IETF Logo Mail Archive

Re: [IPsec] Roman Danyliw's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)

"Valery Smyslov" <smyslov.ietf@gmail.com> Wed, 08 January 2020 14:42 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F7B1120106; Wed, 8 Jan 2020 06:42:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCBIT2w81qBv; Wed, 8 Jan 2020 06:42:04 -0800 (PST)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F141120100; Wed, 8 Jan 2020 06:42:04 -0800 (PST)
Received: by mail-lf1-x132.google.com with SMTP id 203so2601048lfa.12; Wed, 08 Jan 2020 06:42:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=hXIcNN7eFaLqquOJxDkbUoMcBAdBEgfrkX+UM7KI738=; b=ckKsW5rMzu10Z3y3uFf9F7+lcDilEHDqwGvnjkxUIz4ey8lVAYVd71KAdHAtINOFRZ 4JQn4VwisnezuJoMJXXjQ+TSO9xDC/89MqcRy16yrzqPyvnqJoAdua6YZjLUGjKWRaVM RD2yT405owfDZSJhKjxDqw2KK8Kcy0WWg+8kv4p/Ux4HWLyvq2H7HLKr+dt1RZiwI+9k 50qlb2VY3eDZjlwHkCM4T7H2J9vp4GrP0heoNZCvRP/Nv6SFlJRY7mL+7xRUomRxT69B 0hHZD93xHF8w1HO+l6IxkmSGLKA/yxHuNjSsRNWvXmLX34CP0QHBFFWLl/4QNAq/5tK7 7eMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=hXIcNN7eFaLqquOJxDkbUoMcBAdBEgfrkX+UM7KI738=; b=mQIEOia40x7GvidzcWBYNRo/qx92q8fjZojhBRBmI/l0TY71fXfa3GpUJH46aZWg9E 016c4AEM3niPnTyo1bRu2//Ks7Vrl6QsubUVg9hN2wkyXWWq2zEyNwA8efjb5Cz+SePF iPrxr/EyzQwyDvrX2/YbmLfH4+v0kyS3wIq3MoCJn6lDTIKYetQbGK8N3Ev5wWocBczG KHDn64iRvhbEs/O/8ol8rSN7BszRiuG16s6lGK0AtsZaTO8b7SMfVz/a/wgXyfJu7FU4 NDmwRHWixov7UsyWB2u57wO/MwgIeXBWl5sJJBOfKFStnkHxlj2vtghHnenk00CYMauR MFCw==
X-Gm-Message-State: APjAAAXjP2FgOCTSlDtRSmdDvSEi3j0q5a5CrELuQH/v238qPMRme6DB aawmUVTvnuxqdc8jKNTOBZo=
X-Google-Smtp-Source: APXvYqw1mDm1nZIf8Q4Ubm0UQOENtFQAr0m1y5QlcOgmFiWMTD0SM+zP+0sCaoHuMUOmNrGtGAvHPA==
X-Received: by 2002:a19:7401:: with SMTP id v1mr2984457lfe.129.1578494522434; Wed, 08 Jan 2020 06:42:02 -0800 (PST)
Received: from chichi (95-27-147-103.broadband.corbina.ru. [95.27.147.103]) by smtp.gmail.com with ESMTPSA id m21sm1489645lfh.53.2020.01.08.06.42.01 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 08 Jan 2020 06:42:01 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Roman Danyliw' <rdd@cert.org>, 'The IESG' <iesg@ietf.org>
Cc: ipsec@ietf.org, ipsecme-chairs@ietf.org, david.waltermire@nist.gov, draft-ietf-ipsecme-qr-ikev2@ietf.org
References: <157848972183.22539.2744332616397571958.idtracker@ietfa.amsl.com>
In-Reply-To: <157848972183.22539.2744332616397571958.idtracker@ietfa.amsl.com>
Date: Wed, 08 Jan 2020 17:41:59 +0300
Message-ID: <00ec01d5c631$c8b5ea40$5a21bec0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFITT44UlchcJP7OR6RvXiyPMteCqj7tQ5A
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/qRbRiBn-KKUWOl8ZY-IJK8Ik8bE>
Subject: Re: [IPsec] Roman Danyliw's No Objection on draft-ietf-ipsecme-qr-ikev2-10: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 14:42:08 -0000

Hi Roman,

> Roman Danyliw has entered the following ballot position for
> draft-ietf-ipsecme-qr-ikev2-10: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> These are all editorial.
> 
> ** Section 1.  Per “Recent achievements in developing quantum computers
> …”, is
> there a citation?

