IETF Logo Mail Archive

Re: [Last-Call] Genart last call review of draft-ietf-ipsecme-ikev2-multiple-ke-07

Russ Housley <housley@vigilsec.com> Fri, 21 October 2022 13:28 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0566C14F74D; Fri, 21 Oct 2022 06:28:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bWAhamKzG5pY; Fri, 21 Oct 2022 06:28:28 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94C6EC14CE23; Fri, 21 Oct 2022 06:28:28 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 45C791216B9; Fri, 21 Oct 2022 09:28:27 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 1C74D1216B7; Fri, 21 Oct 2022 09:28:27 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <4BED39D5-ED56-4B11-ACE4-6BB2A001AF92@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FADC6B96-E58A-4F05-96F8-752BE4294924"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Fri, 21 Oct 2022 09:28:26 -0400
In-Reply-To: <CANs=h-WKE5ATA3uMiLHW3xPn5nkj1N8H1iqJnCVq0+qs0KSDjg@mail.gmail.com>
Cc: Valery Smyslov <svan@elvis.ru>, IETF Gen-ART <gen-art@ietf.org>, draft-ietf-ipsecme-ikev2-multiple-ke.all@ietf.org, IETF IPsec <ipsec@ietf.org>, last-call@ietf.org
To: CJ Tjhai <cjt=40post-quantum.com@dmarc.ietf.org>
References: <166577542836.23178.15233206545328915936@ietfa.amsl.com> <CANs=h-WKE5ATA3uMiLHW3xPn5nkj1N8H1iqJnCVq0+qs0KSDjg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.09 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/1x8hlHpWCJ7lle_RpkEOCwCmuWM>
Subject: Re: [Last-Call] Genart last call review of draft-ietf-ipsecme-ikev2-multiple-ke-07
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 13:28:32 -0000

These changes resolve me comments.

Russ

> On Oct 21, 2022, at 2:48 AM, CJ Tjhai <cjt=40post-quantum.com@dmarc.ietf.org> wrote:
> 
> Hi Russ,
> 
> Many thanks for the review of our document. Please see our comments inline below. The updated version of the draft is available here: https://github.com/post-quantum/ietf-pq-ikev2/blob/master/draft-ietf-ipsecme-ikev2-multiple-ke-00.xml <https://github.com/post-quantum/ietf-pq-ikev2/blob/master/draft-ietf-ipsecme-ikev2-multiple-ke-00.xml>
> 
> Best regards,
> CJ and Valery
> 
> On Fri, 14 Oct 2022 at 20:24, Russ Housley via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
> Reviewer: Russ Housley
> Review result: Almost Ready
> 
> [ snip ] 
>  
> Minor Concerns:
> 
> Section 1.2 says:
> 
>    The secrets established from each key exchange are combined in a way
>    such that should the post-quantum secrets not be present, the derived
>    shared secret is equivalent to that of the standard IKEv2; on the
>    other hand, a post-quantum shared secret is obtained if both
>    classical and post-quantum key exchange data are present.
> 
> What is "post-quantum key exchange data"?
> 
> I am not sure what this is is really trying to tell me.  I think it is
> trying to make three points.  First, the shared secret is based on all of
> the key exchange mechanisms that are employed.  Second, when one
> traditional key exchange mechanism is employed, the result is compatible
> with IKEv2 as it is used today.  Third, the result is post-quantum safe,
> when classical and a post-quantum key exchange mechanisms are used
> together.  Please reword to be more clear.  Further, I suggest that
> the discussion of Child SAs be in a separate paragraph.
> 
> 
> We have changed that paragraph to the following:
> 
>    IKE peers perform multiple successive key exchanges to establish an
>    IKE Security Association (SA).  Each exchange produces a piece of
>    secret and these secrets are combined in a way such that:
> 
>    (a)  the final shared secret is computed from all of the component
>         key exchange secret;
> 
>    (b)  the shared secret as specified in [RFC7296] is obtained unless
>         both peers support and agree to use the additional key exchanges
>         introduced in this specification; and
> 
>    (c)  if any of the component key exchange method is a post-quantum
>         algorithm, the final shared secret is post-quantum secure.
> 
>  
> Section 1.2 says:
> 
>    The IKE SK_* values are updated after each exchange, and so
>    the final IKE SA keys depend on all the key exchanges, hence they are
>    secure if any of the key exchanges are secure.
> 
> I wondered what was meant by "secure", then I learned the answer in
> Section 2.  I think a forward pointer will help future readers.
> 
> 
> Yep, good idea. We have added a forward pointer to Section 3.2.2.
>  
> Section 3.1 says:
> 
>    Note that this document assumes, that each key exchange method
>    requires one round trip and consumes exactly one IKE_INTERMEDIATE
>    exchange.  This assumption is valid for all classic key exchange
>    methods defined so far and for all post-quantum methods currently
>    known.  For hypothetical future key exchange methods requiring
>    multiple round trips to complete, a separate document should define
>    how such methods are split into several IKE_INTERMEDIATE exchanges.
> 
> I suggest this go much earlier in Section 3.1.  It really is a very
> basic design constraint.
> 
> 
> Agreed. We have moved this paragraph further up in Section 3.1.
>  
> 
> Nits:
> 
> Section 3.1: s/IKE; however, that can/IKE; however, IKE_INIT messages can/
> 
> Section 3.2.2 says:
> 
>    (derived from the previous IKE_INTERMEDIATE
>    exchange, or the IKE_SA_INIT if there have not already been any
>    IKE_INTERMEDIATE exchanges)
> 
> I suggest:
> 
>    (derived IKE_SA_INIT for the first use of IKE_INTERMEDIATE,
>    otherwise from the previous IKE_INTERMEDIATE exchange)
> 
> 
> Thanks, we have changed them accordingly.
>   
> 
> Note:
> 
> I did not review the Appendix.
> 
> 
> 
> 
> PQ Solutions Limited (trading as ‘Post-Quantum’) is a private limited company incorporated in England and Wales with registered number 06808505.
>  
> This email is meant only for the intended recipient. If you have received this email in error, any review, use, dissemination, distribution, or copying of this email is strictly prohibited. Please notify us immediately of the error by return email and please delete this message from your system. Thank you in advance for your cooperation.
> 
> For more information about Post-Quantum, please visit www.post-quantum.com <http://www.post-quantum.com/>.
> 
> In the course of our business relationship, we may collect, store and transfer information about you. Please see our privacy notice at www.post-quantum.com/privacy-policy/ <http://www.post-quantum.com/privacy-policy/> to learn about how we use this information.
> -- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call

v2.23.0 | Report a Bug | By Email