Re: [Last-Call] Genart last call review of draft-ietf-ipsecme-ikev2-multiple-ke-07
CJ Tjhai <cjt@post-quantum.com> Fri, 21 October 2022 06:48 UTC
Return-Path: <cjt@post-quantum.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CAB7C152586 for <last-call@ietfa.amsl.com>; Thu, 20 Oct 2022 23:48:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=post-quantum-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CgPkepMAUxIN for <last-call@ietfa.amsl.com>; Thu, 20 Oct 2022 23:48:21 -0700 (PDT)
Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1584FC1524B5 for <last-call@ietf.org>; Thu, 20 Oct 2022 23:48:21 -0700 (PDT)
Received: by mail-pg1-x52f.google.com with SMTP id r18so1723384pgr.12 for <last-call@ietf.org>; Thu, 20 Oct 2022 23:48:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=post-quantum-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VUmjSth/FuV3mG/pULGvxvyPz3cWPLutUBp9KX+c/tk=; b=5E4OTgVbt620MecG8XFnj6DhHasKpiRIETU1xcis9twMy86lzjYZXKDtUfu7sHzKaa ejTRb60z5mwaDjTNjH2DwrOIlU0bQA7L64WGm/UXuT0AD9Kt9+YvIGxRVJRVZoQvXqm2 7Iq6rJiPAuEYKosPaksTTJXGpE/nWDzqbSLQ6IgIB4MsORIIVLFwQGuNeDbK92reFaYS SJr+HojWY6JaBJIHCLkg3GxHkZVx2ihD2BvkqNEMHgjcJSxkMhzpDjnesLO9oD4h3kr4 6aX9dCIz/aFRoLDlUBdPKnHBrZxD/dexD7XPRaYRQOuTd4S2UIQzZf+r5MgJTIn1Ybro SNQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VUmjSth/FuV3mG/pULGvxvyPz3cWPLutUBp9KX+c/tk=; b=G7oRJ61S1xMNMXBkoM+Mbs+Gv9uNJ8gced7FrNRbPQ+gQu3nX+sUom9vRHFOJMy8Fu YIR3/97XmuSZURrfwLQ6/iac7uvuLTFUzCP40assZLwsA6zN88J6drannbgeDbr7JI0q g8ekxXletSNPsogEN6CaedcGYc06f0FrXyAmfFXmIZ9PjN1M/WEsNY9rX8/4GcQFyd5I 3DWVjwOOjm3DPbC6A3as2HFTrYJodpY1wcM/UyfVHCKgiAzJMPYL2vVVbxbEUvePsA7Z euQuPgPP4Df59fyPUwz0P27b32GIy3U39m7fOF1DKAb4YnSuKm3nB30KywakCSYK6Enk +Eqw==
X-Gm-Message-State: ACrzQf3pl/mslv5r09wcM4G/5r12vndmLj82C94HEBD7Nv22BDQqY3wA uPArtbVWlkFr8nKVRmF60J40CdbGqXdyfhimdtjDHfVOlrz7sWWDefMgYYXe+lqXM5E/xbTZslS wym3GVTLl9r93mSuPtpTF
X-Google-Smtp-Source: AMsMyM5HQXFtaYIcTwQ0+zEeiAlHP3V2U4v+ilZqIfNGCL60jfiQet/L/3J6IplKmjKGl3HmqBZpaJc68/ZAy/0m7zM=
X-Received: by 2002:a05:6a00:1149:b0:53e:62c8:10bc with SMTP id b9-20020a056a00114900b0053e62c810bcmr17569463pfm.49.1666334899976; Thu, 20 Oct 2022 23:48:19 -0700 (PDT)
MIME-Version: 1.0
References: <166577542836.23178.15233206545328915936@ietfa.amsl.com>
In-Reply-To: <166577542836.23178.15233206545328915936@ietfa.amsl.com>
From: CJ Tjhai <cjt@post-quantum.com>
Date: Fri, 21 Oct 2022 07:48:08 +0100
Message-ID: <CANs=h-WKE5ATA3uMiLHW3xPn5nkj1N8H1iqJnCVq0+qs0KSDjg@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Valery Smyslov <svan@elvis.ru>, gen-art@ietf.org, draft-ietf-ipsecme-ikev2-multiple-ke.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ca56bd05eb85d31f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/vghxJq_J5wAiL7sRKytb4MZzFFA>
Subject: Re: [Last-Call] Genart last call review of draft-ietf-ipsecme-ikev2-multiple-ke-07
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 06:48:26 -0000
Hi Russ, Many thanks for the review of our document. Please see our comments inline below. The updated version of the draft is available here: https://github.com/post-quantum/ietf-pq-ikev2/blob/master/draft-ietf-ipsecme-ikev2-multiple-ke-00.xml Best regards, CJ and Valery On Fri, 14 Oct 2022 at 20:24, Russ Housley via Datatracker <noreply@ietf.org> wrote: > Reviewer: Russ Housley > Review result: Almost Ready > > [ snip ] > > Minor Concerns: > > Section 1.2 says: > > The secrets established from each key exchange are combined in a way > such that should the post-quantum secrets not be present, the derived > shared secret is equivalent to that of the standard IKEv2; on the > other hand, a post-quantum shared secret is obtained if both > classical and post-quantum key exchange data are present. > > What is "post-quantum key exchange data"? > > I am not sure