Re: [IPsec] New Version Notification for draft-smyslov-ipsecme-ikev2-qr-alt-07.txt
Valery Smyslov <smyslov.ietf@gmail.com> Tue, 29 August 2023 09:03 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A175DC151094 for <ipsec@ietfa.amsl.com>; Tue, 29 Aug 2023 02:03:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQrocQIDw3q7 for <ipsec@ietfa.amsl.com>; Tue, 29 Aug 2023 02:03:39 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB4C1C15108D for <ipsec@ietf.org>; Tue, 29 Aug 2023 02:03:38 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id 38308e7fff4ca-2bcb50e194dso62769071fa.3; Tue, 29 Aug 2023 02:03:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1693299816; x=1693904616; h=thread-index:content-language:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=n6buVMKuedzDQSguNEytpTIvGAZsJAeFkNTc0PfAzYI=; b=dEhxKIcnCE9EmPHQlF6jF7gFAlIwHcpBNeHYc1Tr8TstrYBUGmmhxUfn5v96yagHIV Nf9ljfl61ZYK+uX3/hbDrZyCcnnZp02ANux53IGlmMLfvZ3oDhXb3pms6DXkyUt2JeAv DzYWV5qmNcKtpBrYMFr9csI+rLmRMJb/KWICHhG0KF+KduZeut1RXvrRfFYxCBLNabrA mkkFicx5WqjkEe1DpIKWclNziZAvMOT31fL1zErGIkFLBFTDU054q6aDcOYAhZMBMscK idr9bG6gMkGsy989/d/fwISKow94gMsv40UQDszxiYgJLxQpuBgZh4H6Bl2dOPedHZLi psHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693299816; x=1693904616; h=thread-index:content-language:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=n6buVMKuedzDQSguNEytpTIvGAZsJAeFkNTc0PfAzYI=; b=EVJu7poStpmRwzMylIlj5yEEkRs/kUKqv/DbkQ9oZsHZbfLc0VwIRMsYPJcz0DwHAY Aw9rIMVcPxeA6tU39ftOGn8K6HCSybgsWoXsvEkRJtnaWJo9m4D1oKLlAtSqHQH7SZns ZgyVXEzsCywM6owzkmVlRVio/iaJaUtKSk9ZHycWTE9kGBlGRf24/cSmavWmvaUm0AcF utQ6jeBMIY8L0KUnEu+QhnibRaUgE3wskuy4ZlaxGlTi4ghbpylCo+DLYEEYT8YL+DBi jML9weh+V3CQbO1P6fFik2My/iyCkYSrBtcM3e0E2wavaYfOhlKHciLm0PZ4YRzfmVEL gxFg==
X-Gm-Message-State: AOJu0YwWCuKxex7ab3kL1WnkkmGH01et1C7qhQ3ELh+bZEi9LdseIanp tmcLA7XbQkZbvXgiFfynI9p90NvVTKo=
X-Google-Smtp-Source: AGHT+IFU/pl5QvPQaAwUE4+LM+dz0z/OQy/LlPvG4dQKPVjD9M5p7q9Y/LLR6JJrZwTk78Q0gSuEOg==
X-Received: by 2002:a2e:3001:0:b0:2bc:f1d3:b54c with SMTP id w1-20020a2e3001000000b002bcf1d3b54cmr9800090ljw.20.1693299815979; Tue, 29 Aug 2023 02:03:35 -0700 (PDT)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id e13-20020a2e8ecd000000b002b9e9a8532dsm2081867ljl.138.2023.08.29.02.03.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 29 Aug 2023 02:03:35 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Rebecca Guthrie' <rmguthr=40uwe.nsa.gov@dmarc.ietf.org>, 'Valery Smyslov' <svan@elvis.ru>, 'IPsecME WG' <ipsec@ietf.org>
Cc: ipsec-chairs@ietf.org
References: <168145751264.47555.6193678852468782615@ietfa.amsl.com> <047601d96ea8$b40f8f60$1c2eae20$@elvis.ru> <PH8PR09MB92945FAFF119DE5ABFE3601BFC1EA@PH8PR09MB9294.namprd09.prod.outlook.com>
In-Reply-To: <PH8PR09MB92945FAFF119DE5ABFE3601BFC1EA@PH8PR09MB9294.namprd09.prod.outlook.com>
Date: Tue, 29 Aug 2023 12:03:31 +0300
Message-ID: <001e01d9da57$af3cfd40$0db6f7c0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQIePgQVeIW8tdg3uXSDhsDqpuiCAQIqk7X1AuFc2ZSvTjt4QA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/tPV35mZLkLfeuaUCCTxuUVf1P_c>
Subject: Re: [IPsec] New Version Notification for draft-smyslov-ipsecme-ikev2-qr-alt-07.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Aug 2023 09:03:42 -0000
Hi Rebecca,
thank you for your comments. Please, see inline.
