I-D ACTION:draft-ietf-ipsec-isakmp-oakley-02.txt
Internet-Drafts@ietf.org Thu, 21 November 1996 14:41 UTC
To: IETF-Announce@ietf.org
cc: ipsec@tis.com
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-ipsec-isakmp-oakley-02.txt
Date: Thu, 21 Nov 1996 09:41:08 -0500
Sender: cclark@ietf.org
Message-ID: <9611210941.aa04456@ietf.org>
--NextPart
A Revised Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the IP Security Protocol Working
Group of the IETF.
Title : The resolution of ISAKMP with Oakley
Author(s) : D. Harkins, D. Carrel
Filename : draft-ietf-ipsec-isakmp-oakley-02.txt
Pages : 27
Date : 11/20/1996
[MSST96] (ISAKMP) provides a framework for authentication and key
exchange but does not define them. ISAKMP is designed to be
key exchange independant; that is, it is designed to support many
different key exchanges.
[Orm96] (Oakley) describes a series of key exchanges-- called "modes"-- and
details the services provided by each (e.g. perfect forward secrecy for
keys, identity protection, and authentication).
This document describes a proposal for using the Oakley Key Exchange
Protocol in conjunction with ISAKMP to obtain authenticated keying
material for use with ISAKMP, and for other security associations
such as AH and ESP for the IETF IPsec DOI.
Internet-Drafts are available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-ietf-ipsec-isakmp-oakley-02.txt".
A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-ietf-ipsec-isakmp-oakley-02.txt
Internet-Drafts directories are located at:
o Africa: ftp.is.co.za
o Europe: nic.nordu.net
ftp.nis.garr.it
o Pacific Rim: munnari.oz.au
o US East Coast: ds.internic.net
o US West Coast: ftp.isi.edu
Internet-Drafts are also available by mail.
Send a message to: mailserv@ds.internic.net. In the body type:
"FILE /internet-drafts/draft-ietf-ipsec-isakmp-oakley-02.txt".
NOTE: The mail server at ds.internic.net can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e., documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version
of the Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"
--OtherAccess
Content-Type: Message/External-body;
access-type="mail-server";
server="mailserv@ds.internic.net"
Content-Type: text/plain
Content-ID: <19961121090052.I-D@ietf.org>
ENCODING mime
FILE /internet-drafts/draft-ietf-ipsec-isakmp-oakley-02.txt
--OtherAccess
Content-Type: Message/External-body;
name="draft-ietf-ipsec-isakmp-oakley-02.txt";
site="ds.internic.net";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <19961121090052.I-D@ietf.org>
--OtherAccess--
--NextPart--
From owner-ipsec Thu Nov 21 14:47:08 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA07165 for ipsec-outgoing; Thu, 21 Nov 1996 14:38:43 -0500 (EST)
Message-Id: <3.0.32.19961121114020.00979840@earthlink.net>
X-Sender: rmonsour@earthlink.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 21 Nov 1996 11:40:27 -0800
To: ipsec@tis.com
From: Bob Monsour <rmonsour@earthlink.net>
Subject: Packet-by-packet compression within IPSec
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Here's a recap of recent history on this topic and a specific proposal to
bring the
discussion to closure.
In recent weeks there has been some good debate regarding the use of
lossless data compression within the context of the IP security framework.
Having reviewed the wg list comments, here's an extremely brief recap. [For
those new to the list, please see the list archives for details.]
1. concept was initially embraced by a few
2. suggestion was made to add fields to ESP to support stateful compression
(i.e., compression history retained across multiple IP datagrams)
3. some suggested the use of a separate compression header to support it
(as opposed to fields within ESP)
4. stateful nature of compression raised some concerns
5. issue of a sequence counter, redundant with the replay ctr raised concerns
6. issue of the lossyness of the IP media raised concerns
7. need for negotiating SA parameters to support statefulness was stated
8. analysis of packet loss raised serious concerns over stateful compression
9. comments that stateless compression had benefit were stated
10. packet loss concerns seemed to depart in the face of stateless compression
11. proposal made to allow for stateless compression within ESP
Since that time, there has been little or no additional comment on the
subject. I would like to clarify my most recent proposal and provide
specific language to support its implementation.
I fully understand that the working group is moving full steam ahead to get
the IPSec documents ready for the San Jose meeting and to move toward
wide-spread interoperable deployments during the coming year. I do not
believe that this proposal or its implementation will hinder those efforts
and am willing to provide any support needed to assist.
Before going into the specifics of my proposal, I would like to point out a
subtlety involving the use of compression with encryption. The reduced
payload resulting from compression also reduces the amount of work (i.e.,
CPU cycles) required for subsequent encryption operations. Clearly, the CPU
cost of compression must be low enough to realize a net gain, but in our
tests, this bears out in enough cases to make it interesting. This speaks
directly to second paragraph of section 1.1 of the ESP draft regarding the
increased communications latency expected due to the encryption and
decryption operations.
MY PROPOSAL
The essence of my proposal is to add simple, straightforward language
(provided below) to the ESP draft which allows compression to be performed
on a packet-by-packet basis (keeping *NO* history or state information
across packets). The use of compression would be negotiated as an security
association parameter along with the algorithm to be employed. The ESP
payload data would simply be either compressed or uncompressed and *NO*
additional fields (in the header *OR* in the payload) would be required to
support it. This is the simplest form of compression support. I would
further suggest that, at some later time, the working group undertake the
effort to examine methods for supporting stateful compression. Nothing in
the proposed language is intended to preclude such efforts.
SPECIFIC LANGUAGE
The proposed changes are relative to draft-ietf-ipsec-payload-00.txt, dated
June
6, 1996 by Ran Atkinson. I understand that a revisoion of the draft is in
progress am confident that, given the nature of the changes specified
below, they could be easily be mapped into the new draft.
Section 1.1 (Overview)
Add the following sentence to the end of the first paragraph:
The encrypted user data portion of the payload may be compressed
prior to encryption. Security association parameters, negotiated
by the key management mechanism, are used to determine whether or
not compression is used and which compression algorithm will be used.
Section 3. (ENCAPSULATING SECURITY PAYLOAD SYNTAX)
Add the following sentence to first paragraph, making it the second to the
last sentence in the section (prior to "A high-level...").
The protected user data portion of the payload may be compressed
prior to encryption.
Immediately following the second ESP header diagram, change the sentence to
read:
Encryption, authentication and optional compression algorithms, and
the precise...
Section 4.1 (ESP in Tunnel-mode)
Change the first sentence of the second paragraph to read:
...to locate the corect Security Association, optionally applies the
appropriate compression transform, and then applies the appropriate
encryption transform.
Change the first sentence of the fifth paragraph to read:
If decryption succeeds, optional decompression is performed as necessary,
and the original IP datagram...
Section 4.2 (ESP in Transport-mode)
Change the first sentence of the second paragraph to read:
...to locate the corect Security Association, optionally applies the
appropriate compression transform, and then applies the appropriate
encryption transform.
Change the first sentence of the fifth paragraph to read:
If decryption succeeds, optional decompression is performed as necessary,
and the original transport layer...
We will be producing a draft compression transform which adheres to the
proposed "new model" for transforms. It will contain no fields, but will
simply specify how to transform a variabble sized data block from an
uncompressed block to a compressed block.
I would very much like to hear comments from those interested in the
subject and from the authors and/or co-chairs of the group regarding their
suggestions and guidance.
Bob Monsour
rmonsour@earthlink.net
From owner-ipsec Thu Nov 21 15:26:01 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA07278 for ipsec-outgoing; Thu, 21 Nov 1996 15:25:13 -0500 (EST)
Message-Id: <199611212023.PAA03158@raptor.research.att.com>
To: Bob Monsour <rmonsour@earthlink.net>
cc: ipsec@tis.com
Subject: Re: Packet-by-packet compression within IPSec
Date: Thu, 21 Nov 1996 15:23:00 -0500
From: Steven Bellovin <smb@research.att.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
I think your proposal is quite acceptable. I'm willing to go a step
further -- the key management protocol should allow for negotiation
of currently-unspecified parameters for some future compression scheme.
From owner-ipsec Thu Nov 21 16:36:58 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA07348 for ipsec-outgoing; Thu, 21 Nov 1996 16:35:14 -0500 (EST)
Message-Id: <3.0b36.32.19961121163033.0093be20@pop3hub.is.chrysler.com>
Reply-To: rgm3@chrysler.com
X-Sender: rgm3@pop3hub.is.chrysler.com
X-Mailer: Windows Eudora Pro Version 3.0b36 (32)
Date: Thu, 21 Nov 1996 16:35:41 -0500
To: ipsec@tis.com
From: Robert Moskowitz <rgm3@chrysler.com>
Subject: IPsec Interoperability Week #1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by portal.ex.tis.com id QAA07345
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
The following is a proposal from the AIAG to all IPSec implementors.
We are very serious about getting product. To the extent that we will
supply resources to get interoperablity.
