IETF Logo Mail Archive

Re: [IPsec] AD review of draft-ietf-ipsecme-rfc7321bis

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 22 February 2017 18:24 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6B1312967C; Wed, 22 Feb 2017 10:24:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AtK0rEKNWCMX; Wed, 22 Feb 2017 10:24:06 -0800 (PST)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBA801296B4; Wed, 22 Feb 2017 10:24:05 -0800 (PST)
Received: by mail-qk0-x231.google.com with SMTP id x71so10725868qkb.3; Wed, 22 Feb 2017 10:24:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JOZPz2+Y5CY8zSAZeT5b0CaTRr4MJLt0i0PeQM5jXm0=; b=Qppyl72vBy5XHg7I5SL/CZvy520Jqu/zYEhb3efP27+5aWC1m1dWUsQ5Bp/nuXleRo Q9TmHVa6QINp3c/9qj7kcPodhbTWOwfEjTipHp+WwXzx0ukKVUu83yGs1jp+eXrBOx7n 9r+n/lcUgWAcrgLFFJnNKmlleT9jOb6yKOVF8NFQ1+9slhyP5Q1/ig8QS53sxkrSoqjG DsWaP1GKazY2XFMkQDVXuOeJVRbVMRsHjvnhKDxr3rIzNDlJKxhS3ADz988/1NYtzovR wX8TaNSwMVkJOJ4pY4gOXalGmgIEdT/GhNRfgruHSvxr7x80K4nYtPGYJ3bGxHDQhBC1 1G9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JOZPz2+Y5CY8zSAZeT5b0CaTRr4MJLt0i0PeQM5jXm0=; b=MAhfS0n75z3lZqD1uyhtJfBhQuOedOsWxwobewH2TxmZvgNEH+dwktxHiaAes92yvp GXxN5+UVZZpiA1ckQNi/xvM+UDq8CHXAUssEQt9tbfjsDSr1KG4XJyxzrFfsMzMYcmnd 5tJmwX48QXsouIc5c1HrjLg7kB3OVDbXZulWeDTIjSXapFWQCAqLjiKvbMdRvB6Mm5ED o64SlW5aCcQWBWK3Js/kTSkgckIB+gPXmTPAxQsbDGGZBoBpu0KaiK9S7pXACqMEz3eU IosTwNPgPNV/T1vsoZUXwr4lBjm4TauO6TETwuw732yknx6BVrjziiOdv66Vd5ruPs/f V6pQ==
X-Gm-Message-State: AMke39n6ALQhnkUNZ6jfnkAODK2rxY/Jyi1ywt3dt4noamEzHePTSEDA6XOx0S58o6mACAM6qxKEvdAnq0EI6g==
X-Received: by 10.55.89.196 with SMTP id n187mr31303632qkb.17.1487787845009; Wed, 22 Feb 2017 10:24:05 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.170.77 with HTTP; Wed, 22 Feb 2017 10:24:04 -0800 (PST)
In-Reply-To: <22701.42500.198298.440746@fireball.acr.fi>
References: <CAHbuEH4K1MW8BitnOtmpoHwU6ZseqwNkYQTJ_YUE6cYxH9cshg@mail.gmail.com> <alpine.LRH.2.20.1702171211350.17106@bofh.nohats.ca> <CAHbuEH4f_67DKywJNL=POTu-dF8Ewb7T0aYO6U=uxAd6ocxGKA@mail.gmail.com> <alpine.LRH.2.20.1702211120080.3603@bofh.nohats.ca> <22701.42500.198298.440746@fireball.acr.fi>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 22 Feb 2017 13:24:04 -0500
Message-ID: <CAHbuEH7sZCGAJPP=97LAAfLhY+HxSj6V7KCty-T45YTmR-+Dyw@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/WUH1ZJWIoQl703zZs8tuuy-7iz4>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, draft-ietf-ipsecme-rfc7321bis@ietf.org, Paul Wouters <paul@nohats.ca>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-rfc7321bis
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 18:24:08 -0000

