Re: [secdir] secdir review of draft-ietf-storm-ipsec-ips-update-03

"Black, David" <> Wed, 21 August 2013 20:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B248811E8146; Wed, 21 Aug 2013 13:17:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id I2MtBTgykvNN; Wed, 21 Aug 2013 13:17:06 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C25AA11E8152; Wed, 21 Aug 2013 13:17:06 -0700 (PDT)
Received: from ( []) by (Switch-3.4.3/Switch-3.4.3) with ESMTP id r7LKH1Im001776 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Aug 2013 13:17:02 -0700
Received: from ( []) by (RSA Interceptor); Wed, 21 Aug 2013 13:16:50 -0700
Received: from ( []) by (Switch-3.4.3/Switch-3.4.3) with ESMTP id r7LKGlC4026171; Wed, 21 Aug 2013 16:16:47 -0400
Received: from ([]) by ([]) with mapi; Wed, 21 Aug 2013 16:16:47 -0400
From: "Black, David" <>
To: "" <tlyu@MIT.EDU>, "" <>, "" <>, "" <>
Date: Wed, 21 Aug 2013 16:16:39 -0400
Thread-Topic: secdir review of draft-ietf-storm-ipsec-ips-update-03
Thread-Index: Ac6eq1U6aUgpzNAsQz+niqUAY1KY+Q==
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "Black, David" <>
Subject: Re: [secdir] secdir review of draft-ietf-storm-ipsec-ips-update-03
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Aug 2013 20:17:12 -0000


Thank you for this review.

I would prefer not to repeat general advice applicable to all uses of
IPsec in this draft.  That applies to the exposure of AES GCM to nonce reuse
and means of preventing that reuse (e.g., use of IKE) which are covered in the
Security Considerations section of RFC 4106; if that advice is inadequate,
I'd suggest a revision of RFC 4106 rather than adding advice to this draft.

* OTOH, it would make sense to add a sentence to point out that all of the
referenced security RFCs and the security considerations in all of the
other referenced RFCs are applicable if that seems useful.

As explained in Section 2.2, the hardware implementation considerations
originally used to select AES-CTR as a "SHOULD implement" transform now
favor AES-GCM.  Based on those considerations, AES-GCM is a significantly
better choice due to its hardware-friendly hash, so retaining the "SHOULD"
for AES-CTR doesn't make sense.

The comments on 3DES seems off the mark to me.  The IETF approach to
security, as I've understood it, is to require implementation of
sufficient security mechanisms so that they will be available if needed.  
Since the protocols to which this draft's requirements apply will operate
at high data rates in some environments (e.g., see discussion in Section 2.2),
3DES is no longer appropriate as the single "MUST implement" confidentiality
transform.  Further, the comparison to AES-GCM seems misplaced, as AES-CBC
is the new "MUST implement" transform, not AES-GCM.

* I'll add some advice about matching strengths of symmetric and asymmetric
keys with a pointer to NIST SP 800-57, as there are key length requirements
in this draft.

* ESP sequence number cycling is prohibited (MUST rekey before that happens)
by RFC 2404 and RFC 4303, so I don't see any point in discussing its 
consequences.  OTOH, I think it would be good to call attention to this
requirement to rekey before the ESP sequence number rolls over and point out
that extended sequence numbers greatly reduce the frequency at which that may
be necessary (probably in Section 2 of this draft).

The three paragraphs noted by '*' above indicate the three changes that I'd
propose to make in response to this review - is that reasonable?

With this draft in IESG Evaluation for next week's telechat (August 29),
I would plan to defer these changes until after the telechat.


> -----Original Message-----
> From: Tom Yu [mailto:tlyu@MIT.EDU]
> Sent: Wednesday, August 21, 2013 2:57 PM
> To:;; draft-ietf-storm-ipsec-ips-
> Subject: secdir review of draft-ietf-storm-ipsec-ips-update-03
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> I believe this document is ready with minor issues.
> The Security Considerations section in its entirety is
>     "This entire document is about security."
> Although the above statement is true, I think it would also be
> beneficial to provide additional information in the Security
> Considerations to help implementers and administrators make informed
> risk assessments.  This could include describing the consequences of
> failing to adopt the recommendations of this document.  I have
> outlined below some possible risk tradeoffs to consider describing in
> the document.
> AES in GCM mode is vulnerable to catastrophic forgery attacks if a
> nonce is ever repeated with a given key.  Hopefully this won't be a
> practical issue, but implementation bugs involving random number
> generators are not uncommon.  Forgery in a content protection context
> is probably also less of a concern than forgery in an authentication
> context.
> What concerns with AES-CTR motivate its demotion?  I do seem to recall
> that (contrary to best practice) confidentiality can be done
> separately from integrity in IPsec.  Is this composition done in a way
> that has vulnerabilities?  I'm not very familiar with IPsec and am not
> remembering the details at the moment.
> If there is sufficiently low traffic, is it likely that a site
> constrained by legacy or resource issues could use 3DES (with its
> 64-bit block size) at an acceptable risk level?  (possibly with
> frequent rekeying)  Ciphertext collision isn't as catastrophic with
> CBC mode ciphers as nonce collision is for AES-GCM.  McGrew's paper
> about collision attacks includes equations that estimate data leakage.
> It could be useful to include advice about matching symmetric key
> lengths with public key strengths.  See NIST SP 800-57 Part 1.
> What are the consequences of sequence number cycling in ESP?