Re: [Lwip] Review of draft-ietf-lwig-minimal-esp-00
Hi Tero, Thanks for the comments. Please find below how I updated the text on my local copy and let me know if that addresses your concerns. Yours, Daniel On Fri, Oct 30, 2020 at 3:26 PM Tero Kivinen wrote: > Daniel Migault writes: > >value SN needs to be considered instead. Note that the limit of > >messages being sent is primary determined by the security associated > >to the key rather than the SN. The security of the key used to > >encrypt decreases with the each message being sent and a node MUST > >ensure the limit is not reached - even though the SN would permit it. > >In a constrained environment, it is likely that the implementation of > a > >rekey mechanism is preferred over the use of ESN. > > No. The security of the key does not decrease, but the ability for the > attacker to attack the key might incrase, and the value of attacking > that one key also increases when more data is encrypted with it. Also > with short block length algorithms there were stricter limits of data > that can be encrypted with one key. > Thanks. Here is the text I propose. The security of all data protected under a given key decreases slightly with each message and a node MUST ensure the limit is not reached - even though the SN would permit it. > -- > kivi...@iki.fi > -- Daniel Migault Ericsson ___ Lwip mailing list Lwip@ietf.org https://www.ietf.org/mailman/listinfo/lwip
Re: [Lwip] Review of draft-ietf-lwig-minimal-esp-00
Daniel Migault writes: > value SN needs to be considered instead. Note that the limit of > messages being sent is primary determined by the security associated > to the key rather than the SN. The security of the key used to > encrypt decreases with the each message being sent and a node MUST > ensure the limit is not reached - even though the SN would permit it. > In a constrained environment, it is likely that the implementation of a > rekey mechanism is preferred over the use of ESN. No. The security of the key does not decrease, but the ability for the attacker to attack the key might incrase, and the value of attacking that one key also increases when more data is encrypted with it. Also with short block length algorithms there were stricter limits of data that can be encrypted with one key. -- kivi...@iki.fi ___ Lwip mailing list Lwip@ietf.org https://www.ietf.org/mailman/listinfo/lwip
Re: [Lwip] Review of draft-ietf-lwig-minimal-esp-00
Hi Valery, Thank you very much for the review. Your review was very helpful to improve the draft and we believe the new version has taken the reviews into account. Please find a more detailed description of the updates led by your reviews. Yours, Daniel On Tue, Dec 3, 2019 at 8:08 AM Valery Smyslov wrote: > Hi, > > I reviewed draft-ietf-lwig-minimal-esp-00. In general I think that the > document > provides useful guidelines on how ESP can be implemented on constrained > devices. > > General comment: the draft uses RFC2119 requirement language in several > places, > and it is not always clear whether it is just a repetition of the RFC4301 > requirements > or a new requirement imposed by this document. In general, I think it's > better not to include > the existing RFC4301/4303 requirements in the draft or make it absolutely > clear that these are not > new requirements if you need to mention them (adding a reference to a > corresponding section > in the RFCs). > We initially took this text as an editorial choice to quote or refer to useful original text. I understand it brings some confusion - unless we read it very carefully. I am tempted to agree that it might be clearer now that we removed the quoted text. In fact it is just commented so it would be easy to move back, if that would raise any concerns. > > Another general comment: sections 3-7 discuss how the corresponding ESP > packet fields > can be tweaked to deal with low resource devices. I think that for the > sake of clarity > the suggested measures must be summarized in each of these sections. > Currently > these sections contain quite a lot of discussion and no clear conclusions > what > is OK to do and in what situations. I think document will be more clear if > such > conclusions are put at the end of each section (currently some advises are > spread > over them). > > We tried to clarify the text. One difficulty is that recommendations can easily change over the use cases. For section 3, we mentioned that tweak applies to constraint devices for which handling 32 bit random SPI would cause an issue. I think that is now clearer. We also re-order some of the paragraphs so the discussion of a specific use cases remains localized. For section 4 we mentioned the SN that has an always increasing source may take advantage of it. We clarified that other recommendations concern all devices. For section 5 - 6 - 7 seems relatively generic. If you believe we could improve this, feel free to let us know. > > Specific comments: > > Section 3. > >When fix SPI are used, >it is RECOMMENDED the constraint node has as many SPI values as ESP >session per host IP address, and that SA lookup includes the IP >addresses. > > This is probably wrong if we take into considerations that SA may be > rekeyed. > Some words should be added either prohibiting rekeying ESP SAs in this case > or discussing that in case of rekey one will consume additional SPI values > for in fact the same SA. > > I agree. We now clearly mention that the number of SPI a peer needs to handle depends on the number of session and the rekying of these SA. We also moved the discussion of fixed SPIs to something more generic in order to provide more generic guidances. We reinforced also the need to rekey - and managed the keys in the security consideration section. SPI section has been updated as follows: """ However, for some constrained nodes, generating and handling 32 bit random SPI may consume too much resource, in which case SPI can be generated using predictable functions or end up in a using a subset of the possible values for SPI. In fact, the SPI does not necessarily need to be randomly generated. A node provisioned with keys by a third party - e.g. that does not generate them - and that uses a transform that does not needs random data may not have such random generators. However, non random SPI and restricting their possible values MAY lead to privacy and security concerns. As a result, this alternative should be considered for devices that would be strongly impacted by the generation of a random SPI and after understanding the privacy and security impact of generating non random SPI. When a constrained node limits the number of possible SPIs this limit should both consider the number of inbound SAs - possibly per IP addresses - as well as the ability for the node to rekey. SPI can typically be used to proceed to clean key update and the SPI value may be used to indicate which key is being used. This can typically be implemented by a SPI being encoded with the SAD entry on a subset of bytes (for example 3 bytes), while the remaining byte is left to indicate the rekey index. """ The security consideration has been updated as follows: """ The security of a communication provided by ESP is closely related to the security associated to the management of that key. This usually include
Re: [Lwip] Review of draft-ietf-lwig-minimal-esp-00
Thank you Valery for the detailed review. That is really much appreciated. We will update the document accordingly by the next few weeks also considering the feed backs from Scott. Yours, Daniel On Tue, Dec 3, 2019 at 8:08 AM Valery Smyslov wrote: > Hi, > > I reviewed draft-ietf-lwig-minimal-esp-00. In general I think that the > document > provides useful guidelines on how ESP can be implemented on constrained > devices. > > General comment: the draft uses RFC2119 requirement language in several > places, > and it is not always clear whether it is just a repetition of the RFC4301 > requirements > or a new requirement imposed by this document. In general, I think it's > better not to include > the existing RFC4301/4303 requirements in the draft or make it absolutely > clear that these are not > new requirements if you need to mention them (adding a reference to a > corresponding section > in the RFCs). > > Another general comment: sections 3-7 discuss how the corresponding ESP > packet fields > can be tweaked to deal with low resource devices. I think that for the > sake of clarity > the suggested measures must be summarized in each of these sections. > Currently > these sections contain quite a lot of discussion and no clear conclusions > what > is OK to do and in what situations. I think document will be more clear if > such > conclusions are put at the end of each section (currently some advises are > spread > over them). > > > Specific comments: > > Section 3. > >When fix SPI are used, >it is RECOMMENDED the constraint node has as many SPI values as ESP >session per host IP address, and that SA lookup includes the IP >addresses. > > This is probably wrong if we take into considerations that SA may be > rekeyed. > Some words should be added either prohibiting rekeying ESP SAs in this case > or discussing that in case of rekey one will consume additional SPI values > for in fact the same SA. > >When used indoor, the privacy information is stored in the encrypted >data and as such does not leak privacy. > > I cannot parse this :-) > >Such packet will not be rejected due to an SPI mismatch, but instead >after the signature check which requires more resource and thus make >DoS more efficient, especially for devices powered by batteries. > > I think this a very good argument against fixed (predictable) SPIs. > In fact, after reading through this section it seems to me that the > conclusion must be - predictable (fixed) SPIs SHOULD NOT be used. > >Values 0-255 SHOULD NOT be used. > > I believe these values MUST NOT be used with IPsec ESP, no? > Why "SHOULD NOT"? The values from this range are reserved > for other protocols utilizing ESP (e.g. SPI (1) was used in SKIP). > > Section 4. > > I see no discussion regarding using ESN. I think there is generally no > point > to use ESN for constrained devices, but it can be useful if clock is used > to generate (E)SN, as suggested in the draft. In this case 64-bit numbers > can make sure that no two packets will be sent with the same ESN > (provided the clock has high resolution). > > Section 5. > >The purpose of padding is to respect the 32 bit alignment of ESP. > > It is not an accurate statement, the padding is also used when encryption > transform requires the input to be a multiple of some number of bytes. > Many modern transforms (based on GCM, CCM, CTR modes) don't have such > a requirement, but some (e.g. based on CBC mode) do have. > > Section 6. > >For interoperability, it is RECOMMENDED a minimal ESP >implementation discards dummy packets. > > I'm puzzled by this sentence. What else can the receiver do with dummy > packets other than discard? RFC4303 leaves him only this option :-) > > > Nits: > Throughout the text: > s/fix SPI/fixed SPI > s/constraint node/constrained node > s/algorythm/algorithm > > Section 2: > > s/IPsec suite protocol/IPsec protocol suite > > Section 3: > >However, for some constraint nodes, generating a random SPI may >consume to much resource, in which case SPI can be generated using >predictable functions or even a fix value. > > s/to/too > >When a constraint node uses fix value for SPIs, it imposes some >limitations on the number of inbound SA. This limitation can be >alleviate by how the SA look up is performed. When fix SPI are used, >it is RECOMMENDED the constraint node has as many SPI values as ESP >session per host IP address, and that SA lookup includes the IP >addresses. > > s/alleviate/alleviated > s/RECOMMENDED the/RECOMMENDED that the > >More specifically, traffic pattern MAY leak sufficient information in >itself. In other words, privacy leakage is a complex and the use of >random SPI is unlikely to be sufficient. > > s/MAY/may > >In addition, >predictable SPI enable an attacker to forge packets with a valid SPI. > > s/enable/enables > > Section 5: > >As a result, TFC cannot not be enabled with minimal,