Below is the general plan for an interoperability week. Please discuss it
here, amongst yourselves and with us. We are open to fleshing out (ie
nailing down) what ever details are appropriate. Of course, I will be at
IETF to take what ever blooding deemed appropriate, just remember that I
have to leave on friday ;)
IPsec Interoperability Week #1
TO: All implementers of the Ipsec protocols
From: The Automotive Industry Action Group
ANX Security work group
What: 1st working session for IPsec interoperability
Where: MCIs Richardson Texas test facilities
When: January 6th - 10th, 1997
Participation Contact: fbowdon@mcimail.com (810 351-5124),
cwinter@mcimail.com (810 351-5257)
RSVP by: Dec 10th, 1997
Document Questions/Issues: rgm3@chrysler.com by Dec 6th, 1996
GOALS:
Determine the current state of deployablity of IPsec components for the
Auto industry. At this time, demonstration of Key management via
Oakley/ISAKMP is very important to the ANX work group. The intention is to
create as close to a real world inter-company environment for vendor
testing. Multiple scenario testing will be desired. Work on the basis
that firewalls, split DNS, and private addressing is common. Subsets of
these situations will be documented.
Participants minimally need to have product that uses RFCs 1825-9, Oakley
aggressive or main mode with authentication with pre-shared keys
Border-to-border via tunneling
Consider access to trade zones or entire company network.
Remote-to-border
Remote-to-interior
Interior-to-foreign border
Through local border
Interior-to-interior
Technology to demonstrate interoperability:
Basic IPsec protocols, emphasis on ESP-HMAC
(add draft name here)
Keying material for IPsec setup with Key Management exchange via
Oakley/ISAKMP (Choice of ANX wg)
(all three drafts)
Proxy modes
Please provide Oakley modes demonstrable at this time.
Public key format of X.509v3
Keys can be cached
X.509 key retrieval via LDAP
CA will be provided for testing
Subsets of these will be documented by product. A more compete testing
matrix and success criteria will be developed between now and Dec 8th.
Policy issues will be sorted out as well is operational:
Unintended routing through multiple tunnels
Access control granularity
Oakley and ESP options as X.509 extensions
Des vs 3Des, Compression supported, others
The test facility will be connected to the Internet, so vendors unable to
attend are encouraged to contact the MCI coordination team (TBN) to work
out arrangements for remote participation.
Follow up testing will be planned for 2Q97.
Robert Moskowitz
Chrysler Corporation
(810) 758-8212
From owner-ipsec Thu Nov 21 17:25:25 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id RAA07423 for ipsec-outgoing; Thu, 21 Nov 1996 17:24:44 -0500 (EST)
Message-Id: <2.2.16.19961121222412.2f57500c@pop3.pn.com>
X-Sender: rodney@pop3.pn.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 21 Nov 1996 17:24:12 -0500
To: ipsec@tis.com
From: Rodney Thayer <rodney@sabletech.com>
Subject: compression transform conclusions
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
-----BEGIN PGP SIGNED MESSAGE-----
[response to Bob Monsour's proposal]
I believe his charactarization of the discussion so far is accurate.
I believe it is the rough consensus of the group that compression
should be part of the ESP transform, one way or the other, with or
without statefulness, parameter negotiation, sequence numbers, etc.
I myself think the ESP transform is excessively complex as it is,
regardless of the compression features. I think this will interfere
with deployment and will increase the risk of security problems due
to buggy implementations.
But, I do think Bob's proposal represents the view of the group, so
I think that's what we should go with.
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
Comment: PGP by ViaCrypt
iQCVAgUBMpTWPMKmlvJNktGxAQGoywQAgAhOO/aGTYhZsqfZvspaGq9Azcgrr+F6
ZeWZf08n157opre07UTVr98wujdJs+PFo0/1IWApGioQUwV4tV9tbN062SSu3+F1
x29e954kB5C801pA1IG1MwXa1vtdQsA8El4D5igRg4ug1iHCMaYags8frCgLP9co
xxSXdN8qhFg=
=Uq+S
-----END PGP SIGNATURE-----
Rodney Thayer <rodney@sabletech.com> +1 617 332 7292
Sable Technology Corp, 246 Walnut St., Newton MA 02160 USA
Fax: +1 617 332 7970 http://www.shore.net/~sable
Communications Software Development
From owner-ipsec Thu Nov 21 18:11:33 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA07449 for ipsec-outgoing; Thu, 21 Nov 1996 18:10:48 -0500 (EST)
Message-ID: <3294E1E1.ABD@cs.umass.edu>
Date: Thu, 21 Nov 1996 18:12:33 -0500
From: Lewis McCarthy <lmccarth@cs.umass.edu>
Organization: Theoretical Computer Science Group, UMass-Amherst, <URL:http://www.cs.umass.edu/~thtml/>
X-Mailer: Mozilla 3.0 (X11; I; OSF1 V3.2 alpha)
MIME-Version: 1.0
To: Luis Saiz Gimeno <saiz@gc.ssr.upm.es>
CC: ipsec@tis.com
Subject: Re: Any work in IPsec multicast key management?
References: <199611210942.AA25881@orfeo.gc.ssr.upm.es>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
LUIS SAIZ GIMENO writes:
> I would like to know if there is some work in progress in
> multicast/anycast key management in this WG. Any idea about which
> kind of cryptographic protocol is suitable to be adopted?
The most recent mail I've seen about this on the list was from Ran on
Sept.9 ("Subject: FYI: Multicast Key Management documents") -- check
the archives. He mentions GKMP [Harney et al.] and RFC 1949 [Ballardie].
Ran Atkinson wrote on Sept. 9:
>>> I'm told that work is underway at several places (e.g. ORNL) on a
>>> PF_KEY-based freely distributable implementation of GKMP technology
>>> inside the ISAKMP framework.
The survey essay Secure Multicast [Pessi],
<http://www.nixu.fi/~pnr/netsec-lopulliset/3-0-multicast.html>,
is already rather out of date, but you might find the discussion of
an old version of SKIP (draft-...-skip-03) w.r.t. multicast to be
worth reading.
--
Lewis http://www.cs.umass.edu/~lmccarth/lmkey.asc
From owner-ipsec Thu Nov 21 18:23:55 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA07485 for ipsec-outgoing; Thu, 21 Nov 1996 18:23:51 -0500 (EST)
X-Sender: kent@po1.bbn.com
Message-Id: <v03007811aeba9476da70@[128.89.0.110]>
In-Reply-To: <3.0.32.19961121114020.00979840@earthlink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 21 Nov 1996 18:25:28 -0500
To: Bob Monsour <rmonsour@earthlink.net>
From: Stephen Kent <kent@bbn.com>
Subject: Re: Packet-by-packet compression within IPSec
Cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Bob,
I have no objections to your proposal, and it certainly can be
easily integrated into the newly revised ESP spec. We also can allow for
an optional, variable length field in front of the payload, that contains
any per-packet data needed for a specific algorithm. This is easy to
include in the ESP spec, with SA negotiation determining the presence or
absence of the field and its size. The only issue,is how we deal with the
possible requirement to support any specific compression protocols. From
an interoperability perspective, we need to address this aspect of the
standards, and that, I believe, is the basis for concern in terms of
delaying deployment of this technology.
Steve
From owner-ipsec Thu Nov 21 19:00:35 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA07513 for ipsec-outgoing; Thu, 21 Nov 1996 19:00:19 -0500 (EST)
Message-Id: <199611211956.TAA15713@whydos.lkg.dec.com>
X-Authentication-Warning: whydos.lkg.dec.com: Host localhost.lkg.dec.com didn't use HELO protocol
X-Mailer: exmh version 1.6.5 12/11/95
To: rgm3@chrysler.com
Cc: ipsec@tis.com
Subject: Re: IPsec Interoperability Week #1
In-Reply-To: Your message of "Thu, 21 Nov 1996 16:35:41 EST."
<3.0b36.32.19961121163033.0093be20@pop3hub.is.chrysler.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 21 Nov 1996 19:56:21 +0000
From: Matt Thomas <matt@lkg.dec.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
I don't about others but Jan 6th is effectively the week after
next for me.
Nov 25th Thanksgiving week
Dec 2st UNH IPv6 testing
Dec 9th the IETF in San Jose
Dec 16th nothing
Dec 23rd Christmas
Dec 30th New Years
Jan 6th IPsec testing
To get travel, systems, etc. ready by Jan 6th is going to be
difficult at best. I think you should really consider moving
the testing date out 2 week if you can.
--
Matt Thomas Internet: matt@lkg.dec.com
IPv6 Kernel Grunt WWW URL: http://ftp.dec.com/%7Ethomas/
Digital Equipment Corporation Disclaimer: This message reflects my
Littleton, MA own warped views, etc.
