Re: [IPsec] Questions about RFC 5723
"Valery Smyslov" <smyslov.ietf@gmail.com> Fri, 12 July 2019 07:35 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1760120128 for <ipsec@ietfa.amsl.com>; Fri, 12 Jul 2019 00:35:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.797
X-Spam-Level:
X-Spam-Status: No, score=0.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IHPyjaNw_VRu for <ipsec@ietfa.amsl.com>; Fri, 12 Jul 2019 00:35:09 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5637D120096 for <ipsec@ietf.org>; Fri, 12 Jul 2019 00:35:09 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id w13so8326953eds.4 for <ipsec@ietf.org>; Fri, 12 Jul 2019 00:35:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=Pe03So1Nv2vKM5Fe/P2RKcr4a00nUAZ+ikqnjkdVyiI=; b=QFcTlNna6DHACcJPmHwNZoo+Z5nlO9eopSG7V6RhOBZ7w1q37PeFMcOtP6jAfiqZue rX2kfKyY71WVpkY5zCfo+3soQGj89XYJY3R30MqpgCrP+xImpbKJ2S7RVbxUnLkyl0F4 +rqLXyL/LqebZGxTmQsDyECv9i+9k885GXClxTxRd5Roz1lp2nMsww/GC54YgZCvTGxk jtIOPMvYqv1k5+ladWQ1wyi7ZZUi90cSGkROPAFKaZb3twQXIxijEFRQYE8Pt3VWQCg0 BWcMPMVBh1Z9tkpm5Jr6zFOqEvULjDnojXvnMqE/CRln1id9RlRsVH1skDeqFIyHvqmS wtSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=Pe03So1Nv2vKM5Fe/P2RKcr4a00nUAZ+ikqnjkdVyiI=; b=BNZ+lZlD4jV04Z/M/j6o1sReN5PoY7EQliwk97IBKgpp/4kvteH+oDahMIHJw5jR5c g+VFtWm//dgexOKFkQqZaxulciYzIkH0pxYGEFW0bc9S/84L9JTVt6C7zTra9zRiyr2y rahCObNDraUTOYQU17MbQcuroTWEs0ni57k0L8oBnm0Z4jQMAEJbWaB0HbM3pzCbRQ8F k4/e2kaoSoy2Jg0u1gj8uVMGYiMPbbmnzRTPoRc+uILNV0W8Rlf2hzK7b6lyARVeqWN+ X0+mv6W+gareT5RVFY3CnncVlxJpYK03kKPTuzb5xqrb9Hc9igBBq6puT2TlniPsuYcr 4j4A==
X-Gm-Message-State: APjAAAVUYKdpvd7Uw6jzQCtib+nOcIsI+mkdpRiYnSIYx15iY3AQmK67 iao0NFKo8auxgyz9sTmse2U=
X-Google-Smtp-Source: APXvYqwQ2f8WO0aLYZ+JUnUvgtbTBFRLw+xzoZylWKdUkGEdoXET1MHgOXgYlQvK4WSOMJus4moYMQ==
X-Received: by 2002:a17:906:4acc:: with SMTP id u12mr6738606ejt.41.1562916907786; Fri, 12 Jul 2019 00:35:07 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id a3sm1571053ejb.83.2019.07.12.00.35.06 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 12 Jul 2019 00:35:07 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>, 'Yaron Sheffer' <yaronf.ietf@gmail.com>, 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>, ipsec@ietf.org
Cc: 'vinay kornapalli' <vinaykornapalli@gmail.com>
References: <alpine.LRH.2.21.1907111548370.26855@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1907111548370.26855@bofh.nohats.ca>
Date: Fri, 12 Jul 2019 10:34:57 +0300
Message-ID: <023401d53884$4f00aae0$ed0200a0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQH7GMB6pW49T1HsJGbqfwQ0VbE//aZ60BDA
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/psLNbiCm6pQDCCBLujDPNP74q_k>
Subject: Re: [IPsec] Questions about RFC 5723
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 07:35:12 -0000
Hi Paul, speaking as someone who implemented the IKE resumption. > Hi, > > I'm a little confused about some parts in RFC 5723 > > The first is about which SA's can be resumed. The introduction leaves > this ambiuous: > > To re-establish security associations (SAs) upon a failure recovery > condition is time-consuming, > > It does not say IKE SA or IPsec SA. And I have a feeling it depends a > bit on what you call "resumption". Only IKE SA is meant. > It then talks about resuming the IKE SAs.... Reading more, it seems > IPsec SA's are not "resumed" but "created from scratch"? Yes. > I also see: > > If a client temporarily loses network connectivity (and the IKE SA > times out through the liveness test facility, a.k.a. "dead peer > detection") > > This is also a little confusing for IKE and IPsec states, because the > liveness test is for an IPsec SA, not an IKE SA. But it is send via an > IKE SA. That is, if an IPsec SA has no outgoing traffic, there would > never be a check using IKE for this. So it is kind of misusing the fact > that the IKE SA is used for liveness tests to check on the status of > the IKE SA. I believe the authors meant that liveness check was triggered by traffic over IPsec SA, but resulted in timeout of IKE SA and thus deletion of IKE SA and all its children. > In 4.3.4 I see: > > Following the IKE_AUTH exchange, a new IKE SA is created by both > parties, see Section 5, and a Child SA is derived, per Section 2.17 > of [RFC4306]. > > Which Child SA? If the