IETF Logo Mail Archive

Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06

CJ Tjhai <cjt@post-quantum.com> Fri, 21 October 2022 07:07 UTC

Return-Path: <cjt@post-quantum.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFCB1C1524B4 for <ipsec@ietfa.amsl.com>; Fri, 21 Oct 2022 00:07:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=post-quantum-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zWawm-BSBvyx for <ipsec@ietfa.amsl.com>; Fri, 21 Oct 2022 00:07:49 -0700 (PDT)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30EBDC1522CF for <ipsec@ietf.org>; Fri, 21 Oct 2022 00:07:49 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id d24so1565637pls.4 for <ipsec@ietf.org>; Fri, 21 Oct 2022 00:07:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=post-quantum-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RHSy00H0T8fnrKtrjZhx4DCRFLsKXuNjO7SqWaJJr34=; b=BlOJ+2Xf+uEq5VxnL0YPYQmHm9UH4mTFY+1ojmeT9g1f92Uc9uoFw3XzVrE4OLB/wk byg8j0nx+783X9zBYoqaD+dNsn0ghv1aV7fzjdxuAmI+wnTC3awD8ezqnzodKyTk64oa H0WqGvKi62O8Z8QDOvnRie3DhralVlvjYjZZww+QclYK+Ji+bnet8mm/1bzDXQYwSf2p 2LuBGLAcTDu8lwFzfhJq101peDJJPL3zNopzz3DIrUGi69VAt9aSvldw/FQpN5YQXN/K 19y8tZI7IBtQkdvpo4CM/eWBSitrlDH+laC3DR21euheO6B5YqzqWrttsGfmp1tWgvii chaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RHSy00H0T8fnrKtrjZhx4DCRFLsKXuNjO7SqWaJJr34=; b=0onkLK4NDnqfCsqY1BLVoApCdS6E7viI6O/pX0KptwDtylPmBIAZdEVBn1OsuGj4aq No4Ma4gU9wxByc/5wAh0sV6lHnc1LV5QzxXYzNo2cwMFHpxF3NnOS6MIYBdOhX3uhXCr fno5zv8js2GVzxnVPsOvMxRYeYTBlEpokuwmrc3AR6GGvRTGT/FQDtHMprXPB6fMUA04 NDVB2YuV29kVISKGTw6vaUn9OdgZWqoiAC32JN/OSK4xNDL8/dI5gRsdCIjD4sOodSxX 62VT5claS5QmaOcjXW1jtiodUFOU4x86mE5Eypec/oJBjo+TheOBBicNAVJmr8yrb0yc iXKQ==
X-Gm-Message-State: ACrzQf1I+/AHw+uD5tV0XgxgFy+7lN4uvXzpcXtJEp5QWBJKcNZBDm7w 5s69X8QeUJmR9/Nw5C6/9Ur5yohJuGuAvohV2diQQNg6ICG8dspYiWGGJ10fsnXNLe2vyy9cuW9 uYj7oNPCcfnTmV08F1WX+zx4=
X-Google-Smtp-Source: AMsMyM7jNYd5P7/0qYipxKslsdGCzJaajeVlDlM3pVOTDxXTDkpC9X8Sdh17KLw+NA8A9+mlD4XjzgxrNlXQFKemFyc=
X-Received: by 2002:a17:902:b417:b0:181:d0e4:3310 with SMTP id x23-20020a170902b41700b00181d0e43310mr17958619plr.134.1666336068090; Fri, 21 Oct 2022 00:07:48 -0700 (PDT)
MIME-Version: 1.0
References: <BN2P110MB1107D456BF345148FADD88CFDC569@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <CANs=h-WWnrdv5+ewjKVnBdoC4X4eTosM5uZ1BDfED1EJ=V9UFw@mail.gmail.com> <BN2P110MB1107E6807021031C3A5B6A0CDC209@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <25415.3646.863005.336101@fireball.acr.fi> <010301d8de6f$6b669250$4233b6f0$@gmail.com>
In-Reply-To: <010301d8de6f$6b669250$4233b6f0$@gmail.com>
From: CJ Tjhai <cjt@post-quantum.com>
Date: Fri, 21 Oct 2022 08:07:36 +0100
Message-ID: <CANs=h-XDr=YLWbNr8SC2_wu==oeUwKCqLCZWS_09Y4q20nwq_A@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: Tero Kivinen <kivinen@iki.fi>, Valery Smyslov <svan@elvis.ru>, ipsec@ietf.org, Valery Smyslov <smyslov.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000006a52ba05eb8619cf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/XtBulBxrrmx2l0SkmqWJa8lAWNk>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 07:07:53 -0000

Hi Roman,

We have updated our draft to incorporate Russ' feedback and also changes
from IANA review. it also includes the following changes following your
suggestions.

