Re: [IPsec] Paul Wouters' Discuss on draft-ietf-ipsecme-ikev2-multiple-ke-10: (with DISCUSS and COMMENT)
Paul Wouters <paul@nohats.ca> Wed, 30 November 2022 17:38 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 840C7C1524B0; Wed, 30 Nov 2022 09:38:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mh72B4sxG-Mq; Wed, 30 Nov 2022 09:38:43 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3F29C1524A0; Wed, 30 Nov 2022 09:38:42 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4NMmdr0ZPPzCQf; Wed, 30 Nov 2022 18:38:40 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1669829920; bh=qljymablKYdLJSjLVvrmEfEdx/2HaJZ0mK9MRs7c+1w=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=o6a5AjaS81xdDOI5EXNUQWlMZu8rWOrM0X8rkvoyGG4mMp0bjmoqoOp4h3QHnwOR6 yqP43NVAuPBsi+HpqrtpoKvSL2sH7mOoysTMIsuzcDZ96SK575fKu58pyycZQMcI1X TypUrKkY7u2prMChbqZu00uoMqqDyQu4ou4roiZY=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id h8yh1GvSPfDj; Wed, 30 Nov 2022 18:38:38 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 30 Nov 2022 18:38:38 +0100 (CET)
Received: from smtpclient.apple (unknown [72.136.120.29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id 19BF14150C7; Wed, 30 Nov 2022 12:38:37 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Wed, 30 Nov 2022 12:38:34 -0500
Message-Id: <0C0E6D99-8FD7-4EB9-9B22-FED4E3BE3545@nohats.ca>
References: <15d901d904dd$a182fce0$e488f6a0$@elvis.ru>
Cc: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-ikev2-multiple-ke@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <15d901d904dd$a182fce0$e488f6a0$@elvis.ru>
To: Valery Smyslov <svan@elvis.ru>
X-Mailer: iPhone Mail (19G82)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/jaiNSmeSNwBwORNAACx35V4-Cfo>
Subject: Re: [IPsec] Paul Wouters' Discuss on draft-ietf-ipsecme-ikev2-multiple-ke-10: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2022 17:38:47 -0000
Ok, all good with me. Thanks Valery! Sent using a virtual keyboard on a phone > On Nov 30, 2022, at 12:03, Valery Smyslov <svan@elvis.ru> wrote: > > We are converging :-) > >>> I'm a bit reluctant to add all this information to the abstract. It is already a bit too long >>> (since Éric and Warren suggested to augment it with the explanation text of how >>> this design helps in situation when PQ algorithms are less trusted). So currently >>> the abstract is: >>> >>> This document describes how to extend the Internet Key Exchange Protocol >>> Version 2 (IKEv2) to allow multiple key exchanges to take place >>> while computing a shared secret during a Security Association (SA) setup. >>> >>> The primary application of this feature in IKEv2 is the ability to perform one or more >>> post-quantum key exchanges in conjunction with the classical (Elliptic Curve) Diffie-Hellman (EC)DH >> key exchange, >>> so that the resulting shared key is resistant against quantum computer attacks. >>> Since there is currently no post-quantum key exchange that is trusted at >>> the level that (EC)DH is trusted for against conventional (non-quantum) >>> adversaries, performing multiple key exchanges with different post-quantum algorithms along >>> with the well-established classical key exchange algorithms addresses this concern, since the >>> overall security is at least as strong as each individual primitive. >>> >>> Another possible application for this extension is the ability to combine several key exchanges >>> in situations when no single key exchange algorithm is trusted by both initiator and responder. >>> >>> This document updates RFC7296 by renaming a transform type 4 from "Diffie-Hellman Group (D-H)" >>> to "Key Exchange Method (KE)" and renaming a field in the Key Exchange Payload from "Diffie- >> Hellman Group Num" >>> to "Key Exchange Method". It also renames an IANA registry for this transform type >>> from "Transform Type 4 - Diffie-Hellman Group Transform IDs" to >>> "Transform Type 4 - Key Exchange Method Transform IDs". These changes generalize >>> key exchange algorithms that can be used in IKEv2. >>> >>> Do you *really* want to make it longer? I'm not sure that if we just mention >>> the names of the added exchange and