Hi Panos and Scott, That was exactly what I was thinking. We have been working remotely.
One could have more than 300 kbytes for a pair of (public key + ciphertext and public key + sig). The latter public key may be replaced by a cert chain. The impact varies from one situation to another I think. Regards, Quynh. ________________________________ From: Scott Fluhrer (sfluhrer) <sfluhrer=40cisco....@dmarc.ietf.org> Sent: Thursday, June 18, 2020 9:51 AM To: Panos Kampanakis (pkampana) <pkamp...@cisco.com>; Dang, Quynh H. (Fed) <quynh.d...@nist.gov>; Valery Smyslov <smyslov.i...@gmail.com>; 'ipsecme mailing list' <ipsec@ietf.org> Subject: RE: [IPsec] Maximum sizes of IKEv2 messages and UDP messages ? Speaking as a previous IPsec implementor, the biggest concern I had over IKE performance was in the ‘flash crowd’ scenario; that is, you’re an IPsec-based security gateway, and then suddenly everyone wanted to negotiate with you. This can happen if it’s 8:00 AM (and everyone just arrived at work), or if you’re a back-up gateway, and then the primary gateway just failed. That scenario requires a rather lot of care to avoid “congestion”, that is, where you’re so busy answering IKE messages that you don’t get enough time to complete any exchange before the IKE exchange times out. What you end up doing is effectively triage; deliberately ignore some exchanges for the moment so that you can complete others. Now, if you have large key shares, what that would add to the scenario is memory management; while processing the requests, you need to buffer the received key shares, and so part of your triage needs to worry about memory consumption in addition to the computational costs. It’s not clear what complexity it would add; I would certainly be concerned if I were still an IPsec implementor… From: IPsec <ipsec-boun...@ietf.org> On Behalf Of Panos Kampanakis (pkampana) Sent: Thursday, June 18, 2020 9:32 AM To: Dang, Quynh H. (Fed) <quynh.dang=40nist....@dmarc.ietf.org>; Valery Smyslov <smyslov.i...@gmail.com>; 'ipsecme mailing list' <ipsec@ietf.org> Subject: Re: [IPsec] Maximum sizes of IKEv2 messages and UDP messages ? Hi Quynh, > An obvious question is that what is the performance impact from this large > KEM using the approaches above when compared with a KEM (if its public key > and ciphertext are around 1,400-1,600 bytes in total) (assuming a pq > signature algorithm has a small signature and a small public key) which would > work well in a normal IKEv2's implementation ? > I guess the impact is small generally because an IPsec tunnel normally stays > up for a long time. Does my guess seem ok here ? > Would there be some noticeable impact on a high-volume connections VPN server > ? > An obvious question is that what is the performance impact from this large > KEM using the approaches above when compared with a KEM (if its public key > and ciphertext are around 1,400-1,600 bytes in total) (assuming a pq > signature algorithm has a small signature and a small public key) which would > work well in a normal IKEv2's implementation ? > I guess the impact is small generally because an IPsec tunnel normally stays > up for a long time. Does my guess seem ok here ? > Would there be some noticeable impact on a high-volume connections VPN server > ? We tested this in the context of TLS in https://eprint.iacr.org/2020/071<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Feprint.iacr.org%2F2020%2F071&data=02%7C01%7Cquynh.dang%40nist.gov%7Ceb7f6d52110c4f293c6808d8138ecbb1%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637280851313023652&sdata=EB%2FUKHDskWiXpwz%2BamJIGcgp1820OOixHgxWx7s5EII%3D&reserved=0>. For a tunnel that stays up for a long time (not just a few seconds like HTTPS) and sends Megabytes of data or more, then the larger key+signatures size are amortized over the tunnel data. What becomes more important then is the keygen, encap, decap, sign/verify time. In other words, servers that terminate a lot of connections at the same time will be impacted by slower operations in the handshake (the server throughput drops), but their tunnels that send a few more kilobytes of handshake data and magnitudes more over the tunnel are not significantly affected especially if we are talking about UDP and not TCP (with congestion control slowing down the handshake). From: IPsec <ipsec-boun...@ietf.org<mailto:ipsec-boun...@ietf.org>> On Behalf Of Dang, Quynh H. (Fed) Sent: Wednesday, June 17, 2020 12:37 PM To: Valery Smyslov <smyslov.i...@gmail.com<mailto:smyslov.i...