peers had more then one IPsec SA, how does one > determine which IPsec SA to generate key material for first? Because > this paragraph does not talk about a new CREATE_CHILD_SA, it looks as if > the child sa derivation would not need another Exchange, but I can find > no information on how this would be done, unless we just pull KEYMAT > from the new SKEYSEED, but then child SA and ordering is completely > unspecified and this could only work when there is a single IPsec SA for > the IKE SA? A single (pair of ) IPsec SA is created as result of IKE_AUTH following IKE_SA_RESUME, as if it follows IKE_SA_INIT instead of IKE_SA_RESUME. If more IPsec SAs are needed they are created via CREATE_CHILD_SA, as usual. > And this is the really confusing part in section 5: > > IKE and IPsec State after Resumption > > During the resumption process, both peers create IKE and IPsec state > for the resumed IKE SA. Although the SA is only completed following > a successful IKE_AUTH exchange, many of its components are created > earlier, notably the SA's crypto material > > So here too it says "create IKE and IPsec state". Which IPsec state > first? Then it talks about "the SA" and "the SA's" ? The IPsec SA you want to encrypt traffic with. Usually you have an outgoing traffic that triggers IPsec SA creation. If you don't have IKE SA at the moment, you create one with IKE_SA_INIT and then create IPsec SA for the traffic in the IKE_AUTH. With IKE resumption the only difference is that the initiator somehow determines that it has a ready to use ticket from the responder and instead of initiating IKE_SA_INIT it initiates IKE_SESSION_RESUME. The IPsec SA related stuff in the IKE_AUTH (traffic selectors, algorithms negotiation, cfg payload etc) is not affected by resumption. > My guess is that we first pull key material for the IKE SA, and then for > one of the IPsec SA's (perhaps this document assumes there is only 1 > IPsec SA for any IKE SA that can be resumed?). Or based on Note 6: > > Note 6: Since information about Child SAs and configuration payloads > is not resumed, IKEv2 features related to Child SA > negotiation (such as IPCOMP_SUPPORTED, > ESP_TFC_PADDING_NOT_SUPPORTED, ROHC-over-IPsec [ROHCoIPsec] > and configuration) aren't usually affected by session > resumption. > > Perhaps what is meant is that a session resumption only resumed a > childless IKE SA, and now the initiator must do CREATE_CHILD_SA's for > each IPsec SA it wants to have again (not really "resumption", as these > are created "from scratch" like regular CREATE_CHILD_SA? No, one IPsec SA can be created in the IKE_AUTH (usually the IPsec SA you are in immediate need to protect the outgoing traffic). Other IPsec SAs can be later created via CREATE_CHILD_SA. > Also, when using PFS, these CREATE_CHILD_SA's would do a DH again, at > which point one wonders why to do resumption at all if you have more > than one IPsec SA, as you would be doing DH's anyway for all children, > you might as well do one more for a regular IKE_SA_INIT ? In any case you save on authentication (this may involve signature computing/verification and probably human intervention in case of EAP). > So the essense of my question is: Am I correct that an IKE session > resumption only resumes the IKE SA, and that all IPsec SA's need to be > re-negotiated using CREATE_CHILD_SA ? You are correct that IKE session resumption only resumes IKE SA. However, one IPsec SA can be created in the IKE_AUTH as part of session resumption, the others must be created via CREATE_CHILD_SA. > Secondary question: When using pfs=yes, what is the envisioned behaviour > of CREATE_CHILD_SA? Do a new DH? Or is it assumed that resumption would > be an incompatible policy with pfs=yes ? With resumption you essentially re-use DH from the old (already deleted) IKE SA for the IPsec SA that is created during resumption in the IKE_AUTH. If it is not appropriate, then resume IKE SA as childless and create all IPsec SAs via CREATE_CHILD_SA with DH. Regards, Valery. > Paul > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Questions about RFC 5723 Paul Wouters
- Re: [IPsec] Questions about RFC 5723 Valery Smyslov
- Re: [IPsec] Questions about RFC 5723 Paul Wouters
- Re: [IPsec] Questions about RFC 5723 Yaron Sheffer