[Cryptography] IKE/ISAKMP/IPsec complexity by design

Paul Wouters paul at cypherpunks.ca
Tue Sep 18 14:06:32 EDT 2018


On Mon, 10 Sep 2018, William Allen Simpson wrote:

> On 9/9/18 12:17 PM, Randy Bush wrote:
>>  ipsec implementations are sooooo compatible that someone wrote a
>>  compiler to deal with the complex and disastrous mess.
>>
>>  https://mice.cs.columbia.edu/getTechreport.php?techreportID=1433

That's pretty silly. The same could be done for any DNS server, DHCP
server, BGP server, WWW server, TLS server... etc. In fact, the TLS
options in apache are way more convoluted than IKE options :P

> Some of us remember that somebody from Boston with a 4-character
> surname was known to be communicating with "Other Agency" to
> prevent publication of IETF security protocols.

Do you have written text or anything that would confirm that? I am pretty
sure NSA/USG wanted and needed IPsec as well. While I know the author
in question has links to NSA (like most of the TLS hotshots have too!),
I am not convinced the "complexity" was intended to weaken, rather
intended to let NSA/USG have their required (defensive) use cases. Also,
keep in mind the difference between WireGuard and ESP with AES_GCM isn't
that great, because both protocols need to do basically the same thing.

Note that unlike TLS, the ESP and IKE protocols have had no protocol
breakage. So while everyone is free to complain about the complexity of
code involved, you can't argue that the designed-by-committee IKE/IPsec
protocols are insecure. They haven't been broken in 25 years.

> And providing the
> FBI with information to investigate those of us promoting IETF
> security protocols.

I'd love to see references for this. I mean, the Crypto War I was ugly,
and the attempt to force US citizens to not export strong crypto was
foolish and futile; I can see how events of those days were more
related to those political battles rather than some specific IKE/IPsec
attack.

> Some of us remember that the person (from Boston with a 4-character
> surname) who took over the IPsec editor role didn't actually write
> his own drafts, and refused to disclose who was writing them.

And the best we can ever do is use technical arguments to defend or
reject proposed changes to security items in our drafts and RFCs. For
example, I did ask for the reasoning behind DH22, DH23, DH24, and when
former IPsec WG chairs and the author you mention as having a 4 letter
name on RFC 5114 defining these groups could not come up with sound
technical arguments for these groups or present any origin of the magic
numbers involved, we killed these groups in software and in protocol
with RFC 8247. So yes, I welcome the participation of the Five Eyes,
Russia and China in designing international crypto protocols at the same
time as I trust neither of them.

> Has anybody already written an academic (or otherwise) critique of
> the complexity of IKE/ISAKMP/IPsec, resulting in difficulty to
> implement and deploy?

Your critique would be weak. A simpler yet still overly complicated
protocol like TLS has now been broken like 3 times or more. Not to
mention it has only seen serious PFS deployment for just a few meagre
years, whereas IKE/IPsec has done PFS for decades. IKE/IPsec might be
an old work horse, but it is _still_ getting the job done securely.
It has seen 20+ years of people trying to attack it, and the only
attacks to date have been to compromise the endpoint or for proprietary
vendors to screw up (and/or intentionally backdoor) their default random
number generation.

Paul
