IETF Logo Mail Archive

Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-iv-04

Daniel Migault <daniel.migault@ericsson.com> Wed, 27 June 2018 15:46 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12981130FC7 for <ipsec@ietfa.amsl.com>; Wed, 27 Jun 2018 08:46:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ua0iK9o4RTIQ for <ipsec@ietfa.amsl.com>; Wed, 27 Jun 2018 08:46:45 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0B7130E93 for <ipsec@ietf.org>; Wed, 27 Jun 2018 08:46:44 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id t7-v6so2024030ljj.6 for <ipsec@ietf.org>; Wed, 27 Jun 2018 08:46:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=iGTAq/auIgO2kEXyUJfoculWC+UiFN9uC47HRdVnrNs=; b=EqZoQH1MQg8QTuLR72Zr5RBXrcJ0G51KES6q5O7J4AJYpgoCBPIFjAJ5IwiKmF2dQK JhhIIrbAMwEw6BffC95F0ESohHYXoq1VPTUkQl563+xN68aPrpzeOj9BRhYhHJImGGxp PW/+nAniuRdmLvt66lWOxtn1UCwL1euo7mRhpaBwpb7hLHYQHTu/FlMrskKcot1vFS1t LsNtfGfEm/aVRsClbo17GZXca/zNgIw8Q/zhnGCvXiziBFWiGxeGY4D/cny9lJvSC7uT fk4BYlyJQNVTWqwsBQdiuQAWxwlmBDzDvAtTRErup4SyhvRXLPTVosttSwPtHVL/67+p SVRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=iGTAq/auIgO2kEXyUJfoculWC+UiFN9uC47HRdVnrNs=; b=AmAlR9zdgphQwxizfK4VQVPQVK04A4Vk1OmrmRERKGvsxVH1t8cgTADbzNfxtzSRFd LOuRkhac7F2AgN13ts/jo8GJlUSMpKAo6dkLXAxoXiVafEZITu2j1QTjkuhV0JCYTlOJ IcRXZKuyboJY5G03F2IiCDNucyX3a7LVNyrxAb343sbnOES9uDi/gD2sl/pl9e3gGGQv 3RpYwmEc3WErjn6uvd75tb1lSRNDUWVUS3JX/4VAvA47vCAWtp2Frq28Hj28xu2W/a5l GTttgULxcvW7C61XTceGkUoGUixariaJvZIWHyEJDY0cbPG5n/8xmoT9Mdzf2M75lkOQ N89g==
X-Gm-Message-State: APt69E2+u39Z3BX8KHDmj7DepyzHNELa+hjhMltvhl5MvgJzRAiRE5p8 UBc5IAegi8nXk/MqIGnfiV9xGTj5ROM3DL/GkWA=
X-Google-Smtp-Source: AAOMgpc5DPsneFTFUg58Khw4Dba2zdAPtfbqTRW+S+wwuzB5F3TJVwPQcCMDazFQzq4hOo1EJ7+bBqPsZC8pbtLjvEA=
X-Received: by 2002:a2e:500d:: with SMTP id e13-v6mr4376873ljb.70.1530114402875; Wed, 27 Jun 2018 08:46:42 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 2002:a2e:4281:0:0:0:0:0 with HTTP; Wed, 27 Jun 2018 08:46:42 -0700 (PDT)
In-Reply-To: <097b01d40de8$37fdca20$a7f95e60$@gmail.com>
References: <BL0PR0901MB23068D6C3BFEFB11FDCB06B7F0710@BL0PR0901MB2306.namprd09.prod.outlook.com> <08e101d40d50$b5db2610$21917230$@gmail.com> <CADZyTkmEjrr7dtZGP89U6graOwmWs-deM-_GjX+hedxdnvDjuA@mail.gmail.com> <097b01d40de8$37fdca20$a7f95e60$@gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Wed, 27 Jun 2018 11:46:42 -0400
X-Google-Sender-Auth: m1Xm7h5_xFOifcZoqKz2YVzyfEY
Message-ID: <CADZyTkmxzc9JRXAW_Oe9cP+e0JnUoLGNzvwe+oOvdMvP2oQ_6w@mail.gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: IPsecME WG <ipsec@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
Content-Type: multipart/alternative; boundary="00000000000072fdd7056fa1851f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zpzAi7I3nXB-7Lfaok_nQBmd5U0>
Subject: Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-iv-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jun 2018 15:46:52 -0000

Thanks for your comments Valery. The new version [1] has teh two paragraphs
in the security consideration.
Yours,
Daniel

[1] https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/

On Wed, Jun 27, 2018 at 3:26 AM, Valery Smyslov <smyslov.ietf@gmail.com>
wrote:

