IETF Logo Mail Archive

Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)

Paul Wouters <paul@nohats.ca> Mon, 19 June 2017 14:45 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E001270A7; Mon, 19 Jun 2017 07:45:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X46XKZc6JSMt; Mon, 19 Jun 2017 07:45:12 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 222D4131505; Mon, 19 Jun 2017 07:45:08 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3wrv000pW8z1bS; Mon, 19 Jun 2017 16:45:04 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1497883504; bh=e8b5pflApT/2CkbbEJDgiwfMO0zkT/z2La+rUEmTeAs=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=QaP3vxqe2eYPMpglI7gHQWHP0CC1vi5yxNMoDi2ENN0ox6h1pNkSXD6Ggn7LBuXlb wlrVRUHO0i8g7zPF/G4YGNs5XRuKV4qmTykyEmEwLI+HbZyQX+8bVYJfUo5iw7xiXH bGIKTv9MHoebCvfF2bJR5fw6GnDbqo3cV+c5vGHE=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id zuWtq0mTmf-6; Mon, 19 Jun 2017 16:45:02 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 19 Jun 2017 16:45:01 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id C674C353479; Mon, 19 Jun 2017 10:45:00 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca C674C353479
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id B07E8421253B; Mon, 19 Jun 2017 10:45:00 -0400 (EDT)
Date: Mon, 19 Jun 2017 10:45:00 -0400
From: Paul Wouters <paul@nohats.ca>
To: Tero Kivinen <kivinen@iki.fi>
cc: draft-ietf-ipsecme-rfc7321bis@ietf.org, Ben Campbell <ben@nostrum.com>, ipsecme-chairs@ietf.org, ipsec@ietf.org, The IESG <iesg@ietf.org>, david.waltermire@nist.gov
In-Reply-To: <22739.38728.808538.27709@fireball.acr.fi>
Message-ID: <alpine.LRH.2.21.1706191026150.5777@bofh.nohats.ca>
References: <148962889979.14189.965850110922865986.idtracker@ietfa.amsl.com> <alpine.LRH.2.20.999.1703161300150.32675@bofh.nohats.ca> <22739.38728.808538.27709@fireball.acr.fi>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/cdhtvNnoUclngyfyGAPuIUziwb0>
Subject: Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jun 2017 14:45:24 -0000

On Thu, 23 Mar 2017, Tero Kivinen wrote:

> Paul Wouters writes:
>>> -3: I wonder why "... is not to be used..." is not "... MUST NOT be
>>> used...". But the section goes on to say if you do it anyway, you MUST
>>> NOT use certain cryptosuites. So, does "... is not to be used..." mean
>>> "SHOULD NOT"? Or is this one of those "MUST NOT BUT WE KNOW YOU WILL"
>>> sort of requirements?
>>
>> It is indeed. I think a SHOULD NOT would actually be appropriate ?
>
> We do not want to make the implementation of the manual keying MUST
> NOT, as it is still useful in testing and similar situations, but we
> do not want anybody using it in any real world use cases. As this
> document is mostly about the implementation and tries to stay out from
> the issues about what should be used (as explained in the 2nd
> paragraph of the section 1.3).
>
> On the other hand section 1.3 is really about the use of the manual
> keying, not about the implementation of manual keying, so that
> confuses things (we do have some other cases were we say things DES
> MUST NOT be used).
>
> I think the text needs to be clarified about this bit more, especially
> we do not want to say that ENCR_AES_CBC MUST be used, as there are
> other algorithms which can also be used (MUST be used would indicate
> no other algorithm is possible).

Here is a suggestion:

OLD text:

3.  Manual Keying

    Manual Keying is not to be used as it is inherently dangerous.
    Without any keying protocol, it does not offer Perfect Forward
    Secrecy ("PFS") protection.  Deployments tend to never be
    reconfigured with fresh session keys.  It also fails to scale and
    keeping SPI's unique amongst many servers is impractical.  This
    document was written for deploying ESP/AH using IKE ([RFC7296]) and
    assumes that keying happens using IKEv2.

    If manual keying is used anyway, ENCR_AES_CBC MUST be used, and
    ENCR_AES_CCM, ENCR_AES_GCM and ENCR_CHACHA20_POLY1305 MUST NOT be
    used as these algorithms require IKE.

NEW text:

3.  Manual Keying

Manual Keying SHOULD NOT be used as it is inherently dangerous.
Without any keying protocol, it does not offer Perfect Forward
Secrecy ("PFS") protection. Without IKE, another entity needs to
ensure refreshing of session keys, tracking SPI uniqueness and
ensuring nonces or IVs are not used more then once. This document
was written for deploying ESP/AH using IKE ([RFC7296]) and assumes
that keying happens using IKE version 2 or higher.

If manual keying is used anyway, AEAD algorithms MUST NOT be used,
as these algorithms require additional input provided by IKE and
are compromised if a counter is accidentally re-used, such as when
a counter overflows, or when a device reboots without remembering
the previously used counters. As of publication of this document,
ENCR_AES_CBC is the only non-AEAD Mandatory-To-Implement encryption
algorithm suitable for Manual Keying.

>>> - Table in section 6:
>>> I'm boggled by the first entry being labeled "MUST/MUST NOT". I don't see
>>> anything in the text to explain the "MUST" part--did I miss something?
>>
>>
>> First paragraph under the table:
>>
>>     AUTH_NONE has been downgraded from MAY in RFC7321 to MUST NOT.  The
>>     only reason NULL is acceptable is when authenticated encryption
>>     algorithms are selected from Section 5.  In all other cases, NULL
>>     MUST NOT be selected.
>
> It does not make it easier that there is typo in that paragraph, and
> it talks about NULL, when it should be talking about AUTH_NONE...

Queued up (NULL -> AUTH_NONE)

Paul

v2.23.0 | Report a Bug | By Email