Re: [IPsec] Comments on draft-ietf-ipsecme-implicit-iv
Daniel Migault <daniel.migault@ericsson.com> Tue, 27 March 2018 18:10 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C7E612D77C for <ipsec@ietfa.amsl.com>; Tue, 27 Mar 2018 11:10:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T1VokLXfmLp1 for <ipsec@ietfa.amsl.com>; Tue, 27 Mar 2018 11:10:30 -0700 (PDT)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 340B312778E for <ipsec@ietf.org>; Tue, 27 Mar 2018 11:10:30 -0700 (PDT)
Received: by mail-lf0-x22b.google.com with SMTP id q5-v6so9382401lff.12 for <ipsec@ietf.org>; Tue, 27 Mar 2018 11:10:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=XU40LUUjBW+ckbGCqeU+YVKvYw3LFrBmMDQLZ9+X150=; b=mJZaeK+voIsLo24tmhcG7cNsfuefJoFf2TLBpxI5wcChYVYec1HXqLc+tbgQmz0S9S JHiwyutR70P5sGrA/SvJUvTWkhKAqLzrl9UbUN3HzjayliP+TMtJXOyr5fR+nuPY+oBw kb/L3u6BDBBW955ehdDGUFexpH9UNFn9j5/C4Y5IO1iXTuNhocGiC7xPh64a6YM2vumF jOyD0Nbj2VyUGQsWKvKQDk/bwdAc5wPgDIyHclk2F2IxH3zj0rt4YTi2SMqHJQsh4en7 cVvOBwszCI0hzriaEnl79ANZ2KuQq0el5fuhCbiLaGWpAU6A7fvKQ2s+hRgVIVuFi9BM t57g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=XU40LUUjBW+ckbGCqeU+YVKvYw3LFrBmMDQLZ9+X150=; b=O0dvPEXWrgzMsauBvnKU2tJlbTzVtYWNrwNNaH6jfEK3IFReuZZDiytVuV53KQFcDR LnN/HohHXuf7HMyMiqfW/utGJSBeRFGI3uZf7sJZqay+KhbMjboc2JjtNnNKjn7Gq6SU 1IFEzdJ3hQcXD8dXRn7/ijJ1x0Xr1CnDhjr0IY5ogGskAagB/B0kr16ixqHR03ya8Q0h JEnMCXYGyvZG6x7+Lmzx2yHGEDcTesxCPeYGWa+9A7cYvcRY8OP6FdD3pOl6gcs9wyEb VMDKtxTxtTkVOiepxVsBNZ9+zaNdb3vH6dnAqCPfQ3KYL/zDz7hGaavNzL1j6kABlc+T 7MhQ==
X-Gm-Message-State: AElRT7HgyP0klQmq18DmgB2V16WRneHFQrh4km/H4bm0Zye650Fr46UF T9dq4a1QFxiNh+gIA/qwlTbJJddi5Ok8da0hum0=
X-Google-Smtp-Source: AIpwx4/PHEPG6cmgQdASVXY+SznEF8EB0Ic7ULItcmWEW5KLk9LJ6KkDw4UtGtiduKe7tBCMBT8WJ1t7EI7xaqa3enM=
X-Received: by 10.46.122.15 with SMTP id v15mr231210ljc.7.1522174228448; Tue, 27 Mar 2018 11:10:28 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.46.158.19 with HTTP; Tue, 27 Mar 2018 11:10:27 -0700 (PDT)
In-Reply-To: <157d7bd1e99b4044bec2ba4412d8e873@XCH-RTP-006.cisco.com>
References: <4c9091a6469945478d0fbce30447da94@XCH-RTP-006.cisco.com> <CADZyTk=kTpJeHbhWafA3bsUJ+rxOukE-54ccwmcd8a8VaDF0wQ@mail.gmail.com> <157d7bd1e99b4044bec2ba4412d8e873@XCH-RTP-006.cisco.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Tue, 27 Mar 2018 14:10:27 -0400
X-Google-Sender-Auth: ALA0ZtmiXMhIAoJbaZwUvwnWiJo
Message-ID: <CADZyTkm7+g=e6w=kKkwkqBS-irtRmay0zeWNoqoBjRzP9kw62w@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: "IPsecme WG (ipsec@ietf.org)" <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="f4f5e8067d902c4ebc056868ce21"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/w1W1qAIHEYSzw3LzFBKNR828ot4>
Subject: Re: [IPsec] Comments on draft-ietf-ipsecme-implicit-iv
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 18:10:34 -0000
Thanks a lot Scott for the response. I am publishing the draft asap. Yours, Daniel On Tue, Mar 27, 2018 at 2:04 PM, Scott Fluhrer (sfluhrer) < sfluhrer@cisco.com> wrote: > > > *From:* mglt.ietf@gmail.com <mglt.ietf@gmail.com> *On Behalf Of *Daniel > Migault > *Sent:* Tuesday, March 27, 2018 1:22 PM > *To:* Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> > *Cc:* IPsecme WG (ipsec@ietf.org) <ipsec@ietf.org> > *Subject:* Re: [IPsec] Comments on draft-ietf-ipsecme-implicit-iv > > > > Thank you Scott for your comments. > > I understand the first comment as a text clarification to comment on the > mechanism provided by section 3.5 of RFC6407 and explicitely mention that > is does not apply here. Does the replacement below addresses your concern ? > > OLD: > Section 3.5 of [RFC6407] explains how > repetition MAY BE prevented by using a prefix for each group member, > which could be prefixed to the Sequence Number. Otherwise, Implicit > IV MUST NOT be used in multicast scenarios. > > NEW: > Section 3.5 of [RFC6407] provides a mechanism that MAY be used to > prevent IV collisions when the same key is used by multiple users. The > mechanism consists in partitioning the IV space between users by assigning > the most significant byte to a user. When implicit IV transforms are used, > such