IETF Logo Mail Archive

Re: [Secdispatch] Controller-IKE

Eric Rescorla <ekr@rtfm.com> Mon, 22 July 2019 16:13 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ECE1120274 for <secdispatch@ietfa.amsl.com>; Mon, 22 Jul 2019 09:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h3KAPRFTI5_D for <secdispatch@ietfa.amsl.com>; Mon, 22 Jul 2019 09:13:25 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAD2B1201F8 for <secdispatch@ietf.org>; Mon, 22 Jul 2019 09:13:24 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id v18so38137674ljh.6 for <secdispatch@ietf.org>; Mon, 22 Jul 2019 09:13:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lU8iFLTx8w3Z4UxWZ1sYxC2ZJjrentvbrZPY217MUk0=; b=CehOREj1VkE4o5pJcf+3B0PD/yfwH9LXJ6UgWoPhD2N/h0qlAObDP0bw/G49lIZPx/ 00dTGi4S1LZi5Vn2+HeMOJaClgz5ZL6j0cEJxgFF1rPkzGyrzue3DJwQjqXbCbJX5or+ gdDjoKCFocgE+5WRG0GnM0M0IdaAS0cB0G4lhpOin/h2RHdbSK0XjLtY2I6+FIehL0mS ryX800zLgYAyHR0Zh3eYFcRK+ySN/3tqTjniZ6/60MKnk9Ju4dtN5Q8nYvq78EKxqZSA Ul5uSyvwpp6bm9p7Sn5PuvoUMYVgFOZ3RTa7b/YuI7yCammAGW4Gxt8bNIPzr3PBtgfu eXug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lU8iFLTx8w3Z4UxWZ1sYxC2ZJjrentvbrZPY217MUk0=; b=Kj9lARUKHKfdpu/XnWccHY/5PMj2C7tvFN8iEihdeMs18vy/cH9CMjGJ6pzPKNrkyv l3IvSelYYq5QNRjagSABR8zdlGKyjvtVwQt5Q+dBgIu6gXgyfr1XMrWsGaDcXrZIKpoh DFwXKOVX5glR9qCIAfgVPtJGuDqbF53C8rjKB/iyn4w7f37SabJARSs7mqD6hRnmUx4+ UZUVrABnwSQOqoz9cxD/L6NWJehXYlUlD7S5gH2fumYlyX0PJfSDQzoZBdWpNhov3M0P RcNp6UeWXfHLzyYEyG4exvBb2JVi2AHmWfSIhsF69ldZ8ZVlksOkTorOWP9SZm0qoVCM 5Ftw==
X-Gm-Message-State: APjAAAXMBL66o3edmYxIh0oM+vRvI158/jwX43v+wF/IS4MYGVpyI04r aRubM6ACH1ySVnd88UXpGp6AQ/PloqwCFtNGIKI=
X-Google-Smtp-Source: APXvYqxl3K2nvaOFzOxSp3tTSeXrxAgWy/GuXX9oY2DXVGGKTLkdGzwA2WuNQhCEx9bS2SWSHPj6v1pVF9vWjSHO30A=
X-Received: by 2002:a2e:b0e6:: with SMTP id h6mr35177205ljl.18.1563812003038; Mon, 22 Jul 2019 09:13:23 -0700 (PDT)
MIME-Version: 1.0
References: <CDF90625-34F6-40C3-8AE4-AACD50D70C2E@cisco.com> <CABcZeBOC6FPDe-PrfB4QKJoNVoOVYN_JuzteZE9GyrX0O_s2mg@mail.gmail.com> <698A5E01-5924-4D6C-9BD9-A8E87712086B@cisco.com>
In-Reply-To: <698A5E01-5924-4D6C-9BD9-A8E87712086B@cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 22 Jul 2019 09:12:46 -0700
Message-ID: <CABcZeBMTeRuFQShONVAXOkaw6o=-0Jy4Pnrw8dHwwsFD+oBvfQ@mail.gmail.com>
To: "David Carrel (carrel)" <carrel@cisco.com>
Cc: "secdispatch@ietf.org" <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f00cae058e475a60"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/xsiGQlzonFsmk7FWGQLPeC1qtL0>
Subject: Re: [Secdispatch] Controller-IKE
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 16:13:29 -0000

On Mon, Jul 22, 2019 at 8:42 AM David Carrel (carrel) <carrel@cisco.com>
wrote:

> Ekr,
>
>
>
> Thanks!  Responses inline …
>
>
>
> *From: *Eric Rescorla <ekr@rtfm.com>
> *Date: *Monday, July 22, 2019 at 10:32 AM
> *To: *"David Carrel (carrel)" <carrel@cisco.com>
> *Cc: *"secdispatch@ietf.org" <secdispatch@ietf.org>
> *Subject: *Re: [Secdispatch] Controller-IKE
>
>
>
> Document: draft-carrel-ipsecme-controller-ike-01.txt
>
> I took a quick look at this document, and I have a few thoughts,
> in no particular order.
>
> * I understand the desire to think of this as an extension
> of IKE, but it's actually pretty different, and I'm not sure
> how much leverage you are getting from trying to make them
> similar.
>
> This isn’t an extension of IKE.  It is an alternative.  It provides the
> functionality that a standard IKE process provides.  Basically it creates
> pairwise keys and creates IPsec SAs.  For example, you can remove a Linux
> userspace IKE daemon and replace it with Controller-IKE and still utilize
> the unmodified kernel IPsec.
>

Yes. My point is that it's not clear to me why you are calling it
"Controller IKE" or using the IKE crypto functions, which aren't really
what we usually pick for new protocols.

