Hi,

I've published a new version of the draft. It addresses concerns raised during AD review.

Summary of the changes:

- the way IKE_INTERMEDIATE exchanges are authenticated is changed to accommodate suggestions from Tobias Brunner (to make the size of the intermediate authentication values constant regardless of the number of exchanges) and from Ben Kaduk (to add the Message ID of the IKE_AUTH exchange to authentication to prevent truncation attacks)
- text describing the authentication of IKE_INTERMEDIATE exchanges is expanded and a lot of clarifications are added
- Security Considerations section is expanded by adding text concerning a possible DoS attack mounted by a malicious initiator and recommendations on how to deal with it
- other comments from AD review are addressed
- a lot of text improvements (many thanks to Ben for them)

I had an off-the-list mail exchange with Scott Fluhrer about the security of the modified authentication scheme suggested by Tobias, and Scott confirmed that this construction looks cryptographically sound. In particular he said (shared here with his permission):

SRF: yes, it looks sound. The only possible issue (in use case 2 <When IKE_INTERMEDIATE is used for purposes other than PQ KE, so the keys are constant - VS>) would be if the attacker could learn of a second instance of PRF( key, [message] ) that could be reused in this context - I don't think that can happen in this case.

Since the authentication scheme is changed, I'm not sure whether another WGLC is needed...

Regards,
Valery.

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the IP Security Maintenance and Extensions WG of
> the IETF.
>
>         Title           : Intermediate Exchange in the IKEv2 Protocol
>         Author          : Valery Smyslov
>         Filename        : draft-ietf-ipsecme-ikev2-intermediate-08.txt
>         Pages           : 15
>         Date            : 2022-02-02
>
> Abstract:
>    This document defines a new exchange, called Intermediate Exchange,
>    for the Internet Key Exchange protocol Version 2 (IKEv2).  This
>    exchange can be used for transferring large amounts of data in the
>    process of IKEv2 Security Association (SA) establishment.
>    Introducing the Intermediate Exchange allows re-using the existing
>    IKE fragmentation mechanism, that helps to avoid IP fragmentation of
>    large IKE messages, but cannot be used in the initial IKEv2 exchange.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-intermediate/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-ikev2-intermediate-08
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-ikev2-intermediate-08
>
>
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec