Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
draft-ietf-ipsecme-dh-checks-05

Document history

Date Rev. By Action
2013-07-22
05 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2013-07-12
05 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2013-06-28
05 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2013-06-12
05 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2013-06-12
05 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2013-06-11
05 (System) IANA Action state changed to Waiting on Authors from In Progress
2013-06-06
05 Amy Vezza State changed to RFC Ed Queue from Approved-announcement sent
2013-06-06
05 (System) RFC Editor state changed to EDIT
2013-06-06
05 (System) Announcement was received by RFC Editor
2013-06-05
05 (System) IANA Action state changed to In Progress
2013-06-05
05 Amy Vezza State changed to Approved-announcement sent from Approved-announcement to be sent
2013-06-05
05 Amy Vezza IESG has approved the document
2013-06-05
05 Amy Vezza Closed "Approve" ballot
2013-06-05
05 Amy Vezza Ballot approval text was generated
2013-06-05
05 Amy Vezza Ballot writeup was changed
2013-06-05
05 Amy Vezza State changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2013-06-04
05 Yaron Sheffer IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2013-06-04
05 Yaron Sheffer New version available: draft-ietf-ipsecme-dh-checks-05.txt
2013-05-30
04 Cindy Morgan State changed to IESG Evaluation::AD Followup from IESG Evaluation
2013-05-30
04 Stephen Farrell
[Ballot comment]
- 2.4: code "MAY be modified" - even for me, that's a
2119 bogosity.

- 2.4: I'm curious (and haven't read the
references:-).  Why do MODP implementations that
re-use DH private values not need to be updated
because of 2.2?

- 2.5: "INVALID_SYNTAX" ? Yuk. This is not
syntactical.  Is there no better error message to
pick?

- terminology nit: sometimes you say secret DH key and
sometimes (maybe only 4.2?) you say private DH keys.
My preference is to talk about public and private DH
values, but whatever.

- 4.3 the MUST here seems bogus and somewhat
optimistic
2013-05-30
04 Stephen Farrell [Ballot Position Update] Position for Stephen Farrell has been changed to No Objection from Discuss
2013-05-30
04 Gonzalo Camarillo [Ballot Position Update] New position, No Objection, has been recorded for Gonzalo Camarillo
2013-05-30
04 Ted Lemon
[Ballot comment]
+1 to Stephen Farrell's DISCUSS

Barry commented on the text I quote below, saying that it didn't seem like protocol behavior.  It makes sense to me as protocol behavior, but I see why it might have raised a question:

  The recipient of a DH public key that fails one of the above tests
  can assume that the sender is either truly malicious or else it has a
  bug in its implementation.

It would probably be more clearly a protocol behavior if it said "must assume" rather than "can assume."  I assume that it doesn't say must because must could be taken as normative, but I think that's okay.  You could also say "assumes."

You should take out the second comma in this sentence, because the extra comma softens the connection between "is secure" and "in the sense," which is the opposite of what I think you are trying to convey:

  On the other hand, the error notification is secure, in the sense
  that no secret information is leaked.

I'm really happy to see this work being done—thanks for doing it!
2013-05-30
04 Ted Lemon [Ballot Position Update] New position, Yes, has been recorded for Ted Lemon
2013-05-30
04 Stephen Farrell
[Ballot discuss]

I'd be happy to ballot yes, but have a question about
the IPR declaration, which is RAND with possible
royalty/fee.  The write-up says " There was no WG
discussion about any IPR disclosures regarding this
document." That's a bit surprising and potentially the
IPR might not e.g. apply to the MODP groups, so
shouldn't the WG have considered whether or not they
want to split that out or not? The IPR declaration
is also later than the write-up so its possible that
the WG have considered this since the above quote
was written.
2013-05-30
04 Stephen Farrell
[Ballot comment]

- 2.4: code "MAY be modified" - even for me, that's a
2119 bogosity.

- 2.4: I'm curious (and haven't read the
references:-).  Why do MODP implementations that
re-use DH private values not need to be updated
because of 2.2?

- 2.5: "INVALID_SYNTAX" ? Yuk. This is not
syntactical.  Is there no better error message to
pick?

- terminology nit: sometimes you say secret DH key and
sometimes (maybe only 4.2?) you say private DH keys.
My preference is to talk about public and private DH
values, but whatever.