From owner-ipsec Thu Nov 21 19:22:46 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA07538 for ipsec-outgoing; Thu, 21 Nov 1996 19:21:50 -0500 (EST)
Message-Id: <3.0.32.19961121162316.00939ea0@earthlink.net>
X-Sender: rmonsour@earthlink.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 21 Nov 1996 16:23:35 -0800
To: Stephen Kent <kent@bbn.com>
From: Bob Monsour <rmonsour@earthlink.net>
Subject: Re: Packet-by-packet compression within IPSec
Cc: Bob Monsour <rmonsour@earthlink.net>, ipsec@tis.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
At 06:25 PM 11/21/96 -0500, Stephen Kent wrote:
>Bob,
>
> I have no objections to your proposal, and it certainly can be
>easily integrated into the newly revised ESP spec. We also can allow for
>an optional, variable length field in front of the payload, that contains
>any per-packet data needed for a specific algorithm. This is easy to
>include in the ESP spec, with SA negotiation determining the presence or
>absence of the field and its size.
Thanks. FYI, the only per-packet data I am imagining for our particular
proposal would be a single byte to contain a compressed/uncompressed bit.
This is needed to handle the case where the source data expands and you
want to instead send the original uncompressed data. In this case, you
would set the bit saying that the particular packet is uncompressed, even
though the SPI specifies that compression is an active function for this
channel.
>The only issue,is how we deal with the
>possible requirement to support any specific compression protocols.
When you say, "...possible requirement to support any specific compression
protocols.", I'm not sure I understand the issue. Do you mean the minimum
or mandatory support levels for compression in IPSec/ESP? If so, I would
expect that its optional nature precludes any such requirement. If you mean
support for specific compression algorithms, I would suggest that we treat
that issue in a similar manner as was done with PPP, where any number
algorithms can be supported as long as there is a draft/standard document
to describe how it is done in the context of IPSec/ESP. Since the specific
compression algorithm that we will be proposing will be based on the LZS
algorithm, it will ultimately result in an informational RFC (which is what
happened in the PPP case for LZS as well).
>From an interoperability perspective, we need to address this aspect of the
>standards, and that, I believe, is the basis for concern in terms of
>delaying deployment of this technology.
Are you refering to the requirement for two interoperable implementations
of compressed ESP before the document can be moved to the Draft Standard
stage? Having done some recent homework on the IETF standards process, I'm
guessing this is the concern. If that is indeed the case, I believe that we
could easily achieve such a goal.
-Bob
From owner-ipsec Fri Nov 22 13:04:19 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA08702 for ipsec-outgoing; Fri, 22 Nov 1996 13:00:43 -0500 (EST)
Message-Id: <2.2.32.19961122180014.00cab134@netcom8.netcom.com>
X-Sender: dpalma@netcom8.netcom.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 22 Nov 1996 10:00:14 -0800
To: ipsec@neptune.hq.tis.com
From: Derek Palma <dpalma@netcom.com>
Subject: Unexpected silence (Test posting)
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Either I am now longer receiving messages for this list
or there is very little discussion before an IETF.
This is a test!
From owner-ipsec Fri Nov 22 16:06:41 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA09104 for ipsec-outgoing; Fri, 22 Nov 1996 16:01:10 -0500 (EST)
Message-Id: <3.0.32.19961122125905.00e47f40@netcom8.netcom.com>
X-Sender: dpalma@netcom8.netcom.com (Unverified)
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 22 Nov 1996 12:59:54 -0800
To: ipsec@tis.com
From: Derek Palma <dpalma@netcom.com>
Subject: Decoupling compression and security
Cc: dpalma@netcom.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Some recent IPSEC implementation experiences and the current discussion
has caused me to consider the virtues of coupling compression
transforms with security. No doubt use of compression has
benefits, even if only applied to a single packet.
I see no problem with having compression be part of an SA.
But I think it lacks some generality. The output of a compression
algorithm can be larger than the input, the sender will no
doubt like to selectively compress. This means the receiver
must be able to receive compressed and uncompressed data.
This seems independent from the SA. Howeverm, the SA setup
can be used to select the compression algorithm.
Generic (probably PPP like) compression transforms which stand
on their own (apart from IPSEC) seemslike a more general solution.
However, IPSEC is the only group who can justify using compression
on a per packet basis. Would a set of IP-COMP transforms (vs IPSEC)
be more appropriate?
Derek
From owner-ipsec Fri Nov 22 23:57:15 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id XAA09490 for ipsec-outgoing; Fri, 22 Nov 1996 23:54:51 -0500 (EST)
Message-Id: <3.0.32.19961122205654.0099c100@earthlink.net>
X-Sender: rmonsour@earthlink.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 22 Nov 1996 20:57:01 -0800
To: Derek Palma <dpalma@netcom.com>
From: Bob Monsour <rmonsour@earthlink.net>
Subject: Re: Decoupling compression and security
Cc: ipsec@tis.com, dpalma@netcom.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
At 12:59 PM 11/22/96 -0800, Derek Palma wrote:
>Some recent IPSEC implementation experiences and the current discussion
>has caused me to consider the virtues of coupling compression
>transforms with security. No doubt use of compression has
>benefits, even if only applied to a single packet.
>
>I see no problem with having compression be part of an SA.
>But I think it lacks some generality. The output of a compression
>algorithm can be larger than the input, the sender will no
>doubt like to selectively compress. This means the receiver
>must be able to receive compressed and uncompressed data.
>This seems independent from the SA. Howeverm, the SA setup
>can be used to select the compression algorithm.
When using packet-by-packet compression within IPSec, while an SA parameter
will exist to define the compression algorithm and whether or not
compression is enabled for a particular sender to receiver, the sender (as
you suggest) will not want to send data when it expands. We have suggested
that each compressed payload include a bit (within a one-byte field) which
indicates whether or not the IP datagram is compressed or not. So, in
effect, the sender operates as follows:
compress the packet
if it gets smaller
compressed = true
send it compressed
else
compressed = false
send the packet in uncompressed form
On the reciever side, it just checks the compressed/uncompressed bit to
decide whether or not to attempt decompression.
>Generic (probably PPP like) compression transforms which stand
>on their own (apart from IPSEC) seemslike a more general solution.
>However, IPSEC is the only group who can justify using compression
>on a per packet basis. Would a set of IP-COMP transforms (vs IPSEC)
>be more appropriate?
The attractive part of PPP-like compression solutions is that operate over
a connection-oriented protocol and therefore can compress across multiple
packets, realizing greater efficiencies than by doing it a packet at a
time. Unfortunately, we don't have that luxury in IP. At an even higher
layer, say SSL, there again is a connection-oriented protocol and
compression can indeed be done over a series of transmitted packets. Once
equipped with the packet-by-packet mode of compression, I would suspect
that if there is sufficient interest and energy in the working group, some
effort could be put forth to figure out how to reliably compress across
multiple IP datagrams.
How would you see an IP-COMP transform operating?
Bob Monsour
rmonsour@earthlink.net
From owner-ipsec Sat Nov 23 16:25:14 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA09748 for ipsec-outgoing; Sat, 23 Nov 1996 16:18:53 -0500 (EST)
Message-Id: <2.2.16.19961123211820.2e271408@pop3.pn.com>
X-Sender: rodney@pop3.pn.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 23 Nov 1996 16:18:20 -0500
To: dpalma@netcom.com
From: Rodney Thayer <rodney@sabletech.com>
Subject: Re: Decoupling compression and security
Cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Have you looked at the draft I did in July? What you're talking about
sounds like the direction I was headed. How would you add/change what I
proposed?
>X-Sender: rmonsour@earthlink.net
>Date: Fri, 22 Nov 1996 20:57:01 -0800
>To: Derek Palma <dpalma@netcom.com>
>From: Bob Monsour <rmonsour@earthlink.net>
>Subject: Re: Decoupling compression and security
>Cc: ipsec@tis.com, dpalma@netcom.com
>Sender: owner-ipsec@ex.tis.com
>
>At 12:59 PM 11/22/96 -0800, Derek Palma wrote:
>>Some recent IPSEC implementation experiences and the current discussion
>>has caused me to consider the virtues of coupling compression
>>transforms with security. No doubt use of compression has
>>benefits, even if only applied to a single packet.
>>
>>I see no problem with having compression be part of an SA.
>>But I think it lacks some generality. The output of a compression
>>algorithm can be larger than the input, the sender will no
>>doubt like to selectively compress. This means the receiver
>>must be able to receive compressed and uncompressed data.
>>This seems independent from the SA. Howeverm, the SA setup
>>can be used to select the compression algorithm.
>
>When using packet-by-packet compression within IPSec, while an SA parameter
>will exist to define the compression algorithm and whether or not
>compression is enabled for a particular sender to receiver, the sender (as
>you suggest) will not want to send data when it expands. We have suggested
>that each compressed payload include a bit (within a one-byte field) which
>indicates whether or not the IP datagram is compressed or not. So, in
>effect, the sender operates as follows:
>
> compress the packet
> if it gets smaller
> compressed = true
> send it compressed
> else
> compressed = false
> send the packet in uncompressed form
>
>On the reciever side, it just checks the compressed/uncompressed bit to
>decide whether or not to attempt decompression.
>
>>Generic (probably PPP like) compression transforms which stand
>>on their own (apart from IPSEC) seemslike a more general solution.
