IETF Logo Mail Archive

Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-04.txt

"Valery Smyslov" <svanru@gmail.com> Tue, 22 March 2016 14:32 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1D7112D831 for <ipsec@ietfa.amsl.com>; Tue, 22 Mar 2016 07:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.93
X-Spam-Level:
X-Spam-Status: No, score=-1.93 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgOCKkaQM-eR for <ipsec@ietfa.amsl.com>; Tue, 22 Mar 2016 07:32:14 -0700 (PDT)
Received: from mail-lb0-x236.google.com (mail-lb0-x236.google.com [IPv6:2a00:1450:4010:c04::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C365312D813 for <ipsec@ietf.org>; Tue, 22 Mar 2016 07:32:13 -0700 (PDT)
Received: by mail-lb0-x236.google.com with SMTP id bc4so164536143lbc.2 for <ipsec@ietf.org>; Tue, 22 Mar 2016 07:32:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-transfer-encoding; bh=hzLiSugJ0sjYD1UQjsDEneXPrXaVm648uAy8FJUGmsU=; b=yAJcPzHkDiC6HSB81RWA7Yj2uv3XUlwgSa/4xTSJJACnz6L3XjN8Qzy+lSHR0WBQ7/ exjFyLq85UkGA+oEPPEZz1VRyu6PcC98WaeNzDs86rdMkF5JY1WowWUbfDQyCCovWJa+ +0fgEhqy8aiopNZh5zB4Fb913tMEB8jmlR5kJWEFpO5au+0W2ZtIcJNbJ+c2kJLCOe8+ UK6SMAieXy4+soVEt1jpyQMVevfK2L/mA4urgFLCF5r3IZBbTpBEb1jhjtQnPkh93zbE Si4yZ3kUfSw8HqYnm6xIsds42qUuk/kNEpyaHCUzjguhv41X7s81ogUF9OwGCCL4iUyU Axhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:references:subject:date :mime-version:content-transfer-encoding; bh=hzLiSugJ0sjYD1UQjsDEneXPrXaVm648uAy8FJUGmsU=; b=CjMZOuakLfheqAY9PRsjvcayHp+aLKj3ORnetfquLALgDOqsOrsitYQ0cK/wS/mAna BuxumeMVVCkYPWcMjz0WGJRVkZLvB708C/RSXySLBoy2VaGdfWa+1DHeZPpHI2NBBaQZ ky59awhbe2f46o9Vm2Pv0yoPm3GYiAaed/fNJWz+l4c6kBx6jCl43o/VJhOfZaA22Kpd azbRyB+0UUmfgeF3y2BtlZC3PTNhBFBLdEThNgicRejhlPpiS/kqaxW8bgydSZOacbsi IwfUuc8yhj2oABf1raCwPVIMb40wWqGM2nTdu8p1yQzwsyPYW4CcPdSJfguSId+8FJ1Z yMog==
X-Gm-Message-State: AD7BkJItJWwP+Fi2di3yYJ9TTvHcHJbKSVXvs8Ibc4k/0OH1lLgOQsl89DK0uknz6YS9aw==
X-Received: by 10.25.0.194 with SMTP id 185mr13605498lfa.4.1458657131917; Tue, 22 Mar 2016 07:32:11 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id jb5sm5224963lbc.8.2016.03.22.07.32.11 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 22 Mar 2016 07:32:11 -0700 (PDT)
Message-ID: <E53614817950417DA0BB41038D08BB69@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@ietf.org
References: <alpine.LFD.2.20.1603161303170.21526@bofh.nohats.ca> <8EE26CB3-8BAB-4942-A209-24016E0BB44C@vpnc.org>
Date: Tue, 22 Mar 2016 17:32:21 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/lwIkUAzHZdPmx3yHk2pXvawtCNk>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-04.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 14:32:16 -0000

Hi,

> <chair hat on>
> 
> This version has many significant changes from the previous draft. 
> Please review it soon so we don't have a lot of surprises in WG Last 
> Call.
> 
> --Paul Hoffman

here is my review of the draft. 

Most issues are editorial. In a few places text needs to be improved,
Section 4.1. needs more explanation text. Otherwise the document looks good.



1. No period at the end of Abstract.

2. Section 1.

   The IKE protocol itself is
   also protected by encryption which is negotiated between the two
   endpoints using IKE.

    This text is not accurate, since it doesn't mention authentication (MAC),
    that also protects IKE SA.

