IETF Logo Mail Archive

Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns

Yoav Nir <ynir.ietf@gmail.com> Fri, 16 February 2018 18:25 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80232129515 for <ipsec@ietfa.amsl.com>; Fri, 16 Feb 2018 10:25:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VygXK45ZORpA for <ipsec@ietfa.amsl.com>; Fri, 16 Feb 2018 10:25:28 -0800 (PST)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC4CD1200C1 for <ipsec@ietf.org>; Fri, 16 Feb 2018 10:25:27 -0800 (PST)
Received: by mail-wm0-x231.google.com with SMTP id v71so4692139wmv.2 for <ipsec@ietf.org>; Fri, 16 Feb 2018 10:25:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=F2NFZrPdl9YrERihEm53QkEWZDYng/mwje1I03se96A=; b=Cu9IeWakXEjBonn2VfnfHsTR+H6Jk8QsZPyUtYBxx8c0DTF8ppZp9d1Va9zx9Jdn6K vb8f74fs6Ro3lu8a36x4NxlI3xmIDLENiqa25sVaEPGv3X/vMiuY7vzM1WzVyVw4M23c uYF4nMDBI81dVS6ERVpYITVj6+XpyBZgZyHdch3qXjRmpy5E6rHSQuEBQpwe8TwCbcJP 9ny/THZqiBHsyOUBdvfcPPAxgicPT7eIbqQLRXAus74eQTyXnLqh1cMtk7mInb6q4GgY zMrPCFYLtm1w0lOISM3zj1geBAYvKlO3R8iK8fNH3PTCUPkpNy3SxsWGyvHljb/I8bBJ 8kMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=F2NFZrPdl9YrERihEm53QkEWZDYng/mwje1I03se96A=; b=Ns4zcaXGvvHfk5NOSKbujNE36OQewZmWEscO/qe0NL0K93JDOx00ujWkX/slQDSKhY WPzmkVSKxqB7bLgSqIFAy+gWubAMPOyW+L3hxb+p98jUJUI2uzEhZpL1cOpurEHC2SyB xQlpiqv2kaQjFydmdzAa7ANL0dSpGHkVB6BBqngkRI6sz+9OWaWJFxOIkAdfJ5ASoEA9 Z50Bs1ek552lCtieMJBJmJLdtT1yxkI3ZbJHND2VVC9Z3sSl8CjTIP/9nkXweLltqzVb +OQUxvydyrk4W5GzSkB0O/AX5IkzBGkbVInq/6SEUe4TjD39Ow6awEaBxDKzhmGACbh0 pISw==
X-Gm-Message-State: APf1xPCNYyyM0UcwMweoDgSJ2o5FVJSzCIefK13VoL4A6cB2Z5acUJ3Y SsaMeSS/Wi41/XbshnebTyU=
X-Google-Smtp-Source: AH8x224H9C3YgCpymi1rosTtBhjmqgjmHiYxRmmQMPVqKedaPm6QTbh5a/GweHgKy3267oQlEu9THw==
X-Received: by 10.28.17.141 with SMTP id 135mr5194715wmr.80.1518805526397; Fri, 16 Feb 2018 10:25:26 -0800 (PST)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id b136sm13186740wme.34.2018.02.16.10.25.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 16 Feb 2018 10:25:25 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <97670585-978A-4E58-AC8A-833EB8790754@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_54762FB0-ACE7-46BB-81C8-532C041DB2F5"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Fri, 16 Feb 2018 20:25:23 +0200
In-Reply-To: <23175.8000.242283.548415@fireball.acr.fi>
Cc: ipsec@ietf.org
To: Tero Kivinen <kivinen@iki.fi>
References: <23175.8000.242283.548415@fireball.acr.fi>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/pJqybt71TKrAFaGfS8YX6E16oVQ>
Subject: Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2018 18:25:31 -0000


> On 16 Feb 2018, at 20:13, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> This item does not have charter text yet, we do have text which
> explains what the problem is, but I think it requires some
> reformatting to fit as charter text.
> 
> The problem description is:
> 
> ----------------------------------------------------------------------
> 
> IKEv2 is currently vulnerable to the two following privacy concerns:
> 
> 1) It's not possible to run a server that obfuscates IKEv2/IPsec using
>   TLS.
> 
>    Today thanks to RFC 8229 it is possible to run an IKEv2/IPsec
>    server on TCP port 443 with TLS. However if a government agent
>    tries to send an SA_INIT over that it will discover that this
>    server runs IKEv2/IPsec, and may blacklist it. We should add a
>    mechanism to IKEv2 that allows the server to only respond to
>    SA_INIT from known entities (e.g. that possess a shared secret).

That would require that within the SA_INIT request, the initiator proves possession of a shared secret and does so in a non-replayable way.

Wouldn’t it be better for the initiator to prove identity or group membership in the TLS handshake?

> 
> 2) The privacy of the initiator's identity in the presence of a man in
>   the middle attacker is not protected.
> 
>    Today an attacker with full control of the network can receive the
>    IDi/IDr sent by the initiator in the first AUTH packet. We should
>    add a mechanism to IKEv2 that allows the initiator to only send
>    IDi/IDr to known entities (e.g. that possess a shared secret).

This is more feasible. I understand the issue, but the only use case where I think it’s important is remote access. It would make sense in remote access to reverse the order of authentication so that the responder identifies and authenticates first, but you’d still need the initiator to send the IDr first.

> ----------------------------------------------------------------------
> 
> Is this something that we should add to charter? Do people understand
> the issue?
> 
> Note, that there are multiple ways of solving these issues, for
> example the 2nd problem can also be solved by using pseudonyms, i.e.,
> sending random one use ID payloads during the IKE_AUTH, and after the
> peers have authenticated each other, they can do new exchange which
> will change the pseudonyms for next use. I think the 2nd option should
> be rewritten in bit more generic ways to allow that kind of option
> too.
> 
> Send your comments and whether you support adding this to the charter
> to the ipsec list in next two weeks.
> --
> kivinen@iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email