Re: [IPsec] draft-tjhai-ipsecme-hybrid-qske-ikev2-01
"Valery Smyslov" <smyslov.ietf@gmail.com> Mon, 12 February 2018 13:11 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAC3C12783A for <ipsec@ietfa.amsl.com>; Mon, 12 Feb 2018 05:11:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.2
X-Spam-Level:
X-Spam-Status: No, score=-1.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2fJDQMSCXkDK for <ipsec@ietfa.amsl.com>; Mon, 12 Feb 2018 05:11:31 -0800 (PST)
Received: from mail-lf0-x234.google.com (mail-lf0-x234.google.com [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91E8012741D for <ipsec@ietf.org>; Mon, 12 Feb 2018 05:11:30 -0800 (PST)
Received: by mail-lf0-x234.google.com with SMTP id f136so20350705lff.8 for <ipsec@ietf.org>; Mon, 12 Feb 2018 05:11:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=kTAT/cIIg3XW7XK/JIDZqXxX9HNp98C1xhxQCdUYb4o=; b=Jy8llQWcfirY6fAGQOLv8+UFo78UAW8R40Wj0kbXWduycV58nVZiazEIITERGsZRmv nbVpoghLf3d07pcAo4pqZQmA00OpjtE1M59iQiaxlVevaMvqw6xRJe46SH8qlDC8DqIf OqliDl+5cMd5nym9lT1kHUcj1u6GiEUg5aXrP4FIWKqyYreXIkaqxWLrs+tE9nkxCEsr fXsrzWGHMuAoXoHxb1H7QaU3aP75pV1UzAeLZR+dzB/oD5ekSZwCtvMZt0TDYkt2/aj6 tVDR4Y85JDA6/BLGzDYHc5Nk0qcZUfDKwDx8RMY6i5L+KXxyX0e+ZKg3wp/of30+CU+k s1Fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=kTAT/cIIg3XW7XK/JIDZqXxX9HNp98C1xhxQCdUYb4o=; b=uU/VHjE1zLfqfSYoQhgZi2ajpK4vRkmFdQkpLOqUwB4XbaYshvYq7/RedTVTgteLnw rtXjpgyqgo42ASh2D/jhvab1nmcuYSf4aS0QyupdcaWxRscITNK8w04pDFt/cLBs1mzX AuznRcg3hoBxBD3vg3/G0qGlq2/E6/waNA/euQHPwmlwIggHc6aq8v+USjipxdcGtjYx OIdscfeLQ9BN5VcglWhEzHYqeDn9WbYSw4ai8dMP+yNp9hMbEq0v5aQvA7rwO6bZg08t fa1N+SeReZipbumCS8hDnBBfzMX5TS5ut0djEvovg64B8amfoSukJJamz5TlFvb6kjcn X54g==
X-Gm-Message-State: APf1xPBXOYZ1J8AogP6R56FdSl+rj8dA5XqpLmX0g4khd0j+qVhVIm1c MtQQpKBhxKvOx5U4hvGSP4oF/Q==
X-Google-Smtp-Source: AH8x225f0NrerEJt9roWgUGBvOPBdOo79aFFM7geT2FEfccowbxUcmxapaprdYKiRAQOysOkKm3SRg==
X-Received: by 10.46.23.156 with SMTP id 28mr4845615ljx.29.1518441088573; Mon, 12 Feb 2018 05:11:28 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id c63sm1658108lfg.55.2018.02.12.05.11.26 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 12 Feb 2018 05:11:27 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'CJ Tjhai' <cjt@post-quantum.com>
Cc: ipsec@ietf.org
References: <033701d39b5d$bf7f2140$3e7d63c0$@gmail.com> <CANs=h-UXGubRKH4xc_U4YHf2LgwatwsnL3173_0i59DGQo9wDw@mail.gmail.com>
In-Reply-To: <CANs=h-UXGubRKH4xc_U4YHf2LgwatwsnL3173_0i59DGQo9wDw@mail.gmail.com>
Date: Mon, 12 Feb 2018 16:11:27 +0300
Message-ID: <0ab401d3a402$fe205ce0$fa6116a0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQI9PLZY84Ug9ZhVQ5GFYO3tiZw4GADWihXiosHO7mA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nrSp-RuKJ0eHmUXk2PuuebCSlK4>
Subject: Re: [IPsec] draft-tjhai-ipsecme-hybrid-qske-ikev2-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Feb 2018 13:11:33 -0000
Hi, thank you for the explanation. See my comments inline. > 1. Negotiation > > We are glad to see that you also appreciate the need to negotiate a > hybrid group. As you may remember, we introduced a new Transform Type > in our version 00 of our draft and it had not been well-received in > IETF 99 Prague. We accept this push-back and it makes sense; since the > introduction of IKEv2, there has not been any new Transform Type > introduced. In fact, after IETF 99 Prague, we found out that there > exists IKEv2 implementations out there that will error out if they > receive an unknown Transform Type. I'm not sure it justifies introducing yet another negotiation mechanism. I understand that we live in non-ideal world, however adding one more mechanism for solving exactly the same problem due to existence of buggy implementations looks far too expensive for me. Unless these buggy implementations dominate... > As you pointed out, according to RFC 7296, if a responder receives a > proposal with Transform Type that it doesn't understand, it MUST > reject the proposal. However, we found