Re: [Lwip] Review of draft-ietf-lwig-minimal-esp-00

Daniel Migault <daniel.migault@ericsson.com> Tue, 03 December 2019 13:22 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2701F12002E; Tue, 3 Dec 2019 05:22:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pncR0c_2FgbR; Tue, 3 Dec 2019 05:21:59 -0800 (PST)
Received: from mail-vs1-f52.google.com (mail-vs1-f52.google.com [209.85.217.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EA0D120019; Tue, 3 Dec 2019 05:21:59 -0800 (PST)
Received: by mail-vs1-f52.google.com with SMTP id p21so2308514vsq.6; Tue, 03 Dec 2019 05:21:59 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jrkIUF4c5NCWFUwvueHAmgb46y1wjXsoS0sbNsjmYF4=; b=g3IQe1zgIoFK6ef1A1o1dAQoVOIfynnw4o35WJE9lINB6p1CFU7gcv1wVGxnMaCY33 x0Jwdz25hHrXexr7gTyABoLcFQwDO3vSJaXpC6nHGcl2CQZ3RnNfS0mtaWnnlzF6JEB1 yEse7goxOpSynnmAAB9xSBZ3gMTtFp6E6WZHcXa7r0YfhTH0WWxyzqg2beR5JuS3HI3G UyvmUmN/4LybdThRnpuMu3VfdZAqTUZcx2cBefA9AMd2FQbXR78MXXF3kqoIrqVPrwCj PAMkBJsUu5E2ZFliCIh/k/tyg7Vkh0TsyQJvGYRhwmyeUnHCIiVB/kn21UwqDy9oI7wU VKaQ==
X-Gm-Message-State: APjAAAUHSfUvRU0K8ATBbLg+BBsBaPusc3QHEw3ZuLWIU2SJARnnWjqV UffGnz0ZAP7cA4gQ/tMgtK5n/iRGV22es0Ftyb8=
X-Google-Smtp-Source: APXvYqyeLR4Y8ISKX4MjXyRhTb2ETzKm+PGD2Jf01PGplrElN10I0Qga8/hBWL0SxeqaxoomvxpN4mfkM/Ks35u9R5U=
X-Received: by 2002:a67:ead6:: with SMTP id s22mr2682754vso.69.1575379318298; Tue, 03 Dec 2019 05:21:58 -0800 (PST)
MIME-Version: 1.0
References: <060501d5a9da$b8552490$28ff6db0$@gmail.com>
In-Reply-To: <060501d5a9da$b8552490$28ff6db0$@gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Tue, 03 Dec 2019 08:21:47 -0500
Message-ID: <CADZyTkn6qaNs==afieUhZys2X9pbDh3ij09Q30Y9Kzv21GHs4A@mail.gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: Tobias Guggemos <tobias.guggemos@outlook.com>, lwip@ietf.org, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a75fc50598cc9408"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/mqxocZY5YA7qZ2cGNsUMehJlJLc>
Subject: Re: [Lwip] Review of draft-ietf-lwig-minimal-esp-00
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2019 13:22:01 -0000

Thank you Valery for the detailed review. That is really much appreciated.
We will update the document accordingly by the next few weeks also
considering the feed backs from Scott.

Yours,
Daniel

On Tue, Dec 3, 2019 at 8:08 AM Valery Smyslov <smyslov.ietf@gmail.com>
wrote:

