IETF Logo Mail Archive

Re: [IPsec] Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-multiple-ke-10: (with COMMENT)

Valery Smyslov <svan@elvis.ru> Thu, 01 December 2022 11:25 UTC

Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 521A2C14F75F; Thu, 1 Dec 2022 03:25:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_O_Sm7WLQXW; Thu, 1 Dec 2022 03:25:11 -0800 (PST)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 821E6C14F74A; Thu, 1 Dec 2022 03:25:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Fy2k21V7Mx15vUwJTS9TTlvFrHVGUETxS35fOW81erk=; b=vvru266Mi/Iil8NgsBYDn7QrpO zXmDtQwNQxnjay0dF+W046/w0muU8+4NHstJQZDCF6or6/uijnJg3epbzsPmm7U6CaWGZN0mvhAkd 8Mlxu6EIkvZclrNCMM6Z4kvkTMORK0djuZ1bdFgCqkYsyMf87w7kalWUBKiV/IqXSzAc=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1p0hge-0003qu-NV; Thu, 01 Dec 2022 14:25:04 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1p0hge-0006UU-Gw; Thu, 01 Dec 2022 14:25:04 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 1 Dec 2022 14:25:04 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Thu, 1 Dec 2022 14:25:04 +0300
From: Valery Smyslov <svan@elvis.ru>
To: "'Eric Vyncke (evyncke)'" <evyncke@cisco.com>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-ikev2-multiple-ke@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi, charliep@computer.org, gih@apnic.net
References: <166971468911.7554.15756404808608648113@ietfa.amsl.com> <150a01d9041a$9c8b3590$d5a1a0b0$@elvis.ru> <9F638EF3-9E79-42C2-9318-1353703D2A7B@cisco.com> <154301d90490$139fc5e0$3adf51a0$@elvis.ru> <A1DD6BE1-824A-4BB2-82A7-C956842AD70C@cisco.com>
In-Reply-To: <A1DD6BE1-824A-4BB2-82A7-C956842AD70C@cisco.com>
Date: Thu, 01 Dec 2022 14:25:06 +0300
Message-ID: <16d801d90577$907a94e0$b16fbea0$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHLbR3DTJkNFJdObyrZMalkiEcAqwIv0BmTAnFKSBoCb3fF1gKVuCShribdhIA=
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/12/01 10:32:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/12/01 00:48:00 #20630840
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/d5eglMpem7M0tA-X4qs63hYHWzM>
Subject: Re: [IPsec] Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-multiple-ke-10: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2022 11:25:15 -0000

Hi Éric,

> -----Original Message-----
> From: Eric Vyncke (evyncke) [mailto:evyncke@cisco.com]
> Sent: Thursday, December 01, 2022 1:41 PM
> To: Valery Smyslov; 'The IESG'
> Cc: draft-ietf-ipsecme-ikev2-multiple-ke@ietf.org; ipsecme-chairs@ietf.org; ipsec@ietf.org;
> kivinen@iki.fi; charliep@computer.org; gih@apnic.net
> Subject: Re: Éric Vyncke's No Objection on draft-ietf-ipsecme-ikev2-multiple-ke-10: (with COMMENT)
> 
> Hello Valery,
> 
> Thanks for your suggested text for the abstract, may I suggest a little more concise (albeit less precise)
> text for the 2nd paragraph (up to the authors of course):
> 
>             The primary application of this feature in IKEv2 is the ability to perform one or more
>             post-quantum key exchanges in conjunction with the classical key exchange,
>             so that the resulting shared key is resistant against quantum computer attacks.
>             Since there is currently no post-quantum key exchange that is against conventional (non-
> quantum)
>             adversaries, performing multiple key exchanges with different post-quantum algorithms along
>             with the classical key exchange algorithms addresses this concern, since the
>             overall security is at least as strong as each individual primitive.

I think in this text an important consideration is missing - that we now have enough trust in (EC)DH
against conventional computers, but we don't have this level of trust in most post-quantum
algorithms (both against conventional and quantum adversaries). That's why we want 
to combine them.

Ah, I can see now that the original text can be interpreted, that we don't trust
post-quantum key exchange only against conventional adversaries...
We can modify the text as follows (make it more concise, less precise, but still correct, IMHO):

        Since there is currently no post-quantum key exchange that is studied at
        the level that (EC)DH is studied, performing multiple key exchanges with different post-quantum 
        algorithms along with the well-established classical key exchange algorithms addresses this concern, since the
        overall security is at least as strong as each individual primitive.

