Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-multiple-ke
Paul Wouters <paul.wouters@aiven.io> Mon, 16 August 2021 20:24 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24AF93A0E25 for <ipsec@ietfa.amsl.com>; Mon, 16 Aug 2021 13:24:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tQgAvA4yUS2G for <ipsec@ietfa.amsl.com>; Mon, 16 Aug 2021 13:24:29 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E52BF3A0E23 for <ipsec@ietf.org>; Mon, 16 Aug 2021 13:24:28 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id n12so28292291edx.8 for <ipsec@ietf.org>; Mon, 16 Aug 2021 13:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=mmj6WvOtB3IAQ7g2eIWKUOqVRmMwQOyvON1i5MsSGYQ=; b=fJwAsyCzCB8dE77fl6kAtqGtd+49zc46WwaUZMsaRYreZJ2F5WN04oeRuXKMLyWfjH 900dBocFB9wQVwBggkwjjlmVVb37z8co5mEACOrOHPk4HHi/wgoB2FFAUTPw92dMCne0 Sf/Rti6bgcBWfFU3oEor/luRcg+ILPo57efRg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=mmj6WvOtB3IAQ7g2eIWKUOqVRmMwQOyvON1i5MsSGYQ=; b=D1KY/hG09iN7HrrYS8Ay+4iCGU2rnG9XmZ4bQfL46sHEdoDzGfAfyY1vyvLJS7YNll 1tTBfhMaqQ1H2y8/KVDOCZJ4usaShTY+D7e/DAzJGVdcb4HXXNhVNIpJbzAdGxA3f8wK YSui9T+iuaT5lmHb/bz+4ccOo1AUyH0m1t4j6Ts5s9NJ1zlRoH3HzVlgckMsHfdOQcEy Rp89roJaQDQlZG6US6d9N6/W6PWk+QkADbwLoonHC1mOySDqmSefAdKhA5JREc36Yh1c VL6A6x6CLWPMdFKwrBiHNYAjzR/SwVFSBd6Ys84iUGXLkqUrdpsNRkGGdQZ0LuJnzrAW L4PA==
X-Gm-Message-State: AOAM532sbA/TNWIYQ1Qir+vCaE9zMdnBIjptBkjEyE1l8G8Uvyc2eY0G FyuGjnIUcfaUnVt6bxSilRmcIw==
X-Google-Smtp-Source: ABdhPJxs1yyalFAmKMqwXIncRneFuWTBbUfGtk5VDcLpijqVPNlzHFHNqOnIeKDXrkxT7m6iMbd/Ow==
X-Received: by 2002:aa7:df98:: with SMTP id b24mr402948edy.103.1629145466062; Mon, 16 Aug 2021 13:24:26 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id d19sm95262ejj.122.2021.08.16.13.24.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 16 Aug 2021 13:24:25 -0700 (PDT)
Date: Mon, 16 Aug 2021 16:24:22 -0400
From: Paul Wouters <paul.wouters@aiven.io>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: 'Paul Wouters' <paul.wouters=40aiven.io@dmarc.ietf.org>, 'Tero Kivinen' <kivinen@iki.fi>, "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <1ced01d78558$c3696700$4a3c3500$@gmail.com>
Message-ID: <78be2fbb-5efa-826e-b593-1a7194ec34f4@nohats.ca>
References: <24831.15134.45575.357305@fireball.acr.fi> <6bca2d7d-a061-148b-bbdb-1783e72a936@nohats.ca> <1ced01d78558$c3696700$4a3c3500$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/rKTGMvtsBPyFoyrIysbba-iWHYE>
Subject: Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-multiple-ke
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Aug 2021 20:24:34 -0000
On Fri, 30 Jul 2021, Valery Smyslov wrote: [ replying as I got prompted by Tero on this regarding WGLC ] >> I have reviewed the document. In general I support this document. I >> really like the idea of renaming the DH Registry to KE. I do think it >> is not ready yet though. My comments and questions follow below. >> >> Key exchange methods negotiated via Transform Type 4 MUST always take >> place in the IKE_SA_INIT exchange. Additional key exchanges >> negotiated via newly defined transforms MUST take place in a series >> of IKE_INTERMEDIATE exchanges, in an order of the values of their >> transform types, so that key exchange negotiated using Transform Type >> n always precedes that of Transform Type n + 1. >> >> I don't understand this section, specifically the use of "Transform Type 4" >> and "Transport Type n+1", as we only have transform type 5 and nothing >> higher and that is Extended Sequence Number. > > A one para above new Transform Types are introduced: > Additional Key Exchange 1, Additional Key Exchange 2, > Additional Key Exchange 3, etc. Once added to IANA registry, > they will get their numbers (hopefully in an order of their names). > The text is trying to say, that when additional KE are being negotiated, > the order in which they will take place is defined by the order > of assigned Transform Types (which will correspond to the order of their names). > > In other words, if at the end of negotiation peers decided that > they will perform base KE (negotiated via Transform Type 4, which this draft > renames to "Key Exchange Method (KE)") 2048-bit MODP Group, > and two additional Key Exchanges - SIKE_P434, negotiated in > "Additional Key Exchange 3" transform, and FRODOKEM_640_AES, > negotiated in "Additional Key Exchange 5" transform, then > they agree to use 2048-bit MODP Group in the IKE_SA_INIT, > then SIKE_P434 in the first IKE_INTERMEDIATE > followed IKE_SA_INIT and FRODOKEM_640_AES in the next > IKE_INTERMEDIATE. I guess this all still feels like a bit of a kludge. I wonder if there is a way to do this with one new transform type, and an ordered list of proposals