Re: [secdir] draft-ietf-ipsecme-ikev2-null-auth-06 SECDIR review
Paul Wouters <paul@nohats.ca> Tue, 26 May 2015 16:06 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 297951A9115; Tue, 26 May 2015 09:06:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0EE5ZNygZBY6; Tue, 26 May 2015 09:06:24 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA2B81A90E9; Tue, 26 May 2015 09:06:18 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3lx0X85Fzjz7WC; Tue, 26 May 2015 18:06:16 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=iVS0msRp
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id YhmcOxPC0QZC; Tue, 26 May 2015 18:06:14 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 26 May 2015 18:06:14 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 57D868004A; Tue, 26 May 2015 12:06:12 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1432656372; bh=ztIWOlIZWE7wyYDPXi4uW6RJbakgnSbklNK5R1XVBug=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=iVS0msRpHqmkj614l9+lC/3wI3NJML0OqLLy+Gr9sjhxZ5gysFHt2MSKqzBESv5dO O9EAP4drQ+dj3KrIweDhRE+zGaaEl8yj5Za2tstaV4AbL56bQ9Ay6CKrkv7gDaoIEA 1E0IS9CdWzIIETOPAEqZAU5SLoj5So5sMGGdqPgc=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t4QG6B44030839; Tue, 26 May 2015 12:06:11 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Tue, 26 May 2015 12:06:11 -0400
From: Paul Wouters <paul@nohats.ca>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
In-Reply-To: <CAHbuEH5PP4aLjocOSAGHrT_eog1y8qW5y_rL3XfbNfSmBjC1Dg@mail.gmail.com>
Message-ID: <alpine.LFD.2.11.1505261158390.21553@bofh.nohats.ca>
References: <CAF4+nEF7oeR4swbG8uQXLnb-QrkSsKSRWjTK3huzWiK71f7UTA@mail.gmail.com> <alpine.LFD.2.11.1505261012020.12821@bofh.nohats.ca> <CAHbuEH5PP4aLjocOSAGHrT_eog1y8qW5y_rL3XfbNfSmBjC1Dg@mail.gmail.com>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/jiQso1tRCjFwInt7Oxxgr1zbxkM>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, draft-ietf-ipsecme-ikev2-null-auth.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-ipsecme-ikev2-null-auth-06 SECDIR review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 16:06:26 -0000
On Tue, 26 May 2015, Kathleen Moriarty wrote: > I'm okay with that change. I thought that we discussed this last, there was an emphasis on the possibility to > avoid logging unauthenticated sessions though? We mostly talked about not using unauthenticated IDs and only use them for logging. Then Tero wanted it for additional debug and we loosened up to allow ID's other than ID_NULL for AUTH_NULL. We added text to ensure no security decisions are based on unauthenticated IDs in section 2.2. We never talked about completely not logging unauthenticated sessions. I'm sure everyone would like at least some logging of that. What we noticed in our deployment though is that logging failures is what really kills you - in our Opportunistic IPsec we clearly enounter 99.99 percent of "no IKE daemon, so incoming ICMP message", followed by a 0.01% chance we found an IKE server that was never meant to talk IKE to us, returning a NO_PROPOSAL_CHOSEN. On an open DNS resolver (yes we like real hammer tests) this filled up on 4GB log disk in 15 minutes. So we are making changes to minimize logging in the Opportunistic case. But these considerations are not specific to AUTH_NULL and should go into the (to be created) Opportunistic IPsec document. > I see there is wiggle room to allow for that still. Does the > new text meet your needs and still allow for logging of authenticated sessions (my previous concern that was > addressed). As I read the new text, it makes no statement about authenticted IKE, only about things to do or not do when using unauthenticated IKE Paul > Thanks, > Kathleen > > On Tue, May 26, 2015 at 10:20 AM, Paul Wouters <paul@nohats.ca> wrote: > On Tue, 26 May 2015, Donald Eastlake wrote: > > Thanks for the review Donald, > > The Security Considerations section is quite thorough. I did notice one small thing: > Section 3.1 is labeled > "Audit trail and peer identification". But the content of that Security Considerations > section is about not > trusting identification when null authentication is used. It seems to me that a few > words to the effect that > some clear indication should be present in audit/log trails when a purported identity > has not been > authentication should be included, as I expected them to be from the section heading. > > > The bulk of that section was moved into section 2.2i and 3.2. > > How about: > > OLD: > > With NULL Authentication an established IKE session is no longer > guaranteed to provide a verifiable (authenticated) entity known to > the system or network. Implementers that implement NULL > Authentication should ensure their implementation does not make any > assumptions that depend on IKE peers being "friendly", "trusted" or > "identifiable". > > NEW: > > With NULL Authentication an established IKE session is no longer > guaranteed to provide a verifiable (authenticated) entity known to > the system or network. Any logging of unproven ID payloads that > were not authenticated should be clearly marked and treated as > "untrusted", possibly accompanied by logging the remote IP address > of the IKE session. Rate limiting of logging might be required to > prevent excessive logging causing system damage. > > then move this bit: > > Implementers that implement NULL > Authentication should ensure their implementation does not make any > assumptions that depend on IKE peers being "friendly", "trusted" or > "identifiable". > > To just above the "While implementations should..." in section 3.2 > > Paul > > > > > -- > > Best regards, > Kathleen > >
- [secdir] draft-ietf-ipsecme-ikev2-null-auth-06 SE… Donald Eastlake
- Re: [secdir] draft-ietf-ipsecme-ikev2-null-auth-0… Paul Wouters
- Re: [secdir] draft-ietf-ipsecme-ikev2-null-auth-0… Kathleen Moriarty
- Re: [secdir] draft-ietf-ipsecme-ikev2-null-auth-0… Paul Wouters