>>However, IPSEC is the only group who can justify using compression
>>on a per packet basis. Would a set of IP-COMP transforms (vs IPSEC)
>>be more appropriate?
>
>The attractive part of PPP-like compression solutions is that operate over
>a connection-oriented protocol and therefore can compress across multiple
>packets, realizing greater efficiencies than by doing it a packet at a
>time. Unfortunately, we don't have that luxury in IP. At an even higher
>layer, say SSL, there again is a connection-oriented protocol and
>compression can indeed be done over a series of transmitted packets. Once
>equipped with the packet-by-packet mode of compression, I would suspect
>that if there is sufficient interest and energy in the working group, some
>effort could be put forth to figure out how to reliably compress across
>multiple IP datagrams.
>
>How would you see an IP-COMP transform operating?
>
>
>Bob Monsour
>rmonsour@earthlink.net
>
>
Rodney Thayer <rodney@sabletech.com> +1 617 332 7292
Sable Technology Corp, 246 Walnut St., Newton MA 02160 USA
Fax: +1 617 332 7970 http://www.shore.net/~sable
Communications Software Development
From owner-ipsec Mon Nov 25 03:40:13 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id DAA10369 for ipsec-outgoing; Mon, 25 Nov 1996 03:32:24 -0500 (EST)
Date: Mon, 25 Nov 1996 10:34:24 +0200 (EET)
From: Santeri Paavolainen <santtu@cs.hut.fi>
X-Sender: santtu@hutcs
To: ipsec@tis.com
Subject: Re: Decoupling compression and security
In-Reply-To: <3.0.32.19961122205654.0099c100@earthlink.net>
Message-ID: <Pine.GSO.3.94.961125100351.29183A-100000@hutcs>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> When using packet-by-packet compression within IPSec, while an SA parameter
> will exist to define the compression algorithm and whether or not
> compression is enabled for a particular sender to receiver, the sender (as
> you suggest) will not want to send data when it expands. We have suggested
> that each compressed payload include a bit (within a one-byte field) which
> indicates whether or not the IP datagram is compressed or not. So, in
> effect, the sender operates as follows:
>
> compress the packet
> if it gets smaller
> compressed = true
> send it compressed
> else
> compressed = false
> send the packet in uncompressed form
>
> On the reciever side, it just checks the compressed/uncompressed bit to
> decide whether or not to attempt decompression.
If the compression was another IPSEC transformation there would be no
need for such a "bit" in the actual _security_ transformation
data. Have everybody forgotten that applying transformations on a
packet is still optional? If I want an option of not applying a packet
compression transformation I can just not apply it -- no need for any
information bits in the packet. As an example,
there is two transformations defined, COMP for compression and CRYPT
for some crypto. If I get a acceptable compression ratio for a packet,
I leave the compression transformation on and pass the packet to the
rest of the transformation chain, finally giving a packet like
CRYPT(COMP(packet))
OTOH, if the compression ratio is unacceptable, just leave the
compression layer off:
CRYPT(packet)
Because the receiver sees only SPIs of the various layers, it will
first decrypt and either get a regular (not compressed) packet, or a
compressed packet which will then have to be uncompressed to gain the
final packet.
Of course, this would mean there is overhead of SPI vs. "bit", but I
think the generality is a clear plus. What if you later find out the
cryptographic transformation you have embedded the compression layer
is not secure? Also, there is no clear way how to interoperate between
different transformations which have the same compression engine (you
must remember that each transformation should be self-contained from
the coding point of view).
Also, some persons might want compression, and only that. I imagine
there would be plenty of situations (two computers connected by a
secure network/line) where getting "compression" out of IPSEC layer
could not be justified because of the extra costs because the
compression would imply (cpu-intensive) cryptographic methods.
Of course, it is another matter whether compression should be included
in the IPSEC layer at all.
PS. In the IP Authentication Header draft (4 June 1996, are there
newer versions?) at chapter 3, the combination of AH(AH(...)) is said
to be invalid at all times. Why? Take the following situation as an
example where AH(AH(...)) could be used:
A VPN network, eg. an intranet created by establishing a secure tunnel
between two separate networks. Typically, the VPN routers apply some
IPSEC AH+ESP transformation on a packet before sending it through the
internet network. But, there can be a case when the VPN router does
not want to encrypt a packet, but still requires authentication.
If there are IPSEC-capable hosts within these two parts of the
intranet talking to each other with some AH+ESP transformations the
VPN routers will get packets in the form of AH(ESP(...)). If the VPN
routers have knowledge about the used ESP (by acting as a middlemen in
key management routine, for example) an deem it as "secure enough"
they might not want to apply a second layer of ESP, because it would
be unnecessary.
Still they want to apply an AH, so that the other VPN router can
confirm the authenticity of the packet coming from the internet (that
it really is coming from the other VPN router). This leads to a
situation where the packet would look like AH(AH(ESP(...))) when send
to the internet. But this seems not to be allowed by the draft!
--
sjpaavol@cc.Helsinki.FI I have become death, destroyer of the worlds.
From owner-ipsec Mon Nov 25 07:20:22 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id HAA10567 for ipsec-outgoing; Mon, 25 Nov 1996 07:18:20 -0500 (EST)
Date: 25 Nov 96 09:27:26 +0300
From: "RIITTINEN HEIKKI" <heikki.riittinen@fin1401.icl.fi>
Subject: RE:Packet-by-packet compression within IPSec
Reply-To: heikki.riittinen@icl.fi
In-Reply-To: Packet-by-packet compression within IPSec
Message-Id: <9611250927.aa26@fin1401.icl.fi>
To: ipsec@tis.com, rmonsour@earthlink.net
Content-Type: text/plain; charset=US-ASCII
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Bob Monsour:
>MY PROPOSAL
>
>The essence of my proposal is to add simple, straightforward language
>(provided below) to the ESP draft which allows compression to be performed
>on a packet-by-packet basis (keeping *NO* history or state information
>across packets). The use of compression would be negotiated as an security
>association parameter along with the algorithm to be employed. The ESP
>payload data would simply be either compressed or uncompressed and *NO*
>additional fields (in the header *OR* in the payload) would be required to
>support it. This is the simplest form of compression support.
>Bob Monsour
>rmonsour@earthlink.net
I fully support the proposal. We have implemented a prototype
of a proprietary "encryption" (stateless compression and standard
encryption) that fulfills all the requirements set by the proposal.
Heikki.Riittinen@teamw.com from Europe
From owner-ipsec Mon Nov 25 10:06:21 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA11013 for ipsec-outgoing; Mon, 25 Nov 1996 10:02:53 -0500 (EST)
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce:;;;;@tis.com@tis.com;;;
From: Internet-Drafts@ietf.org
cc: ipsec@tis.com
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-mcdonald-simple-ipsec-api-00.txt
Date: Mon, 25 Nov 1996 09:38:09 -0500
Message-ID: <9611250938.aa05672@ietf.org>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
Title : A Simple IP Security API Extension to BSD Sockets
Author(s) : D. McDonald
Filename : draft-mcdonald-simple-ipsec-api-00.txt
Pages : 9
Date : 11/22/1996
In order to take advantage of the IP Security Architecture [Atk95], an
application should be able to tell the system what IP-layer security
services it needs to function with some degree of confidence. A simple
API that also allows simple security association policy to be set is
presented here. This document descends from earlier work performed in the
U. S. Naval Research Laboratory's IPv6 and IP security implementation
[AMPMC96].
Internet-Drafts are available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-mcdonald-simple-ipsec-api-00.txt".
A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-mcdonald-simple-ipsec-api-00.txt
Internet-Drafts directories are located at:
o Africa: ftp.is.co.za
o Europe: nic.nordu.net
ftp.nis.garr.it
o Pacific Rim: munnari.oz.au
o US East Coast: ds.internic.net
o US West Coast: ftp.isi.edu
Internet-Drafts are also available by mail.
Send a message to: mailserv@ds.internic.net. In the body type:
"FILE /internet-drafts/draft-mcdonald-simple-ipsec-api-00.txt".