that this is not true in > practice. StrongSwan is a good example; consider you have two peers > running StrongSwan where the initiator introduces a proposal > containing a new Transform Type: > > SA: > Proposal 1: > Transform Type 1: ENCR_AES_CBC > Transform Type 2: PRF_HMAC_SHA2_256 > Transform Type 3: AUTH_HMAC_SHA2_256_128 > Transform Type 4: P-256 > Transform Type 6: New Transform Type > Proposal 2: > Transform Type 1: ENCR_AES_CBC > Transform Type 2: PRF_HMAC_SHA2_256 > Transform Type 3: AUTH_HMAC_SHA2_256_128 > Transform Type 4: MODP-3072 > > It is assumed that the responder runs StrongSwan implementing standard > RFC 7296, hence it does not understand Transform Type 6. Instead of > rejecting Proposal 1 and considering Proposal 2, the responder ignores > Transform Type 6 (i.e. selecting ENCR_AES_CBC, PRF_HMAC_SHA2_256, > AUTH_HMAC_SHA2_256_128, P-256). The initiator clearly does not propose > this proposal. This particular case would only be okay if Proposal 2 > offers P-256. This behavior is wrong, however I don't think it cannot be dealt with. Just always define your policies so that all PSKE proposals contain the same "classic" transforms, as "classic" proposal. This is an additional requirement for policy, but Is there any reason this is wrong from security point of view? > This is one particular implementation peculiarity, there > will be others that behaves oddly. The point is, if we introduce a new > Transform Type, it is very likely that backward compatibility can no > longer be achieved. Again, it depends. If the majority of implementations immediately crash once they receive unknown transform, then I agree that we need another mechanism... Most of other cases usually can be dealt with. Probably not all and probably not as elegant as we wish, but still I believe they can. > Hence, we pick a DH group that denotes a hybrid group and negotiate it > using the existing KE payload. Well, if you are so determined to deal with buggy implementations, then there are more natural alternatives. For example you may introduce a new SA-like payload, which would have the same syntax as SA payload, but different Payload Type, and put all PSQE stuff there. Since Critical Bit is not set in this payload, the existing implementations must ignore it. And if you find implementations that won't behave correctly even in this case, then put SA-like syntax in a new notify - I'm sure every existing implementation can handle this. So, my main concern is that with your proposal a new code is needed to parse, form, log etc. all the QSQE stuff, since it is presented in a completely new way. It is not a big deal if the amount of negotiation stuff is small (say, you define only one QSKE group). In your case, you want to express a complex combinations of different QSKE methods, which I, as implementer, would need to parse, form, log, match to policy etc. I prefer to reuse existing code for this and I see no reason why it cannot be done. > On your email, you also mentioned that in the future, we could use KE > payload to carry small PQ KE payload. Then, some logic is required to > distinguish what is carried in IKE_SA_INIT and what is carried in > IKE_AUX; it looks messy. It is easy. "Classic" KE is always done in the IKE_SA_INIT. All PQ KEs are done in the IKE_AUX. However, once one (or few) of the PQ KEs is considered cryptographically matured and this PQ KE has small enough public key, we'll add it as a new "classic" one, so that in done in the IKE_SA_INIT. No mess here. > 2. Fragmentation > > We remember that Tero did suggest to use an intermediary exchange > between IKE_SA_INIT and IKE_AUTH. However, after soliciting inputs > from a number of parties (both vendors and clients), it appeared that > the majority didn't like the idea of having this extra exchange as > introduced a considerable deviation from standard IKEv2 flow and felt > that we would just be introducing an IKE_SA_INIT fragmentation