3. Section 1.

    In the text

   To
   ensure interoperability, a set of "mandatory-to-implement" IKE
   encryption algorithms is defined.

    s/encryption algorithms/cryptographic algorithms

4. Section 1.1

   The algorithm implementation requirements and usage guidance may need
   to change over time to adapt to the changing world.  For this reason,
   the selection of mandatory-to-implement algorithms was removed from
   the main IKEv2 specification and placed in this document.

    Isn't it better to change:

    s/in this document/in a separate document

    (because the guidelines were not only in _this_ document, but also in previous documents)
    
5. Section 3.1

   The algorithms in the below table are negotiated in the SA payload
   and used for the Encrypted Payload.  

    Isn't "in the table below" more grammatically correct? The same in Section 3.3.

6. Section 3.1

       AES-GCM with a 16 octet ICV was not considered as in RFC4307.

    Shouldn't "as" be removed from grammar point of view?

7. Descriptions for AES-GCM and ENCR_AES_CCM_8 demonstrate some
    inconsistency. While the former claims that the advantage of using
    shorter than 16 bytes ICV are minimal, the latter claims that 
    8 bytes ICV is enough for IKE SA. Sure, the latter is for IoT use case,
    but I don't expect that the amount of data transferred over IKE SA
    in IoT and non-IoT cases is many magnitudes different.
    I think some other reasons must be given to justify this selection.
    For example: the majority of existing IoT devices implement
    ENCR_AES_CCM_8, so we decided to make it mandatory in IKE
    (well, I don't know if it is true, I'm not familiar with IoT world).

8. Section 3.2

   Transform Type 2 Algorithms are pseudo-random functions used to
   generate random values when needed.

    s/Algorithms/algorithms
    s/random/pseudorandom

9. Section 3.2

   If an algorithm is selected as the integrity algorithm, it SHOULD
   also be used as the PRF.  When using an AEAD cipher, a choice of PRF
   needs to be made.

    This text is not clear for me. What do you mean? The PRF needs always
    be negotiated in IKEv2, regardless of AEAD/non-AEAD cipher.
    Or do you mean that when non-AEAD cipher is used then
    PRF and ICV transforms SHOULD be based on the same underlying algorithm?
    Is it justified somewhere? Well, I can imagine some reasons for it, but I don't
    like uppervase "SHOULD" here unless you provide some reasoning.

10. Section 3.2

   PRF_HMAC_SHA2_256 was not mentioned in RFC4307, as no SHA2 based
   authentication was mentioned.  

    s/authentication/transforms

11. Section 3.2

   PRF_HMAC_SHA2_512 SHOULD be implemented as a future replacement for
   PRF_HMAC_SHA2_256 or for when stronger security is required.

    Shouldn't "for when" be "when" from grammatical point of view? The same in Section 3.3.

12. Section 3.2

    PRF_AES128_CBC is not in the the IKEv2 IANA registry. There is PRF_AES128_XCBC instead.

13. Section 3.3

    There is some disconnect between Sections 3.1 and 3.3. Section 3.1 lists
    ENCR_AES_CCM_8 as the only preferred choice for IoT. However,
    ENCR_AES_CCM_8 is AEAD cipher, so if it is used then no separate
    authentication transform is needed. Why then AUTH_AES_XCBC_96
    is listed in Section 3.3 for IoT use case? What encryption transform
    it is intended to be used with in IoT? 

14. Section 3.4

    Note that
   it is critical to enforce a secure Diffie Hellman exchange as this
   exchange provides encryption for the session.  

    s/encryption/keys
    s/Diffie Hellman/Diffie-Hellman

15. Section 3.4

    If an attacker can
   retrieve the private numbers (for example a, b) (and? or?) the public
   values (for example g**a, g**b), then the attacker can compute the
   secret and the keys used and decrypt the exchange.  

    What is (and? or?)? Is it some leftover? Shouldn't it be just "and"?

16. Section 4.1

   RSA Digital Signature is widely deployed and therefor kept for
   interoperability.  

    s/therefor/therefore

17.Section 4.2

    Recommendations for when a hash function is involved in a signature:

    Shouldn't it be rephrased for more smooth reading?

18. Section 4.2

    The last table contains unexplained comment "?SHOULD".

19. Section 4.2

    In general this section leaves an impression that it is incomplete
    and contains disconnects. For example, it states that 
    RSASSA-PSS MUST be implemented, however a few lines
    below in a table I read: RSASSA-PSS with SHA-256 - SHOULD.
    I think more explanation text should be added.

Regards,
Valery Smyslov.

v2.23.0 | Report a Bug | By Email