IETF Logo Mail Archive

Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)

Tero Kivinen <kivinen@iki.fi> Tue, 18 October 2016 13:24 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89D08129A6A; Tue, 18 Oct 2016 06:24:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ISPAotSbBZ5x; Tue, 18 Oct 2016 06:24:38 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D842129A64; Tue, 18 Oct 2016 06:24:38 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u9IDOYn9013841 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 18 Oct 2016 16:24:34 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u9IDOYgB029757; Tue, 18 Oct 2016 16:24:34 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <22534.8850.6018.431180@fireball.acr.fi>
Date: Tue, 18 Oct 2016 16:24:34 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <913F2EDE-2945-4036-A555-51611F8CF5AC@gmail.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <22533.64120.595277.953942@fireball.acr.fi> <913F2EDE-2945-4036-A555-51611F8CF5AC@gmail.com>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 9 min
X-Total-Time: 10 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/LCSu7StLUUTQXeiwlMfsZvXOOBA>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 13:24:39 -0000

Yoav Nir writes:
> > Same here, and it also makes it so that we cannot say our
> > implementation is conforming rfc4307bis, even when we do already have
> > support for AES, SHA2, 2048-bit DH, i.e. all the mandatory to
> > implement algorithms in the new document, but we do also have code to
> > propose the RFC5114 MODP groups, if user configures them to be used.
> 
> I don’t think that’s the right way to interpret compliance with
> RFC4307bis. If you can configure your implementation to support only
> algorithms that are MUST, SHOULD, or MAY in the document, then you
> can configure your implementation to comply with 4307bis. I don’t
> think implementation compliance requires pulling out code. 

When rfc4307bis says MUST NOT do DES, and MUST NOT do 768-bit MODP, I
assume that to be conforming to that document, user is not able to
configure DES with 768-bit MODP group.

Of course MUST NOTs are difficult as it is really hard to show where
in your code you implement this specific MUST NOT (yes, there was one
customer asking us to point out where in code we implement each MUST
NOTs).

> Our implementation allows the user to key in long hex strings to
> construct MODP groups that are not available out of the box. With
> your interpretation we can never be compliant because they can
> always make up their own 512-bit group and add that to the available
> groups. 

That is different issue, as this is SHOULD feature in the RFC7296:

   parameters, up to certain size limits.  In support of this goal, all
   implementations of IKEv2 SHOULD include a management facility that
   allows specification (by a user or system administrator) of Diffie-
   Hellman parameters (the generator, modulus, and exponent lengths and
   values) for new Diffie-Hellman groups.  Implementations SHOULD
   provide a management interface through which these parameters and the
   associated Transform IDs may be entered (by a user or system
   administrator), to enable negotiating such groups.

Also there is nothing in the rfc4307bis saying that that is MUST
NOT...

On the otherhand if someone uses that interface to configure the
768-bit MODP group 1, then he is going against MUST NOT in rfc4307bis,
and his system is longer conforming... It might be good idea to limit
that interface so it will not allow any groups which are shorter than
1024-bits, just so users cannot do stupid things... 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email