Re: [IPsec] #121: Rekeying IKE SAs: KEr errors and PRF question
Scott C Moonen <smoonen@us.ibm.com> Tue, 24 November 2009 14:34 UTC
Return-Path: <smoonen@us.ibm.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9AC5C3A6A6C; Tue, 24 Nov 2009 06:34:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dH+eVF0B9wY1; Tue, 24 Nov 2009 06:34:48 -0800 (PST)
Received: from e9.ny.us.ibm.com (e9.ny.us.ibm.com [32.97.182.139]) by core3.amsl.com (Postfix) with ESMTP id DFBD43A6861; Tue, 24 Nov 2009 06:34:47 -0800 (PST)
Received: from d01relay01.pok.ibm.com (d01relay01.pok.ibm.com [9.56.227.233]) by e9.ny.us.ibm.com (8.14.3/8.13.1) with ESMTP id nAOET7F3020646; Tue, 24 Nov 2009 09:29:07 -0500
Received: from d03av06.boulder.ibm.com (d03av06.boulder.ibm.com [9.17.195.245]) by d01relay01.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id nAOEYgDd105922; Tue, 24 Nov 2009 09:34:42 -0500
Received: from d03av06.boulder.ibm.com (loopback [127.0.0.1]) by d03av06.boulder.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id nAOEaMIK018155; Tue, 24 Nov 2009 07:36:22 -0700
Received: from d03nm118.boulder.ibm.com (d03nm118.boulder.ibm.com [9.17.195.144]) by d03av06.boulder.ibm.com (8.14.3/8.13.1/NCO v10.0 AVin) with ESMTP id nAOEaL8b018146; Tue, 24 Nov 2009 07:36:22 -0700
In-Reply-To: <19211.58760.146418.200791@fireball.kivinen.iki.fi>
References: <p06240845c730d6c840bf@[10.20.30.158]> <19211.58760.146418.200791@fireball.kivinen.iki.fi>
MIME-Version: 1.0
X-MIMETrack: S/MIME Sign by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 11/24/2009 09:29:09 AM, Serialize by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 11/24/2009 09:29:09 AM, Serialize complete at 11/24/2009 09:29:09 AM, S/MIME Sign failed at 11/24/2009 09:29:09 AM: The cryptographic key was not found, S/MIME Sign by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 11/24/2009 09:29:21 AM, Serialize by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 11/24/2009 09:29:21 AM, Serialize complete at 11/24/2009 09:29:21 AM, S/MIME Sign failed at 11/24/2009 09:29:21 AM: The cryptographic key was not found, Serialize by Router on D03NM118/03/M/IBM(Release 8.5.1HF41 | October 22, 2009) at 11/24/2009 07:34:38, Serialize complete at 11/24/2009 07:34:38
To: Tero Kivinen <kivinen@iki.fi>
X-KeepSent: 014949C9:2D2A37A6-85257678:004F4391; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.0.2 HF623 January 16, 2009
From: Scott C Moonen <smoonen@us.ibm.com>
Message-ID: <OF014949C9.2D2A37A6-ON85257678.004F4391-85257678.0050127F@us.ibm.com>
Date: Tue, 24 Nov 2009 09:34:37 -0500
Content-Type: multipart/alternative; boundary="=_alternative 004F976385257678_="
Cc: IPsecme WG <ipsec@ietf.org>, ipsec-bounces@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] #121: Rekeying IKE SAs: KEr errors and PRF question
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 14:34:49 -0000
> > Section 2.18 also states that in the case of the old and new IKE SA > > selecting different PRFs, that the rekeying exchange (for SKEYSEED) > > is done using the *old* IKE SA's PRF. What happens after that? The > > end of section 2.18 says that SK_d, etc are computed from SKEYSEED > > as specified in section 2.14. If the PRF changed, which PRF is used > > for the prf+ calculations, the old PRF or the new PRF? > > I would interpret "because the rekeying exchange belongs to the old > IKE SA, it is the old IKE SA's PRF that is used", to cover also the > SK_d, SK_ai, etc generation and also prf+ uses. First thing that uses > new PRF, is when new IKE SA is used to generate KEYMAT, or SKEYSEED > for next IKE SA rekey. But I agree this is not very clear, and could > be clarified. We've interpreted it as follows: 1) the old IKE SA's PRF is used to produce SKEYSEED, but 2) the new IKE SA's PRF is used to produce SK_x. We've successfully interoperated with a number of other platforms that seem to have made the same interpretation. Scott Moonen (smoonen@us.ibm.com) z/OS Communications Server TCP/IP Development http://www.linkedin.com/in/smoonen From: Tero Kivinen <kivinen@iki.fi> To: Paul Hoffman <paul.hoffman@vpnc.org> Cc: IPsecme WG <ipsec@ietf.org> Date: 11/24/2009 08:55 AM Subject: [IPsec] #121: Rekeying IKE SAs: KEr errors and PRF question Paul Hoffman writes: > We earlier agreed in issue #50 to make the KEr in Section 1.3.2 > (Rekeying IKE SAs with the CREATE_CHILD_SA Exchange) mandatory: > <-- HDR, SK {SA, Nr, KEr} > Note that this is not in the current draft, but will be in the next one. > > So, what happens if the responder does not include a KEr, following > the syntax in RFC 4306? Does the process revert back to using only > the SK_d and the new nonces, or does the responder reject the > request and indicate its preferred DH group in the > INVALID_KE_PAYLOAD notification payload (section 1.3)? The latter > seems much more likely, given the text in 2.18. If so, we should say > so explicitly. Note, that this can only happen if initiator allowed responder to not give KEr. Initiator tells the responder whether it requires Diffie-Hellman by listing Diffie-Hellman groups in its SA payload. If it does not include group 0 (NONE) then responder does not have option to send KEr (both for RFC4306 and IKEv2bis implementations). RFC4306 implementations are allowed to include the Diffie-Hellman group 0 (NONE), but IKEv2bis implementations are not allowed to include it anymore. This means that if RFC4306 implementation talks as initiator to the IKEv2bis responder implementation and RFC4306 implementation selects Diffie-Hellman group 0, and does not include KEi then IKEv2bis implementation will return INVALID_KE_PAYLOAD and request RFC4306 implementation to select some other group (provided the RFC4306 implementation listed any acceptable group in its SA payload). If they cannot find group which is acceptable for both then the negotiation will fail with NO_PROPOSAL_CHOSEN. On the other hand if IKEv2bis implementation talks as initiator to the RFC4306 implementation, then IKEv2bis implementation will include KEi, and MUST NOT include group 0 (NONE) in its SA payload, thus RFC4306 implementation is not allowed to select group 0, meaning it must return proper KEr, or NO_PROPOSAL_CHOSEN if none of the groups were acceptable (or INVALID_KE_PAYLOAD if group selected by KEi was not acceptable, but some other group in SA payload is). This means that if either end is IKEv2bis implementation, there cannot be situation where KEr is ignored, and where we would not have g^ir (new) for SKEYSEED calculation. I do not think we need extra text for this, as if implementors follow the currect text in section 2.18 which says IKEv2bis implementations MUST NOT propose the value "NONE, and MUST NOT accept such proposal, then there is no problem. > Section 2.18 also states that in the case of the old and new IKE SA > selecting different PRFs, that the rekeying exchange (for SKEYSEED) > is done using the *old* IKE SA's PRF. What happens after that? The > end of section 2.18 says that SK_d, etc are computed from SKEYSEED > as specified in section 2.14. If the PRF changed, which PRF is used > for the prf+ calculations, the old PRF or the new PRF? I would interpret "because the rekeying exchange belongs to the old IKE SA, it is the old IKE SA's PRF that is used", to cover also the SK_d, SK_ai, etc generation and also prf+ uses. First thing that uses new PRF, is when new IKE SA is used to generate KEYMAT, or SKEYSEED for next IKE SA rekey. But I agree this is not very clear, and could be clarified. -- kivinen@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] #121: Rekeying IKE SAs: KEr errors and PR… Paul Hoffman
- Re: [IPsec] #121: Rekeying IKE SAs: KEr errors an… Pasi.Eronen
- [IPsec] #121: Rekeying IKE SAs: KEr errors and PR… Tero Kivinen
- Re: [IPsec] #121: Rekeying IKE SAs: KEr errors an… Scott C Moonen
- Re: [IPsec] #121: Rekeying IKE SAs: KEr errors an… Tero Kivinen
- Re: [IPsec] #121: Rekeying IKE SAs: KEr errors an… Paul Hoffman
- Re: [IPsec] #121: Rekeying IKE SAs: KEr errors an… Scott C Moonen
- Re: [IPsec] #121: Rekeying IKE SAs: KEr errors an… Tero Kivinen