> HI Daniel,
>
>
>
> I still think the “NOT RECOMMENDED” wording is a bit confusing.
>
> I’d suggest to change this para to be more explicit:
>
>
>
>    As the IV must not repeat for one SA when Counter-Mode ciphers are
>
>    used, Implicit IV as described in this document MUST NOT be used in
>
>    setups with the chance that the Sequence Number overlaps for one SA.
>
>    Multicast as described in [RFC5374], [RFC6407] and
>
>    [I-D.yeung-g-ikev2] is a prominent example, where many senders share
>
>    one secret and thus one SA.  As such, Implicit IV may only be used with
> Multicast
>
>    if some mechanisms are employed that prevent Sequence Number to overlap
>
>    for one SA, otherwise Implicit IV MUST NOT be used with Multicast.
>
>
>
> Regards,
>
> Valery.
>
>
>
>
>
> *From:* mglt.ietf@gmail.com [mailto:mglt.ietf@gmail.com] *On Behalf Of *Daniel
> Migault
> *Sent:* Tuesday, June 26, 2018 9:11 PM
> *To:* Valery Smyslov
> *Cc:* Waltermire, David A. (Fed); IPsecME WG
> *Subject:* Re: [IPsec] WGLC on draft-ietf-ipsecme-implicit-iv-04
>
>
>
> Hi Valery,
>
>
>
> Thanks for the feedback. Here are the update I propose. If that is fine
> for everyone, I will update the current draft and publish a new version.
>
>
>
> Yours,
>
> Daniel
>
>
>
> On Tue, Jun 26, 2018 at 9:22 AM, Valery Smyslov <smyslov.ietf@gmail.com>
> wrote:
>
> Hi,
>
> I reviewed the draft and I believe it is almost ready. However,
> I think there still are few issues.
>
> 1. The last para of section 4 says:
>
>    As the IV MUST NOT repeat for one SA when Counter-Mode ciphers are
>    used, Implicit IV as described in this document MUST NOT be used in
>    setups with the chance that the Sequence Number overlaps for one SA.
>    Multicast as described in [RFC5374], [RFC6407] and
>    [I-D.yeung-g-ikev2] is a prominent example, where many senders share
>    one secret and thus one SA.  As such, it is NOT RECOMMENDED to use
>    Implicit IV with Multicast.
>
> I have three problems with this para. First, I think that this para
> should be moved into the Security Considerations section.
>
> <mglt>
>
> I am fine having it in the security consideration. Anyone opposed ?
>
> </mglt>
>
>
>
> Second, using RFC 2119 word in the beginning ("As the IV MUST NOT repeat")
> seems to be wrong here, since it is not an imperative, it's an explanation
> here
> (because the preposition "As" is used; note that the draft has already
> stated that the
> nonce MUST NOT repeat in the beginning of Section 4).
>
>
>
> <mglt>
>
> I think that this address your purpose:
>
> OLD:
>
>    As the IV MUST NOT repeat for one SA when Counter-Mode ciphers are
>    used, Implicit IV as described in this document MUST NOT be used in
>    setups with the chance that the Sequence Number overlaps for one SA.
>
> NEW
>
>    As the IV must not repeat for one SA when Counter-Mode ciphers are
>    used, Implicit IV as described in this document MUST NOT be used in
>    setups with the chance that the Sequence Number overlaps for one SA.
>
>
>
> And last (but not least),
> I have some trouble following this para, it seems to me that it is
> self-contradicting.
> First it says that IIV MUST NOT be used if there is a chance that SN
> repeats
> (which I fully agree with), then it says that multicast is a prominent
> example of this situation (i.e. the situation when SN may repeat, which
> I fully agree with too) and finally it concludes that for multicast
> IIV is NOT RECOMMENDED (i.e. it SHOULD NOT be used).
> In other words it is allowed to use IIV for multicast in some
> circumstances,
> which in my opinion contradicts with earlier MUST NOT.
> Either remove the last sentence, or give more explanation
> when it is possible to use IIV for multicast.
>
> <mglt>
>
> OK I see your point. The reason is mostly that we had a quite long
> explanation we removed because we went to the details of a solution we do
> not standardize. I suggest we simply mention that some means are deployed.
>
>
>
> OLD:
>
>    Multicast as described in [RFC5374], [RFC6407] and
>    [I-D.yeung-g-ikev2] is a prominent example, where many senders share
>    one secret and thus one SA.  As such, it is NOT RECOMMENDED to use
>    Implicit IV with Multicast.
>
> NEW:
>
>    Multicast as described in [RFC5374], [RFC6407] and
>    [I-D.yeung-g-ikev2] is a prominent example, where many senders share
>    one secret and thus one SA.  As such, it is NOT RECOMMENDED to use
>    Implicit IV with Multicast, unless deployment specific mechanisms
> prevent the IV to repeat are provided.
>
> </mglt>
>
>
>
>
> 2. The draft defines IIV for ESP only and forbids to use it for IKEv2.
> It was discussed and I believe it is right, but I'd like to see few
> words (presumably in the Security Considerations) why IIV
> in its current form cannot be used in IKEv2. Something along the lines:
>
>   This document defines three new encryption transforms that use implicit
> IV.
>   Unlike most encryption transforms defined to date, which can be used
>    for both ESP and IKEv2, these transforms are defined for ESP only and
> cannot
>    be used in IKEv2. The reason is that IKEv2 messages don't contain unique
>    per-message value, that can be used for IV generation. The Message-ID
>    field in IKEv2 header is somewhat counterpart of SN field in ESP header,
>    but recent IKEv2 extensions ([RFC6311], [RFC7383]) do allow it to
> repeat,
>    so there is no an easy way to derive unique IV from IKEv2 header fields.
>
>
>
> <mglt>
>
> I am fine adding the text in the draft.
>
> </mglt>
>
>
> Regards,
> Valery.
>
>
> > This message starts a working group last call (WGLC) on
> draft-ietf-ipsecme-implicit-iv-04, which will conclude
> > on June 29, 2018 at UTC 23:59. Please review and provide feedback on the
> -04 version
> > (https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/).
> Please indicate if you believe this draft is
> > ready for publication or if you have comments that must be addressed
> before the draft progresses.
> >
> > Regards,
> > Dave
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>

v2.23.0 | Report a Bug | By Email