NOTE: The mail server at ds.internic.net can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e., documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version
of the Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"
--OtherAccess
Content-Type: Message/External-body;
access-type="mail-server";
server="mailserv@ds.internic.net"
Content-Type: text/plain
Content-ID: <19961122151515.I-D@ietf.org>
ENCODING mime
FILE /internet-drafts/draft-mcdonald-simple-ipsec-api-00.txt
--OtherAccess
Content-Type: Message/External-body;
name="draft-mcdonald-simple-ipsec-api-00.txt";
site="ds.internic.net";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <19961122151515.I-D@ietf.org>
--OtherAccess--
--NextPart--
From owner-ipsec Mon Nov 25 15:38:13 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA11709 for ipsec-outgoing; Mon, 25 Nov 1996 15:35:58 -0500 (EST)
Message-ID: <329A0357.15FB@mit.edu>
Date: Mon, 25 Nov 1996 15:36:39 -0500
From: "Jeffrey I. Schiller" <jis@MIT.EDU>
Organization: Massachusetts Institute of Technology
X-Mailer: Mozilla 3.0 (X11; U; IRIX 5.2 IP22)
MIME-Version: 1.0
To: ipsec@tis.com
Subject: Documents Approved at last IESG Telechat
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
>From the IESG (as yet unpublished) minutes. This is an *unofficial*
announcement:
o The IESG approved publication of HMAC-MD5 IP Authentication with
Replay Prevention <draft-ietf-ipsec-ah-hmac-md5-04.txt> as a
Proposed Standard. Steve to send announcement.
o The IESG approved publication of HMAC-SHA IP Authentication with
Replay Prevention <draft-ietf-ipsec-ah-hmac-sha-04.txt> as a
Proposed Standard. Steve to send announcement.
o The IESG approved the reclassification of RFC1828, IP
Authentication using Keyed MD5, from Proposed Standard to Historic
status.
o The IESG approved publication of HMAC: Keyed-Hashing for Message
Authentication <draft-ietf-ipsec-hmac-md5-01.txt> as an
Informational RFC. Steve to send announcement.
-Jeff
From owner-ipsec Tue Nov 26 07:24:44 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id HAA12729 for ipsec-outgoing; Tue, 26 Nov 1996 07:18:40 -0500 (EST)
Date: Mon, 25 Nov 96 18:59:16 EST
From: "Whelan, Bill" <bwhelan@nei.com>
Message-Id: <9610258489.AA848977264@netx.nei.com>
To: ipsec@tis.com
Subject: AH (without ESP) on a secure gateway
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Last month there was a question regarding ESP and AH on a secure
gateway as in the following model.
secure (untrusted) secure
hostA gatewayA---------------------------gatewayB hostB
| | | |
---------- -----------
(trusted subnet) (trusted subnet)
My question is whether AH on a secure gateway even makes sense at all
if ESP is not being performed.
Consider hostA sending a packet to hostB. If gatewayA places an AH on
the packet, it would appear as if it was authenticated by hostA, not a
good idea in my mind.
How do other secure gateway implementations handle this situation?
Bill Whelan
From owner-ipsec Tue Nov 26 10:23:32 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA13855 for ipsec-outgoing; Tue, 26 Nov 1996 10:21:01 -0500 (EST)
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce:;;;;@tis.com@tis.com;;;
cc: ipsec@tis.com
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-ipsec-isakmp-06.txt, .ps
Date: Tue, 26 Nov 1996 09:19:21 -0500
Message-ID: <9611260919.aa19100@ietf.org>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
--NextPart
A Revised Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the IP Security Protocol Working
Group of the IETF.
Title : Internet Security Association and Key Management
Protocol (ISAKMP)
Author(s) : D. Maughan, M. Schertler, M. Schneider, J. Turner
Filename : draft-ietf-ipsec-isakmp-06.txt, .ps
Pages : 78
Date : 11/25/1996
This memo describes a protocol utilizing security concepts necessary for
establishing Security Associations (SA) and cryptographic keys in an
Internet environment. A Security Association protocol that negotiates,
establishes, modifies and deletes Security Associations and their
attributes is required for an evolving Internet, where there will be
numerous security mechanisms and several options for each security
mechanism. The key management protocol must be robust in order to handle
public key generation for the Internet community at large and private key
requirements for those private networks with that requirement.
The Internet Security Association and Key Management Protocol (ISAKMP)
defines the procedures for authenticating a communicating peer, creation and
management of Security Associations, key generation techniques, and threat
mitigation (e.g. denial of service and replay attacks). All of these are
necessary to establish and maintain secure communications (via IP Security
Service or any other security protocol) in an Internet environment.
Internet-Drafts are available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-ietf-ipsec-isakmp-06.txt".
Or
"get draft-ietf-ipsec-isakmp-06.ps".
A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-ietf-ipsec-isakmp-06.txt
Internet-Drafts directories are located at:
o Africa: ftp.is.co.za
o Europe: nic.nordu.net
ftp.nis.garr.it
o Pacific Rim: munnari.oz.au
o US East Coast: ds.internic.net
o US West Coast: ftp.isi.edu
Internet-Drafts are also available by mail.
Send a message to: mailserv@ds.internic.net. In the body type:
"FILE /internet-drafts/draft-ietf-ipsec-isakmp-06.txt".
Or
"FILE /internet-drafts/draft-ietf-ipsec-isakmp-06.ps".
NOTE: The mail server at ds.internic.net can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e., documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version
of the Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"
--OtherAccess
Content-Type: Message/External-body;
access-type="mail-server";
server="mailserv@ds.internic.net"
Content-Type: text/plain
Content-ID: <19961125101043.I-D@ietf.org>
ENCODING mime
FILE /internet-drafts/draft-ietf-ipsec-isakmp-06.txt
--OtherAccess
Content-Type: Message/External-body;
name="draft-ietf-ipsec-isakmp-06.txt";
site="ds.internic.net";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <19961125101043.I-D@ietf.org>
--OtherAccess--
--NextPart--
From owner-ipsec Tue Nov 26 10:28:38 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA13886 for ipsec-outgoing; Tue, 26 Nov 1996 10:28:30 -0500 (EST)
Message-Id: <199611261528.KAA13886@portal.ex.tis.com>
From: Greg Carter <carterg@entrust.com>
To: "'ipsec@tis.com'" <ipsec@tis.com>
Cc: "'isakmp-oakley@cisco.com'" <isakmp-oakley@cisco.com>
Subject: PF_KEY
Date: Tue, 26 Nov 1996 10:12:49 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Hi All,
Can anyone give me an idea of the exceptance of PF_KEY and the
platforms it is/will be supported on.
Thanks.
----
Greg Carter
Nortel Secure Networks - Entrust
carterg@entrust.com
From owner-ipsec Tue Nov 26 11:11:22 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA14141 for ipsec-outgoing; Tue, 26 Nov 1996 11:11:02 -0500 (EST)
Message-Id: <199611261611.LAA14141@portal.ex.tis.com>
From: Greg Carter <carterg@entrust.com>
To: "'ipsec@tis.com'" <ipsec@tis.com>
Cc: "'isakmp-oakley@cisco.com'" <isakmp-oakley@cisco.com>
Subject: sorry, spelling...
Date: Tue, 26 Nov 1996 11:01:09 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Obviously I can't spell and I should really reread before I hit send, I
meant "acceptance" of PF_KEY.
Bye.
----
Greg Carter
Nortel Secure Networks - Entrust
carterg@entrust.com
From owner-ipsec Tue Nov 26 11:20:13 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA14229 for ipsec-outgoing; Tue, 26 Nov 1996 11:20:09 -0500 (EST)
Message-Id: <96Nov26.112218est.30786-1@janus.border.com>
To: ipsec@tis.com
Subject: Re: I-D ACTION:draft-ipsec-ipsec-doi-01.txt
References: <9611200956.aa14139@ietf.org>
In-reply-to: Internet-Drafts's message of "Wed, 20 Nov 1996 09:56:50 -0500".
<9611200956.aa14139@ietf.org>
From: "C. Harald Koch" <chk@border.com>
Organization: Secure Computing Canada Ltd.
Phone: +1 416 368 7157
X-uri: <URL:http://www.eng.border.com/homes/chk/>
X-Face: )@F:jK?*}hv!eJ}*r*0DD"k8x1.d#i>7`ETe2;hSD2T!:Fh#wu`0pW7lO|Dfe'AbyNy[\Pw
z'.bAtgTM!+iq2$yXiv4gf<:D*rZ-|f$\YQi7"D"=CG!JB?[^_7v>8Mm;z:NJ7pss)l__Cw+.>xUJ)
did@Pr9
Date: Tue, 26 Nov 1996 11:22:20 -0500
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Some quibbles regarding the IPsec DOI definitions, that I just tripped over
while trying to define a text-based SA exchange format. Basically, if we're
going to a) name and b) number protocol entities, we need to ensure that the
list is both intelligible and complete.
4.4.3 IPSEC AH Transform Values
Transform Value
--------- -----
RESERVED 0
AH_1828 1
AH_HMAC_MD5_REPLAY 2
AH_MHAC_SHA_REPLAY 3
I object to the use of RFC numbers in the name of the transform; it's
either meaningless or obscure, depending on who you ask. AH_MD5 would be
better than AH_1828.
The "AH_HMAC_MD5" transform is missing from the list. While this transform
never became an RFC, it is in use by several vendors, and so needs an
identifier for proper interoperability. (Yes, it's a proper subset of
AH_HMAC_MD5_REPLAY, But to support historical implementations, I think it
needs to be kept separate. I'm willing to negotiate on this one :-)
4.4.4 IPSEC ESP Transform Identifiers
Transform ID Value
------------ -----
RESERVED 0
ESP_1829_TRANSPORT 1
ESP_1829_TUNNEL 2
ESP_DES_CBC_HMAC_REPLAY 3
Again, I object to the use of RFC numbers in the name; IMHO, these should be
"ESP_DES_CBC_TRANSPORT" and "ESP_DES_CBC_TUNNEL". (And I though the
"transport" v.s. "tunnel" distinction was an RFC 1827 thing; if so,
shouldn't we be consistent here?)
