Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol"
Paul Wouters <paul@nohats.ca> Mon, 19 January 2015 05:31 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBE581AD0C1 for <ipsec@ietfa.amsl.com>; Sun, 18 Jan 2015 21:31:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YZ6TGNdg5LvY for <ipsec@ietfa.amsl.com>; Sun, 18 Jan 2015 21:31:01 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3FCC1AD0C0 for <ipsec@ietf.org>; Sun, 18 Jan 2015 21:31:00 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3kQhRj3FDsz9gg; Mon, 19 Jan 2015 06:30:57 +0100 (CET)
Authentication-Results: mx.nohats.ca; dkim=pass reason="1024-bit key; unprotected key" header.d=nohats.ca header.i=@nohats.ca header.b=NoMLEkHi; dkim-adsp=pass
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id z0hYlwknSjPD; Mon, 19 Jan 2015 06:30:55 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 19 Jan 2015 06:30:55 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 683288004F; Mon, 19 Jan 2015 00:30:53 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1421645453; bh=IFfTb+jKDt655HH446iNIo+R60gwsmyOMhJ/FXjpE5Y=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=NoMLEkHiVGZ4vfN0tj7iNuiEDw4kfh132InAZIjCYAcQ1cbJMtGSPlpN0bGWW92uh cySnleSJD1BTk509fg0drJodmhgRV6uLTn1beZTWW+OL+sYuiBWClfjz9O6fjgFQa7 K6fjPhtyT0iD7zAdGtlRS5QHGwkDgKRS012NpaIE=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id t0J5Urgf007376; Mon, 19 Jan 2015 00:30:53 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 19 Jan 2015 00:30:52 -0500
From: Paul Wouters <paul@nohats.ca>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
In-Reply-To: <54BB6795.4050302@gmail.com>
Message-ID: <alpine.LFD.2.10.1501190010340.3172@bofh.nohats.ca>
References: <54BB6795.4050302@gmail.com>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/ng_EiR43ncuhZyVlzJ4BjBhWLvk>
Cc: ipsec <ipsec@ietf.org>
Subject: Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol"
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jan 2015 05:31:05 -0000
On Sun, 18 Jan 2015, Yaron Sheffer wrote: > I re-read the new draft and I must say it is much clearer than the previous version. Still, a few comments: > * Please spell-check the draft. There are numerous typos. Will do. > * The "privileged IKE operations" is obviously a bit thin. "Initial Contact" may be a good example of an operation that we'd be better > off without. But if we don't have any specific examples, let's remove this section. That was partially because Valery and I didn't fully agree. Which means it might not belong in this document. Initial Contact is addressed in the document already in its own section. The question for example is about CREATE_CHILD_SA. Which comes back to your point below about making claims of owning an IP range that cannot be verified without an identity. I'm thinking with my OE hat on, so I am perfectly fine with restricting things to a single ip-ip connection (with natt support) and so in such a case the initial exchange is all that is needed and CREATE_CHILD_SA is never a valid exchange. > * Implementations MAY force... to single host-to-host IPsec SAs. If we cannot come up with a good way for an unauthenticated peer to > prove ownership of SA ranges (whatever "ownership" might mean in this context), then I guess we should change the MAY into a SHOULD. I even wanted a MUST, for the exact same reason. Any claim of IP address ownership other than the apparent source ip is dangerous. If the party does not authenticate, we cannot trust any claim. And two clients could attempt to claim the same ranges to get each other traffic. > * We are still using IP addresses to identify peers: "if an IKE peer receives... from an IP address that matches a configured > connection". I think an IKE peer that supports null auth should be able to distinguish peers depending on other characteristics, and > should be able to handle mixed configurations/policies even for a single IP address. You might be able to distinguish, but there is (per definition with auth_null) no proof, so any decisions based on apparent distinction would be very insecure. I'm not sure how you would support mixing auth and auth_null. If I setup a PSK between 1.2.3.4 and 5.6.7.8, and my 1.2.3.4 server suddenly gets AUTH_NULL, it has to reject it based on the wrong type of AUTH TYPE payload. If it would not reject it, would it mean this un-authenticated client mayb setup an IPsec SA that was supposed to be protected and limited to a machine that knows the PSK? > * I suggest adding this short subsection to the Security Considerations: > > Although this document discourages the use of non-null ID payloads to identify an unauthenticated peer, IKEv2 provides channel bindings > capabilities and those may be used to authenticate this identity at a later time, while binding the authenticated identity with the > original IKE exchange. This applies to a related but distinct use case, where peers cannot be authenticated at the time of the exchange > but do not wish to remain anonymous. Please see [AutoVPN] for one way of after-the-fact authentication of an IKE peer. If there is to be "authentication later", say through an Informational Exchange, then the time to present your ID (and your ID TYPE) is during that later authentication step. There is no good reason to throw in an untrustable identifier. It will only lead to implementation errors and security issues. I find channel binding extremely dangerous. It adds a lot of complexity for something that can simple be done with seperate or new IKE SAs. That is, an IKE peer could start with AUTH_NONE and later if it would need access to some non-public IP range, decide to start another IKE SA that is authenticated to the same peer. Mixing that all into a single IKE SA for complicated handovers seems unneccesary and prone to errors. Additionally, I have no idea how this channel binding is supposed to affect applications. If the remote peer gives me an AUTH_NULL based IPsec SA to 1.2.3.4, and later bumps that up to PSK authenticated, what does that mean for an application? What does it mean for the existing TCP connection to 1.2.3.4 going through ESP? You might have valid use cases with auto-vpn, but then, like for opportunustic IPsec, those use cases and their security considerations probably belong in their respective documents. I think this document should only put out a warning, especially to implementors, to think about what it means to have unauthenticated IKE and IPsec SAs. Paul
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Valery Smyslov
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Tero Kivinen
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Valery Smyslov
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Stephen Kent
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul Wouters
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul_Koning
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Stephen Kent
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Yaron Sheffer
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Tero Kivinen
- Re: [IPsec] WG Last Call on "The NULL Authenticat… Paul_Koning