Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
Paul Wouters <paul@nohats.ca> Mon, 19 June 2017 14:45 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E001270A7; Mon, 19 Jun 2017 07:45:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X46XKZc6JSMt; Mon, 19 Jun 2017 07:45:12 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 222D4131505; Mon, 19 Jun 2017 07:45:08 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3wrv000pW8z1bS; Mon, 19 Jun 2017 16:45:04 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1497883504; bh=e8b5pflApT/2CkbbEJDgiwfMO0zkT/z2La+rUEmTeAs=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=QaP3vxqe2eYPMpglI7gHQWHP0CC1vi5yxNMoDi2ENN0ox6h1pNkSXD6Ggn7LBuXlb wlrVRUHO0i8g7zPF/G4YGNs5XRuKV4qmTykyEmEwLI+HbZyQX+8bVYJfUo5iw7xiXH bGIKTv9MHoebCvfF2bJR5fw6GnDbqo3cV+c5vGHE=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id zuWtq0mTmf-6; Mon, 19 Jun 2017 16:45:02 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 19 Jun 2017 16:45:01 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id C674C353479; Mon, 19 Jun 2017 10:45:00 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca C674C353479
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id B07E8421253B; Mon, 19 Jun 2017 10:45:00 -0400 (EDT)
Date: Mon, 19 Jun 2017 10:45:00 -0400
From: Paul Wouters <paul@nohats.ca>
To: Tero Kivinen <kivinen@iki.fi>
cc: draft-ietf-ipsecme-rfc7321bis@ietf.org, Ben Campbell <ben@nostrum.com>, ipsecme-chairs@ietf.org, ipsec@ietf.org, The IESG <iesg@ietf.org>, david.waltermire@nist.gov
In-Reply-To: <22739.38728.808538.27709@fireball.acr.fi>
Message-ID: <alpine.LRH.2.21.1706191026150.5777@bofh.nohats.ca>
References: <148962889979.14189.965850110922865986.idtracker@ietfa.amsl.com> <alpine.LRH.2.20.999.1703161300150.32675@bofh.nohats.ca> <22739.38728.808538.27709@fireball.acr.fi>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/cdhtvNnoUclngyfyGAPuIUziwb0>
Subject: Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jun 2017 14:45:24 -0000
On Thu, 23 Mar 2017, Tero Kivinen wrote: > Paul Wouters writes: >>> -3: I wonder why "... is not to be used..." is not "... MUST NOT be >>> used...". But the section goes on to say if you do it anyway, you MUST >>> NOT use certain cryptosuites. So, does "... is not to be used..." mean >>> "SHOULD NOT"? Or is this one of those "MUST NOT BUT WE KNOW YOU WILL" >>> sort of requirements? >> >> It is indeed. I think a SHOULD NOT would actually be appropriate ? > > We do not want to make the implementation of the manual keying MUST > NOT, as it is still useful in testing and similar situations, but we > do not want anybody using it in any real world use cases. As this > document is mostly about the implementation and tries to stay out from > the issues about what should be used (as explained in the 2nd > paragraph of the section 1.3). > > On the other hand section 1.3 is really about the use of the manual > keying, not about the implementation of manual keying, so that > confuses things (we do have some other cases were we say things DES > MUST NOT be used). > > I think the text needs to be clarified about this bit more, especially > we do not want to say that ENCR_AES_CBC MUST be used, as there are > other algorithms which can also be used (MUST be used would indicate > no other algorithm is possible). Here is a suggestion: OLD text: 3. Manual Keying Manual Keying is not to be used as it is inherently dangerous. Without any keying protocol, it does not offer Perfect Forward Secrecy ("PFS") protection. Deployments tend to never be reconfigured with fresh session keys. It also fails to scale and keeping SPI's unique amongst many servers is impractical. This document was written for deploying ESP/AH using IKE ([RFC7296]) and assumes that keying happens using IKEv2. If manual keying is used anyway, ENCR_AES_CBC MUST be used, and ENCR_AES_CCM, ENCR_AES_GCM and ENCR_CHACHA20_POLY1305 MUST NOT be used as these algorithms require IKE. NEW text: 3. Manual Keying Manual Keying SHOULD NOT be used as it is inherently dangerous. Without any keying protocol, it does not offer Perfect Forward Secrecy ("PFS") protection. Without IKE, another entity needs to ensure refreshing of session keys, tracking SPI uniqueness and ensuring nonces or IVs are not used more then once. This document was written for deploying ESP/AH using IKE ([RFC7296]) and assumes that keying happens using IKE version 2 or higher. If manual keying is used anyway, AEAD algorithms MUST NOT be used, as these algorithms require additional input provided by IKE and are compromised if a counter is accidentally re-used, such as when a counter overflows, or when a device reboots without remembering the previously used counters. As of publication of this document, ENCR_AES_CBC is the only non-AEAD Mandatory-To-Implement encryption algorithm suitable for Manual Keying. >>> - Table in section 6: >>> I'm boggled by the first entry being labeled "MUST/MUST NOT". I don't see >>> anything in the text to explain the "MUST" part--did I miss something? >> >> >> First paragraph under the table: >> >> AUTH_NONE has been downgraded from MAY in RFC7321 to MUST NOT. The >> only reason NULL is acceptable is when authenticated encryption >> algorithms are selected from Section 5. In all other cases, NULL >> MUST NOT be selected. > > It does not make it easier that there is typo in that paragraph, and > it talks about NULL, when it should be talking about AUTH_NONE... Queued up (NULL -> AUTH_NONE) Paul
- [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-… Ben Campbell
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Waltermire, David A. (Fed)
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Ben Campbell
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Frankel, Sheila E. (Fed)
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul.Koning
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Tero Kivinen
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul.Koning
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Eric Rescorla
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Paul.Koning
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Russ Housley
- Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipse… Eric Rescorla