inside. I understand the desire to specify order, but I feel the current method is fragile and error prone. Eg if one end has Additional Key Exchange 1 = SIKE_P434, Additional Key Exchange 2 = FRODOKEM_640_AES and the other end has Additional Key Exchange 1 = FRODOKEM_640_AES, Additional Key Exchange 2 = SIKE_P434, where both might not really care which goes first or second. I think it would be worth thinking about this problem a bit more. > It is implied here (and defined in Section 3.1). But the real message here is that the order of key exchanges > performed in a sequence of IKE_INTERMEDIATE is defined by the order of "Additional Key Exchange *" > transforms via which they are negotiated. Then please say it clearly, instead of implying it. >> Each IKE_INTERMEDIATE exchange MUST bear exactly one key exchange method. >> >> I don't understand why there is this limitation. What if some Key >> Exchange mechanism will require 2 RTTs. Why preventively forbid that? > > We didn't consider such exotic key exchange methods and, I think, > if they appear, they will deserve a separate document. Sure, but it would be best if such a new document would not need to Updates: this document just for this one little change. So why not: - Each IKE_INTERMEDIATE exchange MUST bear exactly one key exchange method. + All Additional Key Exchanges MUST be in their own Exchange - that is + these KE's cannot be exchanged via a single IKE message exchange. I also just realised that Addtional Key Exchange is not the best term for this, as it is very close to Internet Key Exchange and people might think this is a chain of IKEv2 and something else. Maybe "Additional KE Exchange" would be better? > But the real message here is that you cannot perform > several key exchanges using a single IKE_INTERMEDIATE exchange. > In other words, you cannot put several public keys > of different Key Exchange methods in a single IKE_INTERMEDIATE > message. I tried to phrase it above, but I think it can be improved upon further. >> So how does an intiiator convey that it deems an additional Key Exchange >> to be mandatory? > > If the initiator includes "Additional Key Exchange N" transform, > then the responder MUST choose a single method from > those included in this transform. If the list of included > methods doesn't contain NONE, then the responder > have to choose one of them, so performing this KE > method is mandatory. To make it optional the initiator > includes NONE among other methods. This allows > the responder to select NONE and thus to skip doing > this additional KE. That makes it clearer, but. If each Additional Key Exchange carries a None, does that mean it these Exchanges can be fully omitted and we are only doing DH/KE from IKE_SA_INIT ? What if the Additional Key Exchange 1 contains None, and there is an Additional Key Exchange 2 ? Does it mean that everything can still be skipped ? I'm still not a big fan of the specification this way. I wish we could find a way to do this in one new transform type and somehow enforcing an ordered list. >> If the initiator includes any transform of type n (where >> n is among Additional Key Exchanges) in the proposal, the responder >> MUST select one of the algorithms proposed using this type. A >> transform ID NONE may be added to those transform types which contain >> key exchange methods that the initiator believes are optional. >> >> And so I again do not understand this. What is "n" here? a new transform >> type ? ( eg n=6 ??) or a new entry in the Transform Type 4 Key Exchange >> registry? > > n here is new Transform Type. We define "Additional Key Exchange 1", > "Additional Key Exchange 2", "Additional Key Exchange 3" ... > up to "Additional Key Exchange 7". Understood. >> At his point, the Additional Key Exchange is introduced, and I am >> beginning to understand things. This should really be explained before >> the text I pointed at above to make any sense to the reader. And see >> below on placing "Additional Key Exchanges" into the "Key Exchanges" >> Registry. > > Actually, the new transforms are introduced in 3.2.1, but I see your point > and probably we should add more clarifications before this section. Please please please include some asci art of this exchange in IKE_SA_INIT. I ensure you that will make it much more easy for a new reader to understand this. > (I also noted that Additional Key Exchange transforms are mentioned at the end of > 3.1 before their formal introduction, that must be fixed). > >> The next part explains the CREATE_CHILD_SA and IKE_FOLLOWUP_KE exchanges. I >> personally would prefer that a different exchange than CREATE_CHILD_SA >> is used if the