Re: [IPsec] secdir review of draft-ietf-lwig-minimal-esp-03
Daniel Migault <daniel.migault@ericsson.com> Wed, 31 March 2021 12:46 UTC
Return-Path: <daniel.migault@ericsson.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E116E3A275D; Wed, 31 Mar 2021 05:46:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id haQ3LIHaEiWV; Wed, 31 Mar 2021 05:46:30 -0700 (PDT)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2087.outbound.protection.outlook.com [40.107.94.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69E4A3A2760; Wed, 31 Mar 2021 05:46:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bEMnE39zBUnGXCa6bo6z4YCN6CsxD1p5LBxTNQFfG9eH38CM+n4KwTWj3IdFSezqHGCqyjjaLVLLkxvpk0dHK9fTO2dZtkfGbJBFTSABdR4Qh4T0hkFMcObLXlx9prCfN6N7BAor96vRw9J88WQnLAudq0QxdLS2p+OeVzcSwbxeSU2GNdS6Gjp62IPOXwx/3eadHBSViAH23HtvmGIBQfaudYLs/FAAyYrlras1unCzKGarcKB65TIuLq2YHZSTZuAXlq/FHyy6GSzjqxdT5neiRmnUXyPLdmeSpci1wRCsBHwj15h803bMyl/3iKVOSfgZ1yDOtm3wBLM5RQ0lTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GxBbmdrdbHXEx9hZmOojJ2sDmZxK+VR2ij+/NXICWNo=; b=EP2EerNZn8upFHiUKjd2ZSqW98KIChZRQ+JFaQZ7agXzkKqcKKhK53nhb5hD5/z7wkE4SaJzuoHHdJcOhYhlqYRjwgpodHpfVXZV/LFWpl2tQ90XpiGcu9fHLQ4VEGl/+jRMOUrYc/4zhO3ynV8J2h8SvZLWu2yRC4fTmC6oC1skBQBCxbdNqg5ZF6FcnkA6meBxKF6W1TW55TIqNBVtRk9GT7+yI/oqBrM31Aoz7ihErAPUuKKQi7jOBRBrCpHZrjrlx0QARiViYbjqXlO7+7moiejM2v+duk7YEw6k81cOvnKKdxdT0zqn8lg5acUX7RMYXW6OXPdFeknzgoEiZg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GxBbmdrdbHXEx9hZmOojJ2sDmZxK+VR2ij+/NXICWNo=; b=nyzsG4s0oZpukz3ryOL95IhdNJFQLKzm7RUMcZLPw970GUZYBAwWQnZ2K4N3b7V8jg9fFkV8FXIvQgYpx9uAtgoRi/sERRlwxBvcvLoD8DwPFcZUrNO7+k//7d0VvLF5wwruffrjp9Eo5+7Ft7rFYR1F8DKGXyC3OQV5fTpN/B0=
Received: from DM6PR15MB2379.namprd15.prod.outlook.com (2603:10b6:5:8a::16) by DM6PR15MB4072.namprd15.prod.outlook.com (2603:10b6:5:2bf::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3977.33; Wed, 31 Mar 2021 12:46:27 +0000
Received: from DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::98bf:c687:dcef:f893]) by DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::98bf:c687:dcef:f893%4]) with mapi id 15.20.3933.039; Wed, 31 Mar 2021 12:46:27 +0000
From: Daniel Migault <daniel.migault@ericsson.com>
To: David Mandelberg <david@mandelberg.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-lwig-minimal-esp.all@ietf.org" <draft-ietf-lwig-minimal-esp.all@ietf.org>, IPsecME WG <ipsec@ietf.org>, "lwip@ietf.org" <lwip@ietf.org>
Thread-Topic: secdir review of draft-ietf-lwig-minimal-esp-03
Thread-Index: AQHXI1GfjWEz1qZlx0uM4o//1Jg8fKqeCHmQ
Date: Wed, 31 Mar 2021 12:46:27 +0000
Message-ID: <DM6PR15MB2379811A6726483DE59D21F1E37C9@DM6PR15MB2379.namprd15.prod.outlook.com>
References: <91f5ebd2-b24f-ca04-eba0-60d0c9b6f401@mandelberg.org>
In-Reply-To: <91f5ebd2-b24f-ca04-eba0-60d0c9b6f401@mandelberg.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mandelberg.org; dkim=none (message not signed) header.d=none;mandelberg.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [96.22.11.129]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 41c67815-556d-483f-b1fa-08d8f443002c
x-ms-traffictypediagnostic: DM6PR15MB4072:
