IETF Logo Mail Archive

Re: [IPsec] Comments on draft-ietf-ipsecme-implicit-iv

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 27 March 2018 18:05 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5122E12E877 for <ipsec@ietfa.amsl.com>; Tue, 27 Mar 2018 11:05:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.799
X-Spam-Level:
X-Spam-Status: No, score=-6.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: DNS error: SERVFAIL)" header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R5b5lSDjkAoU for <ipsec@ietfa.amsl.com>; Tue, 27 Mar 2018 11:05:05 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BCA912E858 for <ipsec@ietf.org>; Tue, 27 Mar 2018 11:05:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=22652; q=dns/txt; s=iport; t=1522173905; x=1523383505; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=nBiyoYTWhBr4lv3opkCyMsmNiYGjg5skD9mTq8I3K+0=; b=HvDJYNBvK5N1CyEPJAdqD9Jxd7WSIBfxxC5dDloZndq+sE9V8GXq681/ ifS/XuYi12p1O1gcOKR8k5py31eDqDNhpT/hIu6Hmeg+wBngi7zmsg5V/ +hZ8B5C0ubeitPeHiYG1xBOOzXtfW/Gig5Q+R3ZlFNvB2epLDZ+6suswR E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0APAQCYh7pa/4MNJK1dGQEBAQEBAQEBAQEBAQcBAQEBAYJNdGFwKAqDUogAjRaBdIEPhmCHDIRlggMLGAEKhGECGoNpITQYAQIBAQEBAQECayiFJQEBAQQBASEKQQsQAgEIEQQBASgDAgICHwYLFAkIAQEEDgUIhCJMAxUPq2GCIIcQDYEsghIFhT6CGoFUQIQTglFCAQGBNz4fgkuCVAOHColDhkcuCAKLNYJ0jESJUIYGAhETAYEkARw4gVJwFTqCQ4IeAxiOF2+NP4EvgRcBAQ
X-IronPort-AV: E=Sophos; i="5.48,367,1517875200"; d="scan'208,217"; a="90247862"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Mar 2018 18:04:44 +0000
Received: from XCH-RTP-007.cisco.com (xch-rtp-007.cisco.com [64.101.220.147]) by alln-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id w2RI4hpZ018193 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 27 Mar 2018 18:04:44 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-007.cisco.com (64.101.220.147) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 27 Mar 2018 14:04:43 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1320.000; Tue, 27 Mar 2018 14:04:43 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Daniel Migault <daniel.migault@ericsson.com>
CC: "IPsecme WG (ipsec@ietf.org)" <ipsec@ietf.org>
Thread-Topic: [IPsec] Comments on draft-ietf-ipsecme-implicit-iv
Thread-Index: AdPEYabaslSsDVKJSGW5Eb13uZxLnQBsAJgAAAdEYyA=
Date: Tue, 27 Mar 2018 18:04:43 +0000
Message-ID: <157d7bd1e99b4044bec2ba4412d8e873@XCH-RTP-006.cisco.com>
References: <4c9091a6469945478d0fbce30447da94@XCH-RTP-006.cisco.com> <CADZyTk=kTpJeHbhWafA3bsUJ+rxOukE-54ccwmcd8a8VaDF0wQ@mail.gmail.com>
In-Reply-To: <CADZyTk=kTpJeHbhWafA3bsUJ+rxOukE-54ccwmcd8a8VaDF0wQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.53]
Content-Type: multipart/alternative; boundary="_000_157d7bd1e99b4044bec2ba4412d8e873XCHRTP006ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mgkMFdplDxIyDhv8_6JGg0k35B8>
Subject: Re: [IPsec] Comments on draft-ietf-ipsecme-implicit-iv
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 18:05:19 -0000

From: mglt.ietf@gmail.com <mglt.ietf@gmail.com> On Behalf Of Daniel Migault
Sent: Tuesday, March 27, 2018 1:22 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Cc: IPsecme WG (ipsec@ietf.org) <ipsec@ietf.org>
Subject: Re: [IPsec] Comments on draft-ietf-ipsecme-implicit-iv

Thank you Scott for your comments.