@gmail.com>>; 'ipsecme mailing list' <ipsec@ietf.org<mailto:ipsec@ietf.org>> Subject: Re: [IPsec] Maximum sizes of IKEv2 messages and UDP messages ? Thank you Valery and thank you everyone who responded to me. The approaches in the drafts https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-multiple-ke-00#section-1.1<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-ipsecme-ikev2-multiple-ke-00%23section-1.1&data=02%7C01%7Cquynh.dang%40nist.gov%7Ceb7f6d52110c4f293c6808d8138ecbb1%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637280851313023652&sdata=58PKy1NE4RndDS%2Fwrja1JLuKBQ4gpqhBnF1YI%2Bo95D0%3D&reserved=0> and https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-intermediate-04<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-ipsecme-ikev2-intermediate-04&data=02%7C01%7Cquynh.dang%40nist.gov%7Ceb7f6d52110c4f293c6808d8138ecbb1%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637280851313033608&sdata=Ve8c0u6vMFtddB%2FFP4I34vt%2FQYvSqHfSFfJxnNN8cCo%3D&reserved=0> look good to me.. It looks like if/when someone implements them and adds a large key and/or ciphertext KEM, the maximum IKEv2 message size must be adjusted if the existing implementation does not already support the corresponding message size with the new KEM ( for an ephemeral key exchange, it contains a public key and a ciphertext) because I don't see any mentioning of the maximum IKEv2 message size (it is an implementation specific issue). Let's say after 10 or 15 years from now, the group trusts the security of some PQ KEM and signature algorithms and would like to use them in normal IKEv2 without the 2 methods above. In that situation, if the KEM has large public key and/or ciphtertext would have the IP fragmentation and packet drop issues. So, this KEM should use the approaches in the drafts above to deal with these issues. An obvious question is that what is the performance impact from this large KEM using the approaches above when compared with a KEM (if its public key and ciphertext are around 1,400-1,600 bytes in total) (assuming a pq signature algorithm has a small signature and a small public key) which would work well in a normal IKEv2's implementation ? I guess the impact is small generally because an IPsec tunnel normally stays up for a long time. Does my guess seem ok here ? Would there be some noticeable impact on a high-volume connections VPN server ? Regards, Quynh. draft-ietf-ipsecme-ikev2-intermediate-04 - Intermediate Exchange in the IKEv2 Protocol<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-ipsecme-ikev2-intermediate-04&data=02%7C01%7Cquynh.dang%40nist.gov%7Ceb7f6d52110c4f293c6808d8138ecbb1%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637280851313033608&sdata=Ve8c0u6vMFtddB%2FFP4I34vt%2FQYvSqHfSFfJxnNN8cCo%3D&reserved=0> This documents defines a new exchange, called Intermediate Exchange, for the Internet Key Exchange protocol Version 2 (IKEv2). This exchange can be used for transferring large amount of data in the process of IKEv2 Security Association (SA) establishment. Introducing Intermediate Exchange allows re-using existing IKE Fragmentation mechanism, that helps to avoid IP fragmentation of large IKE ... tools.ietf.org ________________________________ From: Valery Smyslov <smyslov.i...@gmail.com<mailto:smyslov.i...@gmail.com>> Sent: Wednesday, June 17, 2020 9:57 AM To: Dang, Quynh H. (Fed) <quynh.d...@nist.gov<mailto:quynh.d...@nist.gov>>; 'ipsecme mailing list' <ipsec@ietf.org<mailto:ipsec@ietf.org>> Subject: RE: [IPsec] Maximum sizes of IKEv2 messages and UDP messages ? Hi Quinh, please look at the draft-ietf-ipsecme-ikev2-multiple-ke-00. It specifically addresses your concern about large public keys of PQ KE methods. Actually, it’s generally OK to have public keys/signatures up to 64Kbytes.. If you need to deal with larger keys, then some update of the specs is needed. Regards, Valery.. From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Dang, Quynh H. (Fed) Sent: Wednesday, June 17, 2020 4:49 PM To: ipsecme mailing list Subject: [IPsec] Maximum sizes of IKEv2 messages and UDP messages ? Hi everyone, I am interested in knowing what are typical maximum sizes for IKEv2 messages and UDP messages in implementations. The reason is that the IKEv2's spec has a must and a should being 1280 and 3000 bytes respectively for IKEv2 messages, but does not have a maximum limit. As you know some of the post quantum cryptographic candidates in our standardization process have large or very large public key , signature and/or ciphertext sizes. My guess is that some updates to the spec and/or implementations would make them work. Your data points and discussions are appreciated. Regards, Quynh.
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