which > could be achieved by other mechanisms. I'm puzzled here... The whole idea of QSKE is a considerable deviation from standard IKEv2. Comparing to the amount of needed changes to the protocol, introducing a new exchange that follows standard IKEv2 rules looks like a simple task. I believe it is easier than making all the modifications from the draft to the IKE_SA_INIT (that is already quite complex). > While IKE_AUX would be useful in environment where network is lossy, > we also need to consider the requirements for applications such as VPN > concentrator where connection rate is important, or peers that have a > considerable route trip time. If you put all the QSKE payloads in a single IKE_AUX (and won't do them one by one in a series of IKE_AUX), you'll have the same number of round trips as in your proposal. I see no advantage of your proposal here. Am I missing something? > We acknowledge that we have not included > any mechanisms to deal with loss packets in version 01 of our draft. > This is intentional as we would like to get the WG input on which > direction we should take our draft before going deeper. > > In terms of DoS attacks, we do not mandate the use of cookie > mechanism, but when implemented, the responder can check that incoming > messages corresponding to the second round of our protocol (note that > this is the expensive round in which public-key operations are > performed and space is allocated) have been agreed previously in a > first round of the protocol. It won't help you against poisoning reassembly queue with a bogus packets, since an attacker would know the correct cookie from the first round. And this attack is not possible at all with IKE_AUX (unless an attacker breaks classic DH in a real time). Please, see ipsecme mail archives from 2012-2013 where all these things concerning possible attacks on IKE fragmentation were discussed in detail. > We also believe that your comment that > what you propose is substantially more secure is not true. An attacker > who can monitor exchange of messages and inject packets, can trivially > DoS a connection (e.g. when the initiator sends the initial "HDR, > SAi1, KEi, Ni", the attacker immediately responds with a "HDR, SAr1, > KEr, Nr" of his choosing before the real responder does). An attacker > who can modify the initial packets is not detected until later in the > exchange. This is a different kind of attack and your proposal is susceptible to it as well. Moreover, the attack is described in the RFC7296 (Section 2.4, page 29) and some countermeasures are suggested. > Of course, this could require a significant amount of > resource allocation for post-quantum public data exchange. In our > approach, we could detect it before IKE_AUTH phase. Please, elaborate. Unless you mandate requesting cookie, your proposal is no more secure against this attack than classic IKEv2 or IKE_AUX. And mandating requesting cookie can be an option for all of them. When I was talking about DoS attack on your proposal that are not possible in IKE_AUX approach, I meant an reassembly queue poisoning attacks. Besides your proposal is more complex and less robust... > 3. Large payload > > We also hope that we don't end up having PQC ciphers with large > public-key. We don't mandate our proposed draft to support payloads > larger than 64KB. In fact, it is an added bonus of how we do > fragmentation. Well, with IKE_AUX we have this bonus almost for free too. However I agree that we'd better to avoid such huge KE payloads... > Best regards, > Authors of draft-tjhai-ipsecme-hybrid-qske-ikev2-01 Regards, Valery.
- [IPsec] draft-tjhai-ipsecme-hybrid-qske-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-tjhai-ipsecme-hybrid-qske-ikev2… CJ Tjhai
- Re: [IPsec] draft-tjhai-ipsecme-hybrid-qske-ikev2… Valery Smyslov
- Re: [IPsec] draft-tjhai-ipsecme-hybrid-qske-ikev2… Paul Wouters
- Re: [IPsec] draft-tjhai-ipsecme-hybrid-qske-ikev2… Tero Kivinen