what this is is really trying to tell me. I think it is > trying to make three points. First, the shared secret is based on all of > the key exchange mechanisms that are employed. Second, when one > traditional key exchange mechanism is employed, the result is compatible > with IKEv2 as it is used today. Third, the result is post-quantum safe, > when classical and a post-quantum key exchange mechanisms are used > together. Please reword to be more clear. Further, I suggest that > the discussion of Child SAs be in a separate paragraph. > > We have changed that paragraph to the following: IKE peers perform multiple successive key exchanges to establish an IKE Security Association (SA). Each exchange produces a piece of secret and these secrets are combined in a way such that: (a) the final shared secret is computed from all of the component key exchange secret; (b) the shared secret as specified in [RFC7296] is obtained unless both peers support and agree to use the additional key exchanges introduced in this specification; and (c) if any of the component key exchange method is a post-quantum algorithm, the final shared secret is post-quantum secure. > Section 1.2 says: > > The IKE SK_* values are updated after each exchange, and so > the final IKE SA keys depend on all the key exchanges, hence they are > secure if any of the key exchanges are secure. > > I wondered what was meant by "secure", then I learned the answer in > Section 2. I think a forward pointer will help future readers. > > Yep, good idea. We have added a forward pointer to Section 3.2.2. > Section 3.1 says: > > Note that this document assumes, that each key exchange method > requires one round trip and consumes exactly one IKE_INTERMEDIATE > exchange. This assumption is valid for all classic key exchange > methods defined so far and for all post-quantum methods currently > known. For hypothetical future key exchange methods requiring > multiple round trips to complete, a separate document should define > how such methods are split into several IKE_INTERMEDIATE exchanges. > > I suggest this go much earlier in Section 3.1. It really is a very > basic design constraint. > > Agreed. We have moved this paragraph further up in Section 3.1. > > Nits: > > Section 3.1: s/IKE; however, that can/IKE; however, IKE_INIT messages can/ > > Section 3.2.2 says: > > (derived from the previous IKE_INTERMEDIATE > exchange, or the IKE_SA_INIT if there have not already been any > IKE_INTERMEDIATE exchanges) > > I suggest: > > (derived IKE_SA_INIT for the first use of IKE_INTERMEDIATE, > otherwise from the previous IKE_INTERMEDIATE exchange) > > Thanks, we have changed them accordingly. > > Note: > > I did not review the Appendix. > > > > -- PQ Solutions Limited (trading as ‘Post-Quantum’) is a private limited company incorporated in England and Wales with registered number 06808505. This email is meant only for the intended recipient. If you have received this email in error, any review, use, dissemination, distribution, or copying of this email is strictly prohibited. Please notify us immediately of the error by return email and please delete this message from your system. Thank you in advance for your cooperation. For more information about Post-Quantum, please visit www.post-quantum.com <http://www.post-quantum.com>. In the course of our business relationship, we may collect, store and transfer information about you. Please see our privacy notice at www.post-quantum.com/privacy-policy/ <http://www.post-quantum.com/privacy-policy/> to learn about how we use this information.
- [Last-Call] Genart last call review of draft-ietf… Russ Housley via Datatracker
- Re: [Last-Call] Genart last call review of draft-… CJ Tjhai
- Re: [Last-Call] Genart last call review of draft-… Russ Housley