Moving forward with IKE V2: A proposal for final edits to ikev2-04
"Theodore Ts'o" <tytso@mit.edu> Fri, 31 January 2003 00:32 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA14424 for <ipsec-archive@lists.ietf.org>; Thu, 30 Jan 2003 19:32:41 -0500 (EST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA18118 Thu, 30 Jan 2003 17:54:53 -0500 (EST)
To: ipsec@lists.tislabs.com
Subject: Moving forward with IKE V2: A proposal for final edits to ikev2-04
From: Theodore Ts'o <tytso@mit.edu>
Phone: (781) 391-3464
Message-Id: <E18eNcL-0004sj-00@think.thunk.org>
Date: Thu, 30 Jan 2003 17:57:09 -0500
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Charlie Kaufman, the document editor for IKE v2, has been travelling and out of e-mail contact this past week. I'm told that he will be back and (hopefully) responding to e-mail this weekend, but that he will be away on more travel next week, and will be fully back on-line on February seven. This brings us relative uncomfortably close to our deadline of trying to complete the IKEv2 proposal by February 15th. The good news is that we believe that we are very close, and that one last, good, hard push is what's necessary to get us to get over the finish line. For example, this past week, it looks like we were had almost achieved consensus on the matter of the question of Secure Legacy Authentication, with Derrell Piper (one of the co-authors of draft-hoffman-sla-00.txt), Charlie Kaufman, Uri Blumenthal, and Steve Kent all expressing comfort to his proposal, which represents a very large percentage of the people who have been discussing this issue on the IPSEC mailing list. Never have we been so close to consensus on this issue, which is great! So in order to come to consensus, we would like to present the following straw-man proposal, as a miniature "last call" for the working group. In Atlanta, we received very clear input from the working group that support for Legacy Authentication is very, very important for IKE v2. As we have seen with IKE v1, there are many ways of accomplishing this, and not all people will agree on what might be the "best" method. Even if we continuing arguing for the next two years (and I don't think the IESG will give us that long), it is extremely doubtful that we will ever come to unanimity on this quesiton. For this reason, what we propose is that we pick an approach, and be done with it. The question then before the working group is whether or not there is another way to accomplish the task, but whether there are either (a) fatal flaws in the proposal presented, (b) clear, overwhelming advantages to do things a different way (and no handwaving; it must be a complete proposal), or (c) minor enhancements that all can agree are worthwhile to include in the protocol and worthwhile to implement. Otherwise we will be arguing until the cows come home (and/or when the IESG shuts us down, or the mob from problem-statement mailing list show up with the pitchforks, tar, and feathers :-). So without further ado, please consider and comment the following proposal as final editing directions to ikev2-04.txt: ----------------------------------- 1) Use as the basis of secure legacy authentication the proposal made by Derrell Pipper on January 23rd, 2003: HDR, SAi1, KEi, Ni --> <-- HDR, SAr1, KEr, Nr HDR*, IDi, [CERTREQ], [IDr,] SAi2, TSi, TSr --> <-- HDR*, IDr, [CERT,] AUTH, EAP(n) HDR*, [AUTH,] EAP(n) --> <-- HDR*, EAP(status) [, SAr2, TSi, TSr ] For those EAP mechanisms which generate a shared key, the AUTH payload MUST be sent from the client to the server when it has sufficient information to generate it. (as proposed by Charlie) If there exists EAP mechanisms where the a new session key may negotiated during the course of the EAP exchange, the client MUST send another AUTH payload if/when a new session key is generated. (as proposed by Darrell --- this probably isn't a problem in practice) Hugo has suggested that for EAP mechanisms that generate a shared key, the responder should send an AUTH message based on the shared key in the message containing the EAP(success) message, as backup in case for some reason the CERT based exchange might have gotten spoofed somehow. This seems to me to be a case of gilding the lilly, and is probably not be worth the extra complexity, but I encourage comment on the working group about whether or not this additional twist should be included. Hugo has a few other concerns about this proposal; none of them seem fatal, but I encourage working group members to look over his message of January 25th, and to please speak up ASAP if you believe these concerns need to be addressed --- and if so, how. ----------------------------------- 