multi-layer IPSEC draft
Yongguang Zhang <ygz@hrl.com> Wed, 27 October 1999 03:39 UTC
X-Persona: <a phoffman VPNC>
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA17617 for <paul.hoffman@vpnc.org>; Tue, 26 Oct 1999 20:39:04 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id WAA01906 Tue, 26 Oct 1999 22:13:08 -0400 (EDT)
Message-Id: <4.2.0.58.19991026190036.00a1be30@isl.hrl.hac.com>
X-Sender: ygz@isl.hrl.hac.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Tue, 26 Oct 1999 19:15:44 -0700
To: ipsec@lists.tislabs.com, tf-esp@research.att.com
From: Yongguang Zhang <ygz@hrl.com>
Subject: multi-layer IPSEC draft
In-Reply-To: <199910200150.VAA14041@tsx-prime.MIT.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
X-UIDL: c6159a70d55879d8272130482e3f221c
<x-flowed> Hi, all: This draft is a follow-up of my short presentation in last IETF. (I sent out last week but hasn't got response back from Internet-Draft.) But it is also available from my web site: http://www.wins.hrl.com/people/ygz/ml-ipsec/draft-zhang-ipsec-mlipsec-00.txt To repeat the concept, multi-layer IPSEC applies separate encryption/authentication with different keys on different parts of an IP datagram. It allows certain intermediate routers to have limited and controllable access to part of IP datagram (usually headers) but not the user data, for applications like flow classification, diffserv, TCPPEP, NAT, transparent proxy, etc. (and those "intelligent routing" that need access to higher-layer protocol headers). I'd like to hear your comments on this. Regards, Yongguang </x-flowed> From ???@??? Tue Oct 26 19:20:19 1999 X-Persona: <a phoffman VPNC> Received: from mail-green.research.att.com (H-135-207-30-103.research.att.com [135.207.30.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA13654 for <paul.hoffman@vpnc.org>; Tue, 26 Oct 1999 19:13:25 -0700 (PDT) Received: from akalice.research.att.com (akalice.research.att.com [135.207.26.22]) by mail-green.research.att.com (Postfix) with ESMTP id 6EB381E034; Tue, 26 Oct 1999 22:16:23 -0400 (EDT) Received: (from majordomo@localhost) by akalice.research.att.com (980427.SGI.8.8.8/8.8.7) id WAA69788 for tf-esp-list; Tue, 26 Oct 1999 22:15:46 -0400 (EDT) Received: from mail-green.research.att.com (mail-green.research.att.com [135.207.30.103]) by akalice.research.att.com (980427.SGI.8.8.8/8.8.7) with ESMTP id WAA71958 for <tf-esp@akalice.research.att.com>; Tue, 26 Oct 1999 22:15:45 -0400 (EDT) Received: by mail-green.research.att.com (Postfix) id 242BC1E030; Tue, 26 Oct 1999 22:15:45 -0400 (EDT) Delivered-To: tf-esp@research.att.com Received: from fw-es10.hac.com (fw-es10.HAC.COM [128.152.1.26]) by mail-green.research.att.com (Postfix) with ESMTP id 355BC1E029 for <tf-esp@research.att.com>; Tue, 26 Oct 1999 22:15:44 -0400 (EDT) Received: from malpha.hrl.hac.com ([192.27.95.96]) by fw-es10.hac.com (8.9.1/8.9.1) with SMTP id TAA06312 for <tf-esp@research.att.com>; Tue, 26 Oct 1999 19:15:45 -0700 (PDT) Received: from isl.hrl.hac.com by malpha.hrl.hac.com (5.65v4.0/1.1.19.2/28Dec98-0405PM) id AA03983; Tue, 26 Oct 1999 19:15:42 -0700 Received: from maygz by isl.hrl.hac.com (8.9.1b+Sun/SMI-SVR4) id TAA27872; Tue, 26 Oct 1999 19:14:25 -0700 (PDT) Message-Id: <4.2.0.58.19991026190036.00a1be30@isl.hrl.hac.com> X-Sender: ygz@isl.hrl.hac.