ESP_3DES_CBC is missing (RFC 1851). Again, there are vendors using this
already; an ID and number are required for interoperability.
</soapbox> :-)
--
C. Harald Koch | Senior System Developer, Secure Computing Canada Ltd.
chk@border.com | 20 Toronto Street, Suite 400, Toronto ON M5C 2B8
+1 416 368 7157 (voice) | "Madness takes its toll. Please have exact change."
+1 416 368 7789 (fax) | -Karen Murphy <karenm@descartes.com>
From owner-ipsec Tue Nov 26 12:56:36 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id MAA14512 for ipsec-outgoing; Tue, 26 Nov 1996 12:54:00 -0500 (EST)
Date: Tue, 26 Nov 1996 11:24:51 -0600 (CST)
From: Tom Markham <markham@sctc.com>
Message-Id: <199611261724.LAA29519@jasmin.sctc.com>
To: bwhelan@nei.com
CC: ipsec@tis.com
Subject: RE: AH (without ESP) on a secure gateway
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Bill
BW> Last month there was a question regarding ESP and AH on a secure
gateway as in the following model.
secure (untrusted) secure
hostA gatewayA---------------------------gatewayB hostB
| | | |
---------- -----------
(trusted subnet) (trusted subnet)
BW> My question is whether AH on a secure gateway even makes sense at all
if ESP is not being performed.
Consider the case where one gateway is in a country like France which
does not allow encryption. An organization could still use AH to
authenticate that the source of the packets was another secure gateway
belonging to the organization.
BW> Consider hostA sending a packet to hostB. If gatewayA places an AH on
the packet, it would appear as if it was authenticated by hostA, not a
good idea in my mind.
The receiving gateway/host knows (should know) that the AH keying material
is held by Gateway A and not Host A. If the receiving gateway/host
does not know which devices it shares keying material with, you have a
key management problem.
Tom Markham
From owner-ipsec Tue Nov 26 13:01:17 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA14528 for ipsec-outgoing; Tue, 26 Nov 1996 13:01:00 -0500 (EST)
Message-Id: <3.0.32.19961126100305.00987ae0@earthlink.net>
X-Sender: rmonsour@earthlink.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 26 Nov 1996 10:03:12 -0800
To: Santeri Paavolainen <santtu@cs.hut.fi>
From: Bob Monsour <rmonsour@earthlink.net>
Subject: Re: Decoupling compression and security
Cc: ipsec@tis.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
At 10:34 AM 11/25/96 +0200, Santeri Paavolainen wrote:
...
>If the compression was another IPSEC transformation there would be no
>need for such a "bit" in the actual _security_ transformation
>data. Have everybody forgotten that applying transformations on a
>packet is still optional? If I want an option of not applying a packet
>compression transformation I can just not apply it -- no need for any
>information bits in the packet. As an example,
>
>there is two transformations defined, COMP for compression and CRYPT
>for some crypto. If I get a acceptable compression ratio for a packet,
>I leave the compression transformation on and pass the packet to the
>rest of the transformation chain, finally giving a packet like
>
> CRYPT(COMP(packet))
>
>OTOH, if the compression ratio is unacceptable, just leave the
>compression layer off:
>
> CRYPT(packet)
>
>Because the receiver sees only SPIs of the various layers, it will
>first decrypt and either get a regular (not compressed) packet, or a
>compressed packet which will then have to be uncompressed to gain the
>final packet.
>
>Of course, this would mean there is overhead of SPI vs. "bit", but I
>think the generality is a clear plus. What if you later find out the
>cryptographic transformation you have embedded the compression layer
>is not secure? Also, there is no clear way how to interoperate between
>different transformations which have the same compression engine (you
>must remember that each transformation should be self-contained from
>the coding point of view).
...
This is more than just an issue of the overhead of an SPI vs. a "bit". Let
me explain by way of example. Let's say that a security association has
been set up for traffic traveling from a sender to a receiver. Thus the SPI
for traffic in that direction is specified. Let's also say that the SPI
specifies the use of a particular set of compression, encryption and
authentication algorithms. Then, let's say that the sender wants to send a
datagram to the receiver. Suppose the data expands. The sender would then
want to send the original uncompressed form of the data. Under our
proposal, all the sender would have to do is to change a bit at the start
of the payload. Under what you propose, the SPI is no longer valid since
the reciever will erroneously attempt to decompress raw data. Your method
would thus require that a new SPI be used which would likely require some
renegotiation between the sender and receiver as to which algorithms and
modes are to be used for the connection.
Bob Monsour
rmonsour@earthlink.net
From owner-ipsec Tue Nov 26 14:29:18 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA14778 for ipsec-outgoing; Tue, 26 Nov 1996 14:28:06 -0500 (EST)
Message-Id: <199611261929.OAA01715@thunk.orchard.medford.ma.us>
X-Authentication-Warning: thunk.orchard.medford.ma.us: sommerfeld owned process doing -bs
To: "Whelan, Bill" <bwhelan@nei.com>
Cc: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-Reply-To: bwhelan's message of Mon, 25 Nov 1996 18:59:16 -0500.
<9610258489.AA848977264@netx.nei.com>
Date: Tue, 26 Nov 1996 14:28:31 -0500
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> My question is whether AH on a secure gateway even makes sense at all
> if ESP is not being performed.
>
> Consider hostA sending a packet to hostB. If gatewayA places an AH on
> the packet, it would appear as if it was authenticated by hostA, not a
> good idea in my mind.
If a router places an AH on the packet, it must do so using an
outbound SPI to some other host/router.
The corresponding inbound SPI on that host should specify that the
sender is a gateway, not a host.
The "policy engines" on each end need to be sophisticated enough to
deal with things like this. In particular, if ip-address based access
controls are in use, then the policy engine should probably do
consistency checks between the SPI and the source address..
- Bill
From owner-ipsec Tue Nov 26 15:27:52 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA15076 for ipsec-outgoing; Tue, 26 Nov 1996 15:27:03 -0500 (EST)
To: IETF-Announce:;;;;@tis.com@tis.com;;;
Cc: RFC Editor <rfc-editor@isi.edu>
Cc: Internet Architecture Board <iab@isi.edu>
Cc: ipsec@tis.com
From: The IESG <iesg-secretary@ietf.org>
Subject: Protocol Action: HMAC-MD5 IP Authentication with Replay Prevention
to Proposed Standard
Date: Tue, 26 Nov 1996 13:09:54 -0500
Message-ID: <9611261309.aa11679@ietf.org>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
The IESG has approved the Internet-Drafts
1. HMAC-MD5 IP Authentication with Replay Prevention
<draft-ietf-ipsec-ah-hmac-md5-04.txt> and
2. HMAC-SHA IP Authentication with Replay Prevention
<draft-ietf-ipsec-ah-hmac-sha-04.txt>
as Proposed Standards.
The IESG also approved the reclassification of RFC1828, IP
Authentication using Keyed MD5, from Proposed Standard to Historic.
These documents are the product of the IP Security Protocol Working
Group. The IESG contact person is Jeffrey Schiller.
Technical Summary
These documents describe two similar Keyed Hashes (one based on MD5
and the other based on SHA) for use in IP Security's Authentication
Header (both IPv4 and IPv6). Hashes such as MD5 and SHA were
designed to be used as "keyless" hashes which can be used in digital
signature systems such as the RSA system and the U.S. Digital
Signature Standard (DSS).
An obvious approach to using them as "keyed" hashes has involved
either prepending the data to be hashed with a secret value (key) or
appending the secret value after the data to be hashed (or both).
However recently significant analysis work has been carried out by
cryptographers as to security of keyed modes of these hashes.
The keyed hash mechanism described in these documents benefits from
this analytical experience and is therefore believed to be much
stronger than the simplistic approaches taken to date in the
Internet community (both in AH and SNMP).
Working Group Summary
These documents are the work product of the IP Security Working
Group. The group has come to consensus that these hashes are good
approaches to the keyed hash function required by the Authentication
Header.
Protocol Quality
This protocol has been reviewed by Jeffrey I. Schiller, Security
Area Director.
From owner-ipsec Tue Nov 26 16:35:03 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA15139 for ipsec-outgoing; Tue, 26 Nov 1996 16:31:38 -0500 (EST)
Message-Id: <9611262133.AA20640@hpcc103.corp.hp.com>
To: Tom Markham <markham@sctc.com>
Cc: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-Reply-To: Your message of Tue, 26 Nov 1996 11:24:51 -0600.
<199611261724.LAA29519@jasmin.sctc.com>
Date: Tue, 26 Nov 1996 13:33:49 -0800
From: "\"\"Yan-Fa LI <yanfali@corp.hp.com>\"\"" <yanfali@hpcc103.corp.hp.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Hi Bill and Tom,
>
> Bill
>
> BW> Last month there was a question regarding ESP and AH on a secure
> gateway as in the following model.
