[Ipsec] Important changes in draft-hoffman-rfc3664bis; please review
Paul Hoffman <paul.hoffman@vpnc.org> Thu, 06 October 2005 21:12 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ENd2C-00051J-W1; Thu, 06 Oct 2005 17:12:12 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ENd2B-000517-Rf for ipsec@megatron.ietf.org; Thu, 06 Oct 2005 17:12:11 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA16592 for <ipsec@ietf.org>; Thu, 6 Oct 2005 17:12:08 -0400 (EDT)
Received: from above.proper.com ([208.184.76.39]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ENdBJ-0000PS-9o for ipsec@ietf.org; Thu, 06 Oct 2005 17:21:39 -0400
Received: from [10.20.30.249] (dsl2-63-249-92-231.cruzio.com [63.249.92.231]) (authenticated bits=0) by above.proper.com (8.12.11/8.12.9) with ESMTP id j96LC0KW024941 for <ipsec@ietf.org>; Thu, 6 Oct 2005 14:12:01 -0700 (PDT) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p062309b5bf6b4213dee0@[10.20.30.249]>
Date: Thu, 06 Oct 2005 14:11:52 -0700
To: IPsec WG <ipsec@ietf.org>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
Subject: [Ipsec] Important changes in draft-hoffman-rfc3664bis; please review
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Greetings again. At the IKEv2 bakeoff, a significant problem was
found with draft-hoffman-rfc3664bis, which has already been put in
the RFC Editor's queue. It would have been nice if this had been
noticed before we all agreed that the document was sound, but there
is still time to make a technical change to fix this.
A summary of the problem is:
In IKEv2 section 2.14 on generating keying material, it says:
If the
negotiated prf takes a fixed length key and the lengths of Ni and Nr
do not add up to that length, half the bits must come from Ni and
half from Nr, taking the first bits of each.
In section 2.15 on authentication, it says:
If the negotiated prf takes a fixed
size key, the shared secret MUST be of that fixed size.
rfc3664bis section 1.1 says:
This document specifies the same algorithm as RFC 3664 except that
the restriction on keys having to be exactly 128 bits from [AES-XCBC-
MAC] is removed. Implementations of RFC 3664 will have the same
bits-on-the-wire results as this algorithm; the only difference is
that keys that were not equal in length to 128 bits will no longer be
rejected, but instead will be made 128 bits.
The problem is that changing from fixed-key-size to variable-key-size
changes the bits output from generating keying material. Because the
nonces must each be at least 128 bits (from IKEv2 section 2.10), the
lengths will never add up to the key length unless the key is 256 or
longer.
Because of this, I have issued a new version of
draft-hoffman-rfc3664bis (-05, to be specific), that attempts to
solve the problem by adding the following two paragraphs to section
1.1:
-----
IKEv2 [IKEv2] uses PRFs for multiple purposes, most notably for
generating keying material and authentication of the IKE_SA. The
IKEv2 specification differentiates between PRFs with fixed key sizes
and those with variable key sizes.
When using the PRF described in this document with IKEv2, the PRF is
considered to be fixed-length for generating keying material but
variable-length for authentication. That is, when generating keying
material, "half the bits must come from Ni and half from Nr, taking
the first bits of each" as described in IKEv2 section 2.14, but when
authenticating with shared secrets (IKEv2 section 2.16), the shared
secret does not have to be 128 bits long. This somewhat tortured
logic allows IKEv2 implementations that use the fixed-length-key
semantics from RFC 3664 to interoperate with implementations that use
the variable-length-key semantics of this document.
-----
I have also asked Russ Housley to take the previous draft off the RFC
Editor's queue and, if there is general agreement on this change, put
the revised draft back into the queue.
All IKEv2 implementers: please read the whole document carefully
(again, I hope), particularly looking at these two paragraphs, and
comment on whether this fixes the problems stated. Thanks!
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] Important changes in draft-hoffman-rfc366… Paul Hoffman
- RE: [Ipsec] Important changes in draft-hoffman-rf… Pasi.Eronen
- RE: [Ipsec] Important changes in draft-hoffman-rf… Pasi.Eronen
- RE: [Ipsec] Important changes in draft-hoffman-rf… Tero Kivinen