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Tue, 26 Oct 1999 19:15:44 -0700 To: ipsec@lists.tislabs.com, tf-esp@research.att.com From: Yongguang Zhang <ygz@hrl.com> Subject: multi-layer IPSEC draft In-Reply-To: <199910200150.VAA14041@tsx-prime.MIT.EDU> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-tf-esp@research.att.com Precedence: bulk X-UIDL: 009e3ee7667d30fce50b1455b27a24ca <x-flowed> Hi, all: This draft is a follow-up of my short presentation in last IETF. (I sent out last week but hasn't got response back from Internet-Draft.) But it is also available from my web site: http://www.wins.hrl.com/people/ygz/ml-ipsec/draft-zhang-ipsec-mlipsec-00.txt To repeat the concept, multi-layer IPSEC applies separate encryption/authentication with different keys on different parts of an IP datagram. It allows certain intermediate routers to have limited and controllable access to part of IP datagram (usually headers) but not the user data, for applications like flow classification, diffserv, TCPPEP, NAT, transparent proxy, etc. (and those "intelligent routing" that need access to higher-layer protocol headers). I'd like to hear your comments on this. Regards, Yongguang </x-flowed> From ???@??? Wed Oct 27 07:36:19 1999 X-Persona: <a phoffman VPNC> Received: by ns.secondary.com (8.9.3/8.9.3) id CAA26961 for ietf-ipsra-bks; Wed, 27 Oct 1999 02:44:53 -0700 (PDT) Received: from cale.checkpoint.com (ns.checkpoint.com [199.203.73.197]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA26957 for <ietf-ipsra@vpnc.org>; Wed, 27 Oct 1999 02:44:50 -0700 (PDT) Received: from checkpoint.com (gray.checkpoint.com [199.203.71.94]) by cale.checkpoint.com (8.9.1/8.9.1) with ESMTP id LAA04342; Wed, 27 Oct 1999 11:54:31 +0200 (IST) Message-ID: <3816CB1B.4167A880@checkpoint.com> Date: Wed, 27 Oct 1999 11:51:23 +0200 From: Moshe Litvin <moshe@checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: "Scott G. Kelly" <skelly@redcreek.com> CC: Stephane Beaulieu <sbeaulieu@TimeStep.com>, wprice@cyphers.net, ipsec@lists.tislabs.com, ietf-ipsra@vpnc.org Subject: Re: Comments on CRACK References: <319A1C5F94C8D11192DE00805FBBADDFEC9812@exchange> <3815E0ED.F8C11745@redcreek.com> Content-Type: multipart/mixed; boundary="------------551C72AF621C0C49C1634ED7" Sender: owner-ietf-ipsra@mail.vpnc.org Precedence: bulk List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/> List-ID: <ietf-ipsra.vpnc.org> List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe> X-UIDL: ef65a9e9385238400d1d6b632e999c65 Scott, "Scott G. Kelly" wrote: > Stephane Beaulieu wrote: > > What would those be? > > > > I've heard... > > > > 1 - It encourages the use of weak pre-shared keys. - Perhaps, but this can > > easily be fixed in XAUTH. I would still like to get a concensus on this. > > This "easy" fix requires deployment of client certificates. Deployment of client certificates together with hardware tokens (preferably FIPS 140-1 level 4 certified) is the best fix. The easy secure fix is hybrid. > > 2 - It's too complicated to be secure... Please ! > > Prove to me that it's secure. Better review your predicate logic > first... Let's start from the beginning, all the suggested protocols are based on IKE, so we can start with a proof of security for IKE. Then we can try to give a proof in the same level for the other suggestions. > > 3 - Too much known plain text. - All three proposals (XAUTH, CRACK, and ULA > > have know plain text. > > None have the copious amounts of ASCII TEXT that xauth does. Some known > plaintext may be unavoidable, but xauth has a ridiculous amount. Know plain text is non-issue (BTW actually the largest amount of known plain text is with certificate, when the whole public certificate chain is being passed). Regards, Moshe Attachment Converted: "C:\Temp\moshe.vcf" From ???@??? Wed Oct 27 08:23:09 1999 X-Persona: <a phoffman VPNC> Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA06720 for <paul.hoffman@vpnc.org>; Wed, 27 Oct 1999 08:05:43 -0700 (PDT) Received: by lists.tislabs.com (8.9.1/8.9.1) id JAA04237 Wed, 27 Oct 1999 09:26:04 -0400 (EDT) Message-ID: <3816CB1B.4167A880@checkpoint.com> Date: Wed, 27 Oct 1999 11:51:23 +0200 From: Moshe Litvin <moshe@checkpoint.com> X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: "Scott G. Kelly" <skelly@redcreek.com> CC: Stephane Beaulieu <sbeaulieu@TimeStep.com>, wprice@cyphers.net, ipsec@lists.tislabs.com, ietf-ipsra@vpnc.org Subject: Re: Comments on CRACK References: <319A1C5F94C8D11192DE00805FBBADDFEC9812@exchange> <3815E0ED.F8C11745@redcreek.com> Content-Type: multipart/mixed; boundary="------------551C72AF621C0C49C1634ED7" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk X-UIDL: 5fa9664ec0c1fecaf9fac01d2dacc615 Scott, "Scott G. Kelly" wrote: > Stephane Beaulieu wrote: > > What would those be? > > > > I've heard... > > > > 1 - It encourages the use of weak pre-shared keys. - Perhaps, but this can > > easily be fixed in XAUTH. I would still like to get a concensus on this. > > This "easy" fix requires deployment of client certificates. Deployment of client certificates together with hardware tokens (preferably FIPS 140-1 level 4 certified) is the best fix. The easy secure fix is hybrid. > > 2 - It's too complicated to be secure... Please ! > > Prove to me that it's secure. Better review your predicate logic > first... Let's start from the beginning, all the suggested protocols are based on IKE, so we can start with a proof of security for IKE. Then we can try to give a proof in the same level for the other suggestions. > > 3 - Too much known plain text. - All three proposals (XAUTH, CRACK, and ULA > > have know plain text. > > None have the copious amounts of ASCII TEXT that xauth does. Some known > plaintext may be unavoidable, but xauth has a ridiculous amount. Know plain text is non-issue (BTW actually the largest amount of known plain text is with certificate, when the whole public certificate chain is being passed). Regards, Moshe Attachment Converted: "C:\Temp\moshe2.vcf" From ???@??? Wed Oct 27 14:33:50 1999 X-Persona: <a phoffman VPNC> Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA13429 for <paul.hoffman@vpnc.org>; Wed, 27 Oct 1999 12:53:41 -0700 (PDT) Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA05645 Wed, 27 Oct 1999 14:28:40 -0400 (EDT) Message-Id: <3.0.6.32.19991027121504.00acf380@127.0.0.1> X-Sender: rodney@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32) Date: Wed, 27 Oct 1999 12:15:04 +0200 To: ipsec@lists.tislabs.com From: Rodney Thayer <rodney@ssh.fi> Subject: Re:-ipsec-pki-req-03 - intro Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ipsec@lists.tislabs.com Precedence: bulk X-UIDL: bba121d1f81db3873a73c61b65eb6ecb This is a DRAFT. It's not an RFC. It's not a BCP. One of the very disturbing things about the IPsec RFC's is that I find, in my travels, that there are people out there reading them as the gospel truth, including the really lame stuff. So, labelling this with the truth, i.e. the fact it's not terribly synchronized, is ADDING value for implementors, in that it tells them this is unstable. Many many many labor-hours were wasted over many years in the IPsec communities because drafts were unstable and therefore, we had implementations that were severely jerked around because of this sort of things. So I thing the addition of warning labels is appropriate. >From: Brian Korver <briank@network-alchemy.com> >Greg Carter writes: >> >From 1. Introduction, first paragraph: >> >> "Note that many IPsec implementers are not completely happy with the PKIX >> documents and procedures, but have agreed to use the PKIX protocols because >> they are supported in other contexts and have a significant market share." >> >> and last paragraph >> >> "(It is noted that the fact that the two documents differ does not give >> great confidence to the IPsec community or other users of the PKIX >> protocols.)" >> >> Both of these, whether or not true, are opinions and don't really do >> anything to help implementers beside adding confusion. I would suggest they >> be taken out for clarity.
- Call for Agenda Items Theodore Y. Ts'o
- multi-layer IPSEC draft Yongguang Zhang