completion of such an exchange does not lead to a fully >> rekeyed state. This use of completing a CREATE_CHILD_SA and being in a >> state that is not "rekeyed" or "failed" complicates the state machine. > > That's true. However, there is a tradeoff here. If you defined a new two-message exchange, > that performed multiple key exchange methods at once, then > the initiator would include public keys for all KE methods it proposed > which is terrible for performance reasons, since the responder may > reject most of them. The message size is also would grow dramatically, > and in case the responder selected a tiny subset of what was proposed, > this would be extremely inefficient. I'm not convinced this is a valid reason to break open the clear state of CREATE_CHILD_SA and a REKEYed IKE SA. This is really unpleasant for our state machine. >> The data associated with this notification is a blob meaningful only to the responder >> >> Why a blob? Why not the imminent new SPI it generated for this new IKE SA? >> If you really want a blob, there should be an example of how to generate >> the blobs. I don't see any such guidance in the document. > > The purpose of this data blob is to allow the responder to link > CREATE_CHILD_SA and subsequent IKE_FOLLOWUP_KE between > themselves in case the initiator creates several Child SAs > (or rekeys them, or rekeys IKE SA) simultaneously. Again, then why not simply use the MSGID of the corresponding CREATE_CHILD_SA ? >> Below is an example of three additional key exchanges. >> >> Initiator Responder >> --------------------------------------------------------------------- >> HDR(CREATE_CHILD_SA), SK {SA, Ni, KEi} --> >> <-- HDR(CREATE_CHILD_SA), SK {SA, Nr, KEr, >> N(ADDITIONAL_KEY_EXCHANGE)(link1)} >> >> >> Why does the initiator not start out with a N(ADDITIONAL_KEY_EXCHANGE) ? >> There has been an Additional Key Exchange in the initial exchanges, so >> why not start out with one in the rekey from the initiator? > > Because N(ADDITIONAL_KEY_EXCHANGE)(data blob) is for the responder > to allow it to properly link IKE_FOLLOWUP_KE with this particular CREATE_CHILD_SA. Understood (but see above) >> It has given no indication it might be mandatory from the initiator's point of view. > > You are right, this must be clarified in the draft. Okay. >> It is possible that due to some unexpected events (e.g. reboot) the >> initiator could forget that it is in the process of performing >> additional key exchanges and never starts next IKE_FOLLOWUP_KE >> exchanges. The responder MUST handle this situation gracefully >> >> And wouldn't that solve this weird state issue if the initiator already >> signalled this clearly in CREATE_CHILD_SA, so the responder could in >> that case already return an error in the CREATE_CHILD_SA exchange? > > Sorry, I didn't follow your idea. Can you elaborate? I'm lost here too now. But I think however something workds if it saves state and reboots should not affect the protocol design? >> Note that I find the argument weird, why would an IKE peer forget some >> of its state after a reboot? Both peers should always remember AKE's >> were used and have to be used again upon (PFS) rekeys. > > It's true, but in this case the initiator forgets that it started CREATE_CHILD_SA > (with AKEs) before reboot. In this case it never continues this sequence > after rebooting and restoring last stable IKE SA state. Well yes. If the initiator is broken, the connection might fail. I don't think we need to guard against that. >> it MUST send back a new error type notification STATE_NOT_FOUND. >> This is a non-fatal error notification >> [...] >> If the initiator receives this notification in >> response to IKE_FOLLOWUP_KE exchange performing additional key >> exchange, it MUST cancel this exchange and MUST treat the whole >> series of exchanges started from the CREATE_CHILD_SA exchange as >> failed. >> >> So why use a non-fatal error notification that leads to a guaranteed failure ? > > Because the failure may be recoverable - just start new CREATE_CHILD_SA > with AKEs. I see no need to delete IKE SA in this case. > Of course, if the failure persisted after several attempts, then > the only thing peer can do - delete SA. I think this just complicates things too much. We shouldn't have confused peers or forgetful peers. Just hard fail when something unexpected happens. assert() for the win :P >> Note there seems to be a notion of AKE's having continuous state, as >> opposed to (EC)DH where you start a new state with the rekey exchange. >> Perhaps this should be clarified at the beginning of the document? > > Can you please provide text candidate? I can try. >> This document