IETF Logo Mail Archive

Re: [IPsec] Teaser for pitch talk at IETF 108

Tero Kivinen <kivinen@iki.fi> Wed, 29 July 2020 13:22 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1DA63A0B2A for <ipsec@ietfa.amsl.com>; Wed, 29 Jul 2020 06:22:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsgwOR_qRPYm for <ipsec@ietfa.amsl.com>; Wed, 29 Jul 2020 06:22:20 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2269C3A0B1F for <ipsec@ietf.org>; Wed, 29 Jul 2020 06:22:19 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id 66C8F200C3; Wed, 29 Jul 2020 16:22:16 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1596028936; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=e8kYGXczrOpD12vsWdEaPQm0HJpaIg7Z/S+a0mUi+S8=; b=OGKJNyoLktFEuVai+MBpAs3vwse0QwmInL1zPIKwiHeJ72tUGafvQPrK19Hm+rRm/UQrq9 wdniT3LniKcJnMA6F6azWCWv34AS9yTULcxkBUV+At3YpWHu0DH8e2RKx4ddX+oHMJyDZg 7/x37ZmU8XMYuYBtDbhaXVOHYzUYK/U=
Received: by fireball.acr.fi (Postfix, from userid 15204) id 28A0A25C0EE3; Wed, 29 Jul 2020 16:22:15 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24353.30727.115426.454334@fireball.acr.fi>
Date: Wed, 29 Jul 2020 16:22:15 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Valery Smyslov <smyslov.ietf@gmail.com>, 'Michael Rossberg' <michael.rossberg@tu-ilmenau.de>, ipsec@ietf.org
In-Reply-To: <20200729100457.GD20687@gauss3.secunet.de>
References: <023E45E1-B1AA-4042-A8E3-DD7457235BC7@tu-ilmenau.de> <0fd501d664b6$fcc8c590$f65a50b0$@gmail.com> <20200729100457.GD20687@gauss3.secunet.de>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 15 min
X-Total-Time: 23 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1596028936; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=e8kYGXczrOpD12vsWdEaPQm0HJpaIg7Z/S+a0mUi+S8=; b=W4Dmui8Rypk4bvF+7AKiByTb9g1+J+FD1/VChDPYQWdXJ7u3mv+oztzCl9dACnTSC9S7CY e8V+R3uT06DcADBtkLpC9szbQkVWSNzWmiMV3kdYjsrxU8+FfCFRb6+nRNvM1BtrGGZadD 0VfM/SalkuZ7UdSplbEqKhf8oDIsz34=
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1596028936; a=rsa-sha256; cv=none; b=Uu62+VVO3q1ECVbgo1ujf7ISzqYzupFjGUmS3IVYl4W85coroUbBlUxnJIvjG1tF9wyPox I6/8KQL+hDul56oVupoDnrBuXieDV39mtekwILVL31ghePMyPi8PTrIz01IzKwe9TRbZwt FfKN8Xz09u/oQ6JnoJ9Vh/6gosik0gw=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Ye8Ilhalt1DFxG3eWXrYbUiny9s>
Subject: Re: [IPsec] Teaser for pitch talk at IETF 108
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 13:22:29 -0000

Steffen Klassert writes:
> We have already the option to send the high sequence number bits
> when a combined mode algorithm is used.
> 
> RFC 4303, Section 2.2.1. says:
> 
> If a combined mode algorithm is employed, the algorithm choice determines
> whether the high-order ESN bits are transmitted or are included implicitly
> in the computation.

We do not have any algorithms that use that feature, and we do not
have option to negotiate it in IKEv2.

We could add new value for transform type 5 (Extended Sequence
Numbers) to say that we use extended sequence number, and that we
actually transmit the full extended sequence number. 

> We could just give multicast the same option if it wants to use
> replay protection.

As others have already pointed out earlier, with multicast the upper
layer must make care of replays and dropped packets themselves in any
case, so doing that also on the IPsec level does not really provide
that much more security. I mean if the multicast protocol run over UDP
over IPsec simply has internal sequence number inside the UDP, which
will then be authenticated by the IPsec that should be good enough for
replay protection.

There is issue that in that case attacker could do Denial of Service
attack against the IPsec, by replaying packets, and then the IPsec
gateway would decrypt and forward them.

When using multicast you already need to use SPI, and destination
address as your SAD lookup (RFC4303, section 2.1), i.e. use option 2
there. On the other hand you could use the SPI, destination address,
and source address to find the replay window and largest sequence
number used if you want to do anti-replay protection on multicast SAs
so that each sender has separate replay windows.

I assume this is not normally done as it would create so much more
extra work for keeping track of replay windows for every single
sender, and where the benefit is not that big as upper layer protocols
usually do have anti-replay built in.

> > And about security. In order to have IV combined with 
> > ESN and sub-windows identifiers this proposal removes secret 
> > salt from the nonce. This may have impact on security. 
> > I'm not a cryptographer, but I believe the impact is not negligible.
> > On the last CFRG session a draft draft-wood-cfrg-aead-limits was
> > discussed that calculates limits of data to be safely encrypted
> > by various AEAD ciphers. The authors claimed that having 
> > secret salt in the nonce increases this limits in case of multi-user
> > attacks and that the results in the draft are calculated
> > for this case. If plain AEAD ciphers (with no secret salt) are used
> > the limits are lower. 
> 
> A secret salt in the nonce would be a new requirement anyway.
> I've checked RFC 4106 (ESP for GCM) and RFC 7634 (ESP for
> ChaCha20-Poly1305), both don't require a secret salt.

It is true that they do not need secret salt, but they do have
unpredictable salt, which is created by the key derivation step. My
understanding was that this proposal did get rid of that salt too:

----------------------------------------------------------------------
4.  Nonce Format

   The nonce passed to the GCM-AES encryption algorithm has the
   following layout:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             Salt                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Initialization Vector                     |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          Figure 2: Nonce Format

   The components of the nonce are as follows:

   Salt
      The salt field is a four-octet value that is assigned at the
      beginning of the security association, and then remains constant
      for the life of the security association.  The salt SHOULD be
      unpredictable (i.e., chosen at random) before it is selected, but
      need not be secret.  We describe how to set the salt for a
      Security Association established via the Internet Key Exchange in
      Section 8.1.

-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email