IETF Logo Mail Archive

Re: [IPsec] Comments on draft-mglt-ipsecme-implicit-iv-02.tx

Yoav Nir <ynir.ietf@gmail.com> Sun, 19 March 2017 18:53 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03F712896F for <ipsec@ietfa.amsl.com>; Sun, 19 Mar 2017 11:53:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B8unIEVnPPPN for <ipsec@ietfa.amsl.com>; Sun, 19 Mar 2017 11:53:01 -0700 (PDT)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 482C81292FC for <ipsec@ietf.org>; Sun, 19 Mar 2017 11:53:00 -0700 (PDT)
Received: by mail-wm0-x235.google.com with SMTP id u132so48828679wmg.0 for <ipsec@ietf.org>; Sun, 19 Mar 2017 11:53:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=5ZjMu2EEoy08Rxroa1wFRJ7lFXcCVXpKaKv0WkTb0YI=; b=R2oqgmH2FAoy7a2vWRxB1Dkt33lN+QnTcKdGQMf0BJ+iXGjPQDhnRrI8f9OfLnixki pKTGHqtpuY1oKuuk+r+p276QMyOPyfFA+rL76eXaQZhdUhuAvaczC8ZMn7tpRSIBBtlM i7ylhmzC5bjKUh+mLphwUEYz/2kQDC6j6MQZsIVp1mNlaDvbQm+IFKTW9lJcHNDbIiTQ cbBDF7cJlzEW2rx7rrnes/iFUZ+Rwg/3mZYzCbeTIVxsrjvtZLN7oGvJ1z2DvCwAlszl AFNAFk018uD9YmM5hBWChVGyy2nYzUNSwa4VRVXM+HwBs6aEjLom/WJbj9QNggNp09NH H/Hw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=5ZjMu2EEoy08Rxroa1wFRJ7lFXcCVXpKaKv0WkTb0YI=; b=XGri39RuOGw2pilV22B+an1+xGFl/aK/2pVMzI7rv2IpjTkpnd3oJE0gTNHbCAD1D8 /Lp3gkx9s+W9igX7aEbwd2O6idkeU5vMtzTpn7ElrDyJGvOtS/zKvYEWDzJur4XKQ5ZZ uAs6eqelI1ZrTaq412b6+q5anFGNJfrzS5c+45zVvlW+8naljW2WtaFuhj8D22ASofF3 8RJK3cBYO4cYgxcvfN5m0j3rWOgQ9WBJ36VUEh/vSyIZBfG+Kxh6QRS16Qyy0U0+SU3G uNzzOOBI5246ljrUUelLNQ2xqARv7cw4IJp9bNtFR2nReG/syihfQWEV16uaShKMkyK+ /GNw==
X-Gm-Message-State: AFeK/H1o3BdcQxYCdLg5Zq2dNuczU6dF1AoSl6qU5bH2m6WICgAbPBf1j3Nv+8LiDrEMZg==
X-Received: by 10.28.21.15 with SMTP id 15mr6784417wmv.11.1489949578763; Sun, 19 Mar 2017 11:52:58 -0700 (PDT)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id m186sm10639394wmd.21.2017.03.19.11.52.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 19 Mar 2017 11:52:58 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <D2A9E1AB-6976-4557-AEDC-1A48CF1D8F66@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_A3303713-F582-4E8E-B2EC-A2926F04D2FF"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Sun, 19 Mar 2017 20:52:55 +0200
In-Reply-To: <CABcZeBPFN0tUpm-2YVpSpVsP498C04YsaZVysAgdSE-AAbMXWg@mail.gmail.com>
Cc: ipsec@ietf.org
To: Eric Rescorla <ekr@rtfm.com>
References: <CABcZeBNSy6PZYb02ceHfF6tHRuO4cYMNwmb42G1di7ZQ+8sg=Q@mail.gmail.com> <A01A175A-73CA-4666-8C56-EE8AB7E5A332@gmail.com> <CABcZeBPFN0tUpm-2YVpSpVsP498C04YsaZVysAgdSE-AAbMXWg@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/o6YXfMd70kC4uAavnqinVfZg11s>
Subject: Re: [IPsec] Comments on draft-mglt-ipsecme-implicit-iv-02.tx
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Mar 2017 18:53:04 -0000

> On 19 Mar 2017, at 19:30, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Sun, Mar 19, 2017 at 10:23 AM, Yoav Nir <ynir.ietf@gmail.com <mailto:ynir.ietf@gmail.com>> wrote:
> 
>> On 19 Mar 2017, at 16:55, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>> 
>> Overall:
>> I notice that you are using a construction different from that used
>> in TLS 1.3, which doesn't directly repeat nonces across associations.
> 
> I didn't see an answer to this.

Nonces are specified as 64-bit IV (usually counter and we are forcing it to be a counter) plus 32-bit salt in RFC 4106.  We saw no reason to change that.

>> 
>> S 2.
>>    This document does not consider AES-CBC ([RFC3602])as AES-CBC
>>    requires the IV to be unpredictable.  Deriving it directly from the
>>    packet counter as described below is insecure.
>> 
>> Can you provide a cite for this?
> 
> Even RFC 3602 requires that the IV be randomly generated (and for good measure requires that it be unpredictable)
> 
> That's just a cite to a requirement, not to it being insecure. Do you have a citation to the relevant threat?

We could cite BEAST. Of course BEAST depends on HTTPS, so it’s not really applicable - it’s harder to manipulate the first 16 bytes of the IP header - but these have been the recommendations for using CBC in both RFCs and NIST documentations for years before BEAST.

> 
>> In any case, note that there are
>> straightforward algorithms for deriving a CBC IV from a counter
>> (e.g., run AES in counter mode with a different key). That structure
>> would actually be suitable for GCM as well (and would address
>> my point above).
> 
> If each implementation generates a random key and uses this to generate the IVs this is fine, but you still have to transmit the IV.  If we derive an “IV key” from the keying material, then we don’t have to transmit the IV.
> 
> You generate the IV from the sequence number, so you don't need to transmit the IV.
> That gives you an unpredictable IV without the per-packet overhead.
> 
> 
> We did bring this idea up at a WG meeting. This was not well-received for three reasons: (1) it’s unnecessarily complicated. (2) The world is going to AEAD. AES-CBC is the past, and (3) The perception was that saving 8 bytes per packet was important mostly for IoT, and they don’t care about CBC.
> 
> Sure, that's reasonable. I'm merely observing that there are designs which work for CBC.
> 
> 
>> S 3.
>>    o  IV: Initialization Vector.  Although security requirements vary,
>>       the common usage of this term implies that the value is
>>       unpredictable.
>> 
>> I don't think that this is true at all. I've frequently heard of a
>> zero IV. It's also odd in that your IV is in fact predictable.
>> 
>> 
>> S 5.
>> I'm a bit surprised that you are deciding to have duplicate
>> code points for every algorithm rather than some sort of IKE
>> negotiation payload. I see that the WG is currently defining
>> other extensions where you take that approach.
> 
> See slide #7 of https://www.ietf.org/proceedings/96/slides/slides-96-ipsecme-0.pdf <https://www.ietf.org/proceedings/96/slides/slides-96-ipsecme-0.pdf>
> 
> The problem is that IKEv2 has strict rules about unexpected attributes in the substructures of the SA payload. The sense of the room was to go with new identifiers.
> 
> OK. Well, I agree it's ultimately a WG decision, but it doesn't seem very elegant.

I was in the rough on this at first, but it was shown that every alternate negotiation mechanism had unwanted consequences.

Yoav

v2.23.0 | Report a Bug | By Email