IETF Logo Mail Archive

Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-algo-to-historic-00.txt

Tero Kivinen <kivinen@iki.fi> Sun, 09 May 2021 11:21 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A3D43A0BCE for <ipsec@ietfa.amsl.com>; Sun, 9 May 2021 04:21:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.201
X-Spam-Level:
X-Spam-Status: No, score=-0.201 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A2Y4qr-cF-NS for <ipsec@ietfa.amsl.com>; Sun, 9 May 2021 04:21:42 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABFEC3A0BCB for <ipsec@ietf.org>; Sun, 9 May 2021 04:21:42 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id EC82B20B77; Sun, 9 May 2021 14:21:33 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1620559294; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8YNdFtdwKQVH84uQAxizGEiSsgRFwEr0gNUbrgX98FM=; b=VVt14mNqwAQAyW0yYQlZ4NpG8Z8LW9/xPIovHj0edFkjGu/Y2t5sv5iBOhiVO2Ismx1grS JmZP8lkhXCXiS736V0aIt7QlAnCh5eDaA8T/+k/R6BgtdJaphxvOM/kRfeQrAuds/8iZ46 3KEFiFJVnn6SOkA7HI6puVdOp7KwOns=
Received: by fireball.acr.fi (Postfix, from userid 15204) id 6F55A25C12A6; Sun, 9 May 2021 14:21:32 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID: <24727.50620.391438.681442@fireball.acr.fi>
Date: Sun, 09 May 2021 14:21:32 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Dan Harkins <dharkins@lounge.org>
Cc: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <872b98a9-a6fe-db41-276c-5d0a7e3aa9c5@lounge.org>
References: <161962448020.12575.13131318934919776038@ietfa.amsl.com> <40493aa4-ba3a-ad32-fda2-f5ab24d78296@nohats.ca> <6297c870-0507-b3e8-ee6e-5517bdc86bba@lounge.org> <1fcc66b-aca1-6a5-e275-35bd29b3580@nohats.ca> <872b98a9-a6fe-db41-276c-5d0a7e3aa9c5@lounge.org>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 17 min
X-Total-Time: 19 min
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1620559294; a=rsa-sha256; cv=none; b=siae47KmQEwt4vHp7L6m6Rfq2IOYcgqnZhgvWYgVI2S6cfgneykfo5Pse+f7V/cGFbu4NH KH9zJG6aNop2t7EVvNr/4bOadHzizBjYw8yXlObo7mRZ6FWALbPRcbKhYTlSwP11hClhBU /fHlvnGLb6VLPk4zbhYk2hd2HzZ1/lo=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1620559294; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8YNdFtdwKQVH84uQAxizGEiSsgRFwEr0gNUbrgX98FM=; b=qWYOoK0EyrSbiHPIWveG7Y1j+LsJtPoadLXGqHQj918w1bEiRHY84RcvkmnFzEN5n5JCVT 2YwVq52b03U01Ed2tqQ4cPZEFkN1H/K4GD/B61BV56hNzb7fssSq/8qbmSlR26aLJopdK9 3/Wno6qvZYmfAhnxriY+/VuHbdEgEbU=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ke9Xesu8gcV0zBHxsXKHBILxIM4>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev1-algo-to-historic-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 May 2021 11:21:46 -0000

Dan Harkins writes:
> >>   - there is another IKEv1 feature not available in IKEv2: a deniable
> >>     authentication method. IKEv1 had a very cool deniable exchange
> >>     involving encrypted nonces. IKEv2 decided to not support that for
> >>     whatever reason. Lack of support for a cool and usefu authentication
> >>     method doesn't really make the case to send IKEv1 to historic
> >
> > Can you clarify this a bit further for me? Is this deniable
> > authentication method part of all IKEv1 auth methods? Or is this a
> > specific feature that needed to be specifically enabled?
> 
>    It was one of the authentication methods: PSK, certs, encrypted
> nonces. The encrypted nonce method was completely deniable. Honest
> participants would get strong authentication but they could prove
> to a court-of-law that the whole exchange could be fabricated by a
> third party and deny ever taking part in it.

The draft-ietf-ipsec-ikev2-00.txt draft only included digital
signatures, -01 version added shared secret authentication, but
encrypted rsa was never even considered for IKEv2, i.e., it was never
explcitly removed, it was simply never taken in to the IKEv2.

If I remember correctly (this discussion happened around year 2002 or
so) the reason was that there were no requirement for it. While there
were IKEv1 implementations which supported authentication with public
key encryption mode, not all implementations had it. Also support for
the revised method of authentication with public key encryption was
even less common. Also VPN and remote access people did not consider
benefits from the authentication with public key encryption mode
useful for them.

Having two different keys, one for signing and one for encryption, for
authentication was considered complicated, and reusing same key for
both signing and for encryption was considered bad idea.

And also I think shared key authentication also offeres exactly same
benefits than authentication with public key encryption for the
deniability point of view (i.e., either end can calculate everything
as long as they know the shared secret).

> > That said, if the WG deemed this feature no longer required when
> > specifying IKEv2, then I do not think we need to mention this here when
> > we are talking about motivations for people to move from IKEv1 to IKEv2.
> >
> > If there is a good reason and people are prevented from upgrading to
> > IKEv2 because of this, I would be expecting an IKEv2 draft to be
> > developed to address this shortcoming. But it seems to me (I wasn't here
> > when these decisions were made) that the WG did not think this issue was
> > a concern ?
> 
>    I walked away from the WG after I produced -02 of the draft that became
> IKEv2 so I have no idea what the was thinking after April of 2002 (nearly
> two decades! Yikes). There were a number of decisions that the WG made that
> looking back were odd. This is just one of them. Deniability is a valuable
> property and I don't know why it was ditched.

It was not ditched, it was never included. I.e. the public key
encryption was not in the -00 version. Shared secret (which provide
deniability) was added in version -01.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email