mechanism cannot be applied as the IV is not sent, but instead it is > derived from the Sequence Number. A similar mechanism could be used by > associating the most significant byte of the Sequence Number to a sender, > while the 3 remaining bytes will be used to carry the counter value. Such > mechanism prevents the use of Extended Sequence Number and limits the > number of packet to be sent to 2** 24 = 16777216, that is 16 M. > > Unless some mechanism are provided to avoid collision between Sequence > Number, ( and so IV ), Implicit IV MUST NOT be used. > > > > That works… > > > > > Regarding the second comment, I guess the idea was to mention that a > responser cannot select a IIV Transform unless being sent by the initiator. > I propose the following text. Do it address your comment ? > > OLD: > > The rules of SA payload processing ensure that the responder will > never send an SA payload containing the IIV indicator to an initiator > that does not support IIV. > > > NEW: > > The rules of SA payload processing ensure that the responder will > never send an SA payload containing the IIV transform to an initiator > that does not support IIV. > > > > I’m wondering whether this is necessary to state this. For example, RFC > 7634 (the ChaCha IPsec transform) does not have any similar language, even > though (like this draft) they define a new transform id. > > > > However, I’m not demanding any change; the text just sounds redundant to > me… > > > > > > The reason for not having AES_CTR was that the transform is on its way to > be retired. I propose to remove AES-CTR, but if there is a need to provide > AES-CTR with implicit IV we coudl also add additional code points. > > I am currently proposing the following text: > > OLD: > AES-CTR, AES-CCM, AES-GCM and ChaCha20-Poly1305 are likely to > implement the implicit IV described in this document. > > NEW: > > AES-CCM, AES-GCM and ChaCha20-Poly1305 are likely to > implement the implicit IV described in this document. > > > > Works for me. > > > > > > Yours, > > Daniel > > On Sun, Mar 25, 2018 at 2:10 PM, Scott Fluhrer (sfluhrer) < > sfluhrer@cisco.com> wrote: > > - Section 4: “Section 3.5 of [RFC6407] explains how repetition > MAY BE prevented by using a prefix for each group member” > > Actually, RFC6407 just refers to RFC6054; that has the SID in the top 8 > bits of the 8 byte sequence number. Used literally, this doesn’t work, as > the top 8 bits of the 8 byte sequence number are never expressed in the > packet in implicit-iv. You could put them in the top 8 bits of the 4 byte > sequence number (which means you can’t use ESN, but it didn’t work in the > multisender case anyways), but that would mean that each sender would be > limited to 16M packets. I believe that these details are distinct enough > that (if this is considered a viable alternative) they should be explicitly > listed (including the 16M packet restriction). Alternatively, we can just > forbid this transform in the multisender case. > > > > - Section 6: “The rules of SA payload processing ensure that the > responder will never send an SA payload containing the IIV indicator to an > initiator that does not support IIV” > > I believe that this is stale text; the current draft doesn’t use an > indicator; instead, it defines separate transforms IDs. > > > > - Section 8 has “AES-CTR … [is] likely to implement the implicit > IV described in this document”; however the transform ENCR_AES_CTR_IIV is > not defined. Is this intended? Should we either remove the AES-CTR > algorithm from the list of “likely to implement”, or should we actually > define the transform id for it? > > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > >
- [IPsec] Comments on draft-ietf-ipsecme-implicit-iv Scott Fluhrer (sfluhrer)
- Re: [IPsec] Comments on draft-ietf-ipsecme-implic… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Comments on draft-ietf-ipsecme-implic… Daniel Migault
- Re: [IPsec] Comments on draft-ietf-ipsecme-implic… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Comments on draft-ietf-ipsecme-implic… Daniel Migault