x-microsoft-antispam-prvs: <DM6PR15MB4072208296DE9ED30E7B8222E37C9@DM6PR15MB4072.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: cFvt9q27tVyFOba6gJYFXQ66qcdB7mkbSFxCwn1vjzzSUtO6UxujKPXvSC6LSll1uiXJg+CZs2W6tADSZ0ATRwxwd1qdrlrbhtOtw5x/Iiouf0IwpKooDq0xjkOIDOArafWcLvumSF0oqIIlB5x1rOpKo7Tq+BI1IzliJXMeQqBh+8OvwBhzK0XYiVntnZvmxmVJZoqEQdnxX6SDqREy4pu8A/+nnzh3Qe6XKPJhwQwRL429MqFM+zhQU4sq/SWCpokwao2lRfJN19obLsU2WD2mNzexhr42zoKfwknDaC5Zre/yB/HCfr5NNlOlG9C6lbHbet2op0DFoHFAZgXIYh2oTjfJRbipQqSN4DKzv7TnisnvfziJzsmIEO4VXW8OJb0wIlHZkCnAfxB/wFF9pJnbwQJP9gmpnvdTm+Y4LHp8+OuO/PQXvVw+e/TA5UHJucN3pCBeC0cV5M1WFMcM1jjE08aq7LkLVpa0oZAM1071AHadzJ6ntMBtxFhiSEPeNESO4yIGEUDe7zM01uWSQEOB6NQwhiEzbfA+mhaHkAgqtGdbhvs4seeDFizJ9fcZdmmgv4dmQaJepAsaiHYt+AdulfQd5g6KSLWcLghBcB8nJvQ6NfXltRGWtSi+KZnYU+mJ/3h44QTOtuAXi6E9eBDLk1ZLbuj0JCYQAGhF7BQ7ytOJKkUpzKjuEcPwIhCW6RwUh27jGYQWfNMJOpZK+AHGy9u36RzHoghK+Sc9JcsyXlyZrnXcVAv8FUuRaFqu
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR15MB2379.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(346002)(136003)(376002)(39850400004)(396003)(52536014)(83380400001)(316002)(2906002)(5660300002)(110136005)(26005)(55016002)(478600001)(38100700001)(71200400001)(7696005)(33656002)(86362001)(186003)(9686003)(76116006)(8936002)(8676002)(66446008)(64756008)(66556008)(66476007)(66946007)(6506007)(53546011)(966005)(44832011); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 4wBBEh28j1hE1K6Wxi1G6D+CmKry9adCMG/LhkdUHCNhVbUPKMUBaFKrDoAd5n59FghqaGwOjAk9/9qGmTDl1fu+JsUASdObtqz4xEFlNBf7DcZc1YXq6stxZQ2+Kqk5Sw01NacS2/6KUU78hYy0rQgusL2HIpTAk0RhJQEDmqjPhgOrPBRgDcaZqiq9aNFBvqFJ2cRhQ1IJ7ySSlyTFpaWVy2HdyqjNhIVz0CisxSawzWM1CYRUN6DFanGTLBDhpt+ui2MsNpAptOPaaGodxjKG8xg8LutTP0Xoygux8ocp6EFdmKrNch45ZhZAb9ewOzTGeOaei5uH20Wp8HM73hkw0pVG+e7v/BVQqOWpn6RPrF08ttOVD/+JssZOIl9L85eUyqcm5AFcdpY+na6av/uAk/g/G8ukNh77Qx/CV4wmH56zPOSBkurOWjMX3wLQPpNAyUGNd6hDkyei/6i/As/rsWVhZ3Nc7xoZP7ySMIItVR8QGWoQkXi0A3U5i67b0TaRRTxmeNe6aajOwJGz7b8oYwsyTdSyIODVyLZ7PnVQICbz5ROhfOfCezeBYXH3MqEbLbv6VB0SXO+u2kcH2OsHuxCQGLUKL60ND26PvoEIWLs/5D/zdYhjHU2Ck+R44jZtl+G+PoFjDin7d0af87MjtAHJlINL83Vzjg0p/zjCzlLmUQNg6RyWWUXio2JG8R+uTKJRMJTaPmvNc14a67KLXj3Cc5NqlWpZls6rwXPzM2ZYeMVUBsjavhPSjQcfCK4E2ZHp0bvzO0one4DwCxtEH3OfD5I0um8khvbFVqsnlFE7QNuPsEyR7TLmUXDjY/TmCtQRAhP5NfWHkWFlMIe0QcxWSUl/R4QKNf5OR8slN16id93sIHxIWyTnazy6362Zzdn82rc0y1T2p0vYH8VqLvwD0D956BjGL8ErpBiQAYtHwxsvKO5YyVVznf8O/ADuhzOip1aPtzyDDqvkc+KjJT/NAauD1Hdb/h+SNo85u4HQY3WxfIxD9mCdjJl+wnDKq/1YW+8J2uN28hw7VRe/l87Xmm54GhycmIwXM0IquuGMOEP7D7H7Gdt5Qw71RkRFFs1AFqNGUeFL+5CCujbWXsAt4sEKaiTpFzOjr2ARWvLxIMmgobS0cCv2a9wiQSpKekdeNZFqJy/iMiZGx7bevMbAnmnHhMEHBg4zVLEKjt0yZTY3XtB95LgZVR4UNwoE9rCA2QbSsMjeLB4tBQBcbtujq3M4SowO7ZAl6WxvxI9KPe1DZbBAQCHOidK0KDRrJTOhX26fd1otUqGcBIY08cnt16BJCMnJcXIoYiA=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR15MB2379.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 41c67815-556d-483f-b1fa-08d8f443002c
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Mar 2021 12:46:27.5150 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: qZAQL5H5sb2j6SrUF+VCGCtL8uDH3rHsHwFbu4u6Pjunbqj3ED9Zu5sCdKMcIJfygsvulZms7mJbehet08dqgSWqfaJTrVhGo14uGmC84iw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR15MB4072
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/snaAM1y9yZYaWq8MDrWynmGzr8Y>
Subject: Re: [IPsec] secdir review of draft-ietf-lwig-minimal-esp-03