I understand the first comment as a text clarification to comment on the mechanism provided by section 3.5 of RFC6407 and explicitely mention that is does not apply here. Does the replacement below addresses your concern ?

OLD:
   Section 3.5 of [RFC6407] explains how
   repetition MAY BE prevented by using a prefix for each group member,
   which could be prefixed to the Sequence Number.  Otherwise, Implicit
   IV MUST NOT be used in multicast scenarios.

NEW:
   Section 3.5 of [RFC6407] provides a mechanism that MAY be used to prevent IV collisions when the same key is used by multiple users. The mechanism consists in partitioning the IV space between users by assigning the most significant byte to a user. When implicit IV transforms are used, such mechanism cannot be applied as the IV is not sent, but instead it is derived from the Sequence Number. A similar mechanism could be used by associating the most significant byte of the Sequence Number to a sender, while the 3 remaining bytes will be used to carry the counter value. Such mechanism prevents the use of Extended Sequence Number and limits the number of packet to be sent to 2** 24 =  16777216, that is 16 M.

Unless some mechanism are provided to avoid collision between Sequence Number, ( and so IV ), Implicit IV MUST NOT be used.

That works…



Regarding the second comment, I guess the idea was to mention that a responser cannot select a IIV Transform unless being sent by the initiator. I propose the following text. Do it address your comment ?

OLD:

   The rules of SA payload processing ensure that the responder will
   never send an SA payload containing the IIV indicator to an initiator
   that does not support IIV.


NEW:

   The rules of SA payload processing ensure that the responder will
   never send an SA payload containing the IIV transform to an initiator
   that does not support IIV.

I’m wondering whether this is necessary to state this.  For example, RFC 7634 (the ChaCha IPsec transform) does not have any similar language, even though (like this draft) they define a new transform id.

However, I’m not demanding any change; the text just sounds redundant to me…



The reason for not having AES_CTR was that the transform is on its way to be retired. I propose to remove AES-CTR, but if there is a need to provide AES-CTR with implicit IV we coudl also add additional code points.

I am currently proposing the following text:

OLD:
   AES-CTR, AES-CCM, AES-GCM and ChaCha20-Poly1305 are likely to
   implement the implicit IV described in this document.

NEW:

   AES-CCM, AES-GCM and ChaCha20-Poly1305 are likely to
   implement the implicit IV described in this document.

Works for me.


Yours,
Daniel
On Sun, Mar 25, 2018 at 2:10 PM, Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com<mailto:sfluhrer@cisco.com>> wrote:

-          Section 4: “Section 3.5 of [RFC6407] explains how repetition MAY BE prevented by using a prefix for each group member”
Actually, RFC6407 just refers to RFC6054; that has the SID in the top 8 bits of the 8 byte sequence number.  Used literally, this doesn’t work, as the top 8 bits of the 8 byte sequence number are never expressed in the packet in implicit-iv.  You could put them in the top 8 bits of the 4 byte sequence number (which means you can’t use ESN, but it didn’t work in the multisender case anyways), but that would mean that each sender would be limited to 16M packets. I believe that these details are distinct enough that (if this is considered a viable alternative) they should be explicitly listed (including the 16M packet restriction).  Alternatively, we can just forbid this transform in the multisender case.


-          Section 6: “The rules of SA payload processing ensure that the responder will never send an SA payload containing the IIV indicator to an initiator that does not support IIV”

I believe that this is stale text; the current draft doesn’t use an indicator; instead, it defines separate transforms IDs.


-          Section 8 has “AES-CTR … [is] likely to implement the implicit IV described in this document”; however the transform ENCR_AES_CTR_IIV is not defined.  Is this intended?  Should we either remove the AES-CTR algorithm from the list of “likely to implement”, or should we actually define the transform id for it?



_______________________________________________
IPsec mailing list
IPsec@ietf.org<mailto:IPsec@ietf.org>
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email