IETF Logo Mail Archive

Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)

Yoav Nir <ynir@checkpoint.com> Tue, 22 December 2009 07:46 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 59D9A3A67C0 for <ipsec@core3.amsl.com>; Mon, 21 Dec 2009 23:46:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level:
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[AWL=-0.558, BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d0w8-MirNJgq for <ipsec@core3.amsl.com>; Mon, 21 Dec 2009 23:46:33 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id 23C923A6784 for <ipsec@ietf.org>; Mon, 21 Dec 2009 23:46:33 -0800 (PST)
X-CheckPoint: {4B30782F-10005-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 3EED729C009; Tue, 22 Dec 2009 09:46:16 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 1866B29C002; Tue, 22 Dec 2009 09:46:16 +0200 (IST)
X-CheckPoint: {4B30782E-10000-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.32.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nBM7kFT7004242; Tue, 22 Dec 2009 09:46:15 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Tue, 22 Dec 2009 09:46:27 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "<Black_David@emc.com>" <Black_David@emc.com>
Date: Tue, 22 Dec 2009 09:46:12 +0200
Thread-Topic: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)
Thread-Index: AcqC2t2y75n7FCKOSw6tYgu8xzkA5Q==
Message-ID: <C9D0DD15-C2CA-4A37-846F-F6BF92B2EEF5@checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF893F474@il-ex01.ad.checkpoint.com> <e225b1d484778f9b5a039516bef73e3f.squirrel@www.trepanning.net> <C2D311A6F086424F99E385949ECFEBCB01212D4C@CORPUSMX80B.corp.emc.com>
In-Reply-To: <C2D311A6F086424F99E385949ECFEBCB01212D4C@CORPUSMX80B.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "dharkins@lounge.org" <dharkins@lounge.org>, "kivinen@iki.fi" <kivinen@iki.fi>
Subject: Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2009 07:46:34 -0000

On Dec 21, 2009, at 8:54 PM, <Black_David@emc.com> wrote:

> Dan,
> 
>>  If we allocate new numbers to do it right then we will, in fact, live
>> forever with an ambiguous interpretation of groups 19, 20, and 21. I
>> agree we should fix the problem and not live with ambiguity. The proposal
>> to allocate new numbers doesn't seem to do that though.
> 
> Fine, here's how to accomplish that goal - the RFC that allocates
> the new group numbers should:
>  1) explain why the group numbers 19, 20 and 21 are ambiguous;
>  2) state that group numbers 19, 20 and 21 "SHOULD NOT be used";
>  3) instruct IANA to remove the group number registrations for
> 	19, 20 and 21 in a fashion that prevents reallocation; and
>  4) obsolete RFC 4753.
> That should avoid long term problems.

No, this will solve the problem in the long term. In the short term, there are things like Windows 7 out there that already use group 19 and group 20 (and they only send x). For the vendor to follow your obsolescence plan, they would need to have a patch that replaces the use of 19 and 20 with, say, groups 27 and 28. That would mean breaking interoperability with the old unpatched Windows 7, plus all other implementations out there (there is even less running code for groups 19 and 20). So a vendor would have to support both group 19 (wrong or right interpretation) and group 27 (hopefully only one right interpretation) 

> That said, I'd like to see more reason to believe that there is
> an actual "running code" problem before doing something this drastic.
> If most people working with elliptic curve "just know" that only
> one coordinate is used, we might not have a problem in practice.

Well, both Tero's company and mine have people who follow this list, and yet both companies made this mistake. "People just knowing" failed". Luckily for us, this running code was not yet released when they discovered the issue, so we don't have a support/upgrade problem. The real issue is with running code that's both broken and out there. Unfortunately, we can't rely on all developers on ECDH code being on this list. The mitigating factor is that those who implement by using OpenSSL code will run into the fact that OpenSSL APIs only give you the x coordinate, unless you supplement their code with your own function  that gets the y coordinate.

> 
> Thanks,
> --David

v2.23.0 | Report a Bug | By Email