Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-04.txt
"Valery Smyslov" <svanru@gmail.com> Tue, 22 March 2016 14:32 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1D7112D831 for <ipsec@ietfa.amsl.com>; Tue, 22 Mar 2016 07:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.93
X-Spam-Level:
X-Spam-Status: No, score=-1.93 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgOCKkaQM-eR for <ipsec@ietfa.amsl.com>; Tue, 22 Mar 2016 07:32:14 -0700 (PDT)
Received: from mail-lb0-x236.google.com (mail-lb0-x236.google.com [IPv6:2a00:1450:4010:c04::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C365312D813 for <ipsec@ietf.org>; Tue, 22 Mar 2016 07:32:13 -0700 (PDT)
Received: by mail-lb0-x236.google.com with SMTP id bc4so164536143lbc.2 for <ipsec@ietf.org>; Tue, 22 Mar 2016 07:32:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-transfer-encoding; bh=hzLiSugJ0sjYD1UQjsDEneXPrXaVm648uAy8FJUGmsU=; b=yAJcPzHkDiC6HSB81RWA7Yj2uv3XUlwgSa/4xTSJJACnz6L3XjN8Qzy+lSHR0WBQ7/ exjFyLq85UkGA+oEPPEZz1VRyu6PcC98WaeNzDs86rdMkF5JY1WowWUbfDQyCCovWJa+ +0fgEhqy8aiopNZh5zB4Fb913tMEB8jmlR5kJWEFpO5au+0W2ZtIcJNbJ+c2kJLCOe8+ UK6SMAieXy4+soVEt1jpyQMVevfK2L/mA4urgFLCF5r3IZBbTpBEb1jhjtQnPkh93zbE Si4yZ3kUfSw8HqYnm6xIsds42qUuk/kNEpyaHCUzjguhv41X7s81ogUF9OwGCCL4iUyU Axhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:references:subject:date :mime-version:content-transfer-encoding; bh=hzLiSugJ0sjYD1UQjsDEneXPrXaVm648uAy8FJUGmsU=; b=CjMZOuakLfheqAY9PRsjvcayHp+aLKj3ORnetfquLALgDOqsOrsitYQ0cK/wS/mAna BuxumeMVVCkYPWcMjz0WGJRVkZLvB708C/RSXySLBoy2VaGdfWa+1DHeZPpHI2NBBaQZ ky59awhbe2f46o9Vm2Pv0yoPm3GYiAaed/fNJWz+l4c6kBx6jCl43o/VJhOfZaA22Kpd azbRyB+0UUmfgeF3y2BtlZC3PTNhBFBLdEThNgicRejhlPpiS/kqaxW8bgydSZOacbsi IwfUuc8yhj2oABf1raCwPVIMb40wWqGM2nTdu8p1yQzwsyPYW4CcPdSJfguSId+8FJ1Z yMog==
X-Gm-Message-State: AD7BkJItJWwP+Fi2di3yYJ9TTvHcHJbKSVXvs8Ibc4k/0OH1lLgOQsl89DK0uknz6YS9aw==
X-Received: by 10.25.0.194 with SMTP id 185mr13605498lfa.4.1458657131917; Tue, 22 Mar 2016 07:32:11 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id jb5sm5224963lbc.8.2016.03.22.07.32.11 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 22 Mar 2016 07:32:11 -0700 (PDT)
Message-ID: <E53614817950417DA0BB41038D08BB69@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@ietf.org
References: <alpine.LFD.2.20.1603161303170.21526@bofh.nohats.ca> <8EE26CB3-8BAB-4942-A209-24016E0BB44C@vpnc.org>
Date: Tue, 22 Mar 2016 17:32:21 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/lwIkUAzHZdPmx3yHk2pXvawtCNk>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-04.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 14:32:16 -0000
Hi, > <chair hat on> > > This version has many significant changes from the previous draft. > Please review it soon so we don't have a lot of surprises in WG Last > Call. > > --Paul Hoffman here is my review of the draft. Most issues are editorial. In a few places text needs to be improved, Section 4.1. needs more explanation text. Otherwise the document looks good. 1. No period at the end of Abstract. 2. Section 1. The IKE protocol itself is also protected by encryption which is negotiated between the two endpoints using IKE. This text is not accurate, since it doesn't mention authentication (MAC), that also protects IKE SA. 3. Section 1. In the text To ensure interoperability, a set of "mandatory-to-implement" IKE encryption algorithms is defined. s/encryption algorithms/cryptographic algorithms 4. Section 1.1 The algorithm implementation requirements and usage guidance may need to change over time to adapt to the changing world. For this reason, the selection of mandatory-to-implement algorithms was removed from the main IKEv2 specification and placed in this document. Isn't it better to change: s/in this document/in a separate document (because the guidelines were not only in _this_ document, but also in previous documents) 5. Section 3.1 The algorithms in the below table are negotiated in the SA payload and used for the Encrypted Payload. Isn't "in the table below" more grammatically correct? The same in Section 3.3. 