>
>
> * I think it would be useful to be a little clearer about what
> resource you are trying to conserve here. I get that using straight
> IKE would require N^2 associations, but this does as well. It doesn't
> require N^2 protocol exchanges, but it requires N^2 DH operations (if
> everyone wants to talk to everyone else). So, the main value seems
> to be that you can send to someone in 0-RTT without exchanging
> any messages beforehand. Is that correct?
>
> You are right that there continues to be N^2 associations and this does
> not reduce the DH calculations, but (as you note) this does reduce the
> number of peer-to-peer messages and does reduce the RTT.  Depending on the
> size of the full mesh SD-WAN, and the bandwidth costs, the reduction of
> messages is definitely a positive.  There are other benefits such as
> allowing for the use of “secure” provisioned networks for control, while
> utilizing lower security (public) networks for IPsec traffic.  And in fact
> there are applications where the data connection between peers is NOT
> 2-way, meaning traditional IKE will not establish between the peers, but
> the SD-WAN does come up.
>

Thanks. This is helpful.


> * The PFS story here seems pretty bad: I'm assuming that people
> aren't going to change their DH keys very often (as it's extremely
> expensive for everyone else).
>
> True, the DH load can be expensive, but no more so than an equivalent mesh
> of traditional IKE.  We would not need to re-key any less often.  I believe
> this makes the PFS story equivalent.
>
This doesn't seem correct to me. Consider the case where you do pairwise
IKE and then delete the SA and the DH ephemerals. At this point, compromise
doesn't leak the traffic keys at all. By contrast, in Controller-IKE
because I need to store my DH share indefinitely in case a new peer comes
online, then that represents a long-term source of compromise.



> * What happens if node A takes node B's DH key and nonce and
> advertises them as its own? If I understand the draft correctly,
> C will end up with the same SPKI and keys between C-B and C-A.
> Is that right? If so, that sounds at minimum like an identity
> misbinding attack, but if you are using implicit IVs
> (https://tools.ietf.org/html/draft-ietf-ipsecme-implicit-iv-07),
> then wouldn't you get nonce reuse, which would be quite bad.
>
> This is a very good observation.  The straightforward answer is to mix the
> controller validated identity into the keymat to ensure that someone else
> using my DH/nonce will not generate the identical keys with a 3rd peer.
> Thanks!!
>
That's probably enough, but I'd want to see some kind of analysis that
shows that this is true.

>
>
> * You also seem to have a KCI problem, where if your keys is
> compromised, an attacker can impersonate anyone to you.
>
> I don’t see this?  Can you explain further?  If my DH private is
> compromised, then an attacker can impersonate me to anyone else (until I
> re-key).  Presumably if you get my private DH, I have been compromised
> fully.  But this is the same situation with any key management protocol.
>
Not exactly. Consider a protocol like TLS 1.3 where you have both short and
long term keys. Compromise of your long-term key (e.g., it's leaked but
your machine isn't still compromised) allows someone to impersonate you to
other people but not to impersonate other people to you, because they can't
forge a signature you will accept. However, that's not the case with
Controller-IKE. I don't believe that it's possible to achieve KCI
resistance with a static-static DH protocol like Controller-IKE but you can
with a combined ephemeral/static protocol like OPTLS.


>
> ISTM that you would be in a better position if you adopted a 0-RTT DH
> flow in the style of OPTLS. I.e., A and B each have keys g^a, g^b and
> you mix them in with ephemeral DH keys g^x and g^y. This kind of
> exchange is reasonably well studied, and has good PFS and key
> confirmation properties. You can piggyback the key establishment
> messages along with the data you want to send, so you'll still get
> data on the first message.
>
> Definitely worth looking at.  I can’t give you a quick response on this,
> but I will crunch on this.  Of course, this would involve modifying ESP.  I
> wouldn’t want to make that a requirement to this moving forward, but it
> could be separately considered as an ESP extension that any KMP could avail
> themselves of.
>
Well, you don't *need* to piggyback: you can send the key establishment
messages in separate packets. Piggybacking just gives you fate sharing so
there's no way for the ESP messages to arrive in the opposite order.

QUIC is a worked example of this style of protocol.

-Ekr

-Ekr
>
>
>
> Dave
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Fri, Jul 19, 2019 at 7:20 PM David Carrel (carrel) <carrel@cisco.com>
> wrote:
>
> Folks,
>
>
>
> I would like to present Controller-IKE in the Montreal Security Dispatch
> meeting.  There is growing interest from routing folks, and I strongly feel
> we should evaluate and progress this in the security area.  I’ll have some
> slides to share shortly.  For now, please do read the draft.  Also there
> are some drafts referencing this:
>
>
>
> Controller-IKE:
> https://tools.ietf.org/html/draft-carrel-ipsecme-controller-ike-01
>
>
>
> Also some docs referencing this form of key management:
>
> BESS, Secure EVPN:
> https://tools.ietf.org/html/draft-sajassi-bess-secure-evpn-02
>
> And: https://tools.ietf.org/html/draft-dunbar-bess-bgp-sdwan-usage-01
>
>
>
> Comments appreciated.
>
>
>
> Dave
>
>
>
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>
>

v2.23.0 | Report a Bug | By Email