IETF Logo Mail Archive

Re: [IPsec] Interoperability problem concerning RFC 7427

"Valery Smyslov" <svanru@gmail.com> Tue, 04 October 2016 14:11 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BD15129633 for <ipsec@ietfa.amsl.com>; Tue, 4 Oct 2016 07:11:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.235
X-Spam-Level: *
X-Spam-Status: No, score=1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=3.496, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrg5z3fsb92m for <ipsec@ietfa.amsl.com>; Tue, 4 Oct 2016 07:11:38 -0700 (PDT)
Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C356D12988A for <ipsec@ietf.org>; Tue, 4 Oct 2016 07:11:27 -0700 (PDT)
Received: by mail-lf0-x22a.google.com with SMTP id b75so52164542lfg.3 for <ipsec@ietf.org>; Tue, 04 Oct 2016 07:11:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-transfer-encoding; bh=M9EMCVzcaU3OV3Rn/7T124bKBV/ZJNj+nemFYWYaKCc=; b=ff7yTbSNQjMQ0wICe3qXbBVIRZ0KIrM/0DFsTTaf+iciS9xcTbdTcKYaYFXnNDwaqa ZHu4DpqA6rbbk+vr9ShcOb435aDVAQ56F+bPZASjDcajI27wNjsIIxdhuXUJA75+memq hiy3tLRnDysfR/XlA769bniZR5zBJrcmw4uHxcZCpv5jPnqgsB/qtYQ/AoaZsUymyjNb 3SlcjP6ozo7ti8rd63n8xPkd+PRH41hO/2rb58oQ01HGcBJuT4CJ31e956Y4PWqz1QMK KjiVJ+aqHvr2lZ7F1AvG2bL/XaNWztPl7JOTlZ7rY/E0YLjKXPbIkAQDg9Q1PWoME1nk 7f7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:cc:references:subject:date :mime-version:content-transfer-encoding; bh=M9EMCVzcaU3OV3Rn/7T124bKBV/ZJNj+nemFYWYaKCc=; b=Cf+37ltMRV99+On/zYOf+0q1GKMwJLyQ2T91NTVTzSYJ1N9E8wtXxu3XB8vzEjmsQW r8Q82lIOEPmz5u5QdosNR8jMoqYd1XwJxPQROTCJFfLzwAO1/dINT/m1RnEa47pZG5sR CdPi3ndbu+1N5DdFXWGqE306f3e369kSh0+2hB7enbLuZ7PZ27WBy42PqUhq82v4t3uB PCAtrbxdMLDlAVU/b7TpXmvaeXF2QNqR7qTJz3Gddtg3Edx835qMGUZfhkqFW9wFMXfc UPdFPgCq8DOyQhviYGVrbQxEB9hXXg72uYjgoUr3ElPwsBDJ8VdTBnXHl7JWRYBV0aPD xcLg==
X-Gm-Message-State: AA6/9Rng0gONbQGfcppLA/AlEjfFeUi6i4XFSrTo9GNqfSNRz3gvCRBFXj9yP3OmLnPAMQ==
X-Received: by 10.46.5.2 with SMTP id 2mr1628142ljf.73.1475590285889; Tue, 04 Oct 2016 07:11:25 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id g201sm752348lfg.8.2016.10.04.07.11.24 (version=TLS1 cipher=DES-CBC3-SHA bits=112/168); Tue, 04 Oct 2016 07:11:24 -0700 (PDT)
Message-ID: <A9D8744967E54265B20A0E6752ABC087@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
References: <MWHPR09MB14403946B9D23FF98C744FBEF0E40@MWHPR09MB1440.namprd09.prod.outlook.com><4413733F9BF24D94821C1814E88C3C26@buildpc> <22515.45673.944549.840807@fireball.acr.fi>
Date: Tue, 04 Oct 2016 17:11:18 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zHZvTwAbdP5cprMfzDt8JEKbxPQ>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] Interoperability problem concerning RFC 7427
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Oct 2016 14:11:41 -0000

Hi Tero, 

> [This is bit old email, but I have not seen any replies to this, and I
> am sending this as implementor not as chair.]
> 
> Valery Smyslov writes:
>> The problem is that RFC7427 doesn't provide any means to find out
>> what kind of signatures peer supports. If you have RSA certificate,
>> you need somehow to guess whether you can use newer PSS signature
>> format or should stick to old PKCS 1 one. The SIGNATURE_HASH_ALGORITHMS
>> notification doesn't provide any information of this kind. RFC7427
>> is silent whether support for RSASSA-PSS is required to be compliant
>> with it, so I think it is absolutely legal now to have support for Digital Signature
>> authentication method and have no support for RSASSA-PSS 
>> (as in the product we have tested with).
>> The draft draft-ietf-ipsecme-rfc4307bis does requires that if
>> Digital Signatures are supported, then RSASSA-PSS with SHA2-256
>> MUST be supported. However, even if it becomes RFC in near future,
>> it'll take a couple of years before it is adopted by major vendors.
> 
> Section 5 of the RFC7427 covers this, and we also discussed this when
> the RFC was being written. The consensus was that in most cases there
> is existing configuration between peers anyways, thus configuring
> which key to be used is just one more configuration option to do, and
> that is easy way to solve the issue.
> 
> I.e., in the end we decided we do not want to add negotiation for the
> public key algorithm.
> 
> [1] https://www.ietf.org/mail-archive/web/ipsec/current/msg08701.html
> [2] https://www.ietf.org/mail-archive/web/ipsec/current/msg08671.html

