Re: [IPsec] [Lwip] Iotdir last call review of draft-ietf-lwig-minimal-esp-03

[Daniel Migault]

Hi Nancy,

Regarding ISSUE 3, I have the impression that the concern that AES-GCM,
Chacha20-Poly1305 or AES-CCM only send a 64 bit IV which suggest that only
64 bit IV can be sent with ESP.
In fact the IV is not a field in ESP but is defined for each suite, as a
result, ESP would be able to support any suite with larger or short IV.
Then, the use of a 96 bit nonce is not uncommon, actually AES-GCM and
Chacha20-Poly1305 do use 96 bit nonce and AES-CCM uses a 88 bit nonce. The
nonce is formed based on a slat and the IV. Similar construction may be
provided for AES-GCM-SIV if needed as far as I can see.

AES-GCM-SIV is only defined as an algorithm, I also suggest to add other
alternatives that have a similar goals. The current text is as follows and
I think it might close the ISSUE 3.

When the key is likely to be re-used across reboots, it is RECOMMENDED to
consider algorithms that are nonce misuse resistant such as, for example,
AES-SIV [RFC5297], AES-GCM-SIV [RFC8452] or Deoxys-II [deoxys].
Note however that currently none of them has yet been defined for ESP.

I suspect the ISSUE 1 and ISSUE 2 are related to IV collision. If so it
seems to me related to the  collision of IV. If so I think the current
proposed text for SN addresses the concerns that an algorithm should not be
used beyond its limits. In addition the following text in the security
consideration seems to address that concern as well:

the nodes MUST ensure that keys are not used beyond their lifetime and that
the appropriate use of the key remains across reboots - e.g. conditions on
counters and nonces remains valid.

I suspect that collision is related to the collision of IV which is only a
concern when the IV needs to be unpredictable.  I am tempted to think that
algorithms that the properties of the IV are really part of the algorithm
properties and that they cover / include into the lifetime of the keys. On
the other hand, most recommended algorithms AES-GCM, AES-CCM,
Chacha-Poly1305 are using IVs that just do not need to repeat, and so use
counters where collision is not a concern. Of course this does not concerne
collision across reboot, but I do not think these were the collisions that
caused your concern.  If I am correct, that probably also addresses ISSUEs
1 and ISSUE 2.

I will publish the version with the current changes so reviews have the
most recent editorial changes and will update from that according to your
response. Again thank you for the in depth review and the many comments
that already result in many clarifications - at least I think so.

Yours,
Daniel

On Tue, Mar 30, 2021 at 10:45 PM Daniel Migault  wrote:

> Hi Nancy,
>
> Thank you very much for your review. Please see inline my responses. I
> believe all concerns raised have been addressed. I also believe the current
> text addresses some concerns also raised by Paul W.
>
> The current version can be found here:
>
> https://github.com/mglt/draft-mglt-lwig-minimal-esp/pull/1/commits/fb9393a246298e37adcf2683afa2061a40b4ed89
>
> I think there are however three remaining issues that might get further
> discussions. For all of these I provided a response, but I am unsure it
> really addresses the three concerns below:
>
> 
> ISSUE 1
> 
> - I might challenge due to potential collision attacks that at
> most, 2^32-1 packets may be sent before the SPI *must* rekey, so the SN
> and how
> it is used is part of the security context for the SPI/SA.  I might also
> challenge that a recommendation for using a rekey mechanism is warranted
> because constrained devices tend to stay up for very, very, very long
> periods
> of time and even with an ESN there can be exhaustion :-)
>
> I am missing the concern. I understand the first concern is that the
> current text seems to push the limit of packets being sent being determined
> by the SN as opposed to cryptographic properties. If my understanding is
> correct, I have the current text seems clear that crypto properties are
> given priorities. I suspect more guidance would be given. If that is the
> case, I find it difficult as these guidances are really based on the
> cryptographic algorithm and the key sizes. In any case, if I am
> missing something, feel free to propose some text.
>
> """
> Note that the limit of messages being sent is primarily determined by the
> security associated with the key rather than the SN.
> The security of all data protected under a given key decreases slightly
> with each message and a node MUST ensure the limit is not reached - even
> though the SN would permit it.
> """
>
> I understand the second concern as that current text is read as rekey
> mechanisms are recommended only when there is a risk the SN get exhausted.
> Our intention was to read the text as even if ESN raises the limit to an
> acceptable limit, it is preferred to have a rekey mechanism. I propose the
> following text to clarify the meaning:
>
> OLD:
> In a constrained environment, it is likely that the implementation of a
> 

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

[Tero Kivinen]

Bottorff, Paul writes:
> The RFC3948 specifies one pair of UDP ports 4500-4500.

