IETF Logo Mail Archive

Re: [IPsec] New Version Notification for draft-tjhai-ipsecme-hybrid-qske-ikev2-03.txt

Tobias Heider <heidert@nm.ifi.lmu.de> Fri, 29 March 2019 08:39 UTC

Return-Path: <heidert@nm.ifi.lmu.de>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85EB31203B6; Fri, 29 Mar 2019 01:39:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E_dQ4qanlgUt; Fri, 29 Mar 2019 01:39:24 -0700 (PDT)
Received: from acheron.ifi.lmu.de (acheron.ifi.lmu.de [IPv6:2001:4ca0:4000:1:129:187:214:135]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61495120026; Fri, 29 Mar 2019 01:39:24 -0700 (PDT)
Received: from [IPv6:2001:67c:1232:144:e08f:7ce8:fb50:addb] (unknown [IPv6:2001:67c:1232:144:e08f:7ce8:fb50:addb]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: heidert) by acheron.ifi.lmu.de (Postfix) with ESMTPSA id 35AEC35DAC6; Fri, 29 Mar 2019 09:39:22 +0100 (CET)
From: Tobias Heider <heidert@nm.ifi.lmu.de>
To: IPsecME WG <ipsec@ietf.org>
Cc: draft-tjhai-ipsecme-hybrid-qske-ikev2@ietf.org, stefan@gazdag.de
References: <154748799416.9552.17299073748247797491.idtracker@ietfa.amsl.com> <000101d4ad6b$4a790ca0$df6b25e0$@gmail.com> <13654392-83f1-6995-6ca5-f72b2b0be7eb@nm.ifi.lmu.de>
Message-ID: <fe9886a7-3235-8fe7-d0f6-2076a6da235d@nm.ifi.lmu.de>
Date: Fri, 29 Mar 2019 09:39:21 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <13654392-83f1-6995-6ca5-f72b2b0be7eb@nm.ifi.lmu.de>
Content-Type: multipart/alternative; boundary="------------FFE6BE6EC2DD7AE8711223B0"
Content-Language: en-US-large
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/cOvDnXg1BJ2klASsFfvAHGAVQeg>
Subject: Re: [IPsec] New Version Notification for draft-tjhai-ipsecme-hybrid-qske-ikev2-03.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 08:39:42 -0000

Hi,

little update on the nonces:
Stefan and I have been asking around the CFRG people what they think
about omitting
additional nonces and the consensus seems to be that this is not an easy
question
and that this could probably only be resolved doing formal verification.

Also we were strongly advised to get formal verification for the whole
protocol
including the INTERMEDIATE, and to seek help at CFRG at some point.

We're trying to bring people together who are interested in helping with
this,
If anyone has previous experience with formal verification of secure
network
protocols and wants to join, feel free to contact me.

Regards,
Tobias

On 3/27/19 6:29 PM, Tobias Heider wrote:
> Hi,
>
> we had a side meeting today where some of us shared our experiences
> implementing this
> draft and we had the chance to discuss the future of this draft with
> the authors.
> Here's what we have talked about and our results:
>
> #1 Nonces in IKE_INTERMEDIATE and CHILD_SA exchanges:
>
> The current draft proposes to send a pair of new nonces in every
> subsequent IKE_INTERMEDIATE exchange.
> We agreed that none of us sees any obvious security problems with only
> using the nonces exchanged in
> IKE_SA_INIT, but we should try to get this confirmed by cryptologists
> (maybe CFRG can help).
>
> #2 Using a single IKE_INTERMEDIATE to transport all additional keys
>
> One single big IKE_INTERMEDIATE message that transports all additional
> key exchanges would be enough to
> allow big keys to be fragmented. The main problem of this approach is
> that fragmentation handles lost
> fragments by resending all fragments. There is no way of requesting
> retransmission of a single fragment.
> This may turn out to be a problem, which is why each new key is sent
> in a separate IKE_INTERMEDIATE.
> Another solution might be to change fragmentation to allow
> retransmission of single fragments.
>
> #3 Using a reserved field to avoid 7 new transform types
>
> It was discussed whether it makes sense to use a reserved field in the
> transform substructure header
> to combine transforms of the same transform type (e.g. Diffie-Hellman
> group) with logical AND instead of OR.
> We agreed that the current solution is less work to implement and
> using the reserved field offers no
> functional benefit.
>
> #4 Big Keys (e.G. Classic McEliece)
>
> In general there was consensus that we should find a way to enable the
> use of McEliece keys.
> The problem is that McEliece keys are >1MB in size and thus can not
> fit into the KE payload
> (which has a 16 bit size field).
>
> The solution we came up with is fragmenting a single key over several
> KE payloads which are transmitted
> in a single IKE_INTERMEDIATE message that can be fragmented over
> several udp datagrams using
> IKEv2 fragmentation:
> HDR, SK {KE(Fragment 1), KE(Fragment 2), KE(Fragment 3)} -->
> 	<-- HDR, SK {KE(Fragment 1), KE(Fragment 2), KE(Fragment 3)}
>
> This approach is only limited by the size field of the IKEv2 header,
> which is 32 bit.
>
> #5 Rekeying and CREATE_CHILD_SA
>
> Nonces should be handled as said in #1.
> The draft does not yet specify how the new SKEYSEED is generated.
> We agreed that the best way would be to do this in a single prf
> (different than in the INTERMEDIATE
> exchanges which are "rekeying" incrementally), e.G. :
>
>     SKEYSEED = prf(SK_d(old), KE1result | KE2result | ... | Ni |Nr)
>
> The use of INFORMATIONAL exchange for the additional key exchanges was
> criticized.
> Several alternative designs were discussed, here's the most important
> ones:
>
> Design 1: Sending all in a single exchange:
>
> HDR(CREATE_CHILD_SA), SK {SA, Ni, KEi, KEi2, KEi3, KEi4} -->
>     <-- HDR(CREATE_CHILD_SA), SK {SA, Nr, KEr, KEr2, KEr3, KEr4}
>
> Problems include that the initiator might generate keys that are then
> not accepted by the responder.
> Also the message would probably be very big, so the same problems as
> in #2 apply here.
> It was discussed what happens if the responder does not accept the
> proposal.
> As in normal IKEv2 the INVALID_KE notify can be sent by the responder
> and that CREATE_CHILD_SA
> has to be redone with the new knowledge of what the responder supports.
>
> Design 2: Single additional INFORMATIONAL
>
> HDR(CREATE_CHILD_SA), SK {SA, Ni, KEi} -->
>     <-- HDR(CREATE_CHILD_SA), SK {SA, Nr, KEr, N(ADDITIONAL_KE)(link1)}
>
> HDR(INFORMATIONAL), SK {KEi2, KEi3, KEi4, N(ADDITIONAL_KE)(link1)} -->
>     <-- HDR(INFORMATIONAL), SK {KEr2, KEr3, KEr4}
>
> Implementers might have problems with the complexity of using the
> (link1) cookie
> values as well as with the use of INFORMATIONAL for yet another thing.
>
> Feel free to correct us or comment if we made a mistake or missed
> something important!
> Thanks to everyone for joining the conversation!
>
> Regards,
> Tobias and Stefan
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email