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2021 12:46:36 -0000
Hi David, Thanks the review. I think the text in [1] addresses your concern. I will probably publish the a new version today. Please see my responses inline. Yours, Daniel [1] https://github.com/mglt/draft-mglt-lwig-minimal-esp/pull/1/commits/fb9393a246298e37adcf2683afa2061a40b4ed89 -----Original Message----- From: David Mandelberg <david@mandelberg.org> Sent: Saturday, March 27, 2021 5:39 PM To: iesg@ietf.org; secdir@ietf.org; draft-ietf-lwig-minimal-esp.all@ietf.org Subject: secdir review of draft-ietf-lwig-minimal-esp-03 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Ready with nits. (Section 3, nit) In the paragraph that includes "However, nonrandom SPI and restricting their possible values MAY lead to privacy and security concerns" , it would be nice to add something like "(see below for more details)". When I first read that paragraph, I was about to comment that it's unclear what the privacy/security concerns are, but then it was explained a few paragraphs below. <mglt> That is correct, we restructured a bit the section to clarify this by having a subsection dedicated to considerations over the generation of SPIs. The current section is available at [1] and is mentioned below: [1] https://github.com/mglt/draft-mglt-lwig-minimal-esp/pull/1/commits/fb9393a246298e37adcf2683afa2061a40b4ed89 <section title="Considerations over SPI generation"> <t>SPI that are not randomly generated over 32 bits MAY lead to privacy and security concerns. As a result, the use of alternative designs requires careful security and privacy reviews. This section provides some considerations upon the adoption of alternative designs. </t> <t>Note that SPI value is used only for inbound traffic, as such the SPI negotiated with IKEv2 <xref target="RFC7296"/> or <xref target="RFC7815"/> by a peer, is the value used by the remote peer when it sends traffic. As SPI is only used for inbound traffic by the peer, this allows each peer to manage the set of SPIs used for its inbound traffic. Similarly, the privacy concerns associated with the generation of nonrandom SPI is also limited to the incoming traffic.</t> <t>When alternate designs are considered, it is likely that the number of possible SPIs will be limited. This limit should both consider the number of inbound SAs - possibly per IP addresses - as well as the ability for the node to rekey. SPI can typically be used to proceed to clean key update and the SPI value may be used to indicate which key is being used. This can typically be implemented by a SPI being encoded with the Security Association Database (SAD) entry on a subset of bytes (for example 3 bytes), while the remaining byte is left to indicate the rekey index. </t> <t>The use of a smaller number of SPIs across communications comes with privacy and security concerns. Typically some specific values or subset of SPI values may reveal the models or manufacturer of the node implementing ESP. This may raise some privacy issues as an observer is likely to be able to determine the constrained devices of the network. In some cases, these nodes may host a very limited number