Re: [secdir] secdir review of draft-ietf-ipsecme-rfc7321bis-05

Paul Wouters <pwouters@redhat.com> Wed, 15 March 2017 13:20 UTC

Return-Path: <pwouters@redhat.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC091131498; Wed, 15 Mar 2017 06:20:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BpB33XQ1OKkN; Wed, 15 Mar 2017 06:20:52 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 620D5131496; Wed, 15 Mar 2017 06:20:52 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E08CB2BC7FD; Wed, 15 Mar 2017 13:12:24 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E08CB2BC7FD
Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pwouters@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com E08CB2BC7FD
Received: from thinkpad.nohats.ca (vpn-235-251.phx2.redhat.com [10.3.235.251]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v2FDCMFs017460; Wed, 15 Mar 2017 09:12:23 -0400
To: Christian Huitema <huitema@huitema.net>, The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-ipsecme-rfc7321bis.all@ietf.org, ipsec@ietf.org
References: <2927d78d-7293-ba53-4aa3-0351e0a6e7b2@huitema.net> <b23b258d-bcaa-dc07-9c9b-3d0f0b085a74@huitema.net>
From: Paul Wouters <pwouters@redhat.com>
Message-ID: <ad3c09a4-2953-ca9d-3e89-6bbb2f344605@redhat.com>
Date: Wed, 15 Mar 2017 09:12:21 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <b23b258d-bcaa-dc07-9c9b-3d0f0b085a74@huitema.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Wed, 15 Mar 2017 13:12:25 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1o3vh5nw-zvrsgmvTqLeEjIaXig>
Subject: Re: [secdir] secdir review of draft-ietf-ipsecme-rfc7321bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 13:20:54 -0000

On 03/14/2017 09:08 PM, Christian Huitema wrote:

Thanks for your review Christian!

> Adding Paul explicitly, since the forwarding through the draft.all alias
> does not pass through the gates of redhat.

Thanks, sorry for DMARC'ing issues. I did report it to our IT, but I doubt things will change :(

>> This document is ready for publication as a Proposed Standard, with some nits.
>>
>> My first set of nits concerns the keywords "SHOULD+", "SHOULD-" and "MUST-" that the 
>> draft is defining. These keywords would make an interesting update to RFC 6919. I 
>> understand that "SHOULD+" and "MUST-" are already defined and used in RFC 7321, and 
>> that you have at places to say "RFC 7321 said SHOULD+, but we change that to MUST". 
>> So maybe you should just note that "RFC 7321 defines these additional keywords".
>> Also, you never use SHOULD- in the text, so there is no need to define it. You
>> only MUST- once, to downgrade "AUTH_HMAC_SHA1_96" from MUST to MUST-. You could save 
>> space in the document by just adding a footnote for the SHA1 entry in the table,
>> stating that "this MUST means REALLY SHOULD NOT." Or maybe you really want to
>> update RFC 6919.

We really tried to keep the bis documents 4307bis and 7321bis close to the original so
that updates read easily. So even if we do not use one of the keywords now, we might in
a new version, so I think it is good for this set of documents to try and keep the same
keyword list.

>> The second set of nits contains manual keying. According to the draft, anyone using 
>> manual keying is punished for doing so, and will only be able to use ENCR_AES_CBC. I 
>> assume that there is WG consensus on that, but the justification that other algorithms
>> really require IKEv2 is a bit weak. If there is an API to configure encryption with the
>> results of an IKEv2 negotiation, it could just as well be used with the results of a
>> manual configuration. Not sure that the definition of algorithms is the best place to
>> deprecate manual configuration, even if there are some pretty good reasons to do that.

I answered this in the list already, but the short version is that any algorithm that
requires IVs to never repeat can never use manual keying because then there is no mechanism
to prevent re-using IVs, as most IV's are implemented as counters, which at some point will
overflow back to 0 and then the attacker can gain the private key knowledge.

Additionally, thre is no PFS when using manual keying, so any compromise could decrypt
all previous traffic. With IKE we are talking about 1-8 hours of session key lifetimes,
which are just beyond manual keying that stays in place with the same key for months, years
or worse.

I'm willing to explain the text a bit on this to clarify.

>> My last set of nits concerns the relation between this draft and the IANA registry of 
>> Internet Key Exchange Version 2 (IKEv2) Parameters. I understand that we have five states 
>> of specification or recommendation:
>> * MUST implement and MAY use algorithms such as ENCR_AES_GCM_16;
>> * SHOULD implement and MAY use algorithms such as ENCR_CHACHA20_POLY1305;
>> * SHOULD implement and MAY use but only for IoT devices, e.g. ENCR_AES_CCM_8;
>> * SHOULD NOT implement and MUST NOT use, e.g. ENCR_DES; Presumably, the code 
>>   has to be yanked from existing implementations.
>> * and then MAY implement and MAY use, e.g. ENCR_CAMELLIA_CBC.
>> But the fifth category is only specified by default, as "those algorithms that
>> are listed in the IANA registry but not referenced in the draft." I wonder whether there
>> is a way to express that clearly in the draft.

Since the tables are pretty big, that's a bit hard to do, and it would distract from the
very few prime algorithms we would like them to focus on.

Implementers I guess should have the IANA IKEv2 page open along with the RFC for the full
picture. I do want to say that for ipsec, the algorithms that are only in MAY are either
pretty new and have no deployment yet (curve25519, chacha20-poly1305) or are kind of
obsolete but no known attack against them has been successful (cast, serpent, twofish)

Paul