Re: [HOKEY] [FW: New Version Notification for draft-ietf-hokey-key-mgm-02]
Charles Clancy <clancy@cs.umd.edu> Sun, 24 February 2008 01:14 UTC
Return-Path: <hokey-bounces@ietf.org>
X-Original-To: ietfarch-hokey-archive@core3.amsl.com
Delivered-To: ietfarch-hokey-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6D743A6BAB; Sat, 23 Feb 2008 17:14:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.153
X-Spam-Level:
X-Spam-Status: No, score=0.153 tagged_above=-999 required=5 tests=[AWL=-0.010, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, J_CHICKENPOX_21=0.6, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xhD2Xw-ss6r2; Sat, 23 Feb 2008 17:14:58 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 938D63A68E4; Sat, 23 Feb 2008 17:14:58 -0800 (PST)
X-Original-To: hokey@core3.amsl.com
Delivered-To: hokey@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EC0CB3A68DB for <hokey@core3.amsl.com>; Sat, 23 Feb 2008 17:14:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OAt8OtEHLcv3 for <hokey@core3.amsl.com>; Sat, 23 Feb 2008 17:14:55 -0800 (PST)
Received: from bacon.cs.umd.edu (server-nat-2.cs.umd.edu [128.8.127.145]) by core3.amsl.com (Postfix) with ESMTP id 466023A68E4 for <hokey@ietf.org>; Sat, 23 Feb 2008 17:14:55 -0800 (PST)
Received: from [192.168.0.155] (pool-71-179-91-146.bltmmd.fios.verizon.net [71.179.91.146]) (authenticated bits=0) by bacon.cs.umd.edu (8.13.1/8.12.5) with ESMTP id m1O1ET0j026147 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 23 Feb 2008 20:14:34 -0500
Message-ID: <47C0C4F0.4080807@cs.umd.edu>
Date: Sat, 23 Feb 2008 20:14:24 -0500
From: Charles Clancy <clancy@cs.umd.edu>
User-Agent: Thunderbird 2.0.0.6 (X11/20071022)
MIME-Version: 1.0
To: Yoshihiro Ohba <yohba@tari.toshiba.com>
References: <20080131140327.GB2664@steelhead.localdomain> <47BA53F3.7010305@cs.umd.edu> <20080219150932.GO32166@steelhead.localdomain>
In-Reply-To: <20080219150932.GO32166@steelhead.localdomain>
X-CSD-MailScanner-Information: Please email staff@cs.umd.edu for more information
X-CSD-MailScanner: Found to be clean
X-CSD-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-4.399, required 5, autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60)
X-CSD-MailScanner-From: clancy@cs.umd.edu
Cc: hokey@ietf.org
Subject: Re: [HOKEY] [FW: New Version Notification for draft-ietf-hokey-key-mgm-02]
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: hokey-bounces@ietf.org
Errors-To: hokey-bounces@ietf.org
Yoshi, I think there are multiple approaches for supporting both hop-by-hop and end-to-end security. I'd rather them be expressed as requirements on the transport protocol, rather than implemented directly within this document. For example, RADIUS keywrap allows you to securely encrypt information to transport over a AAA infrastructure. The keys used can either be end-to-end keys, or hop-by-hop keys. If end-to-end keys are used, then you get end-to-end security. If hop-by-hop keys are used, you don't. But, it's then up to the deployment to decide what type of keying they can support. It's up to us to document the ramifications of that decision in the security considerations section. My email that you cite below reflects the ability to easily provision end-to-end keys for use with keywrap, among other protocols. It would make it easier to support end-to-end security. -- t. charles clancy, ph.d. eng.umd.edu/~tcc electrical & computer engineering, university of maryland Yoshihiro Ohba wrote: > Charles, > > I don't agree with entirely removing end-to-end security feature by > entirely removing KIts and KCts and eliminating encryption and > integrity protection between third party and server within this > protocol. > > I stated my position relating to this in January: > http://www.ietf.org/mail-archive/web/hokey/current/msg00923.html > > Also, let me note your comment stating that end-to-end security would > be useful to many working groups and many protocols that operate over AAA: > http://www.ietf.org/mail-archive/web/hokey/current/msg01043.html > > Please see below for my other comments that are not relating to my > above disagreement. > > > On Mon, Feb 18, 2008 at 10:58:43PM -0500, Charles Clancy wrote: >> Yoshi, >> >> Thanks for putting together this update. We still have significant >> problems with this document. It's very much a 3-party key distribution >> document, and the WG consensus is to not do 3-party key distribution. If >> we can't get this document to match WG consensus, we'll need to toss it >> out and start with something else. Below are my specific comments on >> what I think needs to be done to get this document going in the right >> direction. Additionally, there are also significant grammatical >> problems with the document. >> >> I'd be happy to help with the editing, to possibly have a document that >> matches WG consensus by IETF 71. Let me know if you're interested. >> >> --------- >> Section 1 >> --------- >> >>> The purpose of this document is not to provide exact syntax for the >>> signaling, only the general semantics for the parameters involved are >>> defined. The exact syntax for these parameters when carried by >>> specific protocols, such as AAA protocols [RFC3579] [RFC4072] or EAP >>> protocols are out of scope of this document. >> I'm not sure this is correct. The goal of this document is to define a >> generic protocol and then describe exactly how to use specific protocols >> to transport keying material (e.g. ERX and AAA). > > I am working on the next revision which will include exact syntax as a > generic protocol. If we consider distribution of DSRK, I believe UDP > transport is sufficient, since the DSRK distribution can happen after > the peer completes a full EAP authentication and establishes > connectivity to the network in a visited domain. Therefore, the > peer can directly communicate with DSR-KH over UDP. Extending ERX to > carry this protocol may not be a good idea. Note also that DSRK is > not specific to ERX. > >> --------- >> Section 3 >> --------- >> >>> However, since EMSK cannot be >>> exported from EAP server, such third parties need to request the EAP >>> server to generate the relevant root key (USRK, DSRK, or DSUSRK) from >>> the EMSK and deliver the requested key to them. >> The EAP server only generates USRKs and DSRKs. DSUSRKs are generated by >> AAA servers in a specific key management domain (or DSR-KH in your >> terminology). > > OK. > >>> The USR-KH by >>> definition is domain independent, which means the USR-KH can use >>> USRK to generate DSUSRK for each domain deploying that service. >> According to the current EMSK hierarchy, DSUSRKs cannot be derived from >> USRKs. A USR-KH can derive any keys it wants from the USRK, and they >> may be domain-specific, but they shouldn't be called DSUSRKs. > > We can simply remove the sentence. > >>> Security Requirements for >>> delivery of USRK from EAP server to a collocated USR-KH is >>> currently TBD. >> I don't think this is something we need to worry about. It should be >> consistent with how AAA keys are currently managed within a AAA server. > > We can remove this sentence as well. > >>> The DSR-KH is >>> possibly responsible for derivation and distribution of any child >>> keys derived from DSRK for that specific domain. >> More than "possibly responsible". It's "responsible". You should point >> out that these keys are DSUSRKs. > > OK. > >>> Regardless of the type of key being delivered, the model for EAP >>> based key derivation and delivery interface can be generalized as a 3 >>> party key distribution model >> I'd like to see a different terminology used. The WG consensus is to >> NOT use 3-party key distribution. References to "distribution to a >> third party" seem reasonable, but I'd prefer some other name. "3-party >> key distribution" is not okay, because it implies certain requirements >> that the WG has decided not to pursue. >> >> ----------- >> Section 3.1 >> ----------- >> >> KDE message 0 should be removed or at least made optional. It should be >> assumed that the peer already knows these identities. > > I agree with making KDE0 optional. > >> PRT: this message looks okay >> >> TRT: We don't assume the existence of KIts. The TRT should not have an >> integrity check on it. It should be assumed that the transport protocol >> will provide integrity protection and/or confidentiality of this >> message. In the transport section we'll deal more with how AAA can >> provide this necessary integrity protection. >> >> TOK: Again, we don't assume the existence of KIts or KCts. We need to >> place requirements on the transport to provide this confidentiality and >> integrity protection. >> >> SAT: this message looks okay >> >> ----------- >> Section 3.2 >> ----------- >> >> The KDRK can only be the EMSK (to deliver USRKs and DSRKs) or DSRK (to >> deliver DSUSRKs). Describe the CK and IK as USRKS and DSUSRKs. That >> is, if the KDRK is the EMSK, then: >> >> CK = USRK(usage="distribution cipher key") >> IK = USRK(usage="distribution integrity key") >> >> ... and if the KDRK is the DSRK for domain="example.net", then: >> >> CK = DSUSRK(usage="key distribution cipher key", domain="example.net") >> IK = DSUSRK(usage="key distribution integrity key", domain="example.net") >> >> ... rather than providing the exact PRF. The EMSK doc is normative on >> the PRF. > > OK. > >> ----------- >> Section 3.4 >> ----------- >> >> This section should be removed, since the KIts and KCts shouldn't exist. >> >> All references to Kerberos MUST be removed from this document. >> >> Talk about scenarios independently from HOKEY. Feel free to use ERX as >> an example protocol that could use the keys. >> >> -------------- >> Needed Section >> -------------- >> >> We need a section that provides the fundamental signaling. Specifically, >> how to map this to AAA, how to deal with proxies, and how to use AAA to >> provide some level of confidentiality and integrity for the PRT and TRT. >> >> We also need to define how ERX can carry PRK and SAT using their >> existing, extensible framework. >> >> I think draft-gaonkar-radext-erp-attrs-02 is a good start on how this >> can be accomplished. > > As I commented above, extending ERX to carry this protocol may not be > a good idea. The peer can directly communicate with DSR-KH over UDP. > Maybe what we can do is to identify several alternatives for the > signaling and discuss them in IETF71. > > Yoshihiro Ohba > _______________________________________________ HOKEY mailing list HOKEY@ietf.org http://www.ietf.org/mailman/listinfo/hokey
- [HOKEY] [FW: New Version Notification for draft-i… Yoshihiro Ohba
- Re: [HOKEY] [FW: New Version Notification for dra… Charles Clancy
- Re: [HOKEY] [FW: New Version Notification for dra… Yoshihiro Ohba
- Re: [HOKEY] [FW: New Version Notification for dra… Charles Clancy
- Re: [HOKEY] [FW: New Version Notification for dra… Yoshihiro Ohba