IETF Logo Mail Archive

Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)

Tero Kivinen <kivinen@iki.fi> Tue, 22 December 2009 10:23 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 77E6B3A685A for <ipsec@core3.amsl.com>; Tue, 22 Dec 2009 02:23:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.578
X-Spam-Level:
X-Spam-Status: No, score=-2.578 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F8+-+pR-LE-K for <ipsec@core3.amsl.com>; Tue, 22 Dec 2009 02:23:06 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id E41F23A69BD for <ipsec@ietf.org>; Tue, 22 Dec 2009 02:23:03 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nBMAMexN028234 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 22 Dec 2009 12:22:40 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nBMAMeAO001248; Tue, 22 Dec 2009 12:22:40 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19248.40432.222096.933388@fireball.kivinen.iki.fi>
Date: Tue, 22 Dec 2009 12:22:40 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Dan Harkins <dharkins@lounge.org>
In-Reply-To: <7d5c3e9fd2fc64bdc5ae9849f28e948a.squirrel@www.trepanning.net>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF893F4CB@il-ex01.ad.checkpoint.com> <7d5c3e9fd2fc64bdc5ae9849f28e948a.squirrel@www.trepanning.net>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 7 min
X-Total-Time: 7 min
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Yoav Nir <ynir@checkpoint.com>, "Black_David@emc.com" <black_david@emc.com>
Subject: Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2009 10:23:08 -0000

Dan Harkins writes:
>   My understanding of Tero's mail is that the code was originally written
> in 2001. It was modified sometime in 2007 to add "y". Then in July 2009
> it was changed to not add "y". So I think there is a problem for a product
> shipped from sometime in 2007 to July 2009 when it interoperates with
> product from outside that window, either before or after.

Yes. 

> And that problem will not go away by defining new numbers.

It does, as if none of the new versions include support for those
groups at all using those numbers (as they are obsoleted), then those
old unpatched versions are getting policy mismatch instead of MAC
failures, and they can fix their policy to use MODP groups.

>   We are going to have unconditional interoperability for new
> implementations whether we define new numbers or just clean up the
> existing specification.

No, as every time one of those new implementations talks to old
implementation following RFC4753 without errata, there will be MAC
failure which is hard to diagnostic.

If new version does not ever include old ECP group numbers in their SA
proposals, there is no way new versions and old versions could even
try to negotiate ECP groups, thus they would fall back to modp groups,
or at least get people to ask correct question, i.e. why the new
version removed ECP groups 19, 20, 21, 25, 26 and then vendor would
answer: "because they are obsoleted and replaced with groups n ..
n+m". 

>   I think most everyone agrees that elliptic curve groups aren't really
> used today so the problem can be resolved by fixing the documents. Yes,
> the errata introduces interoperability implications, so let's be happy
> that those implications are likely to be minor (and possibly non-existent).

EC groups are not used, but the implementations are already out there,
and some day someone might actually enable them in their policy, and
if we do not allocate new numbers we are going to get those problems
in the future. Those products using QuickSec OEM toolkit 4.4 - 5.0 are
not going to disappear, and those products will nicely interoperate
with each other.

We can provide them fix to the old products, but that does not mean
our customers will actually put that to their products, and some of
those products (ADLS boxes etc), might be something they will not
provide updates at all. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email