IETF Logo Mail Archive

Re: [IPsec] AD review of draft-ietf-ipsecme-ikev1-algo-to-historic-06

Paul Wouters <paul.wouters@aiven.io> Tue, 11 October 2022 20:08 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C122AC1522DD for <ipsec@ietfa.amsl.com>; Tue, 11 Oct 2022 13:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uTohlKqrs4Sy for <ipsec@ietfa.amsl.com>; Tue, 11 Oct 2022 13:08:22 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96737C14F6E7 for <ipsec@ietf.org>; Tue, 11 Oct 2022 13:08:22 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id n12so23233954wrp.10 for <ipsec@ietf.org>; Tue, 11 Oct 2022 13:08:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=k/hNzXU/DKs11Xikkah0josKBibfzlPqFsBcIvpcg9Q=; b=UTVC3HOzUFoPMki0nV6cseKKb+5mD04XzaJajhQsc6FBDyjE5FPqkg0Kne8L80sbA1 B6Cptjvikp3eu8rFaC1kE2PLUxlhEasBaRU1WywX3S2RLD3MXjHCMYn9ReoglL4UEL4I 5iNfClYbwPxuNrGarmruROCsonD7CxrSkeoQ8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=k/hNzXU/DKs11Xikkah0josKBibfzlPqFsBcIvpcg9Q=; b=KCDSuX7tar2PZaZs+qQj+ewT8NWCdI7ehZkVZuNiOrBwkPaQ+WE2fj7a5jNI5PgVCs SLMSW8J/7anXPUi1oNnOzgCOGapGQpOFkXpB/cTjUVCSRhvN8M2H9G7Ze15DP3pni/Qf pBXmibwlJeR7fGKvxUQkTz9o5l64qZEoeH4Qv9mTQNLJrcebC6OToRVrUdubNQxj8jLj iZT2Odk0ajSCfs974Sm0XrGidjwofD9AS3c1TcwmbXsQrgZD5OhSs/6KrBArcundhSJR 4Sk90ketNIyD6fYuigKxAJO+z3WzfMyxCZeow+d8yvI7HJKJYqyQS0bAwd0R1bhlpDfL SH+g==
X-Gm-Message-State: ACrzQf1i55WzAuDWAibAgk8gFz5I0lRJONaxAHHzfnZl9ymc/WNOSwKc A8sFcmkuhx4FzX2A38RNT0pbhDd7NjK2LE2ymEl4ZAHsii99XQ==
X-Google-Smtp-Source: AMsMyM5ipKbsTgxkUhyZTi3/QsgyRA4VDQgh1WPQ04PKfebLJ+dnVShriCUYzRtpw06PxTNwUQE9dVDtomFw2tJtifY=
X-Received: by 2002:adf:ee0a:0:b0:22f:6a2a:92ab with SMTP id y10-20020adfee0a000000b0022f6a2a92abmr11113124wrn.545.1665518900177; Tue, 11 Oct 2022 13:08:20 -0700 (PDT)
MIME-Version: 1.0
References: <BN2P110MB1107B26385B3570CA30E4A22DC8B9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB1107B26385B3570CA30E4A22DC8B9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 11 Oct 2022 16:08:09 -0400
Message-ID: <CAGL5yWYzTEp+UPs+1a9cxxjyyobpKdUMpnwLH854jUv1tSdv8A@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000069bbbd05eac7d685"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/eW8_fWuzcB3Xqqvl67uaVsl_Dxc>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-ikev1-algo-to-historic-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2022 20:08:26 -0000

On Fri, Jul 15, 2022 at 6:06 PM Roman Danyliw <rdd@cert.org> wrote:

> Hi!
>
> I performed an AD review of draft-ietf-ipsecme-ikev1-algo-to-historic-06.
> Thanks for this work to formally move the community to IKEv2.
>

Sorry for the late reply. I thought I answered this, but I can't find a
trace of it, so I apparently did not.



> Based on the content of this document, I am assuming the WG intent is to
> follow option #3 of
> https://www.ietf.org/about/groups/iesg/statements/designating-rfcs-historic-2014-07-20/.
> Please correct me if I have it wrong.  To repeat the salient parts of the
> process here, when this document goes to IETF LC, there will be a companion
> "status change document" which also will be sent to IETF LC.  That status
> change document will move RFC207/2408/2409 to historic status.  The IESG
> will need to ballot on both.
>

I believe so yes.


> Below is my feedback.  Some of the editorial changes are to support the
> process described above.
>
> ** Abstract.  As this document is formally updating other documents,
> please state that in this section.  From idnits:
>
>   -- The draft header indicates that this document updates RFC8247, but the
>      abstract doesn't seem to mention this, which it should.
>
>   -- The draft header indicates that this document updates RFC8221, but the
>      abstract doesn't seem to mention this, which it should.
>
>
Fixed in -07. I wondered about whether it really updates 8221 and 8247,
because those RFCs don't really make a statement
on these algorithms. But as they state that non mentioned algorithms remain
at MAY, I felt more inclined to call it a real Update:
so I changed the text in the abstract to reflect this.


