[IPsec] Interoperability problem concerning RFC 7427
"Valery Smyslov" <svanru@gmail.com> Thu, 15 September 2016 15:27 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71FF712B85D for <ipsec@ietfa.amsl.com>; Thu, 15 Sep 2016 08:27:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.266
X-Spam-Level:
X-Spam-Status: No, score=0.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439, STOX_REPLY_TYPE_WITHOUT_QUOTES=1.757] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f4NDILQkaZea for <ipsec@ietfa.amsl.com>; Thu, 15 Sep 2016 08:27:39 -0700 (PDT)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61F1C12B661 for <ipsec@ietf.org>; Thu, 15 Sep 2016 07:28:59 -0700 (PDT)
Received: by mail-lf0-x231.google.com with SMTP id g62so37417918lfe.3 for <ipsec@ietf.org>; Thu, 15 Sep 2016 07:28:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-transfer-encoding; bh=Q9Vu5PS6VaiI7065tk6RUCw62U+DEIgKQUK9Y3igcZo=; b=Xg9iRmU3zfgtK+s4LslVAFdLHmtJxwOHsn7l2FDb0UdYr6XrFvKwXjVfEaVeoL3j4h lQ6p7OdOAMKi7yzb2gGLt2fV/FitdXPgI+ZH3Jo8KHt1RBFzoH9WEjoPb/03Ep5MitvO a6k5VEagyrcB2KygkuK92M21P3P2E9xPpf2lsyJFLaHmL0ayQTz/5wBZi6vvvaS/5PDC 7Ji1b7bti4wN7Pvs8yImTeWWvnestbT0omlBCkaYyx5XVj+He4rczcsa1neyBLPH26Qx 4gBJS4NgDVrYq5qFvYPlRrwEsf13U0qUTkZ8yt84lBsEfPaRW0NlIUEVenxIP/Ftl01n aVnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:references:subject:date :mime-version:content-transfer-encoding; bh=Q9Vu5PS6VaiI7065tk6RUCw62U+DEIgKQUK9Y3igcZo=; b=ONgd99is2XerLSQq/57MfsGdjC+KsV90KCjY5rydlSpVspMhAnkNrqwwZa+KvTjJZ2 QLsytFko64qBStdUCbI66W5yfWoOR46yoo35Ul89KnHf6XFCgekPlKC2ZOP5cHbbZQG8 Ca0q6wjyaT79WKbvn1uL2ThS4LUo6TzQ8J2Lw+dsXbnQ+atVRYLFB2dSqUj4iQM/DBvT HkBQNr9W2vK6TDC1e597amn/myoiqcxTSOK3BgF9XHnsF0LDy0VFBsUDvsiKXRrxlqRw HJQ8wKMNK3bTY0a/Gyk1809tl8Sp4cXMBBUNq7cSh7lsEu04ont9bho/Y1Orj4GssbYu XlAQ==
X-Gm-Message-State: AE9vXwOE18pqPDSItVxVhNaETC9ZjkLmVUa0jXEfMMUYpBIc7zYQ3zAPGguozBa+Z4TLDg==
X-Received: by 10.25.37.84 with SMTP id l81mr3818779lfl.41.1473949733751; Thu, 15 Sep 2016 07:28:53 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id g38sm1063406ljg.24.2016.09.15.07.28.52 for <ipsec@ietf.org> (version=TLS1 cipher=DES-CBC3-SHA bits=112/168); Thu, 15 Sep 2016 07:28:53 -0700 (PDT)
Message-ID: <4413733F9BF24D94821C1814E88C3C26@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: IPsecME WG <ipsec@ietf.org>
References: <MWHPR09MB14403946B9D23FF98C744FBEF0E40@MWHPR09MB1440.namprd09.prod.outlook.com>
Date: Thu, 15 Sep 2016 17:28:53 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0XYpWpMrtU_IXmn_RxfWWvsXztM>
Subject: [IPsec] Interoperability problem concerning RFC 7427
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Sep 2016 15:27:44 -0000
Hi, we recently ran into one interoperability problem that is concerned with RFC 7427. We start testing RSASSA-PSS with another vendor product and found, that while it supports Digital Signature authentication method, it seems to not support RSASSA-PSS signatures in IKE. As a result, the SA is failed to be created if we use RSASSA-PSS (and we do use it because we want to be compliant with RFC-to-be draft-ietf-ipsecme-rfc4307bis, that states that with Digital Signature RSASSA-PSS-SHA256 is MUST). The problem is that RFC7427 doesn't provide any means to find out what kind of signatures peer supports. If you have RSA certificate, you need somehow to guess whether you can use newer PSS signature format or should stick to old PKCS 1 one. The SIGNATURE_HASH_ALGORITHMS notification doesn't provide any information of this kind. RFC7427 is silent whether support for RSASSA-PSS is required to be compliant with it, so I think it is absolutely legal now to have support for Digital Signature authentication method and have no support for RSASSA-PSS (as in the product we have tested with). The