Re: [Secdispatch] Controller-IKE

"David Carrel (carrel)" <carrel@cisco.com> Mon, 22 July 2019 15:42 UTC

Return-Path: <carrel@cisco.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FD6512013B for <secdispatch@ietfa.amsl.com>; Mon, 22 Jul 2019 08:42:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=U3k2wVvQ; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=QxaDYHtu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yNQVCVLV61xh for <secdispatch@ietfa.amsl.com>; Mon, 22 Jul 2019 08:42:49 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 082DB12012B for <secdispatch@ietf.org>; Mon, 22 Jul 2019 08:42:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=24353; q=dns/txt; s=iport; t=1563810168; x=1565019768; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=jTeJHbMO0JRUCyK8CO/eyLGA4MO2VJIyQ5vHBLrtDdI=; b=U3k2wVvQJHoXeA1akWTkfdrqFU0oI/zev7D8NnsWd5fCuncYu9WUk+IJ eXUhg16CVPAf+Ff3pVVxTQ2VsaQNO+7GHqi3/a9DchhpCqvneTIF1FXq+ WA35w9sWVgiUKxDbOr+IY8/kHXkyBMAqescy7m9MAigN8Vl2ZRvQKVMRC 4=;
IronPort-PHdr: =?us-ascii?q?9a23=3ADLxZ1h09BFedW94rsmDT+zVfbzU7u7jyIg8e44?= =?us-ascii?q?YmjLQLaKm44pD+JxGOt+51ggrPWoPWo7JfhuzavrqoeFRI4I3J8RVgOIdJSw?= =?us-ascii?q?dDjMwXmwI6B8vQAkThNvPuRyc7B89FElRi+iLzPA=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BIAAAb2DVd/5RdJa1dCRwBAQEEAQE?= =?us-ascii?q?HBAEBgVMHAQELAYEULyQFJwNtVSAECyqEHYNHA4RSiSuCNiWSe4RVgS6BJAN?= =?us-ascii?q?UCQEBAQwBARgBCgoCAQGDekYCF4JMIzQJDgEDAQEEAQECAQZthR4MhUoBAQE?= =?us-ascii?q?BAwEBEBEdAQEsCwEPAgEIDgMDAQIoAwICAiULFAkIAgQOBSKDAAGBHU0DHQE?= =?us-ascii?q?CDKAlAoE4iGBxgTKCeQEBBYE2AoEPgj4YghMDBoE0AYkVdoFTF4F/gREnDBO?= =?us-ascii?q?CTD6CYQEBA4E0Sg0JglUygiaOeIR+iGuNGW0JAoIZhliEboN+BYRDG4IthyW?= =?us-ascii?q?EDIoslH2QCAIEAgQFAg4BAQWBUDiBWHAVOyoBgkGCQoEmAQiCQoUUhT9yDIE?= =?us-ascii?q?djCErgiUBAQ?=
X-IronPort-AV: E=Sophos;i="5.64,295,1559520000"; d="scan'208,217";a="600101951"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 22 Jul 2019 15:42:47 +0000
Received: from XCH-RCD-017.cisco.com (xch-rcd-017.cisco.com [173.37.102.27]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id x6MFgl0b001571 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 22 Jul 2019 15:42:47 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-RCD-017.cisco.com (173.37.102.27) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 22 Jul 2019 10:42:47 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 22 Jul 2019 10:42:46 -0500
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 22 Jul 2019 11:42:46 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kTg5m9F94/NtHLJeu9g6cNAAanAFIeSM3UQZYMfq2nW/BMK/Abg9NtxSjQa3FbJmadTW9a4DnGPoj92aVBinoDBlcEebYK2vqcV2LWY37/bDc6U89dGE/LiDwmR9Er1rfF8R2/ybXHQufqFlxwxf7pJpOT74RJ3ZyaKgbTBNjoPOOgW8FluuaqTzpVX+5GCCztcyktyzDHf/k59WNwKhwhQB4Pqq01tPOOJnGF001N2NniMKSfZOotNlMJy15yNICBbs320XVA66aymxYqX4OlnCpRIG1mtFXecw+A8UbbDg/ZiMEociieY7bzT1vrmFNkPcVU2RGUeOHzvIkApb8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jTeJHbMO0JRUCyK8CO/eyLGA4MO2VJIyQ5vHBLrtDdI=; b=CnsqoMupc4fqf/CJ/LYwi8Y3kUN6xJ5G7GU/CQCvQ7ofcde1vJ3MrfVPYn7pReJ/m0jr1qr9vfbbmsBzNMkWb9G2qS27/LaF7cA6Cn0FI+QXxKVzO9YqEG6U54gIqlxcxdtWtJnN5DaQfaYQBRTddR9d9Wa8K6/2l81RX0jfhNnYfHQ45Rzl3K2lnZmSrHMuYC09pwimsmtj7gHBYQVbAda/HponzZez3+6B2wdLL3MxiYL8xI5b0aA4r4YRn8tATqJuZjorj5cYXg3h1C2nKjzcxifXBDcR/ugPRg0XdUEk5V2LoJW7kDj4AE7vQ+E6ptQoMBJQcG+DEwfqRv96zg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=cisco.com;dmarc=pass action=none header.from=cisco.com;dkim=pass header.d=cisco.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jTeJHbMO0JRUCyK8CO/eyLGA4MO2VJIyQ5vHBLrtDdI=; b=QxaDYHtuLnZT01I2MPyMsl1pzmVisLwOZQuYEGPkA6OvWVUtjcNqHt/WxZdygP5HtHrV7P04OCxe9v6MXOAVe61CidzuI0ZzugSe7dr6YVnS9xsRqx8kHjWPzHoU8ai0V5qlTs4POrTL7FwgGnBTu9RfwhZ0Lar00ZyiDHBcGGs=