No it does not. It says you must use same ports than what you do for
IKE traffic.

> Both the IKE flow and the ESP in UDP flow should use the same UDP
> flow. The draft seems to suggest new destination port and source
> ports are only for ESP? How would this change work with IKE? May you
> are not intending to use IKE?

The reason NAT-T uses same ports for both ESP and IKE is to make sure
that responder will know the port mapping from the IKE packets for ESP
packets too. If they would use different port numbers, then responder
would need to wait for first ESP packet to come in from the initiator
before it can send any ESP packets back, as it would be able to know
which port numbers to use for ESP traffic. Also keepalives would be
needed to do for both IKE and ESP separately. 

> PB>>Our use cases use IKE, however as stated in RFC3948 ESPinUDP does not 
> have to be tied to IKE, it is just advantageous to do so for the NAT case 
> since this allows a single mapping for both at the NAT rather than two 
> mappings.
> PB>>I've wondered why we could not use the RFC3948 encoding for ESPinUDP, but 
> allow the source port to be chosen differently than IKE. Perhaps Xu has some 
> thoughts on this. 
> <<

As there is no way for the responder to know whether the initiator
sent the packet out using source port of 4500 and then NAT changed it
to port number of , or whether the initiator sent the packet out
using port number of  himself, the RFC7296 do require that
responder MUST accept incoming packets regardless of the source port,
and MUST always respond back to exactly same IP and port than what was
in the source packet of the request:

>From the 2.11 of the RFC7296:

An implementation MUST
   accept incoming requests even if the source port is not 500 or 4500,
   and MUST respond to the address and port from which the request was
   received.  It MUST specify the address and port at which the request
   was received as the source address and port in the response.

There is text in 2.23 of the RFC7296 which do say:

For this
   reason, even though IKE packets MUST be sent to and from UDP port 500
   or 4500, they MUST be accepted coming from any port and responses
   MUST be sent to the port from whence they came.

Which is bit funny, as the "even though" claims that IKE packets must
be sent to and from UDP port 500 or 4500, and there is no such claim
anywhere else in the RFC7296. I think it was supposed to say that
"even though IKE packets are normally sent ...", as this is not
correct place to make this kind of new requirement.

So making IKE implementation which uses some other source port than
500 or 4500 is common way to force NAT-T traversal and UDP
encapsulation on, and in that way allow user mode IKE + IPsec to be
implemented without affecting the in kernel version of the IPsec in
the host. I.e., user mode application wanting to use IPsec in usermode
without affecting host IPsec in any ways can use any random port as
source port and port 4500 as the destination port, and make sure that
NAT_DETECTION_SOURCE_IP does not match, so responder will enable udp
encapsulation.

The responder MUST work even with that setup, so there is no reason
why there should be requirement for the oritinal sender should be
mandated to use source port 4500...

> PB>>We are mostly interested in data centre use cases which don't have 
> intervening NATs, however I believe SD-WAN cases could have NAT and FW 
> traversals between tunnel end points. As it stands 
> draft-xu-ipsecme-esp-in-udp-lb does not specify how the source port value is 
> determined. It seems like it could be based on a hash value within the ESP or 
> based on the SPI and IPs.
> <<
> 
> Should both sides use the same source port?

For the load balancing I think it is enough for just one of the ports
to be different, thus initiator could simply allocate n random source
port numbers, and initiate IKE from each of them to responder, and
then create SAs for each of them separately, thus allowing load
balancing using UDP encapsulation using existing hardware.

The real issue is that if you do not want to create n separate IKE
SAs, then you need to do something special, and there are other things
that needs to be considered then. 
-- 
kivi...@iki.fi

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

[Paul Wouters]

On Thu, 1 Apr 2021, Antony Antony wrote:


In my experience it would work well when there is no NAT. When there
there is NAT the IKE and ESP in UDP should use same ports, otherwise
IKE will get established and ESP packets could get dropped in one
direction. When there is NAT it would look more like a client-to-server
than a peer-to-peer.


One idea could be to use MOBIKE probes (without UPDATE_SA) by the
initiator behind NAT to get multiple NAT mappings? It might require
kernel changes depending on how it implements NAT updates :/


I implemented a proof concept - UDP source port set to 16bit hash of out going 
SPI.
Then it occurred to me the hash could collide with other well
known UDP ports e.g. hash of an SPI or/and IP address could be 53(DNS).
Some admins may not be happy to see source port 53 for ESP in UDP traffic.