notifies, that will help readers of the abstract >>> to understand what this document is about... >> >> This document updates RFC7296. It introduces the IKE_FOLLOWUP_KE Exchange. It renames [...] >> >>> [update] >>> >>> I've just noticed your message sent in response to Warren. So, since you insist :-), >>> I suggest adding the following text before "This document updates...": >>> >>> This document utilizes the IKE_INTERMEDIATE exchange to perform multiple key exchanges when >>> an IKE SA is being established and introduces a new IKEv2 exchange IKE_FOLLOWUP_KE to perform >>> them when IKE SA is up (during rekeys or creating additional Child SAs). >>> >>> is it now OK? >> >> Also fine :) > > Great! > >>>> I don't think it would hurt pointing to Section 2.4 of RFC 7296. I see >>>> this as a likely possible implemention mistake. >>> >>> My problem with your proposal here is that this situation is not >>> specific to this document. In other words, whether the initiator >>> proposes any additional key exchanges or not, if an attacker >>> manages to send a response before the genuine responder >>> and the initiator continues establishing IKE SA using this response, >>> then it will fail. There is nothing specific to the multiple key exchanges. >>> And we implicitly assume that implementations follow RFC 7296. >> >> I want to prevent code like: >> >> if (AKE-required && !AKE-received) >> return STF_FATAL // kills state >> >> I know it is a "reminder", but I think an important one. > > RFC 7296 states that the proposed defense against this attack is a MAY > (due to relatively high cost of the defense). So, I've added the following text at the end > of 3.2.1: > > It is possible that an attacker manages to send a response to the initiator's IKE_SA_INIT request > before the genuine responder. If the initiator continues creating IKE SA using this response, the attempt will fail. > Implementers may wish to consider a possible defense technique described in Section 2.4 of [RFC7296]. > > We really cannot advise something marked as MAY, we can only remind that this technique exists. > >>>> Just give it some thought, but if we leave it as is that is fine too. >>> >>> As I'm lazy, I prefer to do nothing here (unless you or my co-authors strongly disagree :-)) >> >> Fine with me. Can't get worse than CREATE_CHILD_SA I guess :P > > CREATE_CHILD_SA_FOLLOWUP_KEY_EXCHANGE? :-) > Oh, sorry, you seemed to propose something similar :-) > >>>> I also think that is only a reason to ignore the CREATE_CHILD_SA, and >>>> not a reason to destroy the existing IKE SA (and thus any existing Child >>>> SA) >>> >>> Well, generally invalid response means that there is something wrong >>> with the peer thus we cannot be sure that it follows spec. >> >> Yeah but stabbing them in the heart in case they might be dying is a bit >> drastic :P >> >> Put it in another way, I would violate the RFC on this point and keep >> the existing IKE SA until its lifetime has been reached. >> >>>>> I think that the text may be clarified a bit. How about? >>>> >>>> I guess first we need to agree on what to do..... >>> >>> OK, let me clarify our point. >>> >>> First, there is nothing specific to the multiple key exchanges here. The situation is that >>> the responder sends a message that is inappropriate from the protocol point of view. >>> There may be many reasons to consider it inappropriate - missing mandatory >>> payload, incorrect choice of algorithms etc., this specification just adds one >>> more reason - duplicated algorithms. >>> >>> What should the initiator do in this situation? It generally cannot send INVALID_SYNTAX, >>> since RFC 7296 discourages doing so (section 2.21.3): >>> >>> Because sending such >>> error messages as an INFORMATIONAL exchange might lead to further >>> errors that could cause loops, such errors SHOULD NOT be sent. >>> >>> The initiator generally cannot continue using this SA, because of possible >>> the states on the peers are now out of sync (the responder thinks the exchange completed >> successfully). >>> So the safe way is to delete the problem SA. If it is not yet created, then just stop