Is it OK?

Regards,
Valery. 

> 
> Hope this helps
> 
> -éric
> 
> 
> On 30/11/2022, 08:48, "iesg on behalf of Valery Smyslov" <iesg-bounces@ietf.org on behalf of
> svan@elvis.ru> wrote:
> 
>     Hi Éric,
> 
>     > Hello Valery,
>     >
>     > TL;DR:  Thanks for your reply and your comments. I agree with them ;-)
>     >
>     > If you want a more detailed reply, then look for EV> below
> 
>     OK, I snipped the text where we have an agreement.
> 
>     > Regards
>     >
>     > -éric
> 
>     [snipped]
> 
>     >     > The bullet 2) is a nice explanation about *why* there must be multiple key
>     >     > exchanges with different methods. Until reading that part, I was really
>     >     > wondering why this I-D was about the link with PQC and multiple key exchanges.
>     >     > Should this be mentioned in the abstract already ?
>     >
>     >     I don't mind, but as far as I know, IESG wants abstract to be short :-)
>     >     If you (and other ADs) think it's a good idea, then we'll add this text.
>     >
>     > EV> I know about short abstract, but they should also give an idea of the content & purpose
> 
>     If it is OK with the IESG we'll extend the abstract with this text. It will look like:
> 
>             This document describes how to extend the Internet Key Exchange Protocol
>             Version 2 (IKEv2) to allow multiple key exchanges to take place
>             while computing a shared secret during a Security Association (SA) setup.
> 
>             The primary application of this feature in IKEv2 is the ability to perform one or more
>             post-quantum key exchanges in conjunction with the classical (Elliptic Curve) Diffie-Hellman
> (EC)DH key exchange,
>             so that the resulting shared key is resistant against quantum computer attacks.
>             Since there is currently no post-quantum key exchange that is trusted at
>             the level that (EC)DH is trusted for against conventional (non-quantum)
>             adversaries, performing multiple key exchanges with different post-quantum algorithms along
>             with the well-established classical key exchange algorithms addresses this concern, since the
>             overall security is at least as strong as each individual primitive.
> 
>             Another possible application for this extension is the ability to combine several key exchanges
>             in situations when no single key exchange algorithm is trusted by both initiator and responder.
> 
>            This document updates RFC7296 by renaming a transform type 4 from "Diffie-Hellman Group (D-
> H)"
>             to "Key Exchange Method (KE)" and renaming a field in the Key Exchange Payload from "Diffie-
> Hellman Group Num"
>             to "Key Exchange Method". It also renames an IANA registry for this transform type
>             from "Transform Type 4 - Diffie-Hellman Group Transform IDs" to
>             "Transform Type 4 - Key Exchange Method Transform IDs". These changes generalize
>             key exchange algorithms that can be used in IKEv2.
> 
>     Hope it's now clear and not *too* long :-)
> 
>     >     > Should "FIPS" be prefixed by "USA" as in "USA FIPS" ?
>     >
>     >     I don't know, rely on my co-authors (actually it seems that
>     >     this is a well-known organization outside USA, but formally you are right).
>     >
>     > EV> I live a in Federal state as well (Belgium), so while I understand that FIPS stands for the USA one,
> let's
>     > be inclusive. Up to you and the authors.
> 
>     No problem, will change the text to:
> 
>             USA Federal Information Processing Standards (FIPS) compliance.  IPsec is widely used in Federal
> Information
>             Systems and FIPS certification is an important requirement.
>             However, at the time of writing, none of the algorithms that is believed
>             to be post-quantum is FIPS compliant yet.  Nonetheless, it is possible to combine
>             this post-quantum algorithm with a FIPS complaint key establishment method so that
>             the overall design remains FIPS compliant [NISTPQCFAQ].
> 
>     Is it OK that prefix "USA" is added once and not to every appearance of "FIPS" ?
> 
>     The updated PR is available at:
>      https://github.com/post-quantum/ietf-pq-ikev2/pull/22
> 
>     Regards,
>     Valery.
> 
>     >     > ## Notes
>     >     >
>     >     > This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
>     >     > [`ietf-comments` tool][ICT] to automatically convert this review into
>     >     > individual GitHub issues.
>     >     >
>     >     > [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
>     >     > [ICT]: https://github.com/mnot/ietf-comments
>     >     >
>     >
>     >
> 
>

v2.23.0 | Report a Bug | By Email