of applications - typically a single application - in which case the SPI would provide some information related to the application of the user. In addition, the device or application may be associated with some vulnerabilities, in which case specific SPI values may be used by an attacker to discover vulnerabilities. </t> <t> While the use of randomly generated SPI may reduce the leakage or privacy or security related information by ESP itself, these information may also be leaked otherwise and a privacy analysis should consider at least the type of information as well the traffic pattern. Typically, temperature sensors, wind sensors, used outdoors do not leak privacy sensitive information and mosty of its traffic is expected to be outbound traffic. When used indoors, a sensor that reports every minute an encrypted status of the door (closed or opened) leaks truly little privacy sensitive information outside the local network. </t> </section> </mglt> (Section 4) Am I understanding correctly, that the last paragraph is giving the option of resetting the Sequence Number when rekeying? Does IPSec try to prevent eavesdroppers from determining when rekeying happens? (I really don't know that much about IPSec.) If it does, then resetting the SN could leak that information, if not then there's nothing to leak. <mglt> No. The last sentence of the section intended to prevent implementers to only consider the SN to define the life time of their SA. If implementer choose to use ESN for that purpose, it might be a good indication that a re-key mechanism is needed. The current text has been updated to clarify this by the following text: """ Note that the limit of messages being sent is primarily determined by the security associated with the key rather than the SN. The security of all data protected under a given key decreases slightly with each message and a node MUST ensure the limit is not reached - even though the SN would permit it. Estimation of the maximum number of packets to be sent by a node is always challenging and as such should be considered cautiously as nodes could be online for much more time than expected. Even for constrained devices, it is RECOMMENDED to implement some rekey mechanisms (see <xref target="sec-security-considerations"/>). """ Regarding IPsec, a rekey leads to the creation of a new SA, so if you do not want to leak the information you may create the new SA in advance and only use it later. However, the creation is performed via an IKEv2 exchange which is not a very busy channel. As a result, exchanges performed on this channel are potential rekey exchanges. As result, it seems to me a bit hard to hide when a rekey occurs. SN do not have to be reset to 0. The only requirement is to increase these SN for each packet. On the other hand, this make it possible to maintain the SN number keep growing while SPI and keys are updated... until you reach the end. If you need to keep the same SPI, you may delete the SA first before starting a new negotiation, this would enable you to re-use the same SPI. </mglt>
- Re: [IPsec] secdir review of draft-ietf-lwig-mini… Daniel Migault
- Re: [IPsec] secdir review of draft-ietf-lwig-mini… David Mandelberg