3) Change in signature processing. In a discussion between Hugo and Charlie, on January 22-24th there was agreement to change section 4.15 to make IKEv2 more robust to future changes to the protocol: 4.15 Authentication of the IKE-SA The peers are authenticated by having each sign (or MAC using a shared secret as the key) a block of data. For the responder, the octets to be signed start with the first octet of the first SPI in the header of the second message and end with the last octet of the last payload in the second message. Appended to this (for purposes of computing the signature) [are] the initiator's nonce Ni (just the value, not the payload containing it), [and a value MIDr computed as prf(SK_ar,IDr). Note that neither the nonce Ni or value MIDi are transmitted.] Similarly, the initiator signs the first message, starting with the first octet of the first SPI in the header and ending with the last octet of the last payload. Appended to this (for purposes of computing the signature) [are] the responder's nonce Nr, [and a value MIDi computed as prf(SK_ai,IDi)]. ... where IDi and IDr are the entire Idx payload. --------------------------------------------- 3) For the Cipher Suite issue, that we use Paul Hoffman's proposed set of Cipher suites. There is less consensus on this issue on the mailing list, but most people don't seem to have strong feelings, so we believe we just pick something: Suite-ID Meaning -------- ------- 0 Covers: IKE (MUST) 168-bit 3DES CBC encryption Diffie-Hellman group 2 (1024-bit) HMAC-SHA1 integrity and prf 1 Covers: ESP (MUST) 3DES encryption with three keys HMAC-SHA1 integrity 2 Covers: AH (SHOULD) HMAC-SHA1 integrity 3 Covers: IKE (MUST) 168-bit 3DES CBC encryption Diffie-Hellman group 5 (1536-bit) HMAC-SHA1 integrity and prf 4 Covers: IKE (MUST) AES encryption in CBC mode with 128-bit keys Diffie-Hellman group 5 (1536-bit) HMAC-SHA1 integrity and prf 5 Covers: IKE (MUST) AES encryption in CBC mode with 128-bit keys Diffie-Hellman group 14 (2048-bit) HMAC-SHA1 integrity and prf 6 Covers: ESP (MUST) AES encryption in CBC mode with 128-bit keys HMAC-SHA1 integrity 7 Covers: IKE (SHOULD) AES encryption in CTR mode with 128-bit keys Diffie-Hellman group 14 (2048-bit) AES-CBC MAC + XCBC integrity and prf 8 Covers: ESP (SHOULD) AES encryption in CTR mode with 128-bit keys AES-CBC MAC + XCBC integrity I have adjusted the MUST/SHOULD from Paul's message since I believe that for implementations that will be moving to implement IKEv2, it is reasonable to require the implementation of AES, as it as so many advantages over 3DES. If it weren't for the existing chips that only support AES-CBC, I'd argue for making AES-CTR mandatory instead, but given where we are, this set of MUST/SHOULD seems to me to be the most reasonable set of ciphers. Question: Should AES Counter mode be made mandatory to ensure compatibility in the future? Existing chips only support AES-CBC, so this might make things harder for people as they transition to IKEV2. On the other hand, by the time we see start seeing IKEv2 products, it might be reasonable to require the presence of AES-CTR support. ----------------------------------- (SEMI-)CLOSED ISSUES ===================== The following issues have been burbling on the list, although in the opinion of the IPSEC Working group chairs, there isn't consensus in the IPSEC working group to act on them. If you feel otherwise, please speak now. A) Revised identity -------------------- Paul Hoffman has a proposal, draft-ietf-ipsec-revised-identity-00.txt, which radically changes how identities are handled. Specifically, it would eliminate the ID payload with the following types: ID_IPV4_ADDR 1 ID_FQDN 2 ID_RFC822_ADDR 3 ID_IPV6_ADDR 5 ID_DER_ASN1_DN 9 ID_DER_ASN1_GN 10 ID_KEY_ID 11 et.al, and replaces it with a FullID payload with the following types: 1 PKIX certificate 2 Certificate bundle 3 Hash-and-URL of PKIX certificate 4 URL to a PKIX certificate bundle 5 PKIX keyIdentifier 6 IDForSharedSecret This would be fundamental change in the management and administraton of IPSEC and IKE, so is not something to adopt lightly, and without a clear consensus of the working group. This was discussed in two threads on the IPSEC mailing list: one starting on November 5th (subject Adding revised identities to IKEv2), and one starting on December 8th (subject: Summary of revised identity changes). People who spoke in favor on the mailing list included Francis Dupont and Bill Sommerfeld, with qualified support from Michael Richardson (if support for bare keys is added) and Tero Kivinen (who is concerned about the complexity of the proposal). This proposal was discussed in Atlanta, but