IETF Logo Mail Archive

Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-iv-04

Daniel Migault <daniel.migault@ericsson.com> Tue, 26 June 2018 18:10 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52963131106 for <ipsec@ietfa.amsl.com>; Tue, 26 Jun 2018 11:10:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MhAVlLBmfQZL for <ipsec@ietfa.amsl.com>; Tue, 26 Jun 2018 11:10:54 -0700 (PDT)
Received: from mail-lf0-x232.google.com (mail-lf0-x232.google.com [IPv6:2a00:1450:4010:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE4191310F7 for <ipsec@ietf.org>; Tue, 26 Jun 2018 11:10:53 -0700 (PDT)
Received: by mail-lf0-x232.google.com with SMTP id y127-v6so1627691lfc.8 for <ipsec@ietf.org>; Tue, 26 Jun 2018 11:10:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=e5m4xOPEW2Caahh3RMa/JVoLMcJ2Wwe5Gv1IsnXd40Y=; b=eM3FZ7kCai+Cjng2VopE9bpQAc073vJATm/BSusvGCFkSRJEBgCGaTc0oVVWdfPjaw 1ZVlc42VCMDLG6THqehFSI6ZiCI1AZ1/bLVVA4l+lzu8WwMpDjjqE+jY/ANEXI9T3ZGT SQiHcj2ECr99YRcuLOpaO4cjHFRMPicUJc9zHUWzhmfgQTEuR2+JwDiY+pQk7TFW8ShJ xpPmThW/EnxZPVrmwlWFt4SOrOnhiIGLv8M5uJ1bOIK99spg/zf8AnWlhrez5yl7OkBC ZUObI+Kp5c823rLti3OiNg2Gk1PRLXZOEhQemipX8nB0yfVkhb7IBXAzc0PiFmSc7+V9 G3XQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=e5m4xOPEW2Caahh3RMa/JVoLMcJ2Wwe5Gv1IsnXd40Y=; b=dWjLe5a2qhV/0yGIdQFAaKWW0fr2Z0wBrDZANTzajN+rPpt48hSHHm2R3hIgZlPEUN riJNuAyfnIv6Tzd/wWyXYnVYaPM5/FSPaBl2+3UIT29YLvFgGPtgJnQ0FXmpAfT44N7B Ir8KQRASMqnSg7hioeUcZ3PzgesaOULSt1qqzpMSISABwgGsEXE/OpCOuMPbhiqsXGKh NsJqnTLweGjYUUb3e6CuvylOW5aRpl/Cncoi6CzRMg2D2Dwc3FLj13WuDgcDJ2Oc0BKU Zgjnzzr/AmhGuwFNAWvmXK0ZUuU7Y6lElK/SANHcd72vwQFdq1JNdN5UtOXftDocqw3A rHxA==
X-Gm-Message-State: APt69E3sRyYrOV4STgqA8DTXl9sjiBYnyBZ0wGBDy7v62xqS5RYxFBv7 YR0kkt3qG7e1BM2j4sfvDXBRV9tTjYZXG/AsKVs=
X-Google-Smtp-Source: AAOMgpezhMLB4iY1NGin2svaq1/OH73ZBNoXLuCKCPLyjbjFzyjxsSpRZGX3qdwQvO/LekueRyqaxjAEgAWV616F6Jc=
X-Received: by 2002:a19:910a:: with SMTP id t10-v6mr1973234lfd.24.1530036652108; Tue, 26 Jun 2018 11:10:52 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 2002:a2e:4281:0:0:0:0:0 with HTTP; Tue, 26 Jun 2018 11:10:51 -0700 (PDT)
In-Reply-To: <08e101d40d50$b5db2610$21917230$@gmail.com>
References: <BL0PR0901MB23068D6C3BFEFB11FDCB06B7F0710@BL0PR0901MB2306.namprd09.prod.outlook.com> <08e101d40d50$b5db2610$21917230$@gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Tue, 26 Jun 2018 14:10:51 -0400
X-Google-Sender-Auth: RJBlpnzsKuOurpmMCfhKE7mDT4Q
Message-ID: <CADZyTkmEjrr7dtZGP89U6graOwmWs-deM-_GjX+hedxdnvDjuA@mail.gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000246ebd056f8f6be6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/qjf57qvHgjV7BtgJSmU_zeJXDUw>
Subject: Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-iv-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jun 2018 18:11:02 -0000

Hi Valery,

Thanks for the feedback. Here are the update I propose. If that is fine for
everyone, I will update the current draft and publish a new version.

