IETF Logo Mail Archive

Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06

Roman Danyliw <rdd@cert.org> Mon, 10 October 2022 21:01 UTC

Return-Path: <rdd@cert.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B86F5C14CE40 for <ipsec@ietfa.amsl.com>; Mon, 10 Oct 2022 14:01:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3rVA_qUP92SK for <ipsec@ietfa.amsl.com>; Mon, 10 Oct 2022 14:01:07 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0090.outbound.protection.office365.us [23.103.208.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D247C14F6EB for <ipsec@ietf.org>; Mon, 10 Oct 2022 14:01:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=Jay1yZkCDETyilvJF7mvJ9OTeDf5U4Kh5UrcsUfNgLFMqiN2wHlJCmF8ICpsfWpaitV7q4DB8DEI+cYwlaLNN7wZ/K4aHkq8IN/rIWWnjnSwhaNoXY1HQpbhnKPw1R1eivJhhnLz7bBEIpGyHV2Jci9Vy4SzIUGOUOFLTMSIYabFEylm6oYYF6pfWK0g0JCCa9lYZJwaFXIRu21cixQnZI72F7ZKP5Las0gcRVM9CXljvFekJMRKmNkgYjnJdRgt8B7t2mi4MgYi06ZxMSFyi1gWSDM11WxUzpMz6TGDxjmfYkekVP4HO3yUKBgCMfSaOAvsTG4OoS9WBOu8rJ9kIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jqxdZJcG0nH6DWBHOwsYFB6G3lIE9M1XN1Ax+49wu6I=; b=Uuab9Vb2TE0j+um19nGHmet/GE3pklI7dtNn+tZMV0FHANT5DfaI+HClHrSxfZAbpNvWWQT28z5MVHhqMgUQNODqb1FVTuR3hDP13mBD23MStiwT1tBZDdTn/y6HP2PSf/WFGSnLhLNm8wo7Xh4pzKVsded1W+zbJwNkbKn6AfyGSThj8Cr92VEZeoqPFrknG064VJXp+6cEyciVI5KUKdxLbLidnhs7x1Dlc8VOr/KH5jUOD872clvQ61wqKJnKG0oOwfqeZvn6BtWCE1bPRPjBljqcLoG5CK3mwFpdxZ6LF+usr3uE2+/ALEK99APUa3vUzqbaV76tK9DtsKWfzg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jqxdZJcG0nH6DWBHOwsYFB6G3lIE9M1XN1Ax+49wu6I=; b=O1osOugX9qkQv8CmfkAARUlZmSZ9mYgKtRt14gVMnS90LRDJjY0Esli+8ysvYWuf2Hihat2av7mhJ2H0dQqsQDLQsNSIlGBXRRdF1fAjt0H2Gxlw9DOMilr2bygnr5PLtwfPlBcWiXK1rXTZ3zhifXmsY1Dwo4xXTr4D3VXioDg=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1105.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:16b::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5676.20; Mon, 10 Oct 2022 21:01:03 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dbc:d573:57cb:e0e1]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dbc:d573:57cb:e0e1%6]) with mapi id 15.20.5676.040; Mon, 10 Oct 2022 21:01:03 +0000
From: Roman Danyliw <rdd@cert.org>
To: CJ Tjhai <cjt@post-quantum.com>
CC: Valery Smyslov <svan@elvis.ru>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06
Thread-Index: AdjVFve8l6i95Y8RTMyDGHjJmSSKlwDP4BIAASTrI1A=
Date: Mon, 10 Oct 2022 21:01:03 +0000