creating it, >>> otherwise send a Delete payload. >>> >>> Note, that the text you proposed >>> >>> the initiator should log the error and MUST abort the exchange with a permanent error >>> >>> actually has the same consequence. Since the responder sent a response with no error notify, >>> it thinks that the exchange is completed successfully. On the other hand, your text suggests >>> that the initiator treat this exchange as failed. So, the states on the initiator and the responder >>> are now out of sync. RFC 7296 states (2.21.3): >>> >>> If errors are seen that indicate that the peers do not have the same >>> state, it might be good to delete the IKE SA to clean up state and >>> start over. >> >> "might" :-) > > Yes, RFC 7296 is not very clear here, using RFC 2119 language would be more appropriate :-) > >> Again, I agree on killing the newly failed SA. But let's say you have an >> IKE SA up and a Child SA up (might even be a child using classic algo >> only), I don't see why adding a new Child SA that fails should kill the >> existing functional Child SA and IKE SA. >> >> Sure there should be a loop detection and exponential back-off on >> failures to prevent a DoS of trying to get this post-quantum Child SA >> up. But tearing down the existing Child SA and IKE SA will presumbly >> just cause a more complicated loop anyway. These working SA's will come >> back up again and then get torn down again when the post-quantum Child >> SA fails. So I don't think your suggestion is better. > > Well, to get to some compromise we can state in the draft that in this situation > the initiator MAY send a Delete payload to delete the IKE SA itself > and MUST NOT initiate any IKE_FOLLOWUP_KE exchanges. > > If the responder's message contains one or more duplicated choices, the initiator > should log the error and MUST treat the exchange as failed. > The initiator MUST NOT initiate any IKE_INTERMEDIATE (or IKE_FOLLOWUP_KE) exchanges, so that no new SA is created. > If this happens in the CREATE_CHILD_SA exchange, then the initiator MAY delete the IKE SA, > over which the invalid message was received, by sending a Delete payload. > > Is it OK now? > >>>>>> ### Section 3.2.2 >>>>>> ``` >>>>>> The other keying materials SK_d, SK_ai, SK_ar, SK_ei, >>>>>> SK_er, SK_pi, SK_pr are updated as: >>>>>> >>>>>> [...] >>>>>> ``` >>>>>> Why not say: The other keying materials SK_d, SK_ai, SK_ar, SK_ei, SK_er, >>>>>> SK_pi, SK_pr are generated from the SKEYSEED(n) as per RFC 7296. >>>>> >>>>> No objection. >>>> >>>> Just to clarify, where I wrote [...] I meant to cover the illustration >>>> under the text as well. The point of this change was to not repeat a >>>> stock 7296 exchange (which might confuse implementers in believeing this >>>> is different from stock 7296) >>> >>> I'd rather to keep the illustration. There is a subtle difference from RFC 7296 - >>> while keys have "generation", the SPIs and nonces are used from the IKE_SA_INIT. >>> The illustration makes this difference more clear, in my opinion. >> >> If you want to keep the illustration, then just ignore this entire >> change I proposed or it becomes duplicative. > > OK. > > The updated PR is available at: > https://github.com/post-quantum/ietf-pq-ikev2/pull/22 > >> If you get a new draft before tomorrow 10am EST, I can update my DISCUSS >> to a YES ballot :) > > We'll do our best :-) > > Thank you, > Valery. > >> Paul > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Paul Wouters' Discuss on draft-ietf-ipsec… Paul Wouters via Datatracker
- Re: [IPsec] Paul Wouters' Discuss on draft-ietf-i… Michael Richardson
- Re: [IPsec] Paul Wouters' Discuss on draft-ietf-i… Valery Smyslov
- Re: [IPsec] Paul Wouters' Discuss on draft-ietf-i… Paul Wouters
- Re: [IPsec] Paul Wouters' Discuss on draft-ietf-i… CJ Tjhai
- Re: [IPsec] Paul Wouters' Discuss on draft-ietf-i… Valery Smyslov
- Re: [IPsec] Paul Wouters' Discuss on draft-ietf-i… Valery Smyslov
- Re: [IPsec] Paul Wouters' Discuss on draft-ietf-i… Paul Wouters
- Re: [IPsec] Paul Wouters' Discuss on draft-ietf-i… Valery Smyslov
- Re: [IPsec] Paul Wouters' Discuss on draft-ietf-i… Paul Wouters