IETF Logo Mail Archive

Re: [IPsec] [Lwip] Paul Wouters' Discuss on draft-ietf-lwig-minimal-esp-08: (with DISCUSS and COMMENT)

Daniel Migault <mglt.ietf@gmail.com> Wed, 20 July 2022 01:20 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27C05C131946; Tue, 19 Jul 2022 18:20:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuBlzKwgGEFG; Tue, 19 Jul 2022 18:20:11 -0700 (PDT)
Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E7E1C131945; Tue, 19 Jul 2022 18:20:11 -0700 (PDT)
Received: by mail-pj1-x1029.google.com with SMTP id q41-20020a17090a1b2c00b001f2043c727aso674651pjq.1; Tue, 19 Jul 2022 18:20:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zBuqu3UHuX9ZnpgdP2B35WUeao6Kk3/WZMySiCrJ4Gg=; b=EXh7Lz5oTZsJGEGeiu+Ft2rSHa1MT/YfyeBYIjz6ikvKXL19U+hl2AkUxTFSPdYSN8 WNhwJbsUkZ46zA2Go3OwLyyQIBMQZ+N3K+0xoxFyvjDNC/POsjGM0xDOCMr9zdKcB8Pf GiWuN3wLoDVUrrmRx6gqRhadgMutBMC7NmLXH7z8QLR0on74q3ubJuq57yWP2at4AZUr p5RZcrGmMQXiCOUJJ5kXUGE2BlvNVPYDFsrJj8KurAw21XT6f9kW5GoItlzdL/1L4EIi wQcG8k3vw/0Was3aS6oMwmC3aBlv/chbMytJHly8D3uijMyrwuBhXe6glsGDaaPJL9d2 l58Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zBuqu3UHuX9ZnpgdP2B35WUeao6Kk3/WZMySiCrJ4Gg=; b=tAhb4+GpdZS4ZNj1sM//rbBHUbo/lrCORlX5i88D4kpTwXurwK1+QHRdEnntlOT34W +51waF84Anf1jyDcqAKl1TjFWITL8BTY39liLEdmoDBvs2f/s8oFBB4hPyTcEWlzwY5O QAqjAwuzdVEmWVH3hWEVwXQGde2LrJdOCgerDfgPiGr29mwvpohpryokyE64J+y1L2uG sSmKIM3BrIdOrTBg4qK+38xHiyrSCxAbSdVwoCy81KK+OvsxJrIMmF464/VlvI25YFZG Q+PJka0ySI0Y9UW0r+TN+rwTTssg1nZpIj3eRacZ91lfnDTADpw10chlztXhnVnrcElj 534w==
X-Gm-Message-State: AJIora8vOCe+Z7B9YS9VPMPfhsCsTiNmDjBVDCKFvYMfzlXR30QYVie+ Ei9yg9T0gs750kq77jREoetLvdoDt5ugTwHZmT0=
X-Google-Smtp-Source: AGRyM1u9xOIsodkVTGiuApPmPisYp70BTxQZH8/ex29VmejpZ6/Z8Q1vx1iznhI6tL2Tzm2DZycShIvGnjI5Gfv2qdI=
X-Received: by 2002:a17:90a:b117:b0:1ef:958f:e5b7 with SMTP id z23-20020a17090ab11700b001ef958fe5b7mr2429065pjq.107.1658280010488; Tue, 19 Jul 2022 18:20:10 -0700 (PDT)
MIME-Version: 1.0
References: <164919648646.8778.6947253487684946962@ietfa.amsl.com> <CADZyTkkdXs8tJu_J5M_Yb-VC2SbSECLen_igUrGVGtrNFng6QA@mail.gmail.com> <CAGL5yWb5oaridQzFdxoWQdieNxDb=pOB_5sMCBM+HdgCsn_NeA@mail.gmail.com> <CADZyTkk616G+U5323wBXhR35K=FojD2+V_L5UEv-=6Xzz-A4Tw@mail.gmail.com> <CADZyTkkw1h9F9pDrAYgQDOQ-BCwiezocMba4H3WUh9qvavmRYA@mail.gmail.com> <c07734f1-e33c-5aa6-92fd-24938298f3ba@nohats.ca> <CADZyTk=kRGEA3BTMz05uNQbbEgXQT+TTQ0C9-o0FFtK3ny5+oQ@mail.gmail.com> <a6ce149c-293f-9a46-86a5-964d71fe4b3@nohats.ca>
In-Reply-To: <a6ce149c-293f-9a46-86a5-964d71fe4b3@nohats.ca>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 19 Jul 2022 21:19:59 -0400
Message-ID: <CADZyTk=Fp+2n-zRhMXivcMt9ZihagTPwuQaowK-0qp_hm8s1Vg@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: The IESG <iesg@ietf.org>, lwip@ietf.org, Mohit Sethi <mohit.m.sethi@ericsson.com>, draft-ietf-lwig-minimal-esp@ietf.org, lwig-chairs@ietf.org, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f6a0b705e43266bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/oP-M7lffpepUbaYFjkPKVzgkBJg>
Subject: Re: [IPsec] [Lwip] Paul Wouters' Discuss on draft-ietf-lwig-minimal-esp-08: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2022 01:20:12 -0000

Hi Paul,

Thanks for the response. Please see my responses inline.

