Re: [secdir] Secdir review of draft-ietf-ipsecme-failure-detection-05

Magnus Nyström <> Fri, 11 March 2011 06:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C689F3A6892; Thu, 10 Mar 2011 22:32:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mGJmKchnBxnQ; Thu, 10 Mar 2011 22:31:56 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id F36453A6845; Thu, 10 Mar 2011 22:31:54 -0800 (PST)
Received: by iyj8 with SMTP id 8so2856559iyj.31 for <multiple recipients>; Thu, 10 Mar 2011 22:33:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Zy9w3lXfSqyAfmAgT70+cqzZRShvfjhNMAp+yIQr3HA=; b=TT1tWM33mT/ekYfdCUrPfQJzyWztuGFVc7zbrYWcKD4vfGrL18ZdUEOn8FWarwkJtk CPwmdIDRTUd1unIcPzX8YsNPbrgpvzZf+kF9tlCqcTqwp5Fny15RK0adwgfIzHxbIXYF 6IFSbU0MkhHUpAhhBjxNi5i5DqOWPIjHiuph8=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=PafONJDWlJcGBxMAsbiCzAJXR5gfeNrAap7C8CGyjj9JyXFT8DTWgsY61xUmy6FlwZ xSmdjoa84LPQvaa0fcd4ewzy8fqoqWFlj56iXSndnCUCG0VxdO33UzYO/6BsAGXZMi0m sem50zmLbSFDuPf4Ect+Q8bQwhBw+uE5uk4zM=
MIME-Version: 1.0
Received: by with SMTP id xi7mr11230840icb.168.1299825193564; Thu, 10 Mar 2011 22:33:13 -0800 (PST)
Received: by with HTTP; Thu, 10 Mar 2011 22:33:13 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Thu, 10 Mar 2011 22:33:13 -0800
Message-ID: <>
From: Magnus Nyström <>
To: Yoav Nir <>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "" <>, "" <>, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-ipsecme-failure-detection-05
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 11 Mar 2011 06:32:04 -0000

Thanks for your quick response. Inline...

On Wed, Mar 9, 2011 at 11:50 PM, Yoav Nir <> wrote:
> Hi Magnus, thanks for the review.  My answers are inline.
> On Mar 7, 2011, at 9:14 AM, Magnus Nyström wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors. Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>> This document defines a new extension (the "QCD token") to the IKEv2
>> protocol that allows for faster detection of SA de-synchronization.
>> - General:
>>  o "Quick Crash Detection": Is "crash" really the right term here? As
>> the document indicates, the SA de-synchronization may have had other
>> reasons than a crash...? The term "failure detection" seems more
>> accurate.
> There are indeed several reasons why an IKE implementation might lose state. There's bugs in implementations or underlying operating systems, which may cause state loss, and are colloquially referred to as "crashes", there are power interruptions, and every product that I know of also has a user interface command to clear state.  At least the last of these is not even a failure at all.  So we might have termed this "Quick State Desynchronization Detection" (QSDD?), but crashes were the primary motivation for writing this, so we have used the name QCD from the start.  I think it stay, as long as the introduction says that it's OK.


>> - Section 1, Introduction:
>>  o "However, in many cases the rebooted peer is a VPN gateway that
>> protects only servers, or else the non-rebooted peer has a dynamic IP
>> address" - it is not clear from this how or why the dynamic IP address
>> of the non-rebooted peer impacts the tunnel re-establishment?
> I agree it is a little confusing and should be split into two sentences. How about:
> However, in many cases the rebooted peer is a VPN gateway that protects only server, so all traffic is inbound. In other cases, the non-rebooted peer has a dynamic IP address, so the rebooted peer cannot initiate IKE because its current IP address is unknown.

Yes, much clearer IMO.

>>  o Editorial: "is a quick" -> "in a quick"?
> Yes. Thanks.
>> - Section 2, RFC 5996 Crash Recovery :
>>  o "There are cases where the peer loses state and is able to recover
>> immediately; in those cases it might take several minutes to recover."
>> - so a peer is able to recover immediately, yet it might take several
>> minutes to recover?? Unclear what is meant here.
> How about "in those cases it might still take several minutes to recover the IPsec SAs."

Thanks; that's clearer.

>> - Section 5, Token Generation and Verification:
>>  o (Not sure why these methods are called stateless as the QCD_SECRET
>> must be maintained?)
> That's because they don't have a per-tunnel persistent state. An obvious (though never described) alternative is to generate a random token for each IKE SA, and store that in non-volatile storage. This was actually the design in one of the early drafts.
>>  o By adding a nonce to the token generation the attack outlined in
>> Section 9.3 would be impossible, as the attacker would also need to
>> guess the nonce (adding a nonce to the TOKEN_SECRET_DATA generation
>> would also have the effect that even for the same SPIs, the
>> TOKEN_SECRET_DATA would be different). More generally, a standard key
>> derivation scheme such as the Concatenation KDF in NIST SP 800-56 may
>> be considered.
> Yes, but then we would have to keep the nonce in state for each IKE SA, and this would vastly increase the non-volatile storage requirements. The goal is for the rebooted gateway to generate the correct token based only on an encrypted (with keys it doesn't have) IKE packet.

OK.But I still think SP 800-56A's Concat KDF could or should be
considered. It would map SPI-I and SPI-R as PartyUInfo and PartyVInfo
and for "free" you would be NIST-compatible. No nonce is required.

>> - Section 9.2, Security Considerations:
>>  o Last paragraph: "This method should not be used..." - unclear what
>> method is being referred to here?
> Seems clear to me. The first sentence in that paragraph talks about the method in section 5.2. The following sentences begin with "This method...", referring to the same method.

I see the text has changed slightly; A minor clarification could be to
replace the last "that method" with "The method in Section 5.2".

>> - Appendix A.2:
>>  o Would have been useful with a sentence or two that indicated why
>> the working group preferred the QCD proposal over the SIR one.
> OLD:
>   The working group preferred the QCD proposal to this one.
> NEW:
>   The working group preferred the QCD proposal to this one, because
>   of the lack of cryptographic protection for the queries and
>   responses.


-- Magnus