** Abstract.  To sync the language up with the status change document,
> please:
>
> OLD
> Internet Key Exchange version 1 (IKEv1) is deprecated.
>
> NEW
> This document formally deprecates Internet Key Exchange version 1
> (IKEv1).  Accordingly, RFC2407, RFC2408 and RFC2409 which specify IKEv1 are
> moved to Historic status.
>

It is not "this document" that deprecates it to historic but the
independent IESG action. So instead, I changed it to:

 Internet Key Exchange version 1 (IKEv1) has been deprecated and its
specification in RFC2407, RFC2408 and RFC2409 have been moved to Historic
status.



> ** The document
>
> ** Section 1.  As above.
> OLD
> IKEv1 has been moved to Historic status
>
> NEW
> This document formally deprecates Internet Key Exchange version 1
> (IKEv1).  Accordingly, RFC2407, RFC2408 and RFC2409 which specify IKEv1 is
> moved to Historic status.
>

Same reasoning as above. I just pulled the last sentence up to the first
sentence for clarification.


> ** Section 1.
>    Algorithm implementation requirements and usage guidelines for IKEv2
>    [RFC8247] and ESP/AH [RFC8221] gives guidance to implementors but
>    limits that guidance to avoid broken or weak algorithms.  It does not
>    deprecate algorithms that have aged and are not in use, but leave
>    these algorithms in a state of "MAY be used".
>
> I'm not following the text saying that "algorithms [are left] in a state
> of 'MAY be used'".  For example, the following Type 3 transforms are
> deprecated in Section 7 of this document: AUTH_HMAC_MD5_96, AUTH_DES_MAC
> and AUTH_KPDK_MD5.  However, Section 2.3 of RFC8247 seems very clear that
> AUTH_HMAC_MD5_96, AUTH_DES_MAC and AUTH_KPDK_MD5 are already "MUST NOT".
> Where is the "MAY be used" flexibility coming from?
>

In your example sub registry, there was nothing left in the state
mentioned. But if you look at:


https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-ikev1-algo-to-historic-06#section-5

then you can see a number of them.


>               +------------------------+----------+---------+
>               | Name                   | Status   | Comment |
>               +------------------------+----------+---------+
>               | AUTH_HMAC_SHA2_256_128 | MUST     |         |
>               | AUTH_HMAC_SHA2_512_256 | SHOULD   |         |
>               | AUTH_HMAC_SHA1_96      | MUST-    |         |
>               | AUTH_AES_XCBC_96       | SHOULD   | (IoT)   |
>               | AUTH_HMAC_MD5_96       | MUST NOT |         |
>               | AUTH_DES_MAC           | MUST NOT |         |
>               | AUTH_KPDK_MD5          | MUST NOT |         |
>
>
The reason for listing the entire table is that we ask IANA for the Status
column for population, and so we give the entire table even if there were
no entries for this specific table that changed between 8221 + 8247 and
this document.



> ** Section 1.  Explicitly state the update being made to RFC8247 and
> RFC8221.
>
>




> OLD
> This document deprecates those algorithms that are no longer advised ...
>
> NEW
>
> This document deprecates those algorithms from RFC8247 and RFC8221 that
> are no longer advised ...
>

Changed to:

       These two RFCs not deprecate algorithms that
       have aged and are not in use, but leave these algorithms in
       a state of "MAY be used" by not mentioning them. This document
deprecates
       those unmentioned algorithms that are no longer advised but for which
       there are no known attacks resulting in their earlier deprecation.


> ** Section 3.
>
>    A number of IKEv1 systems have reached their End of Life
>
> Is there a way to quantify that or support that claim?
>

No. We heard from a few vendors that they had frozen their IKEv1 stacks and
no new fixes would ever make it because they did not want to fix bugs
because of a need to re-certify
(eg FIPS) their implementation. From a practical point of view, IKEv1only
systems are now at a practical EOL because the market has pushed for IKEv2
(again, via some certifications)


> ** Section 3.  Please provide a reference for CVE-2016-5361.
>

Done.

** Section 3.
>
>    IKEv1 configurations SHOULD NOT be directly
>    translated to IKEv2 configurations without updating the cryptographic
>    algorithms used
>
> It seems odd to provide normative behavior for the technology that just
> got deprecated.  Consider rephrasing it to direct IKEv2 behavior.  Perhaps,
> "IKEv2 implementations SHOULD NOT directly import IKEv1 configurations
> without updating the cryptographic algorithms used."
>

Done.


> ** Section 5.
>
>    *  Encryption Algorithms: RC5, IDEA, CAST, Blowfish, and the
>       unspecified 3IDEA, ENCR_DES_IV64 and ENCR_DES_IV32
>
>    *  PRF Algorithms: the unspecified PRF_HMAC_TIGER
>
> Is it "unspecified" or "unstandardized" or "registered"?
>

It is unspecified. It is literally an entry in the IANA registry without
any RFC or non-RFC specification anywhere.


> ** Section 7.
>    All entries not mentioned here should receive no value in the new
>    Status field.
>
> Did the WG discuss a non-empty value?
>

The only value discussed for the status colum was "DEPRECATED". The WG
specifically did not want to add a RECOMMENDED value like TLS has done.

Diff can be seen at
https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-ikev1-algo-to-historic-07.txt

Paul

v2.23.0 | Report a Bug | By Email