IETF Logo Mail Archive

Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

"Valery Smyslov" <svanru@gmail.com> Fri, 29 September 2017 12:58 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1F21134525 for <ipsec@ietfa.amsl.com>; Fri, 29 Sep 2017 05:58:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.2
X-Spam-Level:
X-Spam-Status: No, score=-1.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mOdjmI4KGkAE for <ipsec@ietfa.amsl.com>; Fri, 29 Sep 2017 05:58:42 -0700 (PDT)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63C62134530 for <ipsec@ietf.org>; Fri, 29 Sep 2017 05:58:39 -0700 (PDT)
Received: by mail-lf0-x233.google.com with SMTP id 80so74099lfy.4 for <ipsec@ietf.org>; Fri, 29 Sep 2017 05:58:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=sntKNauOEBR1IvjYywqid+d8cLF6S7tiVae3EyoploM=; b=Uw+QRZ6/eVs355gooDulf7sYyC+kDmgKvZIjJjWPJEM/J5kRDnZPwdq4j0NsPzO0SS exKp4KstvSr9XbAJpCsirMWjZpOnM45TGKyZRlpnl1n14W6eP0ve5IXpBTqbb5CRDvVz hOzANF9+Q8Hk2E3WguM+f3Ae2YJ2N7cKe6VUTBppPcGXrCJWCLVdW9S4b+Ia1Y8dqTvW KAKBTi5gzMAFy8vdF+XuOfIvPC72KE5AwFvE/Zn8Zcn8NoPpVDkyHSzLdn5V4oK0Xp62 op9DSq7UYx8fpU7Y+vdaRbvFZGnqgh0a8V8e+HqzypWoQyUya1KZcFsK4lFWpJQClkbp BHKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=sntKNauOEBR1IvjYywqid+d8cLF6S7tiVae3EyoploM=; b=gUlqZwKYBDK0X4vpUoRtU2AX66oXwih7LFTqtJG0sIU3IBheHhj+R6XJrCw3OgUm8w kkGYleApqT03JC6IZEcUXOM+ZtijO5jBM624sZB+DPyuOUlmoUP28MJ6Bwt/2maFTHmR 4rDIAx/aJmHKAe3zQKx/4u6rxIALxbZ8ZibuUgwiNWjPTU02UFjaDp/Ph01SC1Nxxe1G 01c+MwDfamVl/yeyAYtMdDWZmPRqKN62rI2GPNa1x6zztzmww4F29vzFBUoF6yN/00A5 QaMuACXLO5toakC9yAfYf3MmYd1Rn8tGLc0007vOylYI3M3dNT/JK+BTsjrQOD243Yix iPSg==
X-Gm-Message-State: AHPjjUhNDJ1XZoRTHluQjxAdymaR/7cgeURER6ERCRsgghNQbfzj987X 41LOUobULXHajf/Vvg0C17Q=
X-Google-Smtp-Source: AOwi7QDCLPPKVEwqfY1GO2/qwIxhiQJrJqWWMm8ZKGS0NM3aqyuzyi0C7bvwcSC8dp3tFb0QwyY+0w==
X-Received: by 10.46.29.139 with SMTP id w11mr3429556lje.171.1506689917537; Fri, 29 Sep 2017 05:58:37 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id z204sm554804lff.33.2017.09.29.05.58.32 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 29 Sep 2017 05:58:34 -0700 (PDT)
From: Valery Smyslov <svanru@gmail.com>
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>, "'Graham Bartlett (grbartle)'" <grbartle@cisco.com>
Cc: ipsec@ietf.org
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <1501968567726.89885@post-quantum.com> <22922.57101.227283.113155@fireball.acr.fi> <7769.1502301632@obiwan.sandelman.ca> <04B7D970-30B0-4AE8-BAF9-210746B56FFF@cisco.com> <14600.1506615504@obiwan.sandelman.ca>
In-Reply-To: <14600.1506615504@obiwan.sandelman.ca>
Date: Fri, 29 Sep 2017 15:58:24 +0300
Message-ID: <00bd01d33922$a487c970$ed975c50$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJGClSbub5RkghZHKgMD6H8pOsCcwJfffzfAsuJTr8A5HSrWwGr2GqAAXTHICQBwMm63KGOlXzw
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/t0EvtNIw0SBPl81a90pP8rPgINM>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Sep 2017 12:58:44 -0000

Hi Michael,

>     > Is the main rational for not having fragmentation in IKE_SA_INIT that
>     > it could break the features of IKE that you list below?
> 
> 1) we are currently working on IKE over TCP because we already know that
>    IKE packets (and UDP encapsulated IPsec) are not get through.  Adding
>    IP fragmentation to the process will just make it worse.
> 
>    Adding IP-level fragmentation to the process adds additional state to the
>    gateway, often hidden to the IKE daemon itself.

That's true and that's one of the reason to avoid it by all means 
(the other and probably even more important reason - crippled
middleboxes that don't pass UDP fragments through).

>    Adding IKE-level fragmentation to the process adds an additional place
>    that DDoS attacks can hit.

We have DDoS protection mechanisms. I think it's possible to define 
IKE_SA_INIT fragmentation so that these mechanisms be still able to work.

>    So, one would have to have some mechanism to know what would get through,
>    and if to switch to TCP, etc. before even trying.

TCP has a lot of shortcomings. It's a last resort.

>     > The reason I ask, we’re working on the current draft and looking to
>     > implement optional fragmentation in the IKE_SA_INIT, but this would be
>     > friendly to cookies, TCP encaps, NAT-T etc
> 
> 2) I think it's not possible to do fragmentation on IKE_SA_INIT (and any
>    level) without opening up gateways up for DDoS attacks.
>    So, don't do it in IKE_SA_INIT in my opinion.

Repeating myself - I don't think it is impossible to define IKE_SA_INIT
fragmentation in such a way, that it won't weaken IKE DDoS protection.
There are two obstacles in my opinion.

1) Complexity. The exchange would most likely become overly complex
and even very unusual comparing to other exchanges (e.g. it is possible to 
acknowledge each fragment individually, this way a better DDoS protection
can be achieved,  but this is non-standard  behavior for IKE and could open 
its own can of worms).

2). Backward compatibility. It's difficult to negotiate using IKE fragmentation
in IKE_SA_INIT. Pre-configuration is a bad option. Most probably the cost 
would be an extra round trip + some tricks playing with invalid syntax and/or
 unknown exchange type).

> If you you want to do something, then it needs to be a new state between
> IKE_SA_INIT and IKE_AUTH.

Having an intermediate exchange that will reuse existing IKE Fragmentation
mechanism is a very attractive idea. It is even possible to leave out MessageID = 1 
for IKE_AUTH. The main problem with this approach is that it doesn't allow
to completely get rid of traditional DH in the future - we need to exchange 
KE to compute SK_* to use IKE fragmentation.

Regards,
Valery.

v2.23.0 | Report a Bug | By Email