I seen this in the wild already with a large VPN provider blocking port
19 (chargen) and NAT gateways picking port 19 as source port. While this
could be an attack to try and trigger chargen responses from a spoofed
packet, I don't think it is. It might work for TCP, but not really for
UDP as a DoS attack. I think in the end, sadly, we have to expect every port
to be used by badly designed NAT gateways.

However, it would still be a good design to keep UDP source ports in the
ephemeral ranges. This also helps against local policy enforcements,
such as Linux's SElinux policies.


If you choose ephemeral source ports both sides should know the source
ports otherwise SADB remap will be generated. If we disable that real NAT
would break...
So far I don't have a clean solution which would work with NAT and without NAT
for our use case.


That is indeed the real problem to solve. I have to do some more
testingwith MOBIKE probes on the same IP with only port differences
and see if the kernel acts like these are port updates or not if it
is only IKEinUDP and not ESPinUDP.

Paul

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

[Antony Antony]

On Wed, Mar 31, 2021 at 23:38:01 +, Bottorff, Paul wrote:
> Hi Antony:
> 
> Below,
> 
> Cheers,
> 
> Paul
> 
> 
> 
> -Original Message-
> From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Antony Antony
> Sent: Wednesday, March 31, 2021 3:32 AM
> To: Bottorff, Paul ; IPsec 
> Cc: antony.ant...@secunet.com
> Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07
> 
> Hi,
> 
> This is an interesting draft. I would love to see a generic solution for 
> network paths and receiver use cases, such as RSS.
> 
> PB>> Can you explain your use case for RSS a little more? I'd guess you are 
> looking at LB around the RSS queues to get better distribution for the 
> decodes.
> <<

We are using muliple SAs, with identical Traffic Selectors, to
load balance IPsec traffic between IPsec peers.
https://datatracker.ietf.org/doc/draft-pwouters-multi-sa-performance/

This should improve multi-core-cpu utilization and IPsec throughput. The 
receiver
should distribute the flows, based on SPI, to different CPUs for decryption.
Ideally the NIC should support a ntuple flow distribution using SPI.
It is not yet widely supported, and also not compatible with older NICs.
Now we are thinking of ESP in UDP with different source ports. Just like the 
draft
proposed for ECMP and LAG.
When implementing it I ran into issues with NAT and SAD remapping messages 
which update IKE.
I am using strongSWAN for IKE and Linux XFRM for ESP.

> The RFC3948 specifies one pair of UDP ports 4500-4500.
> Both the IKE flow and the ESP in UDP flow should use the same UDP flow.
> The draft seems to suggest new destination port and source ports are only for 
> ESP? How would this change work with IKE?
> May you are not intending to use IKE?

PB> Our use cases use IKE, however as stated in RFC3948 ESPinUDP does not have 
to be
PB> tied to IKE, it is just advantageous to do so for the NAT case since this 
allows
PB> a single mapping for both at the NAT rather than two mappings.


PB> I've wondered why we could not use the RFC3948 encoding for ESPinUDP, but 
allow 
PB> the source port to be chosen differently than IKE. Perhaps Xu has some 
thoughts on this. 

In my experience it would work well when there is no NAT. When there
there is NAT the IKE and ESP in UDP should use same ports, otherwise
IKE will get established and ESP packets could get dropped in one
direction. When there is NAT it would look more like a client-to-server
than a peer-to-peer.

> How would the new ESP flow work when there is a NAT gateway along the path?
> I ran into issues with both sides choosing different source ports.
> It would cause SADB mapping changes which force changes IKE flows. One coul 
> disable
> SADB mapping changes. However, that would break real NAT changes.
>
PB> We are mostly interested in data centre use cases which don't have 
intervening NATs,
PB> however I believe SD-WAN cases could have NAT and FW traversals between 
tunnel end
PB> points. As it stands draft-xu-ipsecme-esp-in-udp-lb does not specify how 
the source port PB> value is determined. It seems like it could be based on a 
hash value within the ESP or
PB> based on the SPI and IPs.

I implemented a proof concept - UDP source port set to 16bit hash of out going 
SPI.
Then it occurred to me the hash could collide with other well
known UDP ports e.g. hash of an SPI or/and IP address could be 53(DNS).
Some admins may not be happy to see source port 53 for ESP in UDP traffic.

If you choose ephemeral source ports both sides should know the source
ports otherwise SADB remap will be generated. If we disable that real NAT
would break...
So far I don't have a clean solution which would work with NAT and without NAT
for our use case.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec