Re: [IPsec] Secure Crash Discovery for IKEv2
Tero Kivinen <kivinen@iki.fi> Tue, 19 August 2008 12:36 UTC
Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 66BBB3A6933; Tue, 19 Aug 2008 05:36:18 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E38F3A681B for <ipsec@core3.amsl.com>; Tue, 19 Aug 2008 05:36:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Level:
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[AWL=0.332, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YNUJqeJWPZkN for <ipsec@core3.amsl.com>; Tue, 19 Aug 2008 05:36:11 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 9EB5E3A6A4F for <ipsec@ietf.org>; Tue, 19 Aug 2008 05:36:10 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.13.8) with ESMTP id m7JCXaD0004949 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 19 Aug 2008 15:33:36 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id m7JCXW6J012879; Tue, 19 Aug 2008 15:33:32 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Message-ID: <18602.48540.840788.6761@fireball.kivinen.iki.fi>
Date: Tue, 19 Aug 2008 15:33:32 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Pratima Sethi <psethi@cisco.com>
In-Reply-To: <48AA8515.7020505@cisco.com>
References: <54B6B88E-C321-452D-9FAE-D9A48D6F3371@checkpoint.com> <1696498986EFEC4D9153717DA325CB72014C6295@vaebe104.NOE.Nokia.com> <18596.19057.198942.901238@fireball.kivinen.iki.fi> <1218743727.7492.167.camel@fdetienn-laptop> <18597.16630.682587.674433@fireball.kivinen.iki.fi> <48AA8515.7020505@cisco.com>
X-Mailer: VM 7.19 under Emacs 22.1.1
X-Edit-Time: 14 min
X-Total-Time: 17 min
Cc: ipsec@ietf.org, Pasi.Eronen@nokia.com, fd@cisco.com, ynir@checkpoint.com
Subject: Re: [IPsec] Secure Crash Discovery for IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Pratima Sethi writes: > Is there a specification of Birth Certiifcates that you can point us > to ? No, that was never written to draft form of its own. It was presented on this list by Bill Sommerfeld long time ago. It has been explained in few drafts quite shortly, for example in the http://tools.ietf.org/html/draft-ietf-ipsec-soi-features-01 section 3.5: ---------------------------------------------------------------------- 3.5 Birth certificates Assume Alice and Bob have an SA established, and that Bob crashes and restarts. Alice will send a packet into an SA that Bob doesn't know about. Birth certificates are a method for letting Alice know that the SA is no longer alive. It is desirable that such a mechanism be inexpensive for Bob. If a mechanism required a lot of computation, for instance, having Bob sign a customized message saying, "This SA didn't decrypt properly. Perhaps it's because it's a reused SA number from before I crashed" or "unknown SPI", then there is an easy DOS attack on Bob's limited computation by sending him bogus messages. If Bob sends totally unauthenticated messages, it is difficult for Alice to act on them, since an active attacker could send her "no such SPI" messages to cause her to close connections. The idea of a birth certificate, originated in the IPsec Working Group by Bill Sommerfeld, is that Bob should have a monotonically increasing number that increases each time Bob restarts. When Bob restarts, he signs a message saying, "this is my incarnation number". When Bob creates an SA, Bob optionally sends his birth certificate. Alice can optionally keep this certificate with her SA. Then, if Alice ever receives an error message from Bob with a birth certificate with a higher incarnation number, she can remove all SAs associated with Bob's previous incarnation. This mechanism is somewhat overlapping with the "initial-contact" mechanism in IKEv2. Discussion in the WG suggested that birth certificates could replace initial-contact, but some people said that both were valuable. ---------------------------------------------------------------------- Or from http://tools.ietf.org/html/draft-ietf-ipsec-ikev2-rationale-00 section 3.1: ---------------------------------------------------------------------- - adding in Bill Sommerfeld's "birth certificate" idea. In this idea Bob keeps a number in nonvolatile memory that increments each time the node restarts. When Bob restarts, he signs a "birth certificate" stating what the value of that counter is. This birth certificate is transmitted as a payload in message 4. Alice keeps this value. If Bob ever receives an ESP packet that doesn't decrypt properly or with an unknown SPI, he responds to that packet with his birth certificate. If the recipient has an SA for Bob with an older birth certificate, this