[Cryptography] IPsec DH parameters, other flaws

Dan McDonald danmcd at kebe.com
Tue Jul 7 01:11:57 EDT 2020


Your story is missing a bit of credit-where-due, Bill.

> On Jul 6, 2020, at 9:13 AM, William Allen Simpson <william.allen.simpson at gmail.com> wrote:
> 

<SNIP!>

> Instead, all the IPsec design took place in the PIPE/SIP/SIPP WG.  None of the
> other IPng efforts required security.  (Needed it, but wouldn't require it.)

You're missing a part of, GASP, the US Government who actually had a practical mindset, and a mandate from TWO different sponsors (neither of whom were up the road on 295):  NRL.  There's a reason the 182x RFCs were Ran-only.  :)

I should point out here that while we were trying to get our work out, there were some license-purists who thought that, GASP, BSD licensing wasn't free enough.  This caused stinks that might've attracted the WRONG sort of scrutiny, and we were scared shitless about the up-the-road folks putting the hammer down.

<SNIP!>

> Perry Metzger called me, and over 1994 Christmas week, we ported IPsec from
> IPv6 to IPv4.  We called these the "Troublemakers" drafts.

Oooh I do remember that.  I remember some crypto-centered cynics thought it couldn't be built, and then we had our wonder-intern port our IPv6 stuff to IPv4 quickly during the summer of 1995.  :)

> Institutionally.  IETF is an international organization, and members made
> some noise about requiring security.  But profits came before security.

That plus good old-fashioned hubris/NIH.  Moving forward to 1996, I had to fight a whole division of Sun (the ones who invented SKIP) while I was sitting mostly alone in Solaris Internet Engineering.

> Plus the US apparently bribed major corporations, and infiltrated moles into
> our institutions.

You've already name-dropped the biggest offender there.  I'd be very curious to know who else has been since detected.  BTW, that FUD was used against me during my first year at Sun (You can't trust Dan, he's a govt. plant!).  I have my own theories, of course.

And finally:  A lot of us knew Key Management in IPsec was completely fubar, and was a part to be experimented with.  APIs helped here, and honestly I'm surprised more people didn't take advantage of it.  See RFC 2367 (and its improved and better-documented version in https://illumos.org/man/7p/pf_key).

Now... on to the other note:

.  .  .

On Jul 6, 2020, at 9:58 PM, Paul Wouters <paul at cypherpunks.ca> wrote:
> 

<SNIP!>

> That was way before my time ..... But I got the impression that at least
> half of this was self-inflicted by the other IETF participants. And the
> infosec community is still doing this to itself all the time.

Oh hell yes.  See my prior mention of SKIP.

> Yet still, all the TLS protocol attacks like logjam, beast, lucky13,
> poodle, crime, none of them worked against IKE/IPsec. From a protocol
> level, IKE and ESP have never been broken. The only thing that was "too
> weak and shouldn't be used" was PSK with Aggressive Mode. And even there,
> when using real PSKs you are safe. It is just that humans never muster
> up the responsibility to do that. We are waiting on CFRG now to decide
> on the PAKEs and hope to be able to phase out most PSK for PAKE. The
> only other NSA attacks I know against IKE/IPsec were all based on
> vulnerable firmware compromise, and then stealing credentials and
> session keys.

FTR we never put Aggressive Mode into Solaris.  We OEMed the core of its IKEv1 (a well-written one too) because of the SKIP nonsense costing us over a year.  IKEv2 was started while OpenSolaris was still around, but finished during the Oracle <spit!> occupation.

> IKEv2 has its horrors too, don't get me wrong. Whoever in the IPsec
> WG thought that EAP-TLS over IKE using 8 RTT was a good idea was crazy.

Goddamned router vendors who wanted to put everything into more monolithic code-bases.  You should be splitting EAP into its own IPsec-protected exchange.  We had the crudest versions of this working as a Test Tool that was also a Productivity Tool until Oracle <spit!> shut that tool down.

> As I said, I have never seen an actual protocol attack against IKE or
> ESP. I'd love to see one.

The only ones I ever saw were godawful corner cases using no integrity/authentication or authenticate-then-encrypt, which were either impossible or just really stupid to configure.  Kenny Paterson had a few in the 2007-ish timeframe.

My $0.02, because I refuse to be erased,
Dan
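The thread above names the only IKE/ESP configurations either poster considers to have been practically attackable: IKEv1 Aggressive Mode with a PSK, ESP with no integrity protection, and authenticate-then-encrypt layering. The following is an added example, written by the editor and not by either poster, of a small proposal audit that flags exactly those combinations so they can be caught before deployment. The `Proposal` record, its field names, the `AEAD_CIPHERS` set and the sample proposals are constructed assumptions for illustration; they are not any real IKE daemon's configuration syntax.

```python
"""Audit IKE/ESP proposals for the weak combinations discussed in the thread.

Constructed example: the Proposal schema and the sample data are invented for
illustration and do not mirror any particular IKE daemon's config format.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Ciphers that authenticate as part of encryption; ESP using one of these
# does not need a separate integrity algorithm.  (Constructed list.)
AEAD_CIPHERS = {"aes-gcm", "aes-ccm", "chacha20-poly1305"}


@dataclass
class Proposal:
    """One IKE/ESP configuration to audit (constructed schema)."""
    name: str
    ike_version: int                 # 1 or 2
    ike_mode: str                    # "main" / "aggressive" for IKEv1, "n/a" for IKEv2
    auth_method: str                 # "psk", "rsa-sig", "ecdsa-sig", "eap-tls", ...
    esp_cipher: str                  # e.g. "aes-cbc", "aes-gcm", "null"
    esp_integ: str                   # e.g. "hmac-sha256", "none"
    # Protocols listed inner to outer in the order applied to a packet:
    # ["ah", "esp"] means AH authenticates first and ESP then encrypts.
    layering: List[str] = field(default_factory=lambda: ["esp"])


def audit(p: Proposal) -> List[str]:
    """Return one finding per weak combination present in the proposal."""
    findings: List[str] = []

    # 1. IKEv1 Aggressive Mode with PSK: only the strength of the PSK protects
    #    the exchange, so a weak human-chosen PSK is the real exposure.
    if p.ike_version == 1 and p.ike_mode == "aggressive" and p.auth_method == "psk":
        findings.append("IKEv1 Aggressive Mode with PSK: acceptable only with a strong random PSK")

    # 2. Encryption-only ESP: a non-AEAD cipher with no integrity algorithm
    #    leaves the receiver unable to reject modified ciphertext.
    if p.esp_cipher not in AEAD_CIPHERS and p.esp_integ == "none":
        findings.append("ESP with no integrity protection: use AEAD or add an integrity algorithm")

    # 3. Authenticate-then-encrypt layering: AH applied inside ESP means the
    #    integrity check can only run after decryption.  Prefer ESP's own
    #    encrypt-then-MAC integrity or an AEAD cipher instead.
    if "ah" in p.layering and "esp" in p.layering and \
            p.layering.index("ah") < p.layering.index("esp"):
        findings.append("AH inside ESP (authenticate-then-encrypt): integrity verified only after decryption")

    return findings


def audit_all(proposals: List[Proposal]) -> Dict[str, List[str]]:
    """Audit every proposal and map its name to its findings."""
    return {p.name: audit(p) for p in proposals}


# Constructed sample proposals: two sound ones and three weak ones.
SAMPLE_PROPOSALS = [
    Proposal("ikev2-aead", 2, "n/a", "ecdsa-sig", "aes-gcm", "none"),
    Proposal("ikev2-etm", 2, "n/a", "rsa-sig", "aes-cbc", "hmac-sha256"),
    Proposal("ikev1-aggressive-psk", 1, "aggressive", "psk", "aes-cbc", "hmac-sha1"),
    Proposal("esp-encryption-only", 2, "n/a", "rsa-sig", "aes-cbc", "none"),
    Proposal("ah-then-esp-enc-only", 2, "n/a", "rsa-sig", "aes-cbc", "none", ["ah", "esp"]),
]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PROPOSALS).items():
        print(f"{'WEAK' if findings else 'OK':4} {name}")
        for f in findings:
            print("      -", f)
```

Run as a script it prints one line per proposal with its findings; the two IKEv2 proposals come back clean, while the last sample triggers both the encryption-only and the authenticate-then-encrypt checks. Extending the rule list is a matter of adding another `if` in `audit`, which is the point of keeping the proposal as plain data rather than parsing a daemon's config directly.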
