IETF Logo Mail Archive

[IPsec] IKE_AUX comments

Daniel Van Geest <Daniel.VanGeest@isara.com> Tue, 03 July 2018 16:12 UTC

Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 993C6130FB2 for <ipsec@ietfa.amsl.com>; Tue, 3 Jul 2018 09:12:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZWFCLCnhQGs for <ipsec@ietfa.amsl.com>; Tue, 3 Jul 2018 09:12:38 -0700 (PDT)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8480A1310F6 for <ipsec@ietf.org>; Tue, 3 Jul 2018 09:08:35 -0700 (PDT)
Received: from 172-1-110-12.lightspeed.sntcca.sbcglobal.net (HELO cas.isaracorp.com) ([172.1.110.12]) by ip2.isaracorp.com with ESMTP; 03 Jul 2018 16:08:34 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Tue, 3 Jul 2018 12:06:23 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.003; Tue, 3 Jul 2018 12:06:22 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>, "ipsec@ietf.org" <ipsec@ietf.org>
CC: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: IKE_AUX comments
Thread-Index: AQHUEufJG9ukeXZd00OB/ArBblFw6g==
Date: Tue, 03 Jul 2018 16:06:22 +0000
Message-ID: <A853873B-ED06-4719-94E1-2CC24E693AD2@isara.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.5.17.248]
Content-Type: multipart/alternative; boundary="_000_A853873BED06471994E12CC24E693AD2isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/n0QysCUXfgYUddrtWxtiEKvLqh4>
Subject: [IPsec] IKE_AUX comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 16:12:54 -0000

Hi Valery, I have some comments on https://tools.ietf.org/html/draft-smyslov-ipsecme-ikev2-aux-00

AUX_EXCHANGE_SUPPORTED:

   This specification doesn't define any data this

   notification may contain, so the Notification Data is left empty.

   However, other specifications may override this.  Implementations

   MUST ignore the non-empty Notification Data if they don't understand

   its purpose.

If there are multiple future specifications which use AUX_EXCHANGE_SUPPORTED, is it expected that multiple AUX_EXCHANGE_SUPPORTED notifications would be sent in IKE_SA_INIT?  I don’t know of any other notifications where there might be multiple copies sent in one exchange, not that this is a reason to avoid it, but it might be simpler to not introduce this possibility.  Also, if the data is simple/only a few bytes there’s a chance of ambiguity as to whether the data is defined by one specification or another.  I think it would be simpler if the notification data is just left empty (or left for IKE_AUX-specific data, see below).  Other specifications will have to define how their own features are negotiated, so any related data could be sent in the notifications for those specifications and doesn’t need to be sent in IKE_AUX.

Authentication:

   ICV_INIT_1, ICV_INIT_2, ICV_INIT_3, etc. represent the content of the

   Integrity Checksum Data field from the Encrypted payloads (or

   Encrypted Fragment payloads) from all the IKE_AUX messages sent by

   the initiator in an order of increasing MessageIDs (and increasing

   Fragment Numbers for the same Message ID).

AEAD encryption transform IDs don’t use an Integrity Checksum Data field in their Encrypted payloads, so this method won’t work for authentication of IKE_AUX exchanges when AEAD is used.

Additionally, Scott pointed out to me that Integrity Check Values aren’t designed to be secure against someone who knows the key (which would be the case for a Quantum-enabled attacker) and that for algorithms like GMAC the attacker would be able to find a collision.  So then your statement later:

   THe forgery would become evident in the

   IKE_AUTH exchange (provided the attacker caanot break employed

   authentication mechanism)
wouldn’t hold; an attacker could find a forgery with the same ICV and IKE_AUTH exchange would succeed.

But regardless of that, AEAD is a good enough reason why ICVs shouldn’t be used here.  Presumably you don’t want to include the whole data for the entire set of IKE_AUX exchanges in the signed octets because that would mean persisting the data for all IKE_AUX exchanges until IKE_AUTH is processed, requiring a lot of extra buffer state and increasing the attack surface for buffer exhausting?

A second-preimage-resistant hash function is needed to use a digest of the IKE_AUX messages in the signed octets.  This algorithm could possibly be negotiated in the AUX_EXCHANGE_SUPPORTED notification data.

Thanks,
Daniel

v2.23.0 | Report a Bug | By Email