>
>
> secure (untrusted) secure
> hostA gatewayA---------------------------gatewayB hostB
> | | | |
> ---------- -----------
> (trusted subnet) (trusted subnet)
>
>
> BW> My question is whether AH on a secure gateway even makes sense at all
> if ESP is not being performed.
>
>
> Consider the case where one gateway is in a country like France which
> does not allow encryption. An organization could still use AH to
> authenticate that the source of the packets was another secure gateway
> belonging to the organization.
This is exactly what I would like AH only support for. It would give us
the extra capabilities of Anti-Spoofing and Integrity checking which
would be a big win over today's infrastructure. There are some instances
where privacy is not a big deal, or where export/import usage
restrictions forbid the use of strong cryptography.
>
> BW> Consider hostA sending a packet to hostB. If gatewayA places an AH on
> the packet, it would appear as if it was authenticated by hostA, not a
> good idea in my mind.
>
> The receiving gateway/host knows (should know) that the AH keying material
> is held by Gateway A and not Host A. If the receiving gateway/host
> does not know which devices it shares keying material with, you have a
> key management problem.
>
> Tom Markham
I don't believe this is the case in some of the gateway products which
are available today. Some of the gateway products transparently proxy
for hosts in the trusted network. This is the fundamental weak spot in
gateway solutions. They assume:
- your trusted network is secure
- you do not have users spoofing the addresses of other users
within the trusted network.
The strength of this approach is you can support legacy devices without
making any changes to them. Gateways are a compromise between security
and medium-term implementation realities.
Does anyone know if there are specific set up messages in the
ISAKMP-OAKLEY protocol to identify which architectural case a pair of
communicating peers is in ? i.e. Host-to-Host, Host-to-Gateway, and
Gateway-to-Gateway.
For example, if one knew the conversation was between two gateways, one
could accept the risks of this architectural model and just negotiate a
pair of SAs for the communication with all traffic between the networks
being multiplexed over a single TCP/IP connection. Much more efficient
for the gateways. However if we do this are we making it easier for
an attacker to perform cryptanalysis on our connection ?
If you implement the reverse situation, where a new SA pair is negotiated
for every IP pair that attempts communication between the networks,
this could quickly bog down the gateways while they authenticate
public keys exchanges, context switch between secret session keys and
encrypt and decrypt packets.
One could argue that this will happen anyway in the Host-to-Gateway
scenario, and one needs to engineer for this case, so why not make
it the general one ? Right now, with gateway solutions, I think
that Host-to-Host is how they operated. I would interested in
finding out if there is a way to identify which model is in use.
Also, if I have made any gross conceptual mistakes in this text,
I would appreciate being helped to understand why. Thanks for your
time.
Sincerely,
Yan
___________________________________________________________________
My views do not necessarily represent those of the Hewlett Packard
Company and should be taken with a large dose of salt or whatever
passes for sodium in your neck of the woods/universe/continuum/etc...
___________________________________________________________________
From owner-ipsec Tue Nov 26 16:53:00 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA15168 for ipsec-outgoing; Tue, 26 Nov 1996 16:51:34 -0500 (EST)
Date: Tue, 26 Nov 96 13:44:00 PST
From: John H Wilson <John_H_Wilson@ccm.jf.intel.com>
Message-ID: <Tue, 26 Nov 96 13:53:21 PST_2@ccm.hf.intel.com>
To: ipsec@tis.com
Subject: ipsec implementations
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
I would like to get an idea of what Win95 or NT implementations of IPSEC
are either planned or are available already.....
......Company, availability date, content, API,
If any implementers would be willing to provide this type of
information, I'd apreciate it.
john_h_wilson@ccm.jf.intel.com
From owner-ipsec Tue Nov 26 17:29:50 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id RAA15215 for ipsec-outgoing; Tue, 26 Nov 1996 17:28:04 -0500 (EST)
Date: Tue, 26 Nov 1996 17:30:19 -0500 (EST)
Message-Id: <199611262230.RAA27739@carp.morningstar.com>
From: Ben Rogers <ben@morningstar.com>
To: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Cc: "Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-Reply-To: <199611261929.OAA01715@thunk.orchard.medford.ma.us>
References: <9610258489.AA848977264@netx.nei.com>
<199611261929.OAA01715@thunk.orchard.medford.ma.us>
Reply-To: ben@ascend.com (Ben Rogers)
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Bill Sommerfeld writes:
> > My question is whether AH on a secure gateway even makes sense at all
> > if ESP is not being performed.
> >
> > Consider hostA sending a packet to hostB. If gatewayA places an AH on
> > the packet, it would appear as if it was authenticated by hostA, not a
> > good idea in my mind.
>
It seems to me that gatewayA should never try to place an AH, nor do an
ESP encapsulation on the packet using transport mode (assuming that
gatewayA did not originate the packet). A gateway that put IPSEC
headers on packets in transport mode would not only cause confusing
problems like this, but would have severe problems dealing with
fragmented packets.
> The "policy engines" on each end need to be sophisticated enough to
> deal with things like this. In particular, if ip-address based access
> controls are in use, then the policy engine should probably do
> consistency checks between the SPI and the source address..
Why? I believe the RFC states that the Security Association(SA) is
chosen using only the destination address and the SPI. It doesn't seem
to be illegal for several hosts to send us packets using the same
Security Association (SPI).
It makes sense to only check the headers on packets that are destined
for the local machine. Otherwise, we would be intercepting (and
probably modifying) packets not destined to that machine, and violating
many of the ideas that make IP work. Thus, I don't see any reason that
a gateway could use transport mode to tack on an AH to a packet from
hostA to hostB.
To address the original question, using the following scenario:
> secure (untrusted) secure
> hostA gatewayA---------------------------gatewayB hostB
> | | | |
> ---------- -----------
> (trusted subnet) (trusted subnet)
the packets should look like (on the untrusted segment)
hostA -> hostB :
IP_HEADER(gateA->gateB)
AH(gateA->gateB)
IP_HEADER(hostA->gateB)
AH(hostA->gateB)
IP_HEADER(hostA->hostB)
PACKET
hostA -> gateB :
IP_HEADER(gateA->gateB)
AH(gateA->gateB)
IP_HEADER(hostA->gateB)
AH(hostA->gateB)
PACKET
or
IP_HEADER(gateA->gateB)
AH(gateA->gateB)
IP_HEADER(hostA->gateB)
AH(hostA->gateB)
IP_HEADER(hostA->gateB)
PACKET
gateA -> gateB :
IP_HEADER(gateA->gateB)
AH(gateA->gateB)
PACKET
or
IP_HEADER(gateA->gateB)
AH(gateA->gateB)
IP_HEADER(gateA->gateB)
PACKET
gateA -> hostB
IP_HEADER(gateA->gateB)
AH(gateA->gateB)
IP_HEADER(gateA->hostB)
PACKET
to avoid any ambiguity. Note that this never allows AH, AH and assumes
that no machine will attempt to de-encapsulate a packet whose
destination address is not assigned to that machine. As a result, none
of the machines ever has to make any complicated policy decisions (on
whether to look at the AH, or how to handle the assignment of SPI's). I
feel that this is the best way to handle all such multiple
encapsulations.
ben
From owner-ipsec Tue Nov 26 18:02:29 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA15279 for ipsec-outgoing; Tue, 26 Nov 1996 18:00:36 -0500 (EST)
Message-Id: <199611262302.SAA01876@thunk.orchard.medford.ma.us>
X-Authentication-Warning: thunk.orchard.medford.ma.us: sommerfeld owned process doing -bs
To: ben@ascend.com (Ben Rogers)
Cc: "Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-Reply-To: ben's message of Tue, 26 Nov 1996 17:30:19 -0500.
<199611262230.RAA27739@carp.morningstar.com>
Date: Tue, 26 Nov 1996 18:02:47 -0500
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> > The "policy engines" on each end need to be sophisticated enough to
> > deal with things like this. In particular, if ip-address based access
> > controls are in use, then the policy engine should probably do
> > consistency checks between the SPI and the source address..
>
> Why? I believe the RFC states that the Security Association(SA) is
> chosen using only the destination address and the SPI. It doesn't seem
> to be illegal for several hosts to send us packets using the same
> Security Association (SPI).
All things which aren't illegal aren't necessarily also good ideas.
> It makes sense to only check the headers on packets that are destined
> for the local machine. Otherwise, we would be intercepting (and
> probably modifying) packets not destined to that machine, and violating
> many of the ideas that make IP work. Thus, I don't see any reason that
> a gateway could use transport mode to tack on an AH to a packet from
> hostA to hostB.
Let's consider the case where you're attempting to add AH/ESP
protection to an existing network which *currently uses IP-address
based access controls*. Naturally, you don't want to create security
holes while doing this.
Let's assume you have a network of cooperating but mutually suspicious
organizations, like the auto industry net which Bob Moskowitz is
building.
