Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ikev2-08
Benjamin Kaduk <kaduk@mit.edu> Fri, 08 November 2019 20:51 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A4001208C2; Fri, 8 Nov 2019 12:51:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iACVDvb75hcF; Fri, 8 Nov 2019 12:51:16 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05D8D120871; Fri, 8 Nov 2019 12:51:15 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id xA8KpBvM020956 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 8 Nov 2019 15:51:13 -0500
Date: Fri, 08 Nov 2019 12:51:10 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Tero Kivinen <kivinen@iki.fi>
Cc: draft-ietf-ipsecme-qr-ikev2.all@ietf.org, ipsec@ietf.org
Message-ID: <20191108205110.GK47216@kduck.mit.edu>
References: <20191105023831.GH55993@kduck.mit.edu> <24004.48693.528411.949232@fireball.acr.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <24004.48693.528411.949232@fireball.acr.fi>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/w_LpbPXKr7Og8x3VjKOzTAeuB8M>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ikev2-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2019 20:51:19 -0000
Hi Tero, On Fri, Nov 08, 2019 at 03:00:37AM +0200, Tero Kivinen wrote: > Benjamin Kaduk writes: > > Section 3 > > > > N(USE_PPK) is a status notification payload with the type 16435; it > > has a protocol ID of 0, no SPI and no notification data associated > > with it. > > > > [check the IANA status of the value] > > As others already commented I as an IANA Expert for those registries > did do an assignment for those notification values, as they were > stable enough already in 2018 February... > > Creating new registry could not be done as expert review, so that > creation PPK_ID type registry was left to this document. Of course > there was no problem with using the numbers, as there is nobody else > who can allocate things from that registry as that registry does not > yet exists. > > > value. Not all implementations are able to configure arbitrary > > octet strings; to improve the potential interoperability, it is > > recommended that, in the PPK_ID_FIXED case, both the PPK and the > > PPK_ID strings be limited to the base64 character set, namely the > > 64 characters 0-9, A-Z, a-z, + and /. > > > > I don't have much experience with the conventions in this space; does it > > make sense to distinguish between the PPK representation as configured > > (which would use the base64 alphabet) and the "actual PPK" that could be > > binary after, e.g., a base64-decoding step? I guess it could be > > reasonable to rely on the ability of the PRF to take an arbitrary-length > > input and just have sufficient entropy even while limiting the PPK value > > to the base64 alphabet. > > We had long discussion this in one of the meetings some time ago, and > I think the problem is that some implementations use configuration > files where they write the keys directly, some use config files > pointing to the file on the disk, and some use some database backend, > and then there are the ones that use GUI to enter the key. > > When you have key "makemetastygoat" that is easy. When you have key > which contains NULs, newlines, 8-bit characters etc., there are > several cases where you cannot enter such key to configuration of > implementation. > > We decided that base64 is good enough, i.e., the keys do not get too > much longer, but every single system should be able to configure key > using that charset. > > As the keys are feed in to the PRF anyways there is no need to require > them to be binary, only thing that should matter is how much entropy > there is in the key, and with base64 it is easy to calculate. That's roughly where I ended up after thinking about it, so I'm glad we're all on the same page. (And my apologies for having everyone spend more words on it.) > > Section 6 > > > > We should document the privacy considerations of the PPK_ID both in the > > face of an attacker with a quantum computer (now or in the future) and > > in the face of a classical attacker. The latter would, IIUC, need to be > > an active MITM in order to see anything other than N(USE_PPK), and who > > would also get IDi along with the PPK_ID value, so there's not much of a > > change in the privacy stance. > > We did discuss this and decided that it would be possible to protect > the identity (IDi, and IDr) using pseudonyms if such thing is needed. > I.e., instead of using real IDi and IDr, we use some random identity > string. After the IKE SA creation we can do IKE SA rekey to gain QR > protection for the IKE SA traffic too, and after that we can agree on > the next ID to be used for next connection. This way the identities > will be always different and completely random. > > The PPK_ID does not need to have meaning outside the fact that it > identifies the PPK we are going to be using. So it can be random from > the beginning, and you can either use similar agreeing on next PPK_IDs > after rekey than for IDi/IDr, or you can simply use each PPK only once > and generate lots of them before you even start. > > None of this is written in the draft, as we kept the focus on making > IKEv2 quantum resistant and keeping the original properties of the > IKEv2 intact otherwise. Adding better identity protection is something > that can be done separately and can also be used with or without QR. Okay. > > Section 7 > > > > We should have a registration template for what information new > > registration requests should include. (In particular, since we allow > > changing entries, a "change controller" and contact information will be > > needed.) I suggest including a column for "reference to specification > > (if available)", even though the "Expert Review" policy does not > > strictly require one. We could also provide some guidance to the DEs as > > to what criteria they may or may not want to apply in deciding whether > > to approve or reject a registration request. > > As an IANA expert and most likely a candidate for expert for this > registry too, I do not think such templates or rules for expert are > needed. I hope people will trust experts enough to make smart > decisions. Okay, I'll put that down as "we considered providing guidance but decided not to", which is fine. > In this case I do not think there will be too many new registrations Indeed, I cannot think of many possibilities there. Thanks, Ben
- [IPsec] AD review of draft-ietf-ipsecme-qr-ikev2-… Benjamin Kaduk
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Paul Wouters
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Benjamin Kaduk
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Valery Smyslov
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Benjamin Kaduk
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Paul Wouters
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Valery Smyslov
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Valery Smyslov
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Valery Smyslov
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Paul Wouters
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Scott Fluhrer (sfluhrer)
- [IPsec] AD review of draft-ietf-ipsecme-qr-ikev2-… Tero Kivinen
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Tero Kivinen
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Benjamin Kaduk
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Benjamin Kaduk
- Re: [IPsec] AD review of draft-ietf-ipsecme-qr-ik… Valery Smyslov