> Greetings,
>
> I wrote to the mail list before IETF 117 that I support adoption of draft-smyslov-ipsecme-ikev2-qr-alt,
> and I have comments I would like to make. The draft did not get discussed at 117, so I'll share my
> comments here.
>
> Comment: I suggest that the draft define a new Notify Payload, USE_EARLY_PPK, that uniquely specifies
> support for this draft, rather than relying on USE_PPK and INTERMEDIATE_EXCHANGE_SUPPORTED.
>
> Explanation: There was agreement at the 116 meeting that the extension specified in this draft should
> not be used in conjunction with RFC 8784. The draft does allow for a fall-back to the PSK mechanism
> specified in RFC 8784 if the mechanism specified in this draft is not supported by the responder- this
> necessitates USE_PPK to be used ambiguously, such that its inclusion by the initiator in IKE_SA_INIT can
> represent the initiator's intent to do either (this draft's PSK mechanism or RFC 8784).
>
> However, since it is still possible that RFC 8784 and RFC 9242 are used together, the inclusion of both
> USE_PPK and INTERMEDIATE_EXCHANGE_SUPPORTED does not uniquely specify this draft; rather, it
> could mean that an IKE peer supports RFC 8784, plans to use IKE_INTERMEDIATE for another purpose,
> and does not support this draft.
Correct.
> There may be a time where certain IKEv2 instances require the use of this draft such that the peer will
> abort the creation of the IKE SA if the extension specified in this draft cannot be supported. The peer
> may require the use of this draft either after transitioning away from RFC 8784, or having never
> supported RFC 8784 at all. In either case, the initiator and responder must be able to negotiate the use
> of this extension in IKE_SA_INIT. As the draft is currently written, depending on assumptions made by
> initiator and responder and depending on what is supported, they are able to get all the way to the end
> of IKE_INTERMEDIATE before realizing requirements cannot be met.
>
> In the case where the Initiator requires draft-smslov-ipsecme-ikev2-qr-alt and RFC 9370, and the
> Responder supports RFC 8784 and RFC 9370, both will include USE_PPK and
> INTERMEDIATE_EXCHANGE_SUPPORTED in their respective IKE_SA_INIT messages, but the Initiator will
> not discover that it must abandon the SA until it has computed all of the intermediate key exchanges
> only to receive no response to its PPK_IDENTITY_KEY notification(s).
That's true, alas.
> On the other hand, if the Responder requires the use of this draft and the Initiator instead supports RFC
> 8784, it is unclear what the responder should do when it does not receive a PPK negotiation message
> from the Initiator in the last IKE_INTERMEDIATE exchange. It is possible that the Responder may be
> expecting another IKE_INTERMEDIATE message containing PPK negotiation information, but if the
> Initiator does not support this extension, then it would instead begin the IKE_AUTH exchange.
In this case the responder has nothing to do except for aborting the negotiation.
