Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-iv-04
Daniel Migault <daniel.migault@ericsson.com> Wed, 27 June 2018 15:46 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12981130FC7 for <ipsec@ietfa.amsl.com>; Wed, 27 Jun 2018 08:46:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ua0iK9o4RTIQ for <ipsec@ietfa.amsl.com>; Wed, 27 Jun 2018 08:46:45 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0B7130E93 for <ipsec@ietf.org>; Wed, 27 Jun 2018 08:46:44 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id t7-v6so2024030ljj.6 for <ipsec@ietf.org>; Wed, 27 Jun 2018 08:46:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=iGTAq/auIgO2kEXyUJfoculWC+UiFN9uC47HRdVnrNs=; b=EqZoQH1MQg8QTuLR72Zr5RBXrcJ0G51KES6q5O7J4AJYpgoCBPIFjAJ5IwiKmF2dQK JhhIIrbAMwEw6BffC95F0ESohHYXoq1VPTUkQl563+xN68aPrpzeOj9BRhYhHJImGGxp PW/+nAniuRdmLvt66lWOxtn1UCwL1euo7mRhpaBwpb7hLHYQHTu/FlMrskKcot1vFS1t LsNtfGfEm/aVRsClbo17GZXca/zNgIw8Q/zhnGCvXiziBFWiGxeGY4D/cny9lJvSC7uT fk4BYlyJQNVTWqwsBQdiuQAWxwlmBDzDvAtTRErup4SyhvRXLPTVosttSwPtHVL/67+p SVRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=iGTAq/auIgO2kEXyUJfoculWC+UiFN9uC47HRdVnrNs=; b=AmAlR9zdgphQwxizfK4VQVPQVK04A4Vk1OmrmRERKGvsxVH1t8cgTADbzNfxtzSRFd LOuRkhac7F2AgN13ts/jo8GJlUSMpKAo6dkLXAxoXiVafEZITu2j1QTjkuhV0JCYTlOJ IcRXZKuyboJY5G03F2IiCDNucyX3a7LVNyrxAb343sbnOES9uDi/gD2sl/pl9e3gGGQv 3RpYwmEc3WErjn6uvd75tb1lSRNDUWVUS3JX/4VAvA47vCAWtp2Frq28Hj28xu2W/a5l GTttgULxcvW7C61XTceGkUoGUixariaJvZIWHyEJDY0cbPG5n/8xmoT9Mdzf2M75lkOQ N89g==
X-Gm-Message-State: APt69E2+u39Z3BX8KHDmj7DepyzHNELa+hjhMltvhl5MvgJzRAiRE5p8 UBc5IAegi8nXk/MqIGnfiV9xGTj5ROM3DL/GkWA=
X-Google-Smtp-Source: AAOMgpc5DPsneFTFUg58Khw4Dba2zdAPtfbqTRW+S+wwuzB5F3TJVwPQcCMDazFQzq4hOo1EJ7+bBqPsZC8pbtLjvEA=
X-Received: by 2002:a2e:500d:: with SMTP id e13-v6mr4376873ljb.70.1530114402875; Wed, 27 Jun 2018 08:46:42 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 2002:a2e:4281:0:0:0:0:0 with HTTP; Wed, 27 Jun 2018 08:46:42 -0700 (PDT)
In-Reply-To: <097b01d40de8$37fdca20$a7f95e60$@gmail.com>
References: <BL0PR0901MB23068D6C3BFEFB11FDCB06B7F0710@BL0PR0901MB2306.namprd09.prod.outlook.com> <08e101d40d50$b5db2610$21917230$@gmail.com> <CADZyTkmEjrr7dtZGP89U6graOwmWs-deM-_GjX+hedxdnvDjuA@mail.gmail.com> <097b01d40de8$37fdca20$a7f95e60$@gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Wed, 27 Jun 2018 11:46:42 -0400
X-Google-Sender-Auth: m1Xm7h5_xFOifcZoqKz2YVzyfEY
Message-ID: <CADZyTkmxzc9JRXAW_Oe9cP+e0JnUoLGNzvwe+oOvdMvP2oQ_6w@mail.gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: IPsecME WG <ipsec@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
Content-Type: multipart/alternative; boundary="00000000000072fdd7056fa1851f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zpzAi7I3nXB-7Lfaok_nQBmd5U0>
Subject: Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-iv-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jun 2018 15:46:52 -0000
Thanks for your comments Valery. The new version [1] has teh two paragraphs in the security consideration. Yours, Daniel [1] https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/ On Wed, Jun 27, 2018 at 3:26 AM, Valery Smyslov <smyslov.ietf@gmail.com> wrote: > HI Daniel, > > > > I still think the “NOT RECOMMENDED” wording is a bit confusing. > > I’d suggest to change this para to be more explicit: > > > > As the IV must not repeat for one SA when Counter-Mode ciphers are > > used, Implicit IV as described in this document MUST NOT be used in > > setups with the chance that the Sequence Number overlaps for one SA. > > Multicast as described in [RFC5374], [RFC6407] and > > [I-D.yeung-g-ikev2] is a prominent example, where many senders share > > one secret and thus one SA. As such, Implicit IV may only be used with > Multicast > > if some mechanisms are employed that prevent Sequence Number to overlap > > for one SA, otherwise Implicit IV MUST NOT be used with Multicast. > > > > Regards, > > Valery. > > > > > > *From:* mglt.ietf@gmail.com [mailto:mglt.ietf@gmail.com] *On Behalf Of *Daniel > Migault > *Sent:* Tuesday, June 26, 2018 9:11 PM > *To:* Valery Smyslov > *Cc:* Waltermire, David A. (Fed); IPsecME WG > *Subject:* Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-iv-04 > > > > Hi Valery, > > > > Thanks for the feedback. Here are the update I propose. If that is fine > for everyone, I will update the current draft and publish a new version. > > > > Yours, > > Daniel > > > > On Tue, Jun 26, 2018 at 9:22 AM, Valery Smyslov <smyslov.ietf@gmail.com> > wrote: > > Hi, > > I reviewed the draft and I believe it is almost ready. However, > I think there still are few issues. > > 1. The last para of section 4 says: > > As the IV MUST NOT repeat for one SA when Counter-Mode ciphers are > used, Implicit IV as described in this document MUST NOT be used in > setups with the chance that the Sequence Number overlaps for one SA. > Multicast as described in [RFC5374], [RFC6407] and > [I-D.yeung-g-ikev2] is a prominent example, where many senders share > one secret and thus one SA. As such, it is NOT RECOMMENDED to use > Implicit IV with Multicast. > > I have three problems with this para. First, I think that this para > should be moved into the Security Considerations section. > > <mglt> > > I am fine having it in the security consideration. Anyone opposed ? > > </mglt> > > > > Second, using RFC 2119 word in the beginning ("As the IV MUST NOT repeat") > seems to be wrong here, since it is not an imperative, it's an explanation > here > (because the preposition "As" is used; note that the draft has already > stated that the > nonce MUST NOT repeat in the beginning of Section 4). > > > > <mglt> > > I think that this address your purpose: > > OLD: > > As the IV MUST NOT repeat for one SA when Counter-Mode ciphers are > used, Implicit IV as described in this document MUST NOT be used in > setups with the chance that the Sequence Number overlaps for one SA. > > NEW > > As the IV must not repeat for one SA when Counter-Mode ciphers are > used, Implicit IV as described in this document MUST NOT be used in > setups with the chance that the Sequence Number overlaps for one SA. > > > > And last (but not least), > I have some trouble following this para, it seems to me that it is > self-contradicting. > First it says that IIV MUST NOT be used if there is a chance that SN > repeats > (which I fully agree with), then it says that multicast is a prominent > example of this situation (i.e. the situation when SN may repeat, which > I fully agree with too) and finally it concludes that for multicast > IIV is NOT RECOMMENDED (i.e. it SHOULD NOT be used). > In other words it is allowed to use IIV for multicast in some > circumstances, > which in my opinion contradicts with earlier MUST NOT. > Either remove the last sentence, or give more explanation > when it is possible to use IIV for multicast. > > <mglt> > > OK I see your point. The reason is mostly that we had a quite long > explanation we removed because we went to the details of a solution we do > not standardize. I suggest we simply mention that some means are deployed. > > > > OLD: > > Multicast as described in [RFC5374], [RFC6407] and > [I-D.yeung-g-ikev2] is a prominent example, where many senders share > one secret and thus one SA. As such, it is NOT RECOMMENDED to use > Implicit IV with Multicast. > > NEW: > > Multicast as described in [RFC5374], [RFC6407] and > [I-D.yeung-g-ikev2] is a prominent example, where many senders share > one secret and thus one SA. As such, it is NOT RECOMMENDED to use > Implicit IV with Multicast, unless deployment specific mechanisms > prevent the IV to repeat are provided. > > </mglt> > > > > > 2. The draft defines IIV for ESP only and forbids to use it for IKEv2. > It was discussed and I believe it is right, but I'd like to see few > words (presumably in the Security Considerations) why IIV > in its current form cannot be used in IKEv2. Something along the lines: > > This document defines three new encryption transforms that use implicit > IV. > Unlike most encryption transforms defined to date, which can be used > for both ESP and IKEv2, these transforms are defined for ESP only and > cannot > be used in IKEv2. The reason is that IKEv2 messages don't contain unique > per-message value, that can be used for IV generation. The Message-ID > field in IKEv2 header is somewhat counterpart of SN field in ESP header, > but recent IKEv2 extensions ([RFC6311], [RFC7383]) do allow it to > repeat, > so there is no an easy way to derive unique IV from IKEv2 header fields. > > > > <mglt> > > I am fine adding the text in the draft. > > </mglt> > > > Regards, > Valery. > > > > This message starts a working group last call (WGLC) on > draft-ietf-ipsecme-implicit-iv-04, which will conclude > > on June 29, 2018 at UTC 23:59. Please review and provide feedback on the > -04 version > > (https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/). > Please indicate if you believe this draft is > > ready for publication or if you have comments that must be addressed > before the draft progresses. > > > > Regards, > > Dave > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > >
- Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-i… Tobias Guggemos
- Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-i… Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-i… Daniel Migault
- Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-i… Valery Smyslov
- Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-i… David Schinazi
- Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-i… Daniel Migault
- Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-i… Waltermire, David A. (Fed)
- [IPsec] WGLC on draft-ietf-ipsecme-implicit-iv-04 Waltermire, David A. (Fed)
- Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-i… Daniel Migault