Do you mean a citation about achievements? I'm not sure it's easy to find a stable
reference here, but probably Scott or David or Panos have a good one...

> ** Section 1. Per:
>    If the preshared key has
>    sufficient entropy and the PRF, encryption and authentication
>    transforms are quantum-secure, then the resulting system is believed
>    to be quantum resistant, that is, invulnerable to an attacker with a
>    quantum computer.
> 
> -- The definition of quantum resistant doesn’t seem exactly precise.  A
> quantum-resistant algorithm isn’t “invulnerable to an attacker with a
> quantum
> computer”, rather isn’t it instead no easier to attack than with known
> classical architectures?

My understanding is that it's infeasible to break such a system even 
with a help of quantum computer. 
Grover's algorithm still gives an attacker equipped with QC
an advantage comparing with classical architectures, but 
proper selection of algorithms and key lengths doesn't 
allow him to break the system.

It was discussed a bit during AD's review of the draft:
https://mailarchive.ietf.org/arch/msg/ipsec/8AEgzGjqsDMTUy1X0IB4JWv_zlE

And probably my co-authors will give more authoritative answer here.

> -- The first clause says the underlying primitives are quantum-secure, but
> then
> says that this translated into something being quantum-resistant.  I found it
> confusing to mix both terms (which sometimes are used interchangeably)

To be frank I don't feel difference here, but again I rely on my co-authors here.

> ** Section 1.  Per “This document describes a way to extend IKEv2 to have a
> similar property; assuming that the two end systems share a long secret key
> then the resulting exchange is quantum resistant.”, I stumbled over this
> language a bit because I wasn’t sure which property you were referencing –
> was
> it the list of things in the previous paragraph’s last sentence that made it
> “quantum-secure”?

I believe it is a property of being "quantum-secure" (or "quantum resistant").

If we change all instances of "quantum resistant" with "quantum-secure"
in the Section 1, will the text be more clear?

> ** Section 3. Per the description of modified IKEv2 key derivation:
> 
> -- Recommend explicitly citing the relevant section:
> OLD:
> Then, it computes this modification of the standard IKEv2 key derivation:
> 
> NEW:
> Then, it computes this modification of the standard IKEv2 key derivation
> from
> Section 2.14 of [RFC7296]:

OK.

> -- Recommend explaining the notation/relationship between the “prime
> versions”
> of the sub-keys (i.e., SK_d’ and SK_pi’ and SK_pr’) in the this SKEYSEED
> formula with the SKEYSEED formula in Section 2.14 of [RFC72196].

I'm not sure I fully understand what you mean.
I think we provide formulas of how prime and non-prime versions
are correlated (i.e. how non-prime versions are computed from prime versions).
Am I missing something?

> ** Editorial Nits:
> 
> -- Section 1.  Editorial. s/this note/this document/ -- trying to be consistent
> on how the I-D references itself.

OK, already noted by Barry.

> -- Section 4.  Editorial.  Recommended clarity:
> 
> OLD:
> This will not affect the strength against a
>    passive attacker; it would mean that an attacker with a quantum
>    computer (which is sufficiently fast to be able to break the (EC)DH
>    in real time) would not be able to perform a downgrade attack.
> 
> NEW:
> This will not alter the resistance to a passive attack as even an attacker with
> a quantum computer (which is sufficiently fast to be able to break the
> (EC)DH
> in real time) would not be able to perform a downgrade attack.

No, this would change the meaning. The idea here that the second optional
step of marking all PPKs as mandatory has no effect against passive attackers
(because PPK is already used for all connections), instead by this step
we protect ourselves against a hypothetical downgrade attack performed
by active attacker. So, how about:

    This will not affect the strength against a
    passive attacker, but it would mean that an active attacker with a quantum
    computer (which is sufficiently fast to be able to break the (EC)DH
    in real time) would not be able to perform a downgrade attack.

> -- Section 5.2.3.  Typo. s/Addtionally/Additionally/
> 
> -- Section 6.  Typo. s/transmited/transmitted/

Thank you,
Valery.

> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email