IETF Logo Mail Archive

Re: [Lwip] [IPsec] Paul Wouters' Discuss on draft-ietf-lwig-minimal-esp-08: (with DISCUSS and COMMENT)

Paul Wouters <paul.wouters@aiven.io> Tue, 19 July 2022 15:47 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FF34C157B59 for <lwip@ietfa.amsl.com>; Tue, 19 Jul 2022 08:47:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YoA_TilSRuBm for <lwip@ietfa.amsl.com>; Tue, 19 Jul 2022 08:47:46 -0700 (PDT)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85366C188736 for <lwip@ietf.org>; Tue, 19 Jul 2022 08:47:41 -0700 (PDT)
Received: by mail-ej1-x634.google.com with SMTP id va17so28039301ejb.0 for <lwip@ietf.org>; Tue, 19 Jul 2022 08:47:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=7G1aweO73Wm+ks2sxBBo7ti1+tJe/rLy8Ty43ej0Y5w=; b=e0CDIDe2OhtZu1TmJ+udR+1kQsd9ngA+YGKHjOZaAwxS3tvxH+/Kpc6f9bx0Msr3vT h3JfFXe2Jevt7/Ut0TBqIzbn7sEOIAC+51DNhvxnUEBRsMJP0Pfnp9PUzNhZeolOres2 h4Flb3VkmZjxagls8ruy93s0Lk9pcPXngRSak=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=7G1aweO73Wm+ks2sxBBo7ti1+tJe/rLy8Ty43ej0Y5w=; b=wvGLzUg1mif1+SI0Qw7TNuqpH6TOceaF6YB4zO5GhirFHD9RYcumv8fiGP/Lae1npX eLqCc6TPhds9bqIk/hjUjbFsNBfCONEueR8rWEQnH/YoBrEQw/0bD79PaGps6SiQKQuG YLh6Knlsb9hvMCMg+V2dSiKBaBK+sNZfsj3y145/fjOkhK64lqlhMbHk6D17U7dx5Chv Yt9A4oqnkQ1hIIbgJAsJqpGa6IYcVD/nI6lUghC4T9P8uUmY0nrzCcFY6FaQ7opLbtvD J4VfUr+LNOdgJjZSi1EhLFJNGaWAQ3ew1Z+I27Ldqdhi9SrDFzGQbfiD5gG2tbogHaZY f+Xg==
X-Gm-Message-State: AJIora+GFSjSx82wB2ACGXW/UQ90DovgBU4MwVnH9kkWePSq2SoaU+WI Ly8pwlGzg3RJv8tPjvh3ntwaOA==
X-Google-Smtp-Source: AGRyM1vDxzc76VaF/S9xe5FazYwS50l/3Bsq7vnR3/rCqy6TxIUa1oU2i//nTsSIHlrKu7kQcGca4g==
X-Received: by 2002:a17:907:7fa9:b0:72f:36fd:ef89 with SMTP id qk41-20020a1709077fa900b0072f36fdef89mr8869593ejc.433.1658245659601; Tue, 19 Jul 2022 08:47:39 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id ec21-20020a0564020d5500b0043ba24a26casm630532edb.23.2022.07.19.08.47.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 Jul 2022 08:47:39 -0700 (PDT)
Date: Tue, 19 Jul 2022 11:47:34 -0400
From: Paul Wouters <paul.wouters@aiven.io>
To: Daniel Migault <mglt.ietf@gmail.com>
cc: The IESG <iesg@ietf.org>, lwip@ietf.org, Mohit Sethi <mohit.m.sethi@ericsson.com>, draft-ietf-lwig-minimal-esp@ietf.org, lwig-chairs@ietf.org, IPsecME WG <ipsec@ietf.org>
In-Reply-To: <CADZyTk=kRGEA3BTMz05uNQbbEgXQT+TTQ0C9-o0FFtK3ny5+oQ@mail.gmail.com>
Message-ID: <a6ce149c-293f-9a46-86a5-964d71fe4b3@nohats.ca>
References: <164919648646.8778.6947253487684946962@ietfa.amsl.com> <CADZyTkkdXs8tJu_J5M_Yb-VC2SbSECLen_igUrGVGtrNFng6QA@mail.gmail.com> <CAGL5yWb5oaridQzFdxoWQdieNxDb=pOB_5sMCBM+HdgCsn_NeA@mail.gmail.com> <CADZyTkk616G+U5323wBXhR35K=FojD2+V_L5UEv-=6Xzz-A4Tw@mail.gmail.com> <CADZyTkkw1h9F9pDrAYgQDOQ-BCwiezocMba4H3WUh9qvavmRYA@mail.gmail.com> <c07734f1-e33c-5aa6-92fd-24938298f3ba@nohats.ca> <CADZyTk=kRGEA3BTMz05uNQbbEgXQT+TTQ0C9-o0FFtK3ny5+oQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1858192029-726460855-1658245658=:61959"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/IbS3YlGZIy7sVr4emNBjl7_gnJ4>
Subject: Re: [Lwip] [IPsec] Paul Wouters' Discuss on draft-ietf-lwig-minimal-esp-08: (with DISCUSS and COMMENT)
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 15:47:50 -0000