Received: from BYAPR11MB3046.namprd11.prod.outlook.com (20.177.225.213) by BYAPR11MB2758.namprd11.prod.outlook.com (52.135.228.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2094.16; Mon, 22 Jul 2019 15:42:45 +0000
Received: from BYAPR11MB3046.namprd11.prod.outlook.com ([fe80::c895:4d83:c5b8:b3d6]) by BYAPR11MB3046.namprd11.prod.outlook.com ([fe80::c895:4d83:c5b8:b3d6%6]) with mapi id 15.20.2073.012; Mon, 22 Jul 2019 15:42:45 +0000
From: "David Carrel (carrel)" <carrel@cisco.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] Controller-IKE
Thread-Index: AQHVPqG2qaTEIVD/zEy+2+Xv9S/jD6bWtyQA//+edAA=
Date: Mon, 22 Jul 2019 15:42:44 +0000
Message-ID: <698A5E01-5924-4D6C-9BD9-A8E87712086B@cisco.com>
References: <CDF90625-34F6-40C3-8AE4-AACD50D70C2E@cisco.com> <CABcZeBOC6FPDe-PrfB4QKJoNVoOVYN_JuzteZE9GyrX0O_s2mg@mail.gmail.com>
In-Reply-To: <CABcZeBOC6FPDe-PrfB4QKJoNVoOVYN_JuzteZE9GyrX0O_s2mg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=carrel@cisco.com;
x-originating-ip: [2001:420:c0c8:1008::132]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2de1e4ba-1358-4289-992e-08d70ebb3d9a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:BYAPR11MB2758;
x-ms-traffictypediagnostic: BYAPR11MB2758:
x-ms-exchange-purlcount: 7
x-microsoft-antispam-prvs: <BYAPR11MB27589A90A113A75DA6E1F4D7CBC40@BYAPR11MB2758.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 01068D0A20
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(136003)(396003)(39860400002)(366004)(199004)(189003)(6486002)(486006)(6436002)(6916009)(316002)(478600001)(76176011)(6116002)(86362001)(25786009)(4326008)(71190400001)(71200400001)(14454004)(68736007)(8676002)(6506007)(476003)(81166006)(81156014)(2906002)(5660300002)(8936002)(186003)(91956017)(46003)(6246003)(7736002)(36756003)(76116006)(54896002)(6306002)(53546011)(966005)(53936002)(66476007)(66556008)(229853002)(66946007)(2616005)(102836004)(66446008)(33656002)(64756008)(11346002)(6512007)(99286004)(606006)(256004)(14444005)(446003)(236005); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR11MB2758; H:BYAPR11MB3046.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: d/CvJAVUE2P/OTkp2+6o9P1VHvrd3K4w+9z6/uHmSsKjOb4xuQF+ApLC12KvKdljbjX7xiXNSpBzGPrtX198/P4By64BrwVz0KMULwYGea6oCn4LoHvZPzei10wv+zlysfPcZJMhxJ9ixVb+52b9ig6qISFtzuhvkA7/+BYyL96VILBM3Ptbu2RQdhNLJ2wwNZdv5d+HdlcYvNcgFlst+WKaoPPT7Om1irn3YsWiGswmY3MfdE3wgFamLEBh5F2+e6YfaWGXj/fkcoRhJAl/gROgu23vx6gbKX5ZcIVJ7DIs39whIz1ZLwR05wmYErvPOEs0sihPvThxobTOKivFKqsde7nPqygLBh3PZOItRMEbMU5ifugIrZy3PgVA94N4ClhngRn8Gx6fu1yIjaFc9BAuTRRrbcmAuBunMVni2Qo=
Content-Type: multipart/alternative; boundary="_000_698A5E0159244D6C9BD9A8E87712086Bciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 2de1e4ba-1358-4289-992e-08d70ebb3d9a
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jul 2019 15:42:44.9870 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: carrel@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB2758
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.27, xch-rcd-017.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/AwhduPNCgURDqz6Xot5Ud9foqvU>
Subject: Re: [Secdispatch] Controller-IKE
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 15:42:52 -0000

Ekr,

Thanks!  Responses inline …

From: Eric Rescorla <ekr@rtfm.com>
Date: Monday, July 22, 2019 at 10:32 AM
To: "David Carrel (carrel)" <carrel@cisco.com>
Cc: "secdispatch@ietf.org" <secdispatch@ietf.org>
Subject: Re: [Secdispatch] Controller-IKE

Document: draft-carrel-ipsecme-controller-ike-01.txt

I took a quick look at this document, and I have a few thoughts,
in no particular order.