Message-ID: <BN2P110MB1107E6807021031C3A5B6A0CDC209@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB1107D456BF345148FADD88CFDC569@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <CANs=h-WWnrdv5+ewjKVnBdoC4X4eTosM5uZ1BDfED1EJ=V9UFw@mail.gmail.com>
In-Reply-To: <CANs=h-WWnrdv5+ewjKVnBdoC4X4eTosM5uZ1BDfED1EJ=V9UFw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1105:EE_
x-ms-office365-filtering-correlation-id: 73e9b899-0b26-412e-e8a0-08daab028b17
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GzEQMlt1PNec3KO6ZqbzHysRN9MWABc7Oik7F07hoMXtg4UkDPMpOIaRQ0YnEg+4toi+meBjY3c38zePcUnXmyQ5oYG6Qp95JZOsquhhtNJBxD6mrGZReqPXWXsqtocLeJrua2fKVJBT0Z0yFONiav3QngSxeeGXnfGfNKMqGGnX9bTBybUBUxaCK6BvunRmw0engIFtlpBJ/V4+r6pK8sjOd2vHlFFu2kE52VFUB2nn3qZkMvEFstVlf1TrWiYeTwGt+WNZ/+nMT5P91eo8yEUUlUS4zInJY3pfuLGSVxGBCzEV7Ltz7idf/092LvK/2oOMUM6SWVuQHtK/+/kWVOb/9ltHvhjr4+P01gTP0xfQ/rMlDqb8bAJPCWI/t4oUx4Uve7BFDfrwfB9ujaz1YT6A4eI6GwAMbgQBUP+Sd23UWtX33GN7j0nj/gOaS5mTWxEsKDdajtyvm3ien2GSFX0a6pmc9o4b/TNpgREqW6y3u3VGBthlwdX0kIB+90MKcTCPLQmFxqYuhzAjgLna81ezgx6tesbnmJc8b2OK970wabJDhlqAfOhUNUGq1DRMYZOBLSEBSNhFPo0QCCCKFDyZJ3JkeskaMdxCnrVyNLNPSsa+HuKkIgdQdWCqgYBlZaxzhfi+V9XufoTPdB7ddoVr+PFYJ2nbMgi64I93CV0F/g4b4qp34kbe0+PuRjiE8e4k91MhabPEv8s6unwBYw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(4326008)(5660300002)(66946007)(8676002)(83380400001)(66556008)(66476007)(66446008)(38100700002)(64756008)(166002)(82960400001)(8936002)(33656002)(86362001)(966005)(54906003)(52536014)(2906002)(6916009)(186003)(498600001)(71200400001)(53546011)(38070700005)(76116006)(55016003)(122000001)(26005)(9686003)(6506007)(7696005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: soYhKCy4F9MN8zI3F4otbYByAvdxu2rRpiAkkVHal8uzlrZM5hWqynKegyOH57saCdoXrxboSo9isOaFIoeOOcoIzkgKncc0pOCqPmR+bv7nyd1dUCW1RWl3L7bCZ1WvcbcHyTGSndU/mlVlzZwqtKhXnpOB/cqf0RAop6tjJVO8zXbWBcv8zKttysDIiwVWMX8FpFi1r34jU3JLUeYLVnetYN2RzWyD4rTf5qX3PLECLziIejuhebu5So4w5XpKDyV0uS4St4/kNafLzKumGeChBtujTPhHKhVmB74fZiTt95E8rdYKnPnQACMgYQ3oJSnNBugVgWv7E4g/9Oko3fWLei+kzWSoJgAzEwuLziI2NzHr42qrp7oNT+avJrl15Eh1GL3wGBbegVU5g8hTO+1maUvnS7kZIWLJmbNdB4E=
Content-Type: multipart/alternative; boundary="_000_BN2P110MB1107E6807021031C3A5B6A0CDC209BN2P110MB1107NAMP_"
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 73e9b899-0b26-412e-e8a0-08daab028b17
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Oct 2022 21:01:03.7605 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1105
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/bXDgFRrHFY1VvLLblVjtTUbQcW4>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 21:01:11 -0000

