IETF Logo Mail Archive

[IPsec] #121: Rekeying IKE SAs: KEr errors and PRF question

Tero Kivinen <kivinen@iki.fi> Tue, 24 November 2009 13:54 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 81C8A3A6A3E for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 05:54:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_12=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1xMp4jRYO2Rb for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 05:54:27 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 53DBA3A6784 for <ipsec@ietf.org>; Tue, 24 Nov 2009 05:54:26 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nAODsIVt004048 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 24 Nov 2009 15:54:18 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nAODsGuS028870; Tue, 24 Nov 2009 15:54:16 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19211.58760.146418.200791@fireball.kivinen.iki.fi>
Date: Tue, 24 Nov 2009 15:54:16 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p06240845c730d6c840bf@[10.20.30.158]>
References: <p06240845c730d6c840bf@[10.20.30.158]>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 15 min
X-Total-Time: 17 min
Cc: IPsecme WG <ipsec@ietf.org>
Subject: [IPsec] #121: Rekeying IKE SAs: KEr errors and PRF question
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 13:54:28 -0000

Paul Hoffman writes:
> We earlier agreed in issue #50 to make the KEr in Section 1.3.2
> (Rekeying IKE SAs with the CREATE_CHILD_SA Exchange) mandatory: 
>                              <--  HDR, SK {SA, Nr, KEr}
> Note that this is not in the current draft, but will be in the next one.
> 
> So, what happens if the responder does not include a KEr, following
> the syntax in RFC 4306?  Does the process revert back to using only
> the SK_d and the new nonces, or does the responder reject the
> request and indicate its preferred DH group in the
> INVALID_KE_PAYLOAD notification payload (section 1.3)? The latter
> seems much more likely, given the text in 2.18. If so, we should say
> so explicitly.

Note, that this can only happen if initiator allowed responder to not
give KEr. Initiator tells the responder whether it requires
Diffie-Hellman by listing Diffie-Hellman groups in its SA payload. If
it does not include group 0 (NONE) then responder does not have option
to send KEr (both for RFC4306 and IKEv2bis implementations).

RFC4306 implementations are allowed to include the Diffie-Hellman
group 0 (NONE), but IKEv2bis implementations are not allowed to
include it anymore.

This means that if RFC4306 implementation talks as initiator to the
IKEv2bis responder implementation and RFC4306 implementation selects
Diffie-Hellman group 0, and does not include KEi then IKEv2bis
implementation will return INVALID_KE_PAYLOAD and request RFC4306
implementation to select some other group (provided the RFC4306
implementation listed any acceptable group in its SA payload). If they
cannot find group which is acceptable for both then the negotiation
will fail with NO_PROPOSAL_CHOSEN.

On the other hand if IKEv2bis implementation talks as initiator to the
RFC4306 implementation, then IKEv2bis implementation will include KEi,
and MUST NOT include group 0 (NONE) in its SA payload, thus RFC4306
implementation is not allowed to select group 0, meaning it must
return proper KEr, or NO_PROPOSAL_CHOSEN if none of the groups were
acceptable (or INVALID_KE_PAYLOAD if group selected by KEi was not
acceptable, but some other group in SA payload is).

This means that if either end is IKEv2bis implementation, there cannot
be situation where KEr is ignored, and where we would not have g^ir
(new) for SKEYSEED calculation.

I do not think we need extra text for this, as if implementors follow
the currect text in section 2.18 which says IKEv2bis implementations
MUST NOT propose the value "NONE, and MUST NOT accept such proposal,
then there is no problem.

> Section 2.18 also states that in the case of the old and new IKE SA
> selecting different PRFs, that the rekeying exchange (for SKEYSEED)
> is done using the *old* IKE SA's PRF.  What happens after that?  The
> end of section 2.18 says that SK_d, etc are computed from SKEYSEED
> as specified in section 2.14.  If the PRF changed, which PRF is used
> for the prf+ calculations, the old PRF or the new PRF? 

I would interpret "because the rekeying exchange belongs to the old
IKE SA, it is the old IKE SA's PRF that is used", to cover also the
SK_d, SK_ai, etc generation and also prf+ uses. First thing that uses
new PRF, is when new IKE SA is used to generate KEYMAT, or SKEYSEED
for next IKE SA rekey. But I agree this is not very clear, and could
be clarified. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email