> Defining a new Notify Payload, USE_EARLY_PPK, that uniquely specifies support for this draft would
> remove the described ambiguity. In order to indicate support for the fall-back to RFC 8784 capability, the
> Initiator would send both USE_PPK and USE_EARLY_PPK Notify Payloads. It should be the case that when
> these are sent together, the preference for USE_EARLY_PPK is implicit. If the responder also supports
> USE_EARLY_PPK, it will ignore USE_PPK. If the responder does not support or does not recognize
> USE_EARLY_PPK, it may still support USE_PPK, and can proceed with the PSK mechanism described in
> RFC 8784.
The draft was initially written as an extension to 8784, thus the negotiation was done in an implicit way.
I agree that this is sub-optimal in situations when it's critical for one of the peers to use this
mechanism and the other peer doesn't support it - this becomes clear late in the negotiation process.
It is possible to make the negotiation explicit by introducing a new status notify (however,
I would use name USE_ALT_PPK, since PPK is used early for IPsec SAs anyway).
In this case perhaps it's better to completely de-couple the negotiation of this specification
from 8784: the initiator may send only USE_PPK (supports only 8784), only
USE_ALT_PPK (wants to use only this specification) or both (wants to use
this specification, but agrees to fall-back to 8784 if it is not supported by the responder).
The responder would respond accordingly.
> Comment: During IKE_INTERMEDIATE, use N(PPK_IDENTITY) in initiator message and
> N(PPK_IDENTITY_KEY) in responder message, only for the single PPK the responder has selected.
>
> Explanation: Currently, in the last IKE_INTERMEDIATE, the initiator sends SK { ... N(PPK_IDENTITY_KEY,
> PPK_ID_1) [ , ... , N(PPK_IDENTITY_KEY, PPK_ID_n ) ] } where PPK_IDENTITY_KEY is sent for each PPK_ID
> the initiator is offering. The responder then sends SK { N(PPK_IDENTITY) } for the PPK it selects, using the
> N(PPK_IDENTITY) Notify Payload specified in RFC 8784.
>
> It's my understanding that the initiator and responder expect the PPKs to match for any given PPK_ID
> (i.e. that there is a very high likelihood that they match). If this assumption is incorrect, please correct
> me, but if this is the case, in order to perform fewer computations and shrink the size of the initiator
> message, it may make sense to use N(PPK_IDENTITY) [RFC8784] in the initiator message, and the new
> N(PPK_IDENTITY_KEY) in the responder message, only for the single PPK the responder has selected.
> Then, before the initiator sends IKE_AUTH, it can use the confirmation value sent by the responder in
> N(PPK_IDENTITY_KEY) to check that the PPK values the initiator and responder are using match. (If they
> do not match, the initiator could send another IKE_INTERMEDIATE containing N(PPK_IDENTITY_KEY)s for
> each PPK it supports, as currently specified.) Depending on how many PPKs the initiator offers, this may
> not considerably shrink the message size.
The reason why the initiator provides key confirmation(s) to the responder and not vice versa
is that in this case it's more easy to handle PPK mismatch case in the protocol.
If the responder detects that the PPK value for the selected PPK mismatches, then it just sends
back AUTHENTICATION_FAILED (in the IKE_INTERMEDIATE) and the negotiation is aborted gracefully.
On the other hand, if the responder provided key confirmation to the initiator,
then in the situation when the selected PPK value mismatched, the initiator should inform the responder
somehow about this. From the responder's point of view the IKE_INTERMEDIATE exchange
has been completed successfully and the responder has been waiting for the IKE_AUTH request.
But the initiator could not start IKE_AUTH because it was unable to compute SK_* values.
The initiator might either send a clear INFORMATIONAL with AUTHENTICATION_FAILED
(that is not trusted at all) or might just abort the negotiation leaving the responder with
the incomplete IKE SA, which would be eventually deleted, but would still consume some
memory before this and thus increasing surface for DoS attacks.
Note, that in this case there would be also no diagnostics on the responder
about the real reason the negotiation failed (it looked like DoS attack to the responder).
> Comment: Update Security Considerations section.