* I understand the desire to think of this as an extension
of IKE, but it's actually pretty different, and I'm not sure
how much leverage you are getting from trying to make them
similar.
This isn’t an extension of IKE.  It is an alternative.  It provides the functionality that a standard IKE process provides.  Basically it creates pairwise keys and creates IPsec SAs.  For example, you can remove a Linux userspace IKE daemon and replace it with Controller-IKE and still utilize the unmodified kernel IPsec.


* I think it would be useful to be a little clearer about what
resource you are trying to conserve here. I get that using straight
IKE would require N^2 associations, but this does as well. It doesn't
require N^2 protocol exchanges, but it requires N^2 DH operations (if
everyone wants to talk to everyone else). So, the main value seems
to be that you can send to someone in 0-RTT without exchanging
any messages beforehand. Is that correct?
You are right that there continues to be N^2 associations and this does not reduce the DH calculations, but (as you note) this does reduce the number of peer-to-peer messages and does reduce the RTT.  Depending on the size of the full mesh SD-WAN, and the bandwidth costs, the reduction of messages is definitely a positive.  There are other benefits such as allowing for the use of “secure” provisioned networks for control, while utilizing lower security (public) networks for IPsec traffic.  And in fact there are applications where the data connection between peers is NOT 2-way, meaning traditional IKE will not establish between the peers, but the SD-WAN does come up.


* The PFS story here seems pretty bad: I'm assuming that people
aren't going to change their DH keys very often (as it's extremely
expensive for everyone else).
True, the DH load can be expensive, but no more so than an equivalent mesh of traditional IKE.  We would not need to re-key any less often.  I believe this makes the PFS story equivalent.  In addition, Controller-IKE does allow for resending the same DH public value with a new nonce.  This doesn’t improve PFS, but does allow for a more frequent re-keying without incurring the DH cost.


* What happens if node A takes node B's DH key and nonce and
advertises them as its own? If I understand the draft correctly,
C will end up with the same SPKI and keys between C-B and C-A.
Is that right? If so, that sounds at minimum like an identity
misbinding attack, but if you are using implicit IVs
(https://tools.ietf.org/html/draft-ietf-ipsecme-implicit-iv-07),
then wouldn't you get nonce reuse, which would be quite bad.
This is a very good observation.  The straightforward answer is to mix the controller validated identity into the keymat to ensure that someone else using my DH/nonce will not generate the identical keys with a 3rd peer.  Thanks!!


* You also seem to have a KCI problem, where if your keys is
compromised, an attacker can impersonate anyone to you.
I don’t see this?  Can you explain further?  If my DH private is compromised, then an attacker can impersonate me to anyone else (until I re-key).  Presumably if you get my private DH, I have been compromised fully.  But this is the same situation with any key management protocol.



ISTM that you would be in a better position if you adopted a 0-RTT DH
flow in the style of OPTLS. I.e., A and B each have keys g^a, g^b and
you mix them in with ephemeral DH keys g^x and g^y. This kind of
exchange is reasonably well studied, and has good PFS and key
confirmation properties. You can piggyback the key establishment
messages along with the data you want to send, so you'll still get
data on the first message.
Definitely worth looking at.  I can’t give you a quick response on this, but I will crunch on this.  Of course, this would involve modifying ESP.  I wouldn’t want to make that a requirement to this moving forward, but it could be separately considered as an ESP extension that any KMP could avail themselves of.
-Ekr

Dave












On Fri, Jul 19, 2019 at 7:20 PM David Carrel (carrel) <carrel@cisco.com<mailto:carrel@cisco.com>> wrote:
Folks,

I would like to present Controller-IKE in the Montreal Security Dispatch meeting.  There is growing interest from routing folks, and I strongly feel we should evaluate and progress this in the security area.  I’ll have some slides to share shortly.  For now, please do read the draft.  Also there are some drafts referencing this:

Controller-IKE: https://tools.ietf.org/html/draft-carrel-ipsecme-controller-ike-01

Also some docs referencing this form of key management:
BESS, Secure EVPN: https://tools.ietf.org/html/draft-sajassi-bess-secure-evpn-02
And: https://tools.ietf.org/html/draft-dunbar-bess-bgp-sdwan-usage-01

Comments appreciated.

Dave

_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org<mailto:Secdispatch@ietf.org>
https://www.ietf.org/mailman/listinfo/secdispatch