> Hi,
>
> I reviewed draft-ietf-lwig-minimal-esp-00. In general I think that the
> document
> provides useful guidelines on how ESP can be implemented on constrained
> devices.
>
> General comment: the draft uses RFC2119 requirement language in several
> places,
> and it is not always clear whether it is just a repetition of the RFC4301
> requirements
> or a new requirement imposed by this document. In general, I think it's
> better not to include
> the existing RFC4301/4303 requirements in the draft or make it absolutely
> clear that these are not
> new requirements if you need to mention them (adding a reference to a
> corresponding section
> in the RFCs).
>
> Another general comment: sections 3-7 discuss how the corresponding ESP
> packet fields
> can be tweaked to deal with low resource devices. I think that for the
> sake of clarity
> the suggested measures must be summarized in each of these sections.
> Currently
> these sections contain quite a lot of discussion and no clear conclusions
> what
> is OK to do and in what situations. I think document will be more clear if
> such
> conclusions are put at the end of each section (currently some advises are
> spread
> over them).
>
>
> Specific comments:
>
> Section 3.
>
>    When fix SPI are used,
>    it is RECOMMENDED the constraint node has as many SPI values as ESP
>    session per host IP address, and that SA lookup includes the IP
>    addresses.
>
> This is probably wrong if we take into considerations that SA may be
> rekeyed.
> Some words should be added either prohibiting rekeying ESP SAs in this case
> or discussing that in case of rekey one will consume additional SPI values
> for in fact the same SA.
>
>    When used indoor, the privacy information is stored in the encrypted
>    data and as such does not leak privacy.
>
> I cannot parse this :-)
>
>    Such packet will not be rejected due to an SPI mismatch, but instead
>    after the signature check which requires more resource and thus make
>    DoS more efficient, especially for devices powered by batteries.
>
> I think this a very good argument against fixed (predictable) SPIs.
> In fact, after reading through this section it seems to me that the
> conclusion must be - predictable (fixed) SPIs SHOULD NOT be used.
>
>    Values 0-255 SHOULD NOT be used.
>
> I believe these values MUST NOT be used with IPsec ESP, no?
> Why "SHOULD NOT"? The values from this range are reserved
> for other protocols utilizing ESP (e.g. SPI (1) was used in SKIP).
>
> Section 4.
>
> I see no discussion regarding using ESN. I think there is generally no
> point
> to use ESN for constrained devices, but it can be useful if clock is used
> to generate (E)SN, as suggested in the draft. In this case 64-bit numbers
> can make sure that no two packets will be sent with the same ESN
> (provided the clock has high resolution).
>
> Section 5.
>
>    The purpose of padding is to respect the 32 bit alignment of ESP.
>
> It is not an accurate statement, the padding is also used when encryption
> transform requires the input to be a multiple of some number of bytes.
> Many modern transforms (based on GCM, CCM, CTR modes) don't have such
> a requirement, but some (e.g. based on CBC mode) do have.
>
> Section 6.
>
>    For interoperability, it is RECOMMENDED a minimal ESP
>    implementation discards dummy packets.
>
> I'm puzzled by this sentence. What else can the receiver do with dummy
> packets other than discard? RFC4303 leaves him only this option :-)
>
>
> Nits:
> Throughout the text:
> s/fix SPI/fixed SPI
> s/constraint node/constrained node
> s/algorythm/algorithm
>
> Section 2:
>
> s/IPsec suite protocol/IPsec protocol suite
>
> Section 3:
>
>    However, for some constraint nodes, generating a random SPI may
>    consume to much resource, in which case SPI can be generated using
>    predictable functions or even a fix value.
>
> s/to/too
>
>    When a constraint node uses fix value for SPIs, it imposes some
>    limitations on the number of inbound SA.  This limitation can be
>    alleviate by how the SA look up is performed.  When fix SPI are used,
>    it is RECOMMENDED the constraint node has as many SPI values as ESP
>    session per host IP address, and that SA lookup includes the IP
>    addresses.
>
> s/alleviate/alleviated
> s/RECOMMENDED the/RECOMMENDED that the
>
>    More specifically, traffic pattern MAY leak sufficient information in
>    itself.  In other words, privacy leakage is a complex and the use of
>    random SPI is unlikely to be sufficient.
>
> s/MAY/may
>
>    In addition,
>    predictable SPI enable an attacker to forge packets with a valid SPI.
>
> s/enable/enables
>
> Section 5:
>
>    As a result, TFC cannot not be enabled with minimal, and
>    communication protection that were relying on TFC will be more
>    sensitive to traffic shaping.
>
> s/cannot not/cannot
> s/minimal/minimal ESP
> s/were relying/rely
>
> Section 7:
>
>    Currently recommended
>    [RFC8221] only recommend crypto-suites with an ICV which makes the
>    ICV a mandatory field.
>
> s/recommend/recommends
>
> Section 8:
>
>    The recommended suites to use are expect to evolve over time
>    and implementer SHOULD follow the recommendations provided by
>    [RFC8221] and updates.
>
> s/expect/expected
> s/implementer/implementers
>
>        Note that it
>        is not because a encryption algorithm transform is widely
>        deployed that is secured.
>
> s/a/an
>
> Regards,
> Valery Smyslov.
>
>
>