IETF Logo Mail Archive

[IPsec] Fw: WG Last Call on draft-ietf-ipsecme-rfc4307bis

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Thu, 14 April 2016 17:21 UTC

Return-Path: <quynh.dang@nist.gov>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1986512E43F for <ipsec@ietfa.amsl.com>; Thu, 14 Apr 2016 10:21:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CI-wN0CX2pcv for <ipsec@ietfa.amsl.com>; Thu, 14 Apr 2016 10:21:56 -0700 (PDT)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0117.outbound.protection.outlook.com [23.103.201.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 197EE12DE39 for <ipsec@ietf.org>; Thu, 14 Apr 2016 10:21:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=RF72ApYSpCYDrDWFp1cXjnmtHVa2lF8yax7KxCAQeJY=; b=dOeeFTeLhIrlpFZCVTuAm+ff9UkMu8gatSrDMtPcNPnxZPzJlIKcN4DUrRAvrpf0/pFdS9zfGXcNMaaW47M0/eRyROCj2fnYwGuiyToWJ67R17ME2VpAzbI5tiB3r4vSuCvFMpEvL8v5gqvcGJQYbWm9f07jqIDh+TZFkh76dKc=
Received: from BN1PR09MB124.namprd09.prod.outlook.com (10.255.200.27) by BN1PR09MB123.namprd09.prod.outlook.com (10.255.200.25) with Microsoft SMTP Server (TLS) id 15.1.453.26; Thu, 14 Apr 2016 17:21:53 +0000
Received: from BN1PR09MB124.namprd09.prod.outlook.com ([10.255.200.27]) by BN1PR09MB124.namprd09.prod.outlook.com ([10.255.200.27]) with mapi id 15.01.0453.029; Thu, 14 Apr 2016 17:21:53 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "paul@nohats.ca" <paul@nohats.ca>, IPsecME WG <ipsec@ietf.org>
Thread-Topic: [IPsec] WG Last Call on draft-ietf-ipsecme-rfc4307bis
Thread-Index: AQHRkcovbsJyFXKE70eisU5dbT9l/p+Jka20gAANjICAAB8jWg==
Date: Thu, 14 Apr 2016 17:21:53 +0000
Message-ID: <BN1PR09MB124FF51AE06C547926E0E15F3970@BN1PR09MB124.namprd09.prod.outlook.com>
References: <325E33E7-8F06-414A-B0BB-FCBEEA8CC6C6@vpnc.org> <BN1PR09MB12405E30D629908A9F33AB0F3970@BN1PR09MB124.namprd09.prod.outlook.com>, <alpine.LRH.2.20.1604141109300.5053@ns0.nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1604141109300.5053@ns0.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: nohats.ca; dkim=none (message not signed) header.d=none;nohats.ca; dmarc=none action=none header.from=nist.gov;
x-originating-ip: [129.6.105.150]
x-ld-processed: 2ab5d82f-d8fa-4797-a93e-054655c61dec,ExtAddr,ExtAddr
x-ms-office365-filtering-correlation-id: dc1ccc4e-c504-4fd5-5419-08d36489461c
x-microsoft-exchange-diagnostics: 1; BN1PR09MB123; 5:/hWbKOrKpHG2Bwn1cOmu/j0B0C1NO2t5zZHIij2R/MzvtYnRJIC7BNaqA3mPyTB42lsnCuX2EUdhnsGEmmv8QLDSmokdDxY0ZJSbE79VW0uGVsWhgPsl0/nwyEklZYXxU5yizUopbq31vinooAGEGw==; 24:xJkM12ZDZEjrKAxWTCr/GsFYdFn+fo8OnfFbJz7gOnsMf9hqvD2Ua+YGuuBs3JpRYKDrPnXA8iGNGswlqmLQWKi7/eiQ3QGtK4CvLHKtJHw=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR09MB123;
x-microsoft-antispam-prvs: <BN1PR09MB123C366AF2ADBB3AADCCC19F3970@BN1PR09MB123.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026); SRVR:BN1PR09MB123; BCL:0; PCL:0; RULEID:; SRVR:BN1PR09MB123;
x-forefront-prvs: 0912297777
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(24454002)(74316001)(50986999)(54356999)(76176999)(86362001)(19580405001)(19580395003)(33656002)(76576001)(87936001)(106116001)(99286002)(122556002)(66066001)(586003)(6116002)(3846002)(9686002)(5008740100001)(1220700001)(1096002)(92566002)(5001770100001)(189998001)(81166005)(107886002)(5004730100002)(2906002)(230783001)(10400500002)(2501003)(102836003)(3280700002)(3660700001)(5003600100002)(5002640100001)(2950100001)(2900100001)(77096005)(15975445007)(11100500001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN1PR09MB123; H:BN1PR09MB124.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Apr 2016 17:21:53.2993 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR09MB123
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/m9WuBK6mu2KoDMHdBOzpKCIt3uQ>
Subject: [IPsec] Fw: WG Last Call on draft-ietf-ipsecme-rfc4307bis
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2016 17:21:59 -0000