Yours,
Daniel

On Tue, Jul 19, 2022 at 11:47 AM Paul Wouters <paul.wouters@aiven.io> wrote:

> On Mon, 18 Jul 2022, Daniel Migault wrote:
>
> >       The limited SPI numbers and rekeying is still not clear to me.
> >       We exchanged a few emails but that did not result in me
> understanding
> >       this.
> >
> >
> > I am happy to understand what is unclear. I suppose the text you are
> referring to is the one below - extracted from version 11.
> >
> >    Alternatively, some constrained devices will not implement IKEv2 or
> >    Minimal IKEv2 and as such will not be able to manage a roll-over
> >    between two distinct SAs.  In addition, some of these constrained
> >    devices are also likely to have a limited number of SAs - likely to
> >    be indexed over 3 bytes only for example.  One possible way to enable
> >    a rekey mechanism with these devices is to use the SPI where for
> >    example the first 3 bytes designates the SA while the remaining byte
> >    indicates a rekey index.  SPI numbers can be used to implement
> >    tracking the inbound SAs when rekeying is taking place.  When
> >    rekeying a SPI, the new SPI could use the SPI bytes to indicate the
> >    rekeying index.
>
> I don't understand what it is that the devices are trying to do. Both in
> terms of saving CPU or energy, and in terms of interpreting bytes of the
> protocol. Can you give a full example of a rekey taking place in the
> traditional way and in this new way proposed here? Perhaps when I see
> that, I can help with modifying the above text to make this process
> clear?
>
> The device could be provisioned with a master secret from which keys are
derived. It uses one byte of the SPI to indicate which key is in use. The
other peer is provisioned the same way and can generate the appropriate
key. This rekey improves the use case of a device (without IKEv2) only
provisioned with a single key while avoiding the management of multiple SAs
- especially when the rekey occurs. Typically a rekey performed by IKE
creates a new SA and deletes the previous one.

Let me know if the proposed text is clearer.

OLD
SPI numbers can be used to implement tracking the inbound SAs when rekeying
is taking place.  When rekeying a SPI, the new SPI could use the SPI bytes
to indicate the rekeying index.

NEW
This enables indicating both the SA and the key being used for the packet.
When the last byte of the SPI changes, the device generates or retrieves
the corresponding key and assigns it to the SA.


> >       The sequence number discussion mentions the issue of packets
> falling
> >       out of the receive window. We talked about an IKE option/notify to
> >       signal this and during that discussion it also came to light that
> this
> >       protocol is going to be used without IKEv2. This leaves an
> >       interoprability unaddressed.
> >
> > I do not see any mention of IKE option and SN, but maybe you can refresh
> my memory.
>
> Without signaling that this is going to use large jumps in the SN, the
> other end would drop packets outside of its replay window. If there is
> no IKE, how is the peer going to know about this? eg you write:
>
>     Note that standard receivers are generally configured with
>     incrementing counters and, if not appropriately configured, the use
>     of a significantly larger SN than the previous packet can result in
>     that packet falling outside of the peer's receiver window which could
>     cause that packet to be discarded.
>
> What you wrote is "this is a problem". Instead, I think you should state
> something like "Using time based SN should only be used when it is known
> that the remote peer supports this or when it is known that anti-replay
> windows are disabled".
>
> I added your text while keeping the description of the problem.


> > The only IKE option discussion I recall of is an option you propose to
> > request the other peer not to send dummy packets - which is primarily
> out of scope of minimal esp and whose usefulness remains to be proven.
>
> It was in relation to AEAD security.
>
> I did talk about using IKEv2 to convey some of these recommendations
> via IKEv2 so peers can become aware of these instead of the more vague
> wording the draft now uses that basically assumes all peers involved
> do minimal ESP. It is fine for you not to take up this suggestion.
>
> >       And since this protocol is also meant to run without IKEv2, there
> is
> >       an issue of only recommending AEAD algorithms that rely on IKEv2
> for
> >       its security properties.
> >
> >
> > I do not see the issue associated with AEAD, so can you be a bit more
> explicit. I do not see what is being provisioned via IKE that cannot be
> provisioned
> > via other means.
>
> Sure, anything IKEv2 provides can be provided in another way. AEAD
> normally relies on a protocol to ensure rekeying before a maximum
> amount of crypto operations is done, ensures nonces and counters
> are never re-used, and the same private key is not re-used when a
> device reboots. I can (reluctantly) agree, you don't need to do
> anything else in this document for this.
>
> > In addition, I do not see this as an issue if we were mandating AEAD.
> This is not the case. The document recommends the use of AEAD  as a general
> > purpose. I think this is relevant and does not prevent specific cases of
> not using AEAD. What text would you like to see ?
>
> Recommending or requiring are kind of the same thing with respect to
> requirements to comply. As I said, no need to add text for AEAD.
>
> >       Section 6 talks about Dummy packets but the labeling of the header
> >       is a bit misleading into thinking the Next Header behaviour is
> >       modified. I had suggested the section to be renamed.
> >
> > The current title is "6. Next Header (8 bit) and Dummy Packets". The
> section has been renamed, and I do not see what more needs to be done.
>
> The entire section is ONLY about dummy packets. Which happen to get
> indicated by a value contained in the Next Header. I find the title
> of the section misleading because it appears to talk about Next Header
> in general, especially when it starts talking about that it is a
> mandatory field. Again, I'll treat that as a comment and not a blocking
> issue, but the section should really just be called "Dummy Packets".
>
>
The document is structured by listing all field of ESP, so I prefer to keep
"Next header" in the title. While dummy packets are the main focus we also
describe the field with alternative uses like beet mode. I think it would
be strange to only have dummy packet in the title.

> Paul



-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email