- 4.3 the MUST here seems bogus and somewhat
optimistic
2013-05-30
04 Stephen Farrell [Ballot Position Update] New position, Discuss, has been recorded for Stephen Farrell
2013-05-29
04 Pete Resnick [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick
2013-05-29
04 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2013-05-29
04 Richard Barnes [Ballot Position Update] New position, No Objection, has been recorded for Richard Barnes
2013-05-29
04 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant
2013-05-28
04 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2013-05-27
04 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2013-05-27
04 Martin Stiemerling [Ballot comment]
all cleared. Thanks!
2013-05-27
04 Martin Stiemerling [Ballot Position Update] Position for Martin Stiemerling has been changed to No Objection from Discuss
2013-05-27
04 Sean Turner
This draft does include text from RFC 2412.  To avoid the pre-5378 boilerplate the author of RFC 2412 was consulted and she was willing to publish under RFC 5378 rules.
2013-05-27
04 Martin Stiemerling
[Ballot discuss]
I have no general objection to the publication of this draft, but one issue that can be easily solved.

The draft says "This additional material is taken from [RFC2412]".

RFC 2412 pre-dates 10 November 2008 (pub date of RFC 5378) and therefore if text material out of RFC 2412 is reused, the draft has to use the pre-RFC 5378 boiler plate.

Does this draft re-use text out of RFC 2412?
2013-05-27
04 Martin Stiemerling [Ballot Position Update] New position, Discuss, has been recorded for Martin Stiemerling
2013-05-26
04 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel
2013-05-24
04 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2013-05-23
04 Barry Leiba
[Ballot comment]
-- Section 2.5 --

  The recipient of a DH public key that fails one of the above tests
  can assume that the sender is either truly malicious or else it has a
  bug in its implementation.

How is this "protocol behavior"?  How is the statement even helpful?

-- Section 7.2 --

In the reference for IANA-DH-Registry, IANA's preferred URL to publish omits the "xml" part.  Please use this:

http://www.iana.org/assignments/ikev2-parameters/#ikev2-parameters-8
2013-05-23
04 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2013-05-23
04 (System) IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed
2013-05-23
04 (System) IANA Review state changed to IANA - Review Needed from IANA OK - Actions Needed
2013-05-23
04 Brian Haberman [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman
2013-05-22
04 Sean Turner Ballot has been issued
2013-05-22
04 Sean Turner [Ballot Position Update] New position, Yes, has been recorded for Sean Turner
2013-05-22
04 Sean Turner Created "Approve" ballot
2013-05-22
04 Sean Turner Ballot writeup was changed
2013-05-22
04 Sean Turner Placed on agenda for telechat - 2013-05-30
2013-05-22
04 Sean Turner State changed to IESG Evaluation from Waiting for AD Go-Ahead
2013-05-20
04 (System) State changed to Waiting for AD Go-Ahead from In Last Call
2013-05-16
04 Tero Kivinen Request for Last Call review by SECDIR Completed: Ready. Reviewer: Leif Johansson.
2013-05-15
04 Amanda Baber
IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-ipsecme-dh-checks-04.txt.  Authors should review the comments and/or questions below.  Please report any inaccuracies and respond to any questions as soon as possible.

Upon approval of this document, IANA understands that there is a single IANA action that needs to be completed.

In the IKEv2 Transform Type 4 - Diffie Hellman Group Transform IDs subregistry of the Internet Key Exchange Version 2 registry located at:

http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml

a new column will be added to the subregistry called "Recipient Tests."

IANA understands that all future registrations in this subregistry will require this field to be populated.

For existing registrations in this subregistry, the column will be populated as follows:

Number | Recipient Tests
-------+-----------------------------------
     1 | [ RFC-to-be ], Section 2.1
     2 | [ RFC-to-be ], Section 2.1
     5 | [ RFC-to-be ], Section 2.1
    14 | [ RFC-to-be ], Section 2.1
    15 | [ RFC-to-be ], Section 2.1
    16 | [ RFC-to-be ], Section 2.1
    17 | [ RFC-to-be ], Section 2.1
    18 | [ RFC-to-be ], Section 2.1
    19 | [ RFC-to-be ], Section 2.3
    20 | [ RFC-to-be ], Section 2.3
    21 | [ RFC-to-be ], Section 2.3
    22 | [ RFC-to-be ], Section 2.2
    23 | [ RFC-to-be ], Section 2.2
    24 | [ RFC-to-be ], Section 2.2
    25 | [ RFC-to-be ], Section 2.3
    26 | [ RFC-to-be ], Section 2.3

IANA NOTE: We understand that the registry expert is aware of this modification.