No this was different issue. I remember that discussion very well (since
I initiated it) and I wouldn't start it over again. 

The issue we came across is not about different algorithms
(say indicating whether we need to use RSA or ECDSA if we have
both certificates). The algorithm is essentially one - RSA, and we have 
exactly one RSA certificate. However, we can create AUTH
payload using RSA-PKCS 1.5 or using RSASSA-PSS signature
formats. And we came across that the peer from different
vendor doesn't understand RSASSA-PSS signatures while
supporting RFC7427. This is the issue. We have no clue
whether it is safe to use RSASSA-PSS or not and
the RFC gives us no means to get this clue. This is the problem. 

[snip]

> So I do not think this issue will come up with using same private key
> for different EC signing methods, but it will come up with RSASSA-PSS.

I'm not so sure that EC signing methods will not suffer from 
this issue, giving the speed the new ones appear and become popular.

>> So, my question is - what to do with all this.
>> 1. Do nothing. Coming back to the interoperability problem we have,
> 
> This is what we decided when we published RFC7427. 

No, it was different discussion. You persuaded me then
that Certificate Request etc. works well for selecting
the proper private key. It doesn't work at all for selecting
the "proper" signature format.

>>     it is possible to find some workarounds:
>>     - don't use RSASSA-PSS until it becomes ubiquitous (however if everybody
>>         follows this way it'll never become ubiquitous)
>>     - it is possible for the initiator to restart exchange if it receives
>>        AUTHENTICATION_FAILED while using RSASSA_PSS
>>         and use RSA PKCS 1 in the new run. However, this approach
>>         will slow down connection setup and waste resources of
>>         both initiator and responder.
>>     - it is possible for responder to look at the format of signature 
>>         the initiator used and act in accordance - if the initiator
>>         doesn't use RSASSA-PSS then don't use it.
>>     These are all workarounds and they complicate implementations
>>     and waste resources for no good reason.
> 
> We said that in initiator you need to either try all keys, use
> Certificate request as hint, or have preconfiguration.

Certificate Request doesn't work. Preconfiguration doesn't scale.
Trying all signature formats is possible, but I expect that 
many implementers (and users) will just disable
RSASSA-PSS, that is a bad thing...

> In the responder you can use the same format than the initiator used
> (if it used signature authentication). If not, you can either use
> certificate requests as hint, or use preconfiguration.

Yes, it is possible for the responder to look at the signature
format the initiator used and act correcpondently.
However, if many initiators disable RSASSA-PSS for the
request then responders won't use it either, leading
to even more slow adoption of this signature sceme.

>> 2. Add some indication of signature form/format the peers support.
>>     I can see two possible solutions.
>>     - define new entries in Hash Algorithms registry
>>         that are not hash functions but are rather signature formats.
>>         For example, add RSASSA_PSS. If it is included
>>         in SIGNATURE_HASH_ALGORITHMS notification.
>>         it will mean that this format is supported with any real hash
>>         algorithms that are included in this notification.
>>         It is clearly a hack of RFC 7427.
>>     - define new notification SIGNATURE_FORMATS, which
>>         will include supported signature forms/formats.
>>         It seems to be a most "proper" way, however 
>>         it is the slowest one (new RFC is needed).
> 
> As we already once decided we are not going to do it, I do not think
> we want to come back to this. It is fine to come back to same issues
> if something has changed, but I do not think there has been any real

It is a bit different issue. And it is practical.

> changes in here, actually I think the issue is getting easier, as
> rfc4307bis will say that RSASSA-PSS is MUST, thus this issue will go
> away and everybody can start using RSASSA-PSS, and just have some
> fallback option for old implementations not supporting rfc4307bis.

Yes, the issue with RSASSA-PSS should go away once
the RFC4307bis is issued and adopted by majority of vendors.
It'll take a couple of years. 

> I do not think this is issue for ECDSA or EdDSA. And
> draft-nir-ipsecme-eddsa-01 says that *ph SHOULD ONT be used... 

Not so sure...

Regards,
Valery.

v2.23.0 | Report a Bug | By Email