[IPsec] Some comments to draft-ietf-ipsecme-dh-checks-01
Tero Kivinen <kivinen@iki.fi> Tue, 02 April 2013 13:06 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A69F21F8E4C for <ipsec@ietfa.amsl.com>; Tue, 2 Apr 2013 06:06:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8rTCwe0y9jil for <ipsec@ietfa.amsl.com>; Tue, 2 Apr 2013 06:06:34 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 3DEA421F8D94 for <ipsec@ietf.org>; Tue, 2 Apr 2013 06:06:29 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id r32D6Pvp010139 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Tue, 2 Apr 2013 16:06:25 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id r32D6PgL001054; Tue, 2 Apr 2013 16:06:25 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20826.55248.860637.210630@fireball.kivinen.iki.fi>
Date: Tue, 02 Apr 2013 16:06:24 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 34 min
X-Total-Time: 33 min
Subject: [IPsec] Some comments to draft-ietf-ipsecme-dh-checks-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 13:06:35 -0000
The section 2.5 says:
----------------------------------------------------------------------
2.5. Protocol Behavior
The recipient of a DH public key that fails one of the above tests
can assume that the sender either is truly malicious or else it has a
bug in its implementation. The recipient MAY respond with an
unauthenticated INVALID_SYNTAX notification, and MUST immediately
drop the IKE SA.
----------------------------------------------------------------------
I think the "MUST immediately drop the IKE SA" is wrong.
I.e if initiator sends IKE_SA_INIT request out as follows:
Initiator Responder
-------------------------------------------------------------------
HDR, SAi1, KEi, Ni -->
and the responder gets it and starts to generate proper respond
message (i.e. starts to do Diffie-Hellman generate), but while it is
doing it attacker M sends faked message back:
<-- HDR, SAr1, KEr*, Nr, [CERTREQ]
where the KEr* is generated so that it will fail the tests (i.e.
sending all 0xffff...fff as KEr, which would fail the 1 < r < p-1
check), then using current text the Initiator deletes the IKE SA. When
the Responder is ready with properly generated KEr, it will send its
reply:
<-- HDR, SAr1, KEr, Nr, [CERTREQ]
but it is too late, as Initiator has already "immediately dropped the
IKE SA".
Also these tests might also fail during the CREATE_CHILD_SA
exchange.
I think the more appropriate text would be to say:
----------------------------------------------------------------------
2.5. Protocol Behavior
The recipient of a DH public key that fails one of the above tests
can assume that the sender either is truly malicious or else it has a
bug in its implementation.
If this error happens during the IKE_SA_INIT exchange, then the
recipient MUST drop the message containing invalid KE payload. If
the invalid KE payload was in the IKE_SA_INIT request, then
responder receiving it MAY send INVALID_SYNTAX error back, but it
MUST NOT start creating any new IKE SA based on such request. If
the invalid KE payload was in the IKE_SA_INIT reply, then Initiator
receiving that reply, ignores the message, and continues waiting
for later messages containing properly formatted KE payload.
If the invalid KE payload happen during the CREATE_CHILD_SA
exchange (or any other exchange after the IKE SA connection has
been authenticated) and the invalid KE payload is in the request
message, then responder MUST reply with INVALID_SYNTAX error notify
and drop the IKE SA. If the invalid KE payload is in the reply
message, then initiator getting this reply message MUST immediately
delete the IKE SA by sending IKE SA delete notification (as an new
exchange).
----------------------------------------------------------------------
This also requires some changes to the section 3.3, i.e. replace
----------------------------------------------------------------------
The behavior recommended in Section 2.5 is in line with generic error
treatment during the IKE_SA_INIT exchange, Sec. 2.21.1 of [RFC5996].
The sender is not required to send back an error notification, and
the recipient cannot depend on this notification because it is
unauthenticated. Thus, the notification is only useful to debug
implementation errors.
...
----------------------------------------------------------------------
with
----------------------------------------------------------------------
The behavior recommended in Section 2.5 is in line with generic
error treatment during the IKE_SA_INIT exchange, Sec. 2.21.1 of
[RFC5996]. The sender is not required to send back an error
notification, and the recipient cannot depend on this notification
because it is unauthenticated. Thus, the notification is only
useful to debug implementation errors. Also the Initiator getting
reply message back with invalid KE payload should simply drop it as
it can be from attacker, and wait for the real peer to reply.
If the error happens after the peers have been authenticated we do
have a trusted channel to send the errors. In that case we want to
tear down the IKE SA as this kind of failures indicate there is
something seriously wrong with the other peer, and clearing the IKE
SA and starting from the beginning might help. If it is the
responder failing these tests, it can simply return the fatal error
notify (INVALID_SYNTAX, see Section 2.21.3 of RFC5996) and both
peers will delete the IKE SA. The Initiator does not have this
option, as when he notices this problem the exchange is already
done. It needs to start new exchange to delete IKE SA. This IKE SA
clearing is mandatory as Initiator cannot create the Child SA based
on the invalid KE data, and other end already created it as it sent
its reply, thus Child SA state is out of sync. Most compatible way
to delete IKE SA is to just send IKE SA delete notification, even
though starting new INFORMATIONAL exchange and sending
INVALID_SYNTAX notify could also work.
...
--
kivinen@iki.fi
- [IPsec] Some comments to draft-ietf-ipsecme-dh-ch… Tero Kivinen
- Re: [IPsec] Some comments to draft-ietf-ipsecme-d… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Some comments to draft-ietf-ipsecme-d… Tero Kivinen
- Re: [IPsec] Some comments to draft-ietf-ipsecme-d… Paul Hoffman