On Mon, 18 Jul 2022, Daniel Migault wrote:

>       The limited SPI numbers and rekeying is still not clear to me.
>       We exchanged a few emails but that did not result in me understanding
>       this.
> 
>  
> I am happy to understand what is unclear. I suppose the text you are referring to is the one below - extracted from version 11. 
> 
>    Alternatively, some constrained devices will not implement IKEv2 or
>    Minimal IKEv2 and as such will not be able to manage a roll-over
>    between two distinct SAs.  In addition, some of these constrained
>    devices are also likely to have a limited number of SAs - likely to
>    be indexed over 3 bytes only for example.  One possible way to enable
>    a rekey mechanism with these devices is to use the SPI where for
>    example the first 3 bytes designates the SA while the remaining byte
>    indicates a rekey index.  SPI numbers can be used to implement
>    tracking the inbound SAs when rekeying is taking place.  When
>    rekeying a SPI, the new SPI could use the SPI bytes to indicate the
>    rekeying index.

I don't understand what it is that the devices are trying to do. Both in
terms of saving CPU or energy, and in terms of interpreting bytes of the
protocol. Can you give a full example of a rekey taking place in the
traditional way and in this new way proposed here? Perhaps when I see
that, I can help with modifying the above text to make this process
clear?

>       The sequence number discussion mentions the issue of packets falling
>       out of the receive window. We talked about an IKE option/notify to
>       signal this and during that discussion it also came to light that this
>       protocol is going to be used without IKEv2. This leaves an
>       interoprability unaddressed.
> 
> I do not see any mention of IKE option and SN, but maybe you can refresh my memory.

Without signaling that this is going to use large jumps in the SN, the
other end would drop packets outside of its replay window. If there is
no IKE, how is the peer going to know about this? eg you write:

    Note that standard receivers are generally configured with
    incrementing counters and, if not appropriately configured, the use
    of a significantly larger SN than the previous packet can result in
    that packet falling outside of the peer's receiver window which could
    cause that packet to be discarded.

What you wrote is "this is a problem". Instead, I think you should state
something like "Using time based SN should only be used when it is known
that the remote peer supports this or when it is known that anti-replay
windows are disabled".

> The only IKE option discussion I recall of is an option you propose to
> request the other peer not to send dummy packets - which is primarily out of scope of minimal esp and whose usefulness remains to be proven.   

It was in relation to AEAD security.

I did talk about using IKEv2 to convey some of these recommendations
via IKEv2 so peers can become aware of these instead of the more vague
wording the draft now uses that basically assumes all peers involved
do minimal ESP. It is fine for you not to take up this suggestion.

>       And since this protocol is also meant to run without IKEv2, there is
>       an issue of only recommending AEAD algorithms that rely on IKEv2 for
>       its security properties.
> 
> 
> I do not see the issue associated with AEAD, so can you be a bit more explicit. I do not see what is being provisioned via IKE that cannot be provisioned
> via other means.

Sure, anything IKEv2 provides can be provided in another way. AEAD
normally relies on a protocol to ensure rekeying before a maximum
amount of crypto operations is done, ensures nonces and counters
are never re-used, and the same private key is not re-used when a
device reboots. I can (reluctantly) agree, you don't need to do
anything else in this document for this.

> In addition, I do not see this as an issue if we were mandating AEAD. This is not the case. The document recommends the use of AEAD  as a general
> purpose. I think this is relevant and does not prevent specific cases of not using AEAD. What text would you like to see ?

Recommending or requiring are kind of the same thing with respect to
requirements to comply. As I said, no need to add text for AEAD.

>       Section 6 talks about Dummy packets but the labeling of the header
>       is a bit misleading into thinking the Next Header behaviour is
>       modified. I had suggested the section to be renamed.
> 
> The current title is "6. Next Header (8 bit) and Dummy Packets". The section has been renamed, and I do not see what more needs to be done.

The entire section is ONLY about dummy packets. Which happen to get
indicated by a value contained in the Next Header. I find the title
of the section misleading because it appears to talk about Next Header
in general, especially when it starts talking about that it is a
mandatory field. Again, I'll treat that as a comment and not a blocking
issue, but the section should really just be called "Dummy Packets".

Paul

v2.23.0 | Report a Bug | By Email