draft draft-ietf-ipsecme-rfc4307bis does requires that if Digital Signatures are supported, then RSASSA-PSS with SHA2-256 MUST be supported. However, even if it becomes RFC in near future, it'll take a couple of years before it is adopted by major vendors. I think that it is a more fundamental problem: RFC7427 allows peers to announce what hash functions they support, but the peers cannot announce what kinds of signatures (or what signature formats) they support. Few years ago life was simpler: there were a couple of widely used signature schemes and they use different types of public keys. So, if you had RSA certificate, you could be sure that RSA PKCS 1 signature format would be understood by anyone. Now we have new incompatible RSA signature format - RSASSA-PSS and mere having RSA certificate is not enough to choose right signature format. I envision that similar situation can repeat in the future with Elliptic Curve certificates. Now new kind of signature is being developed for Edwards curve public keys - EDDSA. However, as far as I anderstand, any Edwards curve key can be converted to short Weierstrass's form and used in ECDSA. So we'll probably have a mess when some implementations support EDDSA, while some use Edwards keys in ECDSA (at least for a while), that will result in interoperability problems. So, my question is - what to do with all this. 1. Do nothing. Coming back to the interoperability problem we have, it is possible to find some workarounds: - don't use RSASSA-PSS until it becomes ubiquitous (however if everybody follows this way it'll never become ubiquitous) - it is possible for the initiator to restart exchange if it receives AUTHENTICATION_FAILED while using RSASSA_PSS and use RSA PKCS 1 in the new run. However, this approach will slow down connection setup and waste resources of both initiator and responder. - it is possible for responder to look at the format of signature the initiator used and act in accordance - if the initiator doesn't use RSASSA-PSS then don't use it. These are all workarounds and they complicate implementations and waste resources for no good reason. 2. Add some indication of signature form/format the peers support. I can see two possible solutions. - define new entries in Hash Algorithms registry that are not hash functions but are rather signature formats. For example, add RSASSA_PSS. If it is included in SIGNATURE_HASH_ALGORITHMS notification. it will mean that this format is supported with any real hash algorithms that are included in this notification. It is clearly a hack of RFC 7427. - define new notification SIGNATURE_FORMATS, which will include supported signature forms/formats. It seems to be a most "proper" way, however it is the slowest one (new RFC is needed). What the WG thinks of all this? Regards, Valery.
- [IPsec] IPsecME Status update 2016-09-02 Waltermire, David A. (Fed)
- [IPsec] Interoperability problem concerning RFC 7… Valery Smyslov
- Re: [IPsec] Interoperability problem concerning R… Valery Smyslov
- [IPsec] Interoperability problem concerning RFC 7… Tero Kivinen
- Re: [IPsec] Interoperability problem concerning R… Yoav Nir
- Re: [IPsec] Interoperability problem concerning R… Valery Smyslov
- Re: [IPsec] Interoperability problem concerning R… Paul Wouters
- Re: [IPsec] Interoperability problem concerning R… Valery Smyslov
- Re: [IPsec] Interoperability problem concerning R… Yoav Nir
- Re: [IPsec] Interoperability problem concerning R… Valery Smyslov
- Re: [IPsec] Interoperability problem concerning R… Tero Kivinen
- Re: [IPsec] Interoperability problem concerning R… Valery Smyslov
- Re: [IPsec] Interoperability problem concerning R… Tero Kivinen
- Re: [IPsec] Interoperability problem concerning R… Valery Smyslov