IETF Logo Mail Archive

[IPsec] Interoperability problem concerning RFC 7427

"Valery Smyslov" <svanru@gmail.com> Thu, 15 September 2016 15:27 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71FF712B85D for <ipsec@ietfa.amsl.com>; Thu, 15 Sep 2016 08:27:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.266
X-Spam-Level:
X-Spam-Status: No, score=0.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439, STOX_REPLY_TYPE_WITHOUT_QUOTES=1.757] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f4NDILQkaZea for <ipsec@ietfa.amsl.com>; Thu, 15 Sep 2016 08:27:39 -0700 (PDT)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61F1C12B661 for <ipsec@ietf.org>; Thu, 15 Sep 2016 07:28:59 -0700 (PDT)
Received: by mail-lf0-x231.google.com with SMTP id g62so37417918lfe.3 for <ipsec@ietf.org>; Thu, 15 Sep 2016 07:28:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:subject:date:mime-version :content-transfer-encoding; bh=Q9Vu5PS6VaiI7065tk6RUCw62U+DEIgKQUK9Y3igcZo=; b=Xg9iRmU3zfgtK+s4LslVAFdLHmtJxwOHsn7l2FDb0UdYr6XrFvKwXjVfEaVeoL3j4h lQ6p7OdOAMKi7yzb2gGLt2fV/FitdXPgI+ZH3Jo8KHt1RBFzoH9WEjoPb/03Ep5MitvO a6k5VEagyrcB2KygkuK92M21P3P2E9xPpf2lsyJFLaHmL0ayQTz/5wBZi6vvvaS/5PDC 7Ji1b7bti4wN7Pvs8yImTeWWvnestbT0omlBCkaYyx5XVj+He4rczcsa1neyBLPH26Qx 4gBJS4NgDVrYq5qFvYPlRrwEsf13U0qUTkZ8yt84lBsEfPaRW0NlIUEVenxIP/Ftl01n aVnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:references:subject:date :mime-version:content-transfer-encoding; bh=Q9Vu5PS6VaiI7065tk6RUCw62U+DEIgKQUK9Y3igcZo=; b=ONgd99is2XerLSQq/57MfsGdjC+KsV90KCjY5rydlSpVspMhAnkNrqwwZa+KvTjJZ2 QLsytFko64qBStdUCbI66W5yfWoOR46yoo35Ul89KnHf6XFCgekPlKC2ZOP5cHbbZQG8 Ca0q6wjyaT79WKbvn1uL2ThS4LUo6TzQ8J2Lw+dsXbnQ+atVRYLFB2dSqUj4iQM/DBvT HkBQNr9W2vK6TDC1e597amn/myoiqcxTSOK3BgF9XHnsF0LDy0VFBsUDvsiKXRrxlqRw HJQ8wKMNK3bTY0a/Gyk1809tl8Sp4cXMBBUNq7cSh7lsEu04ont9bho/Y1Orj4GssbYu XlAQ==
X-Gm-Message-State: AE9vXwOE18pqPDSItVxVhNaETC9ZjkLmVUa0jXEfMMUYpBIc7zYQ3zAPGguozBa+Z4TLDg==
X-Received: by 10.25.37.84 with SMTP id l81mr3818779lfl.41.1473949733751; Thu, 15 Sep 2016 07:28:53 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id g38sm1063406ljg.24.2016.09.15.07.28.52 for <ipsec@ietf.org> (version=TLS1 cipher=DES-CBC3-SHA bits=112/168); Thu, 15 Sep 2016 07:28:53 -0700 (PDT)
Message-ID: <4413733F9BF24D94821C1814E88C3C26@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: IPsecME WG <ipsec@ietf.org>
References: <MWHPR09MB14403946B9D23FF98C744FBEF0E40@MWHPR09MB1440.namprd09.prod.outlook.com>
Date: Thu, 15 Sep 2016 17:28:53 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0XYpWpMrtU_IXmn_RxfWWvsXztM>
Subject: [IPsec] Interoperability problem concerning RFC 7427
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Sep 2016 15:27:44 -0000

Hi,

we recently ran into one interoperability problem that is concerned
with RFC 7427.

We start testing RSASSA-PSS with another vendor product and found, 
that while it supports Digital Signature authentication method, it seems
to not support RSASSA-PSS signatures in IKE. As a result, the SA 
is failed to be created if we use RSASSA-PSS (and we do use it
because we want to be compliant with RFC-to-be draft-ietf-ipsecme-rfc4307bis,
that states that with Digital Signature RSASSA-PSS-SHA256 is MUST).

The problem is that RFC7427 doesn't provide any means to find out
what kind of signatures peer supports. If you have RSA certificate,
you need somehow to guess whether you can use newer PSS signature
format or should stick to old PKCS 1 one. The SIGNATURE_HASH_ALGORITHMS
notification doesn't provide any information of this kind. RFC7427
is silent whether support for RSASSA-PSS is required to be compliant
with it, so I think it is absolutely legal now to have support for Digital Signature
authentication method and have no support for RSASSA-PSS 
(as in the product we have tested with).
The draft draft-ietf-ipsecme-rfc4307bis does requires that if
Digital Signatures are supported, then RSASSA-PSS with SHA2-256
MUST be supported. However, even if it becomes RFC in near future,
it'll take a couple of years before it is adopted by major vendors.

I think that it is a more fundamental problem: RFC7427 allows peers
to announce what hash functions they support, but the peers 
cannot announce what kinds of signatures (or what signature formats)
they support. Few years ago life was simpler: there were a couple
of widely used signature schemes and they use different types of
public keys. So, if you had RSA certificate, you could be sure that
RSA PKCS 1 signature format would be understood by anyone.
Now we have new incompatible RSA signature format - RSASSA-PSS
and mere having RSA certificate is not enough to choose right
signature format. I envision that similar situation can repeat
in the future with Elliptic Curve certificates. Now new kind of signature
is being developed for Edwards curve public keys - EDDSA.
However, as far as I anderstand, any Edwards curve key can
be converted to short Weierstrass's form and used in ECDSA.
So we'll probably have a mess when some implementations
support EDDSA, while some use Edwards keys in ECDSA
(at least for a while), that will result in interoperability problems.

So, my question is - what to do with all this.
1. Do nothing. Coming back to the interoperability problem we have,
    it is possible to find some workarounds:
    - don't use RSASSA-PSS until it becomes ubiquitous (however if everybody
        follows this way it'll never become ubiquitous)
    - it is possible for the initiator to restart exchange if it receives
       AUTHENTICATION_FAILED while using RSASSA_PSS
        and use RSA PKCS 1 in the new run. However, this approach
        will slow down connection setup and waste resources of
        both initiator and responder.
    - it is possible for responder to look at the format of signature 
        the initiator used and act in accordance - if the initiator
        doesn't use RSASSA-PSS then don't use it.
    These are all workarounds and they complicate implementations
    and waste resources for no good reason.
2. Add some indication of signature form/format the peers support.
    I can see two possible solutions.
    - define new entries in Hash Algorithms registry
        that are not hash functions but are rather signature formats.
        For example, add RSASSA_PSS. If it is included
        in SIGNATURE_HASH_ALGORITHMS notification.
        it will mean that this format is supported with any real hash
        algorithms that are included in this notification.
        It is clearly a hack of RFC 7427.
    - define new notification SIGNATURE_FORMATS, which
        will include supported signature forms/formats.
        It seems to be a most "proper" way, however 
        it is the slowest one (new RFC is needed).

What the WG thinks of all this?

Regards,
Valery.

v2.23.0 | Report a Bug | By Email