[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Final editing instructions for ikev2 document

Hi Charlie,

My apologies for the delaying in getting this document to you.  I had a
loss of state problem myself --- a literal hard drive accident that
caused me to lose all recent mail and other files on my hard drive since
my last backup.  (Which unfortunately was far too long ago....)

Anyway, I believe these are the final changes that need to be made to
the IKEv2 document based on discussions on the IPSEC mailing list after
wg last call.  After these changees are made and a new I-D submitted to
the secretariat, we should be ready to hand this off to the AD's for
progressing to IETF last call.  (And the angels started singing

						- Ted

1)  EAP non-kg security considerations

In section 2.16, in the second to last paragraph, which currently

    For EAP methods that create a shared key as a side effect of
    authentication, that shared key MUST be used by both the Initiator
    and Responder to generate an AUTH payload using the syntax for shared
    secrets specified in section 2.15. The shared key generated during an
    IKE exchange MUST NOT be used for any other purpose. For EAP methods
    that do not establish a shared key, there will be no AUTH payloads in
    the final messages.

Delete the last sentence, ("For EAP methods that do not establish...")
and add the following paragraph:

EAP methods that do not establish a shared key SHOULD NOT be used, as
they are subject a number of man-in-the-middle attacks if these EAP
methods are used in other protocols that do not use a
server-authenticated tunnel.  Please see the Security Considerations
section for more details.  If EAP methods that do not generate a
shared key are used, there will be no AUTH payloads in the final

In the security considerations section, replace the last paragraph
with the following text:

When using an EAP authentication method that does not generate a shared
key for protecting a subsequent AUTH payload, certain man-in-the-middle
and server impersonation attacks are possible.[EAPMITM]  These
vulnerabilities occur when EAP is also used in protocols which are not
protected within a secure tunnel.  Since EAP is a general-purpose
authentication protocol, which is often used to provide single-signon
facilities, a deployed IPSEC solution which relies on an EAP
authentication method that does not generate a shared key (also known as
a non-key-generating EAP method) can become compromised due to the
deployment of an entirely unrelated application that also happens to use
that same non-key-generating EAP method, but in an unprotected fashion.
Note that this vulnerability is not limited to just EAP, but can occur
in other scenarios where an authenticatoin infrastructure is reused.
For example, if the EAP mechanism used by IKEv2 utilizes a token
authenticator, and the enterprise deploys a non-encrypted web form which
accepts the input from the token authenticator, a man-in-the-middle
attacker could impersonate the web server, intercept the token
authentication exchange, and use it to initiate an IKEv2 connection.
For this reason, use of non-key-generating EAP methods SHOULD be avoided
where possible.  Where they are used, it is extremely important that all
usages of these EAP methods SHOULD utilize a protected tunnel, where the
initiator validates the responder's certificate before initiating the
EAP exchange.  Implementors SHOULD describe the vulnerabilities of using
non-key-generating EAP methods in the documentation of their
implementations so that the administrators deploying IPSEC solutions are
aware of these dangers.

Add the following reference:

[EAPMITM]   N. Asokan, Valtteri Nierni, and Kaisa Nyberg,
         "Man-in-the-Middle in Tunneled Authentication Protocols",
         http://eprint.iacr.org/2002/163, November 11, 2002.


2.  Rekeying clarifications

 From David Black's note of August 20, 2003:

Subject: RE: The remaining IKEv2 issues - #64
To: Charlie_Kaufman@xxxxxxxxxxxxxxxx


As part of this (unless I missed it), please add sentences
to make the following points:

- IKEv2 deliberately allows parallel SAs with the same traffic
         selectors between common endpoints.  One of the purposes of
         this is to support traffic QoS differences among the SAs;
         see Section 4.1 of RFC 2983 (informative reference).
- Hence unlike IKEv1, given two endpoints, traffic selectors need
         not uniquely identify an SA between those endpoints.
- Therefore the IKEv1 rekeying heuristic (use of same traffic
         selectors as an existing SA indicates rekeying, so existing
         SA should be deleted shortly after new one is up) SHOULD NOT
         be used, as it will result in unintended SA deletion.

This may help avoid some surprises arising from implementation code

Also, [RFC2401bis] needs to be added to the list of normative references.


3.  ECN clarifications:

Replace the text of section 2.24 with the following, per suggested
the rewording from David Black:

When IPsec tunnels behave as originally specified in [RFC 2401], ECN usage
is not appropriate for the outer IP headers because tunnel decapsulation
processing discards ECN congestion indications to the detriment of the
network.  ECN support for IPsec tunnels for IKEv1-based IPsec requires
multiple  operating modes and negotiation (see [RFC 3168]).  IKEv2
simplifies this situation requiring that ECN be usable in the outer IP
headers of all tunnel-mode IPsec SAs created by IKEv2.  Specifically,
tunnel encapsulators and decapsulators for all tunnel-mode Security
Associations (SAs) created by IKEv2 MUST support the ECN full-functionality
option for tunnels specified in [RFC3168] and MUST implement the tunnel
encapsulation and decapsulation processing specified in [RFC2401bis] to
prevent discarding of ECN congestion indications.

NB: [RFC 2401] reference is informative, [RFC 3168] and [2401bis] are


4.  Nat traversal clarification.

In section 2.23, Nat Traversal reads:

       There are cases where a NAT box decides to remove mappings that
       are still alive (for example, the keepalive interval is too long,
       or the NAT box is rebooted). To recover in these cases, hosts that
       are not behind a NAT SHOULD send all packets (including retried
       packets) to the IP address and port from the last valid
       authenticated packet from the other end. A host not behind a NAT
                                                       ^^^ typo, delete
       SHOULD NOT do this because it opens a DoS attack possibility. Any
       authenticated IKE packet or any authenticated IKE encapsulated ESP
                                                     ^^^ typo, 
						replace with UDP
       packet can be used to detect that the IP address or the port has


5.  Friends don't let friends use ASN.1

In section 3.6, certificate payload, the description of the ASN.1 for
a certificate bundle is ambiguous.

       Hash and URL of PKIX bundle (13) contains a 20 octet SHA-1 hash of
       a PKIX certificate bundle followed by a variable length URL the
       resolves to the BER encoded certificate bundle itself. The bundle
       is a BER encoded SEQUENCE of certificates and CRLs.

Use the following ASN.1 definition suggested by Nicholas Williams


    IMPORTS Certificate, CertificateList FROM PKIX1Explicit93

    CertificateOrCRL ::= CHOICE {
        cert [0] Certificate,
        crl  [1] CertificateList

    CertificateBundle ::= SEQUENCE OF CertificateOrCRL