>
> Explanation: The Security Considerations section currently cites RFC 8784. I'd suggest that RFC 9242's
> security considerations be referenced as well, and I'd suggest repeating some of the security
> considerations from RFC 9370 that are relevant here- in particular, the second paragraph of RFC 9370
> discusses how to ensure quantum resistance in Transform Types 2 and 3- this is worth repeating here,
> especially in the case that this draft is used independently (without RFC 9370) to provide QR.
>
> In RFC 8784 and RFC 9370, there is discussion of the security of each extension with regard to an active
> attacker- it may be useful in this draft to extend this discussion here in order to cover 1. the addition of
> IKE_INTERMEDIATE, 2. the fact that QR is achieved prior to IKE_AUTH (either if this draft is used on its
> own or in conjunction with RFC 9370), and 3. the fact that authentication is QR (compared to RFC 9370
> alone).
The current Security Consideration section is mostly a stub.
I agree that more considerations should be added there.
Thank you for the concrete proposals.
Regards,
Valery.
> - Rebecca
>
> Rebecca Guthrie
> she/her
> Center for Cybersecurity Standards (CCSS)
> Cybersecurity Collaboration Center (CCC)
> National Security Agency (NSA)
>
> -----Original Message-----
> From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Valery Smyslov
> Sent: Friday, April 14, 2023 4:11 AM
> To: IPsecME WG <ipsec@ietf.org>
> Cc: ipsec-chairs@ietf.org
> Subject: Re: [IPsec] New Version Notification for draft-smyslov-ipsecme-ikev2-qr-alt-07.txt
>
> Hi,
>
> a new version of the draft has been published.
> It addresses issue with mismatched PPKs and also adds some clarifications on interaction with RFC 8784.
>
> As it was discussed at the IETF116 IPSECME meeting, once the new version is published, a call for
> adoption would be issued.
>
> Chairs, can you please issue an adoption call?
>
> Regards,
> Valery.
>
> > -----Original Message-----
> > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > Sent: Friday, April 14, 2023 10:32 AM
> > To: Valery Smyslov
> > Subject: New Version Notification for
> > draft-smyslov-ipsecme-ikev2-qr-alt-07.txt
> >
> >
> > A new version of I-D, draft-smyslov-ipsecme-ikev2-qr-alt-07.txt
> > has been successfully submitted by Valery Smyslov and posted to the
> > IETF repository.
> >
> > Name: draft-smyslov-ipsecme-ikev2-qr-alt
> > Revision: 07
> > Title: Alternative Approach for Mixing Preshared Keys in IKEv2 for Post-quantum Security
> > Document date: 2023-04-14
> > Group: Individual Submission
> > Pages: 9
> > URL: https://www.ietf.org/archive/id/draft-smyslov-ipsecme-ikev2-qr-alt-07.txt
> > Status: https://datatracker.ietf.org/doc/draft-smyslov-ipsecme-ikev2-qr-alt/
> > Htmlized: https://datatracker.ietf.org/doc/html/draft-smyslov-ipsecme-ikev2-qr-alt
> > Diff: https://author-tools.ietf.org/iddiff?url2=draft-smyslov-ipsecme-ikev2-qr-alt-07
> >
> > Abstract:
> > An IKEv2 extension defined in [RFC8784] allows IPsec traffic to be
> > protected against someone storing VPN communications today and
> > decrypting it later, when (and if) cryptographically relevant quantum
> > computers are available. However, this protection doesn't cover an
> > initial IKEv2 SA, which might be unacceptable in some scenarios.
> > This specification defines an alternative way get protection against
> > quantum computers, but unlike the [RFC8784] solution it covers the
> > initial IKEv2 SA too.
> >
> >
> >
> >
> > The IETF Secretariat
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
- Re: [IPsec] New Version Notification for draft-sm… Valery Smyslov
- Re: [IPsec] New Version Notification for draft-sm… Rebecca Guthrie
- Re: [IPsec] New Version Notification for draft-sm… Vukašin Karadžić
- Re: [IPsec] New Version Notification for draft-sm… Paul Wouters
- Re: [IPsec] New Version Notification for draft-sm… Valery Smyslov