IETF Logo Mail Archive

[lisp] Review of draft-ietf-lisp-crypto-00

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 23 March 2015 20:06 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EC871B29E6 for <lisp@ietfa.amsl.com>; Mon, 23 Mar 2015 13:06:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yo4kcQGcs_9h for <lisp@ietfa.amsl.com>; Mon, 23 Mar 2015 13:05:57 -0700 (PDT)
Received: from emh01.mail.saunalahti.fi (emh01.mail.saunalahti.fi [62.142.5.107]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87D721ACE6F for <lisp@ietf.org>; Mon, 23 Mar 2015 13:05:56 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh01.mail.saunalahti.fi (Postfix) with ESMTP id 5196090013 for <lisp@ietf.org>; Mon, 23 Mar 2015 22:05:53 +0200 (EET)
Date: Mon, 23 Mar 2015 22:05:53 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: lisp@ietf.org
Message-ID: <20150323200553.GA22156@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/lisp/ZOJKT2qj0KIvTlRLOnxFRj58dsU>
Subject: [lisp] Review of draft-ietf-lisp-crypto-00
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 20:06:00 -0000


> 4.  Encoding and Transmitting Key Material
> 
>    The Diffie-Hellman key material is transmitted in Map-Request and
>    Map-Reply messages.  Diffie-Hellman parameters are encoded in the
>    LISP Security Type LCAF [LCAF].
> 
>      0                   1                   2                   3
>      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |           AFI = 16387         |     Rsvd1     |     Flags     |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |   Type = 11   |      Rsvd2    |             6 + n             |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |   Key Count   |      Rsvd3    | Key Algorithm |   Rsvd4     |R|
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |           Key Length          |       Key Material ...        |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |                        ... Key Material                       |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |              AFI = x          |       Locator Address ...     |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> 
>           Diffie-Hellman parameters encoded in Key Material field
> 
>    The 'Key Count' field encodes the number of {'Key-Length', 'Key-
>    Material'} fields included in the encoded LCAF.  A maximum number of
>    keys that can be encoded are 3 keys, each identified by key-id 1,
>    followed by key-id 2, an finally key-id 3.
> 
>    The 'R' bit is not used for this use-case of the Security Type LCAF
>    but is reserved for [LISP-DDT] security.
> 
>    The 'Key Algorithm' encodes the cryptographic algorithm used.  The
>    following values are defined:
> 
> 
> 
> 
> 
> Farinacci                 Expires July 16, 2015                 [Page 4]
> 
> Internet-Draft       LISP Data-Plane Confidentiality        January 2015
> 
> 
>    Null:        0
>    Group-ID:    1
>    AES:         2
>    3DES:        3
>    SHA-256:     4

These don't look to be of the same type? And 3DES in 2015? If you want
serious backup for AES, there is Chacha20.

Also, one can't encrypt data with AES, one also needs mode for it.

Basically, for encryption strapped on top of DH, you need:

- (EC)DH group (or monoid)
- Hash function to use for key derivation.
- AEAD cipher.

>    When the 'Key Algorithm' value is 1 (Group-ID), the 'Key Material'
>    field is encoded as:
> 
>      0                   1                   2                   3
>      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |                          Group ID                             |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |                         Public Key ...                        |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> 
>              Points to Key Material values from IANA Registry
> 
>    The Group-ID values are defined in [RFC2409] and [RFC3526] which
>    describe the Diffie Hellman parameters used for key exchange.

All the groups from RFC 2409 and the lowest from RFC 3526 look too
weak for modern use.

This might also be a good place to stick ECDH groups. Those would do
really nice things to the MTU:

- CFRG basic ECDH: 32 bytes/key
- CFRG high-security ECDH: 56 bytes/key
- ECDH "stratospheric" level: 66 bytes/key
- DH basic: 256 bytes/key.

And that "high-security ECDH" is considered stronger than even
IKE group 18 (1024 bytes/key!). And "stratospheric" is so big that
finding bigger curves is pretty difficult.


Also, if this one is selected, what will be the symmetric cipher?

>    When the 'Key Algorithm' value is not 1 (Group-ID), the 'Key
>    Material' field is encoded as:
> 
>      0                   1                   2                   3
>      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |    g-length   |              g-value ...                      |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |    p-length   |              p-value ...                      |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |                         Public Key ...                        |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> 
>          Key Length describes the length of the Key Material field

What is the difference of AES vs. 3DES vs SHA256 here?


> 7.  Future Work

<this seems to be about crypto improvements>

What I think should be done about crypto:
- Actually specify how algorithm negotiation is supposed to work (I
  can't make heads or tails about that)
- Always use authenticated encryption (algorithms like AES-GCM and
  Chacha20-Poly1305), and also authenticate at least some of the LISP
  headers (those that aren't supposed to change)[1].
- Swap out 3DES for something more serious.
- Support ECDH, including modern Montgomery-curve ECDH (for stronger
  key exchange & smaller keys).
- Hash the map-request/map-reply packets into the encryption key
  computation[2], along with the DH result.



[1] IPSec ESP can be broken if no authentication is used.

[2] TLS didn't use to do this. Caused security issues.


-Ilari

v2.23.0 | Report a Bug | By Email