IANA understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.
2013-05-15
04 (System) IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed
2013-05-13
04 Dan Romascanu Request for Last Call review by GENART Completed: Ready. Reviewer: Dan Romascanu.
2013-05-09
04 Jean Mahoney Request for Last Call review by GENART is assigned to Dan Romascanu
2013-05-09
04 Jean Mahoney Request for Last Call review by GENART is assigned to Dan Romascanu
2013-05-09
(System) Posted related IPR disclosure: Certicom Corporation's Statement about IPR related to draft-ietf-ipsecme-dh-checks-04
2013-05-07
04 Tero Kivinen Request for Last Call review by SECDIR is assigned to Leif Johansson
2013-05-07
04 Tero Kivinen Request for Last Call review by SECDIR is assigned to Leif Johansson
2013-05-06
04 Amy Vezza IANA Review state changed to IANA - Review Needed
2013-05-06
04 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Additional Diffie-Hellman Tests for IKEv2) to Proposed Standard
The IESG has received a request from the IP Security Maintenance and
Extensions WG (ipsecme) to consider the following document:
- 'Additional Diffie-Hellman Tests for IKEv2'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2013-05-20. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract
  This document adds a small number of mandatory tests required for the
  secure operation of IKEv2 with elliptic curve groups.  No change is
  required to IKE implementations that use modular exponential groups,
  other than a few rarely used so-called DSA groups.  This document
  updates the IKEv2 protocol, RFC 5996.
The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-ipsecme-dh-checks/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-ipsecme-dh-checks/ballot/
No IPR declarations have been submitted directly on this I-D.
2013-05-06
04 Amy Vezza State changed to In Last Call from Last Call Requested
2013-05-06
04 Amy Vezza Last call announcement was generated
2013-05-06
04 Sean Turner Last call was requested
2013-05-06
04 Sean Turner Ballot approval text was generated
2013-05-06
04 Sean Turner Ballot writeup was generated
2013-05-06
04 Sean Turner State changed to Last Call Requested from AD Evaluation::AD Followup
2013-05-05
04 Sean Turner Last call announcement was generated
2013-05-04
04 (System) Sub state has been changed to AD Followup from Revised ID Needed
2013-05-04
04 Yaron Sheffer New version available: draft-ietf-ipsecme-dh-checks-04.txt
2013-04-30
03 Sean Turner Here's a link to my AD review:
https://www.ietf.org/mail-archive/web/ipsec/current/msg08370.html
2013-04-30
03 Sean Turner State changed to AD Evaluation::Revised I-D Needed from AD Evaluation
2013-04-24
03 Sean Turner State changed to AD Evaluation from Publication Requested
2013-04-24
03 Sean Turner Document shepherd changed to Paul Hoffman
2013-04-24
03 Sean Turner Changed document writeup
2013-04-22
03 Cindy Morgan
1. Summary

This is a document writeup for draft-ietf-ipsecme-dh-checks-03, prepared by Paul Hoffman for Sean Turner.

The document corrects a problem found well after RFC 5996 was published. Implementations that support elliptic curves and DSA, and also reuse private keys, are vulnerable to some attacks that can be prevented by some simple checking. This document specifies the circumstances where the attack might happen and how to prevent them.

This document is appropriate for Standards Track because, if the attack had been known and understood when RFC 5996 was written, it would certainly have been part of that document.

2. Review and Consensus

The document was reviewed by enough active developers and cryptographically-inclined participants to be sufficient for Standards Track. There is definite consensus to publish.

3. Intellectual Property

Both authors have stated that their direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79. There was no WG discussion about any IPR disclosures regarding this document.
2013-04-22
03 Cindy Morgan Note added 'Paul Hoffman (paul.hoffman@vpnc.org) is the document shepherd.'
2013-04-22
03 Cindy Morgan Intended Status changed to Proposed Standard
2013-04-22
03 Cindy Morgan IESG process started in state Publication Requested
2013-04-22
03 (System) Earlier history may be found in the Comment Log for draft-sheffer-ipsecme-dh-checks
2013-04-22
03 Yaron Sheffer New version available: draft-ietf-ipsecme-dh-checks-03.txt
2013-04-20
02 Yaron Sheffer New version available: draft-ietf-ipsecme-dh-checks-02.txt
2013-04-01
01 Yaron Sheffer New version available: draft-ietf-ipsecme-dh-checks-01.txt
2013-01-29
00 Yaron Sheffer New version available: draft-ietf-ipsecme-dh-checks-00.txt