lets them know Bob has restarted and forgotten state for that SA. We decided not to add that to this version of the draft, although we think it is a good idea, until it's been written up in a separate draft and there has been an opportunity for people to understand it and give feedback. ---------------------------------------------------------------------- I think this was the original email message explaining them on the ipsec-list http://www.vpnc.org/ietf-ipsec/00.ipsec/msg01415.html: ---------------------------------------------------------------------- Message-Id: <200008072309.e77N9oS111935@thunk.east.sun.com> In-reply-to: Your message of "Mon, 07 Aug 2000 15:55:21 PDT." <398F3E59.2DBC13D2@cisco.com> From: Bill Sommerfeld <sommerfeld@East.Sun.COM> To: Scott Fanning <sfanning@cisco.com> cc: Derek Atkins <warlord@mit.edu>, sommerfeld@East.Sun.COM, "Scott G. Kelly" <skelly@redcreek.com>, Skip Booth <ebooth@cisco.com>, Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com Subject: Re: Heartbeats Straw Poll Date: Mon, 07 Aug 2000 19:09:50 -0400 Reply-to: sommerfeld@East.Sun.COM > Maybe we need a "death certificate" CA :-) Heh. Actually, one of the ideas I'm kicking around: If we have the system sign a "birth certificate" when it reboots (including a reboot time or boot sequence number), we could include that with a "bad spi" ICMP error and in the negotiation of the IKE SA. This pushes the burden of reestablishing state to the end which already thinks it has shared state and has traffic it wants to send. The system which is receiving packets to unknown spi's merely has to respond with a simple message which involves no real-time cryptography (it should, of course, be rate limited). The system receiving the error message can discard it if it doesn't correspond to existing state or if it's "old news" (i.e., you get replay protection); if it's not old news, you can rate-limit how often you attempt to verify the signature. I *think* this is relatively resistant to replay and DoS... - Bill ---------------------------------------------------------------------- > From what I understand ,Bob generates a single certificate when he > reboots, and will add that as a birth certificate payload, to the > invalid_spi notification. If Bob only generates one certificate > independent of the client Alice, Mallet( the MitM) can snoop and learn > the birth certificate and replay this to any Alice connected to Bob. How > does Alice trust that the information is a fresh valid packet generated > by Bob and not a "constructed" packet from an attacker. The Bob also sent that same certificate with the counter (or timestamp) inside of it when it created the SA. The Alice will receive the birth certificate, and first check if the counter is same than before. If it is, then it knows this is old news, and it can simply ignore the notification. If it has larger incarnation number than the one used when creating the SA, then it can validate the signature of the certificate and if that is valid, then it knows that Bob has rebooted since they created the SA, thus Alice can safely remove all IKE and IPsec SAs between her and Bob. As only Bob can create valid signatures, and Bob only does that after reboot Alice can know for sure that Bob has rebooted. The incarnation number can be timestamp or simple running counter, the only property that is required is that it cannot go backwards, and it has bigger number than it had before every time the machine is booted. As certificates do require clock or similar already, that same clock can be used here too. -- kivinen@safenet-inc.com _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Pasi.Eronen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Lakshminath Dondeti
- Re: [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Frederic Detienne
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Frederic Detienne
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Pratima Sethi
- Re: [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Pratima Sethi
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Stephen Bevan
- Re: [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- [IPsec] Topics allowed on the mailing list Paul Hoffman
- Re: [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Yoav Nir
- Re: [IPsec] Secure Crash Discovery for IKEv2 Scott C Moonen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Tero Kivinen
- Re: [IPsec] Secure Crash Discovery for IKEv2 Stephen Bevan
- Re: [IPsec] Secure Crash Discovery for IKEv2 Stephen Bevan
- Re: [IPsec] Secure Crash Discovery for IKEv2 Stephen Bevan