Paul,

I just copied from your quote in section 1.3 here: "This may differ from a user point of view that may deploy and configure IKEv2 with only the safest cipher suite.  On the other hand, comments and recommendations from this document are also expected to be useful for such users."

We should be clear about recommendation for interoperability reason and recommendation for security reason: they are different.

Quynh. 
________________________________________
From: IPsec <ipsec-bounces@ietf.org> on behalf of paul@nohats.ca <paul@nohats.ca>
Sent: Thursday, April 14, 2016 11:22 AM
To: Dang, Quynh (Fed)
Cc: IPsecME WG; Paul Hoffman; Frankel, Sheila E. (Fed)
Subject: Re: [IPsec] WG Last Call on draft-ietf-ipsecme-rfc4307bis

On Thu, 14 Apr 2016, Dang, Quynh (Fed) wrote:

> 1) All of the DH-groups smaller than 2K in the table 3.4 must not be used because they are not strong enough. Right now, groups 5, 2 and 22 are being listed as "should not" which means that  "must not use unless a user has a strong reason". The problem is that a user can always have a strong reason because there is no definition of "a strong reason".
>
> The group 2 (1K DH group) is currently mandatory-to-implement; therefore, implementers must implement it for interop. reason. But, the problem is that the draft is also for users. So, there are two problems. The first one is that the working group should update the standard to mandate a stronger DH group (or a ECC group) (which is hard to get done soon). And, the second (which is urgent) is that the draft should explicitly say that "users must not use those weak groups".

The draft is not for users. It is also not for default values. This is
explained at

https://tools.ietf.org/html/draft-ietf-ipsecme-rfc4307bis-07#section-1.3

    The recommendations of this document mostly target IKEv2 implementers
    as implementations need to meet both high security expectations as
    well as high interoperability between various vendors and with
    different versions.  Interoperability requires a smooth move to more
    secure cipher suites.  This may differ from a user point of view that
    may deploy and configure IKEv2 with only the safest cipher suite.  On
    the other hand, comments and recommendations from this document are
    also expected to be useful for such users.



Removing group 2 an 5 is expected to cause interoperability issues
because not everyone switch to group 14 for IKEv2 and not everyone
properly implements INVALID_KE and restarting with a different
DH group.

I would also not call group 5 (1536) "weak".

> The fact that many existing devices are still using the group 2 ( 1K DH group) does not make the group secure. The document should provide sound technical guidelines for users. If a user still chooses to use a weak group, that would be his/her own fault.

The user can only make that fault if the implementations still support
those DH groups.

> 2) Similarly for RSA sizes smaller than 2K and digital signatures using SHA1,  "should not" should become "must not".

And what percentage of certificate based VPN connections would break?
I suspect more than 75%

Many deployments actually kept away from 2048 bit RSA because it causes
IKE fragmentation (RFC-7383) was only added to IKEv2 in November 2014.
Give implementors 1 year, then add a year for just missing fresh 1024
bit certificates, and you are at the start of 2017. So I don't think
we can say MUST NOT for RSA 1024 bit keys.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email