Hi!

Thanks for the explanation and the revised text in -07.  I’m advancing the document to IETF LC.

I have a few replies to consider with any additional IETF LC feedback.

From: CJ Tjhai <cjt@post-quantum.com>
Sent: Tuesday, October 4, 2022 9:05 PM
To: Roman Danyliw <rdd@cert.org>
Cc: Valery Smyslov <svan@elvis.ru>; ipsec@ietf.org
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-ikev2-multiple-ke-06

[snip]

On Fri, 30 Sept 2022 at 23:20, Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>> wrote:

[snip]
** Section 2

Federal Information Processing Standards (FIPS) compliance.
        IPsec is widely used in Federal Information Systems and FIPS
        certification is an important requirement.  However, algorithms
        that are believed to be post-quantum are not FIPS compliant yet.
        Still, the goal is that the overall hybrid post-quantum IKEv2
        design can be FIPS compliant.

What kind of coordination was done to ensure that this design is FIPS compliant?  Do we have a read if it is?

See NIST PQC FAQs (Transition and Migration section): https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs

Are multiple classic (EC)DH key exchanges FIPS compliant?

Based on the above FAQ, if at least one (EC)DH is FIPS complaint, we think that the overall exchange should be.

[Roman] Makes sense.  Thanks. To prevent this from coming up during subsequent reviews.  Please add a reference to that FAQ here.

[snip]
** Section 3.2.4.

The responder MUST handle this
   situation gracefully and delete the associated state if it does not
   receive the next expected IKE_FOLLOWUP_KE request after some
   reasonable period of time.

Is there a guidance on the timeout value?

IKEv2 traditionally does not mandate exact timeouts. For example, the same situation happens if the initiator completes IKE_SA_INIT and never starts IKE_AUTH. The responder should eventually delete the incomplete IKE SA, but RFC 7296 does not specify how long the waiting time is.

FWIW, our implementations waits 5 seconds by default (which is adjustable value).

Do you think we should recommend (but not mandate) to wait for 5-10 seconds?

[Roman] A recommended value would help if you are comfortable giving it, or explaining why it’s hard to give one.  This is a common question that comes from transport review during IETC LC or IESG review.


[snip]

** Section 5.  Is there any significance to the order of the KEs?  Does 4096-bit MODP Group then PQ_KEM1 yield anything different than the reverse?  Should the classic KEM come before the PQC one(s)?

In order to avoid potential fragmentation issue, KE payload should be small enough, so it may not be desirable to use PQ_KEM1 (assuming its public key/ciphertext is larger than 1.5KB) in the KE payload. So in general, we expect the KE payload to be used for (EC)DH and this will help in terms of backward compatibility. Ignoring this consideration, we think the ordering of the key exchange should not matter as we are only interested in the overall shared secret.

Having said that, we could also see that one could argue that it matters. Note that the "strength" of the running shared secret (assuming there is no issue on the random number generator used) increases with every new additional key exchange. So one may wish to first perform the most secure method (in some metrics) and then add less trusted one(s).

[Roman] Adding a bit of clarifying text like discussed here would be helpful – that the ordering does not matter.


** Section 5.

   Post-quantum authenticity
   may be provided by using a post-quantum digital signature and several
   of them have been being explored by IETF.  For example, if the
   implementation is able to reliably track state, the hash based
   method, XMSS has the status of an RFC, see [RFC8391].  Currently,
   post-quantum authentication methods are not specified in this
   document, but are planned to be incorporated in due course.

-- What activity in the IETF exploring PQ digital signatures?

There is this work on composite signatures: https://datatracker.ietf.org/doc/draft-ounsworth-pq-composite-sigs/
and an expired draft on the same subject but specific to IKEv2: https://datatracker.ietf.org/doc/draft-guthrie-ipsecme-ikev2-hybrid-auth/


-- Is using XMSS a recommendation?

Due to the need to keep states, we think XMSS may not be that suitable for IKEv2.

-- What is the planned due course referenced here?

We believe the document should focus on confidentiality. Supports for PQ digital signatures can be added as a separate document.

[Roman] Agreed. Consider if you need to talk about work that ISN’T done in this document here.  To keep things on point, I would recommend deleting this text.

Regards,
Roman

v2.23.0 | Report a Bug | By Email