Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
Daniel Migault <daniel.migault@ericsson.com> Wed, 15 March 2017 09:57 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80206129A95; Wed, 15 Mar 2017 02:57:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.197, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VywYaInJ0Oqx; Wed, 15 Mar 2017 02:57:06 -0700 (PDT)
Received: from mail-it0-x244.google.com (mail-it0-x244.google.com [IPv6:2607:f8b0:4001:c0b::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21E53129A91; Wed, 15 Mar 2017 02:57:06 -0700 (PDT)
Received: by mail-it0-x244.google.com with SMTP id g138so2568964itb.0; Wed, 15 Mar 2017 02:57:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jqf7iIPA+FtQ1MmurkAUtYBLkBwYG+oU9B/In0VsKwE=; b=RxroFudxIPmSL1J+57g6yYZYd1CwffDwPeoEba3lOg0rAN7W/0XdO4o34mxrsy+Hi6 3eVnjcUSIK3n7ynCQ5P1WimnTiLg7mE4ThoAAx49QwcMqH0g+/xjL0usk5H74knXDAKP 9d3Cd0AZaV8jxl6GBshBo+luZ1ukGu2mXbSUBqX77GqD9j8nUN/P15pxPkP2KvEmM8m8 4OIcTRIoQgbPwv1D/iQPPAztUPds67YrMSWaQoiiggVfUSqGzfUylTazCzre1VhzwFEv huflKvQgpLL6O02X/xvJ/EByuWxrkthoG/+ZqAZEHlsQV/TQnyOCUXCp/a5qcj2rr6RQ PxrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=jqf7iIPA+FtQ1MmurkAUtYBLkBwYG+oU9B/In0VsKwE=; b=XA4osVNDYIwz/9FHnJoyKYoDX2b349Z/2mIBJ5SqvBG9yYYppVlO39YHoc7FJrjHPk 0LXgwuEOE0G7fNvVFN35i7uOYnM3uW1Iem+bcWyxrOJr8dROMPRK/FcOH7jAa7eWn3Yd 6fLqJhhkLYsy0vyjETTmPEX0IH+Kutr+DRHeFpbftFGoCMOMb23wJRRNzOXvM5RZHZES NBq23IpG91QbwFPPE9U/Gtd0Nwr2THoRWtcQEj0rn2oiXHF8oKG07QA92mHzwTl8x+W7 +h359UI/l0+zHf3H/wyWK1NlEv0rsenMBEs7Pe1P8IYEN2mpx+3IAy8wqY44uygrjYNS /BQQ==
X-Gm-Message-State: AFeK/H2NopY01WUnKWVlut1YCfzA1Lc32FZTa21W8uUtgN8EDjVbjFb7wKJ238QQA1TiPYmcbVrKMKC1ixLkMA==
X-Received: by 10.36.206.6 with SMTP id v6mr4155334itg.48.1489571825447; Wed, 15 Mar 2017 02:57:05 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.35.213 with HTTP; Wed, 15 Mar 2017 02:57:04 -0700 (PDT)
In-Reply-To: <148954159755.24347.12366542904819082480.idtracker@ietfa.amsl.com>
References: <148954159755.24347.12366542904819082480.idtracker@ietfa.amsl.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Wed, 15 Mar 2017 05:57:04 -0400
X-Google-Sender-Auth: pnOVMgabM3Fx80sOpsBR8fxNjT8
Message-ID: <CADZyTk=hvaU9Z9w6m7LYaR75CW3sKBW6ryXa+s3_53FFHohSgA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: The IESG <iesg@ietf.org>, draft-ietf-ipsecme-rfc7321bis@ietf.org, "ipsec@ietf.org" <ipsec@ietf.org>, ipsecme-chairs@ietf.org, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
Content-Type: multipart/alternative; boundary="94eb2c0b0c5886001f054ac1f714"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ghCA8d3T3NoFoMe27pJleMncia0>
Subject: Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 09:57:08 -0000
Regarding the first item manual key is prevented by AES-GCM RFC4306. We do not not such "MUST NOT" level for AES-CCM and Chacha20_poly1305. Maybe we could relax that a little bit and be more accurate saying: OLD: " If manual keying is used anyway, ENCR_AES_CBC MUST be used, and ENCR_AES_CCM, ENCR_AES_GCM and ENCR_CHACHA20_POLY1305 MUST NOT be used as these algorithms require IKE. " NEW: " If manual keying is used anyway, ENCR_AES_GCM MUST NOT be used and ENCR_AES_CBC SHOULD be used." NEWbis: " If manual keying is used anyway, ENCR_AES_CBC SHOULD be used." Yours, Daniel AES-GCM (RFC4306 section 2): """ Because reusing an nonce/key combination destroys the security guarantees of AES-GCM mode, it can be difficult to use this mode securely when using statically configured keys. For safety's sake, implementations MUST use an automated key management system, such as the Internet Key Exchange (IKE) [RFC2409 <https://tools.ietf.org/html/rfc2409>], to ensure that this requirement is met. """ AES-CCM (RFC4309) """ To be safe, implementations MUST use fresh keys with AES CCM. The Internet Key Exchange (IKE) [IKE <https://tools.ietf.org/html/rfc4309#ref-IKE>] protocol or IKEv2 [IKEv2 <https://tools.ietf.org/html/rfc4309#ref-IKEv2>] can be used to establish fresh keys. """ Chacha20_poly1305 (RFC7539) """ To generate such a key pair (r,s), we will use the ChaCha20 block function described in Section 2.3 <https://tools.ietf.org/html/rfc7539#section-2.3>. This assumes that we have a 256-bit session key for the Message Authentication Code (MAC) function, such as SK_ai and SK_ar in Internet Key Exchange Protocol version 2 (IKEv2) ([RFC7296 <https://tools.ietf.org/html/rfc7296>]), the integrity key in the Encapsulating Security Payload (ESP) and Authentication Header (AH), or the client_write_MAC_key and server_write_MAC_key in TLS. Any document that specifies the use of Poly1305 as a MAC algorithm for some protocol must specify that 256 bits are allocated for the integrity key. """ On Tue, Mar 14, 2017 at 9:33 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > Stephen Farrell has entered the following ballot position for > draft-ietf-ipsecme-rfc7321bis-05: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-rfc7321bis/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > - I agree with Christian's secdir review [1] that this > doesn't seem justified (at least on it's face): " If > manual keying is used anyway, ENCR_AES_CBC MUST be used, > and ENCR_AES_CCM, ENCR_AES_GCM and ENCR_CHACHA20_POLY1305 > MUST NOT be used as these algorithms require IKE. " Can > you explain the reasoning that lead the WG to say that? > > - ENCR_NULL IMO ought be MUST NOT - did the WG discuss > that explicitly? If so, can you provide a pointer to the > archive? If not, does it still have to be a MUST? I do > wonder who wants to use AH via NAT but cannot, which seems > to be the justification. > > [1] https://www.ietf.org/mail-archive/web/secdir/current/msg07262.html > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] Stephen Farrell's Yes on draft-ietf-ipsec… Stephen Farrell
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Yoav Nir
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Daniel Migault
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Paul Wouters