IETF Logo Mail Archive

Re: [IPsec] Secure Crash Discovery for IKEv2

Tero Kivinen <kivinen@iki.fi> Tue, 19 August 2008 12:36 UTC

Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 66BBB3A6933; Tue, 19 Aug 2008 05:36:18 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E38F3A681B for <ipsec@core3.amsl.com>; Tue, 19 Aug 2008 05:36:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Level:
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[AWL=0.332, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YNUJqeJWPZkN for <ipsec@core3.amsl.com>; Tue, 19 Aug 2008 05:36:11 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 9EB5E3A6A4F for <ipsec@ietf.org>; Tue, 19 Aug 2008 05:36:10 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.13.8) with ESMTP id m7JCXaD0004949 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 19 Aug 2008 15:33:36 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id m7JCXW6J012879; Tue, 19 Aug 2008 15:33:32 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Message-ID: <18602.48540.840788.6761@fireball.kivinen.iki.fi>
Date: Tue, 19 Aug 2008 15:33:32 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Pratima Sethi <psethi@cisco.com>
In-Reply-To: <48AA8515.7020505@cisco.com>
References: <54B6B88E-C321-452D-9FAE-D9A48D6F3371@checkpoint.com> <1696498986EFEC4D9153717DA325CB72014C6295@vaebe104.NOE.Nokia.com> <18596.19057.198942.901238@fireball.kivinen.iki.fi> <1218743727.7492.167.camel@fdetienn-laptop> <18597.16630.682587.674433@fireball.kivinen.iki.fi> <48AA8515.7020505@cisco.com>
X-Mailer: VM 7.19 under Emacs 22.1.1
X-Edit-Time: 14 min
X-Total-Time: 17 min
Cc: ipsec@ietf.org, Pasi.Eronen@nokia.com, fd@cisco.com, ynir@checkpoint.com
Subject: Re: [IPsec] Secure Crash Discovery for IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org

Pratima Sethi writes:
> Is there a specification of Birth Certiifcates that you can point us
> to ?

No, that was never written to draft form of its own. It was presented
on this list by Bill Sommerfeld long time ago. It has been explained
in few drafts quite shortly, for example in the
http://tools.ietf.org/html/draft-ietf-ipsec-soi-features-01 section
3.5:

----------------------------------------------------------------------
3.5 Birth certificates

Assume Alice and Bob have an SA established, and that Bob crashes and
restarts. Alice will send a packet into an SA that Bob doesn't know
about. Birth certificates are a method for letting Alice know that the
SA is no longer alive.

It is desirable that such a mechanism be inexpensive for Bob. If a
mechanism required a lot of computation, for instance, having Bob sign a
customized message saying, "This SA didn't decrypt properly. Perhaps
it's because it's a reused SA number from before I crashed" or "unknown
SPI", then there is an easy DOS attack on Bob's limited computation by
sending him bogus messages. If Bob sends totally unauthenticated
messages, it is difficult for Alice to act on them, since an active
attacker could send her "no such SPI" messages to cause her to close
connections.

The idea of a birth certificate, originated in the IPsec Working
Group by Bill Sommerfeld, is that Bob should have a monotonically
increasing number that increases each time Bob restarts. When Bob
restarts, he signs a message saying, "this is my incarnation number".
When Bob creates an SA, Bob optionally sends his birth certificate.
Alice can optionally keep this certificate with her SA. Then, if Alice
ever receives an error message from Bob with a birth certificate with a
higher incarnation number, she can remove all SAs associated with Bob's
previous incarnation.

This mechanism is somewhat overlapping with the "initial-contact"
mechanism in IKEv2. Discussion in the WG suggested that birth
certificates could replace initial-contact, but some people said that
both were valuable.
----------------------------------------------------------------------

Or from http://tools.ietf.org/html/draft-ietf-ipsec-ikev2-rationale-00
section 3.1:

----------------------------------------------------------------------
   - adding in Bill Sommerfeld's "birth certificate" idea. In this idea
   Bob keeps a number in nonvolatile memory that increments each time
   the node restarts. When Bob restarts, he signs a "birth certificate"
   stating what the value of that counter is. This birth certificate is
   transmitted as a payload in message 4. Alice keeps this value. If Bob
   ever receives an ESP packet that doesn't decrypt properly or with an
   unknown SPI, he responds to that packet with his birth certificate.
   If the recipient has an SA for Bob with an older birth certificate,
   this lets them know Bob has restarted and forgotten state for that
   SA. We decided not to add that to this version of the draft, although
   we think it is a good idea, until it's been written up in a separate
   draft and there has been an opportunity for people to understand it
   and give feedback.
----------------------------------------------------------------------

I think this was the original email message explaining them on the
ipsec-list http://www.vpnc.org/ietf-ipsec/00.ipsec/msg01415.html:

----------------------------------------------------------------------
Message-Id: <200008072309.e77N9oS111935@thunk.east.sun.com>
In-reply-to: Your message of "Mon, 07 Aug 2000 15:55:21 PDT."
             <398F3E59.2DBC13D2@cisco.com> 
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
To: Scott Fanning <sfanning@cisco.com>
cc: Derek Atkins <warlord@mit.edu>, sommerfeld@East.Sun.COM,
        "Scott G. Kelly" <skelly@redcreek.com>, Skip Booth <ebooth@cisco.com>,
        Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com
Subject: Re: Heartbeats Straw Poll 
Date: Mon, 07 Aug 2000 19:09:50 -0400
Reply-to: sommerfeld@East.Sun.COM

> Maybe we need a "death certificate" CA :-) 

Heh.  Actually, one of the ideas I'm kicking around:

If we have the system sign a "birth certificate" when it reboots
(including a reboot time or boot sequence number), we could include
that with a "bad spi" ICMP error and in the negotiation of the IKE SA.

This pushes the burden of reestablishing state to the end which
already thinks it has shared state and has traffic it wants to send.

The system which is receiving packets to unknown spi's merely has to
respond with a simple message which involves no real-time cryptography
(it should, of course, be rate limited).

The system receiving the error message can discard it if it doesn't
correspond to existing state or if it's "old news" (i.e., you get
replay protection); if it's not old news, you can rate-limit how often
you attempt to verify the signature.

I *think* this is relatively resistant to replay and DoS...

                                        - Bill
----------------------------------------------------------------------

>  From what I understand ,Bob generates a single certificate when he 
> reboots, and will add that as  a birth certificate payload, to the 
> invalid_spi notification. If  Bob only generates one certificate 
> independent of the client Alice, Mallet( the MitM) can snoop and learn 
> the birth certificate and replay this to any Alice connected to Bob. How 
> does Alice trust that the information is a fresh valid packet generated 
> by Bob and not a "constructed" packet from an attacker.

The Bob also sent that same certificate with the counter (or
timestamp) inside of it when it created the SA. The Alice will receive
the birth certificate, and first check if the counter is same than
before. If it is, then it knows this is old news, and it can simply
ignore the notification. If it has larger incarnation number than the
one used when creating the SA, then it can validate the signature of
the certificate and if that is valid, then it knows that Bob has
rebooted since they created the SA, thus Alice can safely remove all
IKE and IPsec SAs between her and Bob. As only Bob can create valid
signatures, and Bob only does that after reboot Alice can know for
sure that Bob has rebooted.

The incarnation number can be timestamp or simple running counter, the
only property that is required is that it cannot go backwards, and it
has bigger number than it had before every time the machine is booted.
As certificates do require clock or similar already, that same clock
can be used here too.
-- 
kivinen@safenet-inc.com
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email