adds the following Transform Types to the "Transform >> Type Values" registry: >> >> Type Description Used In >> ----------------------------------------------------------------- >> <TBA> Additional Key Exchange 1 (optional in IKE, AH, ESP) >> <TBA> Additional Key Exchange 2 (optional in IKE, AH, ESP) >> <TBA> Additional Key Exchange 3 (optional in IKE, AH, ESP) >> <TBA> Additional Key Exchange 4 (optional in IKE, AH, ESP) >> >> >> Why are the descriptions referring to "additional" key exchange? I would >> assume the registry is just a list of Key Exchange types, and whether >> one of these is "additional" or not depends on its use in IKE ? That is, >> one of the Key Exchanges that today is "additional" might one day be >> used as the only Key Exchange without Additional Key Exchanges? If we >> really are making some of these exchanges as "additional use only", then >> we should really create a new transform type registry for AKE that is >> separate from the Key Exchange Type (4). > > Additional here means that KE methods negotiated via these transforms > are always performed in addition to KE method, negotiated via Transform Type 4. so this was again me being confused about the entire mechanism of the draft. This is why I strongly urge you to add some ascii art about how these payloads flow (as part of the SA payload) >> the key lengths of these >> transforms SHALL be at least 256 bits long in order to provide >> sufficient resistance to quantum attacks. >> >> I would use MUST instead of SHALL. > > OK. > >> The main focus of this document is to prevent a passive attacker >> performing a "harvest and decrypt" attack. In other words, an >> attacker that records messages exchanges today and proceeds to >> decrypt them once he owns a quantum computer. This attack is >> prevented due to the hybrid nature of the key exchange. Other >> attacks involving an active attacker using a quantum-computer are not >> completely solved by this document. This is for two reasons. >> >> I think this part and the text right underneath this belongs in the >> Introduction more than it belongs in the Security Considerations >> section. > > This probably makes sence. I'll discuss this with my co-authors. Okay. >> Unfortunately, this design is susceptible to the following >> downgrade attack. >> >> I'm not convinced this is an issue actually. If you really do think a >> proper configuration would not sufficiently protect against this, the >> initiator could send a notify in the second IKE_SA_INIT of the rejected >> KE value from the previous response, so that this attack would be >> detected. > > I won't comment on this - this is just an appendix with early > design alternatives. I'll let my co-authors to comment on this. Okay. >> We discarded this approach because we believe that the working >> group may not be happy using the RESERVED field to change the >> format of a packet and that implementers may not like the >> complexity added from checking the fragmentation flag in each >> received payload. >> >> I think that is exactly why we have RESERVED fields. As implementer, I >> don't think that this would have been too complex. But I think using >> INTERMEDIATE is fine, especially if multiple solutions can use this >> method for their own usage, and having a generic method is better than >> having specific methods per postquantum/hybrid solution. > > OK, we are in agreement :-) While we might be in agreement, we are in disagreement on why the other approach was discarded :) So the real question is, should it be considered? I do think that this document needs some more work to clarify things, and I would really like to see more people reviewing this document as well. I would also like to see a discusion of a "simpler" design that would not use 4 Transform Type's, but only 1, and see if that would be "simpler" (simpler in quotes twice because i can't evaluate yet without such discussion which would be the simpler solution. Paul
- [IPsec] WGLC for draft-ietf-ipsecme-ikev2-multipl… Tero Kivinen
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-mul… Paul Wouters
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-mul… Tobias Brunner
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-mul… Valery Smyslov
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-mul… rmguthr@uwe.nsa.gov
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-mul… CJ Tjhai
- [IPsec] WGLC for draft-ietf-ipsecme-ikev2-multipl… Tero Kivinen
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-mul… Paul Wouters
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-mul… CJ Tjhai
- Re: [IPsec] WGLC for draft-ietf-ipsecme-ikev2-mul… Valery Smyslov