Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
Paul Wouters <paul@nohats.ca> Wed, 23 August 2017 18:42 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 210D4132926 for <ipsec@ietfa.amsl.com>; Wed, 23 Aug 2017 11:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pkqHDOZ2iY_c for <ipsec@ietfa.amsl.com>; Wed, 23 Aug 2017 11:42:26 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C52AE132732 for <ipsec@ietf.org>; Wed, 23 Aug 2017 11:42:25 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xcx9p1T6BzCDW; Wed, 23 Aug 2017 20:42:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1503513742; bh=m/ann52WhwKY0GbkzPw2PBre9VnlyZVg4rt6Ocuz68U=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Sw/H9iyAL5f3F31ovV5NJTlS7rNrzROysBNExOcZwArE7u3L2Wd8b+/2NM2FGaXQH LGa+bxKrEys5tMExX6crUz2nLQHT1P7hrvK26mR+2xBrpkWGDdcBoMN+BTT/eYjPQV dh0L8D+LP1w39y+FrXncyezBieJRbaMxGirOiptU=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id rfbcL3rdICmj; Wed, 23 Aug 2017 20:42:19 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 23 Aug 2017 20:42:19 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 3D95D41B353; Wed, 23 Aug 2017 14:42:18 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 3D95D41B353
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 2066A4095D6B; Wed, 23 Aug 2017 14:42:18 -0400 (EDT)
Date: Wed, 23 Aug 2017 14:42:17 -0400
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <svanru@gmail.com>
cc: "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, ipsec@ietf.org, 'Vukasin Karadzic' <vukasin.karadzic@gmail.com>
In-Reply-To: <00f701d31c14$901b2ca0$b05185e0$@gmail.com>
Message-ID: <alpine.LRH.2.21.1708231438550.19044@bofh.nohats.ca>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com> <001701d31a89$3cf35ca0$b6da15e0$@gmail.com> <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com> <00f701d31c14$901b2ca0$b05185e0$@gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/v7VnZ_fuUTj5Or5aR7vJnyzzPzk>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2017 18:42:29 -0000
On Wed, 23 Aug 2017, Valery Smyslov wrote: >> It is a good idea. A new optional notification that includes the auth_data as it would be calculated without the >> PPK would work. With that, the corner case of ' PPK_id configured on initiator but missing on the responder' is >> addressed. There is an additional cost of the extra notification message for every initiator that has no- >> mandatory ppk configured for the responder. > > Yes, and there is also an extra cost for initiator of performing AUTH calculation (e.g. digital signature) > twice - one with SK_p' and the other with SK_p. Good news are is that it is > a) is performed by initiator only, so there is no risk of DoS attack on responder > b) is needed only if initiator is configured in "permissive" mode - when its policy allows both PPK and non-PPK > SAs with the particular responder > >> In the worst case scenario the responder would need to go >> through looking up the PPK_id and if that fails then authenticate the auth_data. Even though it is slightly >> more work for the responder, I don't consider that heavy processing that would introduce attack concerns. > > Exactly. This is a good idea. It solves our issue when both ends are configured to initiate and/or respond, and one end is updated and the other isn't, yet we don't know which endpoint will become initiator or responder. The only thing I think we should double check with some cryptogrpahers, is if this opens up any kind of quantum or classic attack. I don't think it does, but it would be good to get confirmed. > In general I think that if protocol allows more flexible operational conditions, then it is a good thing. > If we add this feature, then it will be completely optional for both initiator and responder > (neither initiator is required to send NO_PPK_AUTH, nor responder is required to understand it). > So, if people strictly follow transition plan, then there is no much need in this feature. > However, I suspect that in fields some folks may find these rules too restrictive under some circumstances. > So we can add a bit more flexibility in the protocol for those folks for a relatively low cost. Yes, one of the scenarios is the one where both endpoints are configured to bring up the connection and you cannot predict which end will become initiator or responder. Paul
- [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Derrell Piper
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Graham Bartlett (grbartle)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Vukasin Karadzic
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)