SA was completely redesigned and SK_w > keys were introduced. Since then I didn't revise it and overlooked that > the protection against QC is now achieved "for free". My bad. > > I don't think the section should be removed, since some > information is still visible to an attacker equipped with QC, > e.g. the parameters of the multicast SAs. The section > should be rewritten instead. Works for me. > Thank you again for the detailed review! I just want to get this document out also, and there does not seem to be that many people interested in it, so I had to do my review of it already now. Usually I do my full reviews only after WGLC while doing shephard writeup, but moved it bit earlier now just to get things going forward. -- kivinen@iki.fi
- [IPsec] Comments to the g-ikev2 Tero Kivinen
- Re: [IPsec] Comments to the g-ikev2 Valery Smyslov
- Re: [IPsec] Comments to the g-ikev2 Tero Kivinen
- Re: [IPsec] Comments to the g-ikev2 Valery Smyslov
- Re: [IPsec] Comments to the g-ikev2 Tero Kivinen