Charlie, Barbara, and Ted were left with the impression that there was not consensus among those who met to discuss legacy authentication after the IPSEC wg meeting to pursue adoption of Paul's proposed change. Paul believes otherwise. Since it is the job of working group chairs to determine consensus, we (Barbara and Ted) hereby ask that those who believe we should pursue the revised identity proposal to please speak up. It should be noted that there are some intermediate positions beyond what is currently in draft-ietf-ipsec-ikev2-04.txt and the revised-identies draft. For example, we could add the Hash-and-URL type to the Certificate payload, if the goal is shrink the size of IKE messages (with the tradeoff of increasing complexity in IKE implementations). We could also add a CERT hash type to the ID payload, without nuking the traditional FQDN or IPv4/6 addresses identity mechanisms (although again, by adding new types, we would be increasing the complexity of the specification and implementations). Due the relatively small number of people who have spoken in favor of this proposal or its less-radical alternates, the default choice for IKEv2 has to be what is currently in ikev2-04. So those who believe we should make this change (or those who strongly believe we should not) are requested to speak up now, or forever hold your peace.... B) DHCP-based vs. MODECFG style remote access configuration ----------------------------------------------------------- Currently, draft-ietf-ipsec-ikev2-04.txt handles remote access via a Configuration payload with defined attributes. An alternate mechanism involves using tunneled DHCP requests. The latter approach is about to be published as an RFC by the IPSRA working group. Proponents of this method argue that it is more powerful than modecfg (because of the extensibility and large number of options already specified for DHCP; for example, being able to specify DNS, time, print, or WINS servers, and so on.) It is also argued that it requires less code on the server/firewall, since an existing DHCP server can be used. Proponents of the modecfg approach argue that many implementation already have support for modecfg, and that setting up sort-lived specialized tunnels to allow the DHCP packets to flow through the gateway is kludgy, and requires multiple special case entries into packet forwarding tables. Modecfg proponents also argue that it is also possible to transform modecfg requests into DHCP requests, so there are implementation choices that do not require reimplementation of the DHCP's address assignment function. They also point out that it certainly is possible --- and in some ways easier --- to obtain the time, print, WINS server information by using DHCP (via the DHCPINFORM request) after the IPSEC tunnel is setup and the client address is assigned. Either approach seems to be workable. It is certainly true that most of the people in Atlanta were implementors who were already familiar with modecfg, representing a large implementation community. That being said, there is also some number of working group members that are in favor of an approach similar to draft-ietf-ipsec-dhcp-13, including Van Aken Dirk, Michael Richardson, and Scott G. Kelley. One way or another, however we need to make a choice and move forward. Given that we have a fully specified solution in the ikev2-04 draft, and it would seem that while there is a sizeable minority in favor of the ipsec-dhcp-13 approach, the majority are comfortable with the modecfg based approach. So at this point, we, as working group chairs, judge that the consensus is with the current approach. If there are those who feel otherwise, or who see fatal problems with the current approach, please speak now. Ted and Barabara IPSEC wg chairs
- Moving forward with IKE V2: A proposal for final … Theodore Ts'o
- Revised identity, again Paul Hoffman / VPNC
- Ciphersuites MUSTs and SHOULDs Paul Hoffman / VPNC
- Re: Revised identity, again Cheryl Madson
- Re: Moving forward with IKE V2: A proposal for fi… Stephen Kent
- Re: Moving forward with IKE V2: A proposal for fi… Charlie_Kaufman
- Re: Moving forward with IKE V2: A proposal for fi… Charlie_Kaufman
- Re: Moving forward with IKE V2: A proposal for fi… Francis Dupont
- Re: Moving forward with IKE V2: A proposal for fi… Stephen Kent
- RE: Ciphersuites MUSTs and SHOULDs Roger Younglove
- Re: Revised identity, again Scott G. Kelly
- Re: Moving forward with IKE V2: A proposal for fi… Hugo Krawczyk
- RE: Moving forward with IKE V2: A proposal for fi… Geoffrey Huang
- Re: Moving forward with IKE V2: A proposal for fi… Derrell Piper
- RE: Moving forward with IKE V2: A proposal for fi… Victor Volpe