Yours,
Daniel

On Tue, Jun 26, 2018 at 9:22 AM, Valery Smyslov <smyslov.ietf@gmail.com>
wrote:

> Hi,
>
> I reviewed the draft and I believe it is almost ready. However,
> I think there still are few issues.
>
> 1. The last para of section 4 says:
>
>    As the IV MUST NOT repeat for one SA when Counter-Mode ciphers are
>    used, Implicit IV as described in this document MUST NOT be used in
>    setups with the chance that the Sequence Number overlaps for one SA.
>    Multicast as described in [RFC5374], [RFC6407] and
>    [I-D.yeung-g-ikev2] is a prominent example, where many senders share
>    one secret and thus one SA.  As such, it is NOT RECOMMENDED to use
>    Implicit IV with Multicast.
>
> I have three problems with this para. First, I think that this para
> should be moved into the Security Considerations section.
>
<mglt>
I am fine having it in the security consideration. Anyone opposed ?
</mglt>

Second, using RFC 2119 word in the beginning ("As the IV MUST NOT repeat")
> seems to be wrong here, since it is not an imperative, it's an explanation
> here
> (because the preposition "As" is used; note that the draft has already
> stated that the
> nonce MUST NOT repeat in the beginning of Section 4).


<mglt>
I think that this address your purpose:
OLD:
   As the IV MUST NOT repeat for one SA when Counter-Mode ciphers are
   used, Implicit IV as described in this document MUST NOT be used in
   setups with the chance that the Sequence Number overlaps for one SA.
NEW
   As the IV must not repeat for one SA when Counter-Mode ciphers are
   used, Implicit IV as described in this document MUST NOT be used in
   setups with the chance that the Sequence Number overlaps for one SA.

And last (but not least),
> I have some trouble following this para, it seems to me that it is
> self-contradicting.
> First it says that IIV MUST NOT be used if there is a chance that SN
> repeats
> (which I fully agree with), then it says that multicast is a prominent
> example of this situation (i.e. the situation when SN may repeat, which
> I fully agree with too) and finally it concludes that for multicast
> IIV is NOT RECOMMENDED (i.e. it SHOULD NOT be used).
> In other words it is allowed to use IIV for multicast in some
> circumstances,
> which in my opinion contradicts with earlier MUST NOT.
> Either remove the last sentence, or give more explanation
> when it is possible to use IIV for multicast.
>
<mglt>
OK I see your point. The reason is mostly that we had a quite long
explanation we removed because we went to the details of a solution we do
not standardize. I suggest we simply mention that some means are deployed.

OLD:
   Multicast as described in [RFC5374], [RFC6407] and
   [I-D.yeung-g-ikev2] is a prominent example, where many senders share
   one secret and thus one SA.  As such, it is NOT RECOMMENDED to use
   Implicit IV with Multicast.

NEW:
   Multicast as described in [RFC5374], [RFC6407] and
   [I-D.yeung-g-ikev2] is a prominent example, where many senders share
   one secret and thus one SA.  As such, it is NOT RECOMMENDED to use
   Implicit IV with Multicast, unless deployment specific mechanisms
prevent the IV to repeat are provided.

</mglt>


> 2. The draft defines IIV for ESP only and forbids to use it for IKEv2.
> It was discussed and I believe it is right, but I'd like to see few
> words (presumably in the Security Considerations) why IIV
> in its current form cannot be used in IKEv2. Something along the lines:
>
>   This document defines three new encryption transforms that use implicit
> IV.
>   Unlike most encryption transforms defined to date, which can be used
>    for both ESP and IKEv2, these transforms are defined for ESP only and
> cannot
>    be used in IKEv2. The reason is that IKEv2 messages don't contain unique
>    per-message value, that can be used for IV generation. The Message-ID
>    field in IKEv2 header is somewhat counterpart of SN field in ESP header,
>    but recent IKEv2 extensions ([RFC6311], [RFC7383]) do allow it to
> repeat,
>    so there is no an easy way to derive unique IV from IKEv2 header fields.
>

<mglt>
I am fine adding the text in the draft.
</mglt>

>
> Regards,
> Valery.
>
> > This message starts a working group last call (WGLC) on
> draft-ietf-ipsecme-implicit-iv-04, which will conclude
> > on June 29, 2018 at UTC 23:59. Please review and provide feedback on the
> -04 version
> > (https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/).
> Please indicate if you believe this draft is
> > ready for publication or if you have comments that must be addressed
> before the draft progresses.
> >
> > Regards,
> > Dave
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email