IETF Logo Mail Archive

RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms

Sean Shuo Shen <sshen@huawei.com> Wed, 02 January 2008 04:42 UTC

Return-path: <cfrg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1J9vR3-0007d2-Af; Tue, 01 Jan 2008 23:42:33 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J9vR1-0007cs-8b for cfrg@ietf.org; Tue, 01 Jan 2008 23:42:31 -0500
Received: from szxga02-in.huawei.com ([61.144.161.54]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J9vQz-0003eJ-2Y for cfrg@ietf.org; Tue, 01 Jan 2008 23:42:31 -0500
Received: from huawei.com (szxga02-in [172.24.2.6]) by szxga02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0JU0002LZ2DO08@szxga02-in.huawei.com> for cfrg@ietf.org; Wed, 02 Jan 2008 12:41:48 +0800 (CST)
Received: from huawei.com ([172.24.1.18]) by szxga02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0JU00030G2DNMD@szxga02-in.huawei.com> for cfrg@ietf.org; Wed, 02 Jan 2008 12:41:48 +0800 (CST)
Received: from s102542 ([10.111.12.53]) by szxml03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0JU0004IC2DJ7O@szxml03-in.huawei.com> for cfrg@ietf.org; Wed, 02 Jan 2008 12:41:47 +0800 (CST)
Date: Wed, 02 Jan 2008 12:41:44 +0800
From: Sean Shuo Shen <sshen@huawei.com>
Subject: RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms
In-reply-to: <4775344B.7020105@isi.edu>
To: 'Joe Touch' <touch@isi.edu>
Message-id: <001901c84cf9$c6e6eed0$350c6f0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Thread-index: AchJeQ22h+aYLANbT/2nojmb9/a3MADas4Ag
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b4a0a5f5992e2a4954405484e7717d8c
Cc: saag@mit.edu, cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org

Hi, Joe

>> 
>> 1. interface:
>> I agree that MAC interface without a nonce may make implementation
easier.
>> But nonce may not expand the size of MAC because it can be generated by
both
>> sides of a TCP connection. For example, the nonce in UMAC can simply be a
>> counter from 0 to a certain upper bound. Even if nonce requires
randomness,
>> a PRFed value of a counter or sequence number (I remember Joe Touch
>> mentioned in Vancouver that key generation of TCP AO should not use any
>> bytes of TCP packets, but I think nonce should be ok.) can provide
>> randomness. Noticing the good performance of MACs like UMAC, maybe we
should
>> keep the door open to MACs with nonce.

>The TCP fields must not be used as a nonce for the MAC; although they do
>change, the ways they change are not ensured to be predictable (e.g.,
>TCP can validly send overlapping segments). As such, a per-packet nonce
>would need to be sent in the TCP option field, and there is insufficient
>space to do that on a per-packet basis (which is why there is no such
>field in TCP-AO).

I think I may need to clarify what I said: if a random nonce is needed for
TCP MAC, a PRFed value of sequence number provides randomness, for example:
nonce=F_K2(seq num), K2 is the key for the pseudo random function F. K2 is
different from the hash function key K1. (Actually, in UMAC, the nonce
itself does not require randomness at all, the nonce processing part of UMAC
already create randomness). The distribution/rekeying of K2 will be done
together with K1. 
I don't get why you hope sequence number be predictable here. Both sides
will know the sequence number from the TCP header and calculate the
nonce=F_K2(seq num), they are not predicting either the sequence number or
the nonce.

>> 2. incremental MAC
>> I understand the use of incrementality for virus protection but can not
see
>> the benefit of incrementality for TCP AO, at least in the BGP situation.
In
>> tcpm-tcp-auth-op, the MAC is computed over "TCP pseudo header + TCP
header +
>> TCP data", the first two parts (totally about 32 bytes or more for ipv4,
60
>> bytes or more for ipv6) are fixed for a connection, 

>The TCP sequence number varies during a connection, but it can wrap
>around. It's entirely possible to have two segments that have the same
>sequence number at different times in a connection, however. This is why
>we probably need to explicitly require that the connection key change
>whenever the sequence number rolls over (through the ISN).

Does this have anything to do with incrementality of MAC?  
The connection key (hash function key) should change whenever the sequence
number rolls over, so does the key for pseudorandom function, actually,
that's exactly what UMAC requires. The distribution/rekeying of PRF key
should be done together with the hash function key and it won't require much
work from future TCP-AO key management scheme (by the way, anything
available yet? ). 


Sean



_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email