On Wed, Feb 22, 2017 at 9:53 AM, Tero Kivinen <kivinen@iki.fi> wrote:
> Paul Wouters writes:
>> On Fri, 17 Feb 2017, Kathleen Moriarty wrote:
>>
>> >> It is actually not much a change. If you look at 7321 Section 3, it states:
>> >>
>> >>         Confidentiality without authentication is not effective [DP07]
>> >>         and therefore SHOULD NOT be used.
>> >
>> > Yes, I saw that and agree security-wise that this is a bad practice.
>> > But 7321 say a lot more on both ESP and AH authentication than that
>> > one sentence.  What I am saying is that the change in this document
>> > requires more text to explain it.
>> >
>> > You also have the following text in that section:
>> >
>> >   To provide both confidentiality and authentication, an authenticated
>> >   encryption transform from Section 2.1 SHOULD be used in ESP, in
>> >   conjunction with NULL authentication.
>>
>> The way I read that section is that it tries to explain AEAD ciphers
>> versus separate ENCR+INTEG ciphers. It is not making claims about
>> using encryption without authentication, just that when using an AEAD,
>> you do not use a separate authentication algorithm and when not using
>> an AEAD you do use a separate authentication.
>
> There is 3 ways of provide both confidentiality and authentication in
> IPsec:
>
> 1) ESP with AEAD cipher
> 2) ESP with non-AEAD cipher + authentication
> 3) ESP with non-AEAD cipher + no authentication combined with AH with
>    authentication
>
> I.e.,
>
> 1) Use combined mode cipher, i.e. AEAD cipher. In that case the AEAD
> ciphers is set for the encryption algorithm, and the authentication
> algorithm is not sent. Example of this is ENCR_AES_GCM_16 or
> ENCR_CHACHA20_POLY1305.
>
> 2) Use ESP with both encryption and authentication algorithm. In this
> case we are still using only ESP, but we have separate algorithms, for
> example ENCR_AES_CBC combined with AUTH_HMAC_SHA2_256_128.
>
> 3) Use ESP for confidentiality and AH for authentication. In that case
> the ESP is used with encryption algorithm like ENCR_AES_CBC, and
> without authentication algorithm, and then there is second IPsec
> protocol AH that will provide authentication with algorithm like
> AUTH_HMAC_SHA2_256_128.
>
> The first one is preferred, i.e., RFC7321 said SHOULD for AEAD
> algorithms, and did say MAY for 2nd option (ESP with both encryption
> and authentication algorithms), and said NOT RECOMMENDED for the last
> option.
>
>> > It's fine again with the following text:
>> >
>> >   Alternatively, an ESP
>> >   encryption transform and ESP authentication transform MAY be used
>> >   together.  It is NOT RECOMMENDED to use ESP with NULL authentication
>> >   in conjunction with AH; some configurations of this combination of
>> >   services have been shown to be insecure [PD10].
>>
>> Again, the way I read it is that it (not too clearly) is trying to
>> explain AEAD vs non-AEAD.
>
> Again all of the above was explaining those 3 different ways of doing
> confidentiality + authentication.
>
>> > Then at the end of the next paragraph:
>> >
>> >   Therefore, an encryption
>> >   transform MUST NOT be used with a NULL authentication transform
>> >   (unless the encryption transform is an authenticated encryption
>> >   transform from Section 2.1).
>>
>> And again. They probably should have cut all the text and just left
>> this one paragraph in :P
>>
>> Note that this MUST NOT conflicts with the SHOULD NOT quoted above
>> that we promoted to MUST NOT that we are talking about here.
>
> Yes, the 7321 did say MUST NOT for confidentility only, after saying
> SHOULD NOT for it earlier...
>
> In the section 3 of the 7321 the second last paragraph then moves to
> explain other cases, i.e. where we only want to provide authentication
> without confidentiality, where it prefers the ESP with NULL encryption
> over AH, and then it says that encryption without authentication is
> MUST NOT, although it should point out that in addition to the AEAD
> case the ESP + AH is another exception to that rule...
>
>> >> The 7321 document was a bit unclear with respect to encryption algos
>> >> versus AEAD algos which might look like it allows a wider acceptance
>> >> of encryption without authentication, but really does not intend to.
>> >
>> > What I am saying is that it would be helpful to provide text to
>> > explain the change.
>>
>> I'm unsure what to write? 7321 should have used MUST NOT instead of
>> SHOULD NOT for the exact same unchanged reasons provided in 7321.
>> And as I pointed out above, it kind of does outside that one silly
>> paragraph.
>>
>> If really needed, I can do something like:
>>
>>       Encryption without authentication MUST NOT be used. [RFC7321]
>>       erroneously stated in Section 3 that this insecure practise
>>       is a SHOULD NOT, where elsewhere in [RFC7321] it properly
>>       stated this as MUST NOT.
>>
>> Perhaps one of my co-authors can come up with a better suggestion?
>
> Perhaps we should add bit similar text like I did earlier, i.e.,
> explain that there is 3 ways of doing confidentiality + authentication
> and add some more text about them.

I think that may help head off questions in last call and IESG review
if anyone else looks back at 7321.

Thank you.

> --
> kivinen@iki.fi



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email