6. Section 3.1 AES-GCM with a 16 octet ICV was not considered as in RFC4307. Shouldn't "as" be removed from grammar point of view? 7. Descriptions for AES-GCM and ENCR_AES_CCM_8 demonstrate some inconsistency. While the former claims that the advantage of using shorter than 16 bytes ICV are minimal, the latter claims that 8 bytes ICV is enough for IKE SA. Sure, the latter is for IoT use case, but I don't expect that the amount of data transferred over IKE SA in IoT and non-IoT cases is many magnitudes different. I think some other reasons must be given to justify this selection. For example: the majority of existing IoT devices implement ENCR_AES_CCM_8, so we decided to make it mandatory in IKE (well, I don't know if it is true, I'm not familiar with IoT world). 8. Section 3.2 Transform Type 2 Algorithms are pseudo-random functions used to generate random values when needed. s/Algorithms/algorithms s/random/pseudorandom 9. Section 3.2 If an algorithm is selected as the integrity algorithm, it SHOULD also be used as the PRF. When using an AEAD cipher, a choice of PRF needs to be made. This text is not clear for me. What do you mean? The PRF needs always be negotiated in IKEv2, regardless of AEAD/non-AEAD cipher. Or do you mean that when non-AEAD cipher is used then PRF and ICV transforms SHOULD be based on the same underlying algorithm? Is it justified somewhere? Well, I can imagine some reasons for it, but I don't like uppervase "SHOULD" here unless you provide some reasoning. 10. Section 3.2 PRF_HMAC_SHA2_256 was not mentioned in RFC4307, as no SHA2 based authentication was mentioned. s/authentication/transforms 11. Section 3.2 PRF_HMAC_SHA2_512 SHOULD be implemented as a future replacement for PRF_HMAC_SHA2_256 or for when stronger security is required. Shouldn't "for when" be "when" from grammatical point of view? The same in Section 3.3. 12. Section 3.2 PRF_AES128_CBC is not in the the IKEv2 IANA registry. There is PRF_AES128_XCBC instead. 13. Section 3.3 There is some disconnect between Sections 3.1 and 3.3. Section 3.1 lists ENCR_AES_CCM_8 as the only preferred choice for IoT. However, ENCR_AES_CCM_8 is AEAD cipher, so if it is used then no separate authentication transform is needed. Why then AUTH_AES_XCBC_96 is listed in Section 3.3 for IoT use case? What encryption transform it is intended to be used with in IoT? 14. Section 3.4 Note that it is critical to enforce a secure Diffie Hellman exchange as this exchange provides encryption for the session. s/encryption/keys s/Diffie Hellman/Diffie-Hellman 15. Section 3.4 If an attacker can retrieve the private numbers (for example a, b) (and? or?) the public values (for example g**a, g**b), then the attacker can compute the secret and the keys used and decrypt the exchange. What is (and? or?)? Is it some leftover? Shouldn't it be just "and"? 16. Section 4.1 RSA Digital Signature is widely deployed and therefor kept for interoperability. s/therefor/therefore 17.Section 4.2 Recommendations for when a hash function is involved in a signature: Shouldn't it be rephrased for more smooth reading? 18. Section 4.2 The last table contains unexplained comment "?SHOULD". 19. Section 4.2 In general this section leaves an impression that it is incomplete and contains disconnects. For example, it states that RSASSA-PSS MUST be implemented, however a few lines below in a table I read: RSASSA-PSS with SHA-256 - SHOULD. I think more explanation text should be added. Regards, Valery Smyslov.
- [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis… internet-drafts
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Paul Wouters
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Paul Hoffman
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Tero Kivinen
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Tero Kivinen
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Paul Hoffman