[Lwip] Review of draft-ietf-lwig-minimal-esp-00
Hi, I reviewed draft-ietf-lwig-minimal-esp-00. In general I think that the document provides useful guidelines on how ESP can be implemented on constrained devices. General comment: the draft uses RFC2119 requirement language in several places, and it is not always clear whether it is just a repetition of the RFC4301 requirements or a new requirement imposed by this document. In general, I think it's better not to include the existing RFC4301/4303 requirements in the draft or make it absolutely clear that these are not new requirements if you need to mention them (adding a reference to a corresponding section in the RFCs). Another general comment: sections 3-7 discuss how the corresponding ESP packet fields can be tweaked to deal with low resource devices. I think that for the sake of clarity the suggested measures must be summarized in each of these sections. Currently these sections contain quite a lot of discussion and no clear conclusions what is OK to do and in what situations. I think document will be more clear if such conclusions are put at the end of each section (currently some advises are spread over them). Specific comments: Section 3. When fix SPI are used, it is RECOMMENDED the constraint node has as many SPI values as ESP session per host IP address, and that SA lookup includes the IP addresses. This is probably wrong if we take into considerations that SA may be rekeyed. Some words should be added either prohibiting rekeying ESP SAs in this case or discussing that in case of rekey one will consume additional SPI values for in fact the same SA. When used indoor, the privacy information is stored in the encrypted data and as such does not leak privacy. I cannot parse this :-) Such packet will not be rejected due to an SPI mismatch, but instead after the signature check which requires more resource and thus make DoS more efficient, especially for devices powered by batteries. I think this a very good argument against fixed (predictable) SPIs. In fact, after reading through this section it seems to me that the conclusion must be - predictable (fixed) SPIs SHOULD NOT be used. Values 0-255 SHOULD NOT be used. I believe these values MUST NOT be used with IPsec ESP, no? Why "SHOULD NOT"? The values from this range are reserved for other protocols utilizing ESP (e.g. SPI (1) was used in SKIP). Section 4. I see no discussion regarding using ESN. I think there is generally no point to use ESN for constrained devices, but it can be useful if clock is used to generate (E)SN, as suggested in the draft. In this case 64-bit numbers can make sure that no two packets will be sent with the same ESN (provided the clock has high resolution). Section 5. The purpose of padding is to respect the 32 bit alignment of ESP. It is not an accurate statement, the padding is also used when encryption transform requires the input to be a multiple of some number of bytes. Many modern transforms (based on GCM, CCM, CTR modes) don't have such a requirement, but some (e.g. based on CBC mode) do have. Section 6. For interoperability, it is RECOMMENDED a minimal ESP implementation discards dummy packets. I'm puzzled by this sentence. What else can the receiver do with dummy packets other than discard? RFC4303 leaves him only this option :-) Nits: Throughout the text: s/fix SPI/fixed SPI s/constraint node/constrained node s/algorythm/algorithm Section 2: s/IPsec suite protocol/IPsec protocol suite Section 3: However, for some constraint nodes, generating a random SPI may consume to much resource, in which case SPI can be generated using predictable functions or even a fix value. s/to/too When a constraint node uses fix value for SPIs, it imposes some limitations on the number of inbound SA. This limitation can be alleviate by how the SA look up is performed. When fix SPI are used, it is RECOMMENDED the constraint node has as many SPI values as ESP session per host IP address, and that SA lookup includes the IP addresses. s/alleviate/alleviated s/RECOMMENDED the/RECOMMENDED that the More specifically, traffic pattern MAY leak sufficient information in itself. In other words, privacy leakage is a complex and the use of random SPI is unlikely to be sufficient. s/MAY/may In addition, predictable SPI enable an attacker to forge packets with a valid SPI. s/enable/enables Section 5: As a result, TFC cannot not be enabled with minimal, and communication protection that were relying on TFC will be more sensitive to traffic shaping. s/cannot not/cannot s/minimal/minimal ESP s/were relying/rely Section 7: Currently recommended [RFC8221] only recommend crypto-suites with an ICV which makes the ICV a mandatory field. s/recommend/recommends Section 8: The recommended suites to use are expect to evolve over time and implementer SHOULD follow the recommendations provided by [RFC