IETF Logo Mail Archive

Re: [IPsec] draft-mglt-ipsecme-diet-esp-iv-generation

Daniel Migault <mglt.ietf@gmail.com> Tue, 15 July 2014 07:49 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 905121B2834 for <ipsec@ietfa.amsl.com>; Tue, 15 Jul 2014 00:49:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qFDvHyh4wQ4Q for <ipsec@ietfa.amsl.com>; Tue, 15 Jul 2014 00:49:57 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 087361A0327 for <ipsec@ietf.org>; Tue, 15 Jul 2014 00:49:56 -0700 (PDT)
Received: by mail-wi0-f178.google.com with SMTP id hi2so3796420wib.17 for <ipsec@ietf.org>; Tue, 15 Jul 2014 00:49:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=uOr4x2WHCXzyitUUkFyy28OcHCBIZJVCMaLJq5z45nQ=; b=oVXAT9cDHq3jYAKn6qQLcJzEYFTDvF/CoZ3Y/fIGbi3iLCuXNt0o+HDMAkQ3/HNdmC ToMYwPZfhIvj8eXSy3FmsUdKAYDQkYiBEYLK7v5mtJFXMUGmktqe5HjmTOnOJazxtF4Y 5hsSxunB+A3BZz5WF5Jdrpl+J5VnYPYtxRpG7o84kYN6n3v93qgnBVzgsRBDYIjWmtm+ +RkDVoUXGQbPNm8w5paufQEqWpWexO6CsVi6tL2uA0WYiIDBAfT87hkpe3uUhG57EoGq ObuSrZ1F2vMbIaJlZuoFzR3y4WZEjXrFGI3ERt9Bdzv4edtxR9Kc/vgfBbCCV174Mtlf 5FAA==
MIME-Version: 1.0
X-Received: by 10.180.14.162 with SMTP id q2mr3598012wic.54.1405410595719; Tue, 15 Jul 2014 00:49:55 -0700 (PDT)
Received: by 10.194.137.67 with HTTP; Tue, 15 Jul 2014 00:49:55 -0700 (PDT)
In-Reply-To: <E7229C5FA6D74B19823BA343439FBD81@buildpc>
References: <CADZyTk=DUkRDX8sfXLS+HTqGw61ZMPexMC9yQadnKd4z9HwmGg@mail.gmail.com> <E7229C5FA6D74B19823BA343439FBD81@buildpc>
Date: Tue, 15 Jul 2014 09:49:55 +0200
Message-ID: <CADZyTkmaQoRW2GdZG0xWVZ5ppcmQYy0p16E97JPjquXMQkWeag@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Valery Smyslov <svanru@gmail.com>
Content-Type: multipart/alternative; boundary="f46d04138d31524efe04fe36a7ae"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/wZXVTWVqiU4TrRG-q9nbCfeRiZQ
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] draft-mglt-ipsecme-diet-esp-iv-generation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jul 2014 07:49:59 -0000

Hi Valery and thank you for your feed backs.

Instead of negotiating the IV compression in a separate way, Valery
suggests to have a specific mode like AES-CBC_WITH_IV_COMPRESSION for
example.

To me its sounds better than what is being described in the draft.

Please let us know what you think about this alternative, and which
function would you use to generate the pseudo random IVs in each packets.

See inline for more comments.

BR,
Daniel


On Tue, Jul 15, 2014 at 9:23 AM, Valery Smyslov <svanru@gmail.com> wrote:

> Hi,
>
> I have some comments regarding the draft.
>
> First, it is not absolutely clear from the draft how the IV is generated
> for each packet. I presume
> that the IVs are taken sequentially for every new
> ESP packet to send from the bit string generated
> by prf+. But then it is not clear for me how the receiver
> would regenerate the same IV in case of packets loss
> and reordering. Sending LSB of IV would help here a bit, but then receiver
> would do quite a lot of work to guess
> the right IV, the overall process is not deterministic
> and opens a possibility for simple DoS attack.
>

This is true, and we should have added more text on that. The initial idea
is to rely on the Sequence Number, and their should be a deterministic way
to bind SN and IV for bot peers. However you are right, to avoid simple
DoS, there should also be a deterministic way to decompress the SN.


> The receiver would also look at the sequence number to deal with packets
> loss and reordering, but as far as I understnad the SN is optional in
> Diet-ESP.
>

It depends what optional means. Diet-ESP packets MUST have a complete
Sequence Number to enable anti-replay and to compute the ICV. On the other
hand, Diet-ESP provides the option to send only the LSB of the SN on the
wire. In order to avoid simple DoS attacks, the decompression of the SN
should be "almost" deterministic.


> Then, I'm not a crypto expert, but using the same
> key for both encryption and IV generation looks
> like a bit unsound.
>

This sounds bad to me too. Actually this is my main concern.


> Finally, I would prefer defining new transorms
> (for example AES-CBC with implicit IV) instead of negotiating IV
> compression separately.
>

That is maybe the way to do. Thanks for your feed back.

>
> Regards,
> Valery Smyslov.
>
>
>


-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58

v2.23.0 | Report a Bug | By Email