The updated draft is available here
https://github.com/post-quantum/ietf-pq-ikev2/blob/master/draft-ietf-ipsecme-ikev2-multiple-ke-00.xml
.

Should we publish version 08 of the draft, or should we just wait for the
end of IETF LC?

Best wishes,
CJ and Valery


[snip]

[Roman] Makes sense.  Thanks. To prevent this from coming up during
subsequent reviews.  Please add a reference to that FAQ here.

We have added the reference to NIST FAQs.

[snip]

[Roman] A recommended value would help if you are comfortable giving it, or
explaining why it’s hard to give one.  This is a common question that comes
from transport review during IETC LC or IESG review.

We added the following sentences:

Note that due to various factors such as computational resource

and key exchange algorithm used, it is not possible to give a

normative guidance on how long this timeout period should be.

In general, 5-20 seconds of waiting time should be appropriate

in most cases.



[snip]


[Roman] Adding a bit of clarifying text like discussed here would be
helpful – that the ordering does not matter.

We added this text as suggested:

The ordering of the additional key exchanges should not matter in
general, as only the final shared secret is of interest.
Nonetheless, because the strength of the running shared secret
increases with every additional key exchange, an implementer may
want to first perform the most secure method (in some metrics) and
followed by less secure one(s).




[Roman] Agreed. Consider if you need to talk about work that ISN’T done in
this document here.  To keep things on point, I would recommend deleting
this text.



We have removed the text as suggested.



On Wed, 12 Oct 2022 at 20:18, Valery Smyslov <smyslov.ietf@gmail.com> wrote:

> Hi Tero,
>
> > Roman Danyliw writes:
> > >     ** Section 3.2.4.
> > >
> > >     The responder MUST handle this
> > >        situation gracefully and delete the associated state if it does
> not
> > >        receive the next expected IKE_FOLLOWUP_KE request after some
> > >        reasonable period of time.
> > >
> > >     Is there a guidance on the timeout value?
> > >
> > > IKEv2 traditionally does not mandate exact timeouts. For example, the
> > same
> > > situation happens if the initiator completes IKE_SA_INIT and never
> starts
> > > IKE_AUTH. The responder should eventually delete the incomplete IKE SA,
> > but
> > > RFC 7296 does not specify how long the waiting time is.
> > >
> > > FWIW, our implementations waits 5 seconds by default (which is
> > adjustable
> > > value).
> > >
> > > Do you think we should recommend (but not mandate) to wait for 5-10
> > seconds?
> > >
> > > [Roman] A recommended value would help if you are comfortable giving
> > it, or
> > > explaining why it’s hard to give one.  This is a common question that
> > comes
> > > from transport review during IETC LC or IESG review.
> >
> > Suitable values can be between few seconds up to few minutes. For
> > example timeout between IKE_SA_INIT and IKE_AUTH might require user
> > interaction, thus it might be up to minutes if PIN code to unlock user
> > auth device is required etc.
> >
> > Because the timeouts are so different depending on the environment and
> > usage scenario we do not give them in the IKEv2 document.
>
> With the IKE_FOLLOWUP_KE exchange user interaction is not a problem (it
> should not take place).
> However, since we are talking about PQ algorithms and some of them
> may be quite costly in terms of generating a key pair, the initiator may
> just
> be unable to provide data for the next IKE_FOLLOWUP_KE exchange quickly.
>
> So, while I think that several minutes is too long in this case,
> I agree that timeout values could be very different depending on the
> initiator's resources and on the algorithm employed. For this reason
> we didn't specify it. We can give a vague recommendation
> that waiting for 5-20 seconds can be appropriate in most situations,
> but definitely we don't want making these values normative.
>
> Regards,
> Valery.
>
> > --
> > kivinen@iki.fi
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
>
>

-- 

PQ Solutions Limited (trading as ‘Post-Quantum’) is a private limited 
company incorporated in England and Wales with registered number 06808505.
 

This email is meant only for the intended recipient. If you have received 
this email in error, any review, use, dissemination, distribution, or 
copying of this email is strictly prohibited. Please notify us immediately 
of the error by return email and please delete this message from your 
system. Thank you in advance for your cooperation.


For more information 
about Post-Quantum, please visit www.post-quantum.com 
<http://www.post-quantum.com>.

In the course of our business relationship, 
we may collect, store and transfer information about you. Please see our 
privacy notice at www.post-quantum.com/privacy-policy/ 
<http://www.post-quantum.com/privacy-policy/> to learn about how we use 
this information.

v2.23.0 | Report a Bug | By Email