For simplicity, let's assume orgs A, B, and C, connected in a "full
mesh" of leased lines (A-B, A-C, and B-C). Assume filtering routers
on each leased line, so that C can't impersonate B when communicating
with A. We now want to migrate to IPSEC without causing a flag day.
Let's start by replacing the leased line between C and A with a tunnel
over an untrusted network protected with AH or ESP.
What stops C from tunnelling a packet to A with a source address on
B's network? You need a policy check that the packet emerging from
the tunnel is from a source address which is allowed to use that
particular tunnel..
For a particularly extreme example, assume that A and B are divisions
of the same company, and that C is a division of a different company
which is simultaneously a supplier and a competitor of the first
company.
- Bill
From owner-ipsec Tue Nov 26 18:19:11 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA15305 for ipsec-outgoing; Tue, 26 Nov 1996 18:19:05 -0500 (EST)
Date: Tue, 26 Nov 1996 18:19:34 -0500 (EST)
Message-Id: <199611262319.SAA27893@carp.morningstar.com>
From: Ben Rogers <ben@morningstar.com>
To: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Cc: ben@ascend.com (Ben Rogers), "Whelan, Bill" <bwhelan@nei.com>,
ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-Reply-To: <199611262302.SAA01876@thunk.orchard.medford.ma.us>
References: <199611262230.RAA27739@carp.morningstar.com>
<199611262302.SAA01876@thunk.orchard.medford.ma.us>
Reply-To: ben@ascend.com (Ben Rogers)
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Bill Sommerfeld writes:
> > Why? I believe the RFC states that the Security Association(SA) is
> > chosen using only the destination address and the SPI. It doesn't seem
> > to be illegal for several hosts to send us packets using the same
> > Security Association (SPI).
>
> All things which aren't illegal aren't necessarily also good ideas.
Well... It seems to me that it might be a good idea to allow IPSEC to
be used over multicast packets. Then, your destination address (that of
the multicast group) would be constant, but there would be many source
addresses. You would need to use an AH, but that should be sufficient
to verify the sender. I don't see what security a check on source
address of authenticated packets adds. Of course this all changes if
you are talking about the packet after it has been extracted from the
tunnel.
> Let's consider the case where you're attempting to add AH/ESP
> protection to an existing network which *currently uses IP-address
> based access controls*. Naturally, you don't want to create security
> holes while doing this.
>
> Let's assume you have a network of cooperating but mutually suspicious
> organizations, like the auto industry net which Bob Moskowitz is
> building.
>
> For simplicity, let's assume orgs A, B, and C, connected in a "full
> mesh" of leased lines (A-B, A-C, and B-C). Assume filtering routers
> on each leased line, so that C can't impersonate B when communicating
> with A. We now want to migrate to IPSEC without causing a flag day.
>
> Let's start by replacing the leased line between C and A with a tunnel
> over an untrusted network protected with AH or ESP.
>
> What stops C from tunnelling a packet to A with a source address on
> B's network? You need a policy check that the packet emerging from
> the tunnel is from a source address which is allowed to use that
> particular tunnel..
Unfortunately, I misinterpreted this the first time it came around.
I'll diagram several "packets" to illustrate :
original packet :
IP_HEADER(gateC->gateA)
AH(gateC->gateA)
IP_HEADER(hostB->hostA)
PACKET
de-encapsulated packet :
IP_HEADER(hostB->hostA)
PACKET
There are no checks that we want to do on the original packet. I was
assuming that you wanted to check the source address on the original
packet, which is made immaterial by checking the AH. The policy
decision you are talking about is on the source address of the
de-encapsulated packet, which I agree is necessary.
In most cases it wouldn't be necessary because you share the tunnel with
a *trusted* gateway. But in this case, there is certainly need for
additional machinery to do the policy work.
ben
From owner-ipsec Tue Nov 26 18:28:40 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA15319 for ipsec-outgoing; Tue, 26 Nov 1996 18:28:36 -0500 (EST)
Date: Tue, 26 Nov 1996 15:29:12 -0800
Message-Id: <199611262329.PAA21941@spud.ascend.com>
From: Karl Fox <karl@ascend.com>
To: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Cc: ben@ascend.com (Ben Rogers), "Whelan, Bill" <bwhelan@nei.com>,
ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-Reply-To: <199611262302.SAA01876@thunk.orchard.medford.ma.us>
References: <199611262230.RAA27739@carp.morningstar.com>
<199611262302.SAA01876@thunk.orchard.medford.ma.us>
Reply-To: Karl Fox <karl@ascend.com>
Organization: Ascend Communications
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Bill Sommerfeld writes:
> For simplicity, let's assume orgs A, B, and C, connected in a "full
> mesh" of leased lines (A-B, A-C, and B-C). Assume filtering routers
> on each leased line, so that C can't impersonate B when communicating
> with A. We now want to migrate to IPSEC without causing a flag day.
>
> Let's start by replacing the leased line between C and A with a tunnel
> over an untrusted network protected with AH or ESP.
>
> What stops C from tunnelling a packet to A with a source address on
> B's network? You need a policy check that the packet emerging from
> the tunnel is from a source address which is allowed to use that
> particular tunnel..
Yes, that's indeed what we do. Any encrypting gateway that didn't
would have a huge hole in it. I assume we're not alone in
anticipating this.
--
Karl Fox, servant of God, employee of Ascend Communications
3518 Riverside Drive, Suite 101, Columbus, Ohio 43221 +1 614 326 6841
From owner-ipsec Tue Nov 26 19:11:04 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA15395 for ipsec-outgoing; Tue, 26 Nov 1996 19:10:35 -0500 (EST)
Message-Id: <96Nov26.191251est.30786-1@janus.border.com>
To: ben@ascend.com (Ben Rogers)
cc: Bill Sommerfeld <sommerfeld@apollo.hp.com>,
"Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
References: <9610258489.AA848977264@netx.nei.com> <199611261929.OAA01715@thunk.orchard.medford.ma.us>
<199611262230.RAA27739@carp.morningstar.com>
In-reply-to: ben's message of "Tue, 26 Nov 1996 17:30:19 -0500".
<199611262230.RAA27739@carp.morningstar.com>
From: "C. Harald Koch" <chk@border.com>
Organization: Secure Computing Canada Ltd.
Phone: +1 416 368 7157
X-uri: <URL:http://www.eng.border.com/homes/chk/>
X-Face: )@F:jK?*}hv!eJ}*r*0DD"k8x1.d#i>7`ETe2;hSD2T!:Fh#wu`0pW7lO|Dfe'AbyNy[\Pw
z'.bAtgTM!+iq2$yXiv4gf<:D*rZ-|f$\YQi7"D"=CG!JB?[^_7v>8Mm;z:NJ7pss)l__Cw+.>xUJ)
did@Pr9
Date: Tue, 26 Nov 1996 19:12:50 -0500
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
In message <199611262230.RAA27739@carp.morningstar.com>, Ben Rogers writes:
>
> It seems to me that gatewayA should never try to place an AH, nor do an
> ESP encapsulation on the packet using transport mode (assuming that
> gatewayA did not originate the packet). A gateway that put IPSEC
> headers on packets in transport mode would not only cause confusing
> problems like this, but would have severe problems dealing with
> fragmented packets.
and
> It makes sense to only check the headers on packets that are destined
> for the local machine. Otherwise, we would be intercepting (and
> probably modifying) packets not destined to that machine, and violating
> many of the ideas that make IP work. Thus, I don't see any reason that
> a gateway could use transport mode to tack on an AH to a packet from
> hostA to hostB.
I disagree. The counter example: firewalls (or John Gilmore's "cryptowalls").
I see an incredible advantage for firewalls to add IPsec information to
packets, acting as proxies for the machines they're protecting. Keeps all
your Security Association information in one place, where it can be easily
configured and monitored.
People aren't going to start ripping out their firewalls just because they
have IPsec support on their hosts; firewalls allow much more security
control than IPsec does. (Analogy: you don't unlock the front door just
because everyone can lock their own filing cabinets).
You also write:
> Why? I believe the RFC states that the Security Association(SA) is
> chosen using only the destination address and the SPI. It doesn't seem
> to be illegal for several hosts to send us packets using the same
> Security Association (SPI).
A security association is *indexed* by destination address and SPI. However,
It can include information about the source, including strong authentication
checks, and instructions to reject packets from an invalid IP address. It's
not illegal for several hosts to using the same SPI, but it's also not
secure (it would allow all hosts with the same keying information to spoof
each other, for example).
I think it's much more likely that a host would enforce the use of different
SPIs (and different keys) for each different source host.
--
C. Harald Koch | Senior System Developer, Secure Computing Canada Ltd.
chk@border.com | 20 Toronto Street, Suite 400, Toronto ON M5C 2B8
+1 416 368 7157 (voice) | "Madness takes its toll. Please have exact change."
+1 416 368 7789 (fax) | -Karen Murphy <karenm@descartes.com>
From owner-ipsec Tue Nov 26 20:45:13 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id UAA15500 for ipsec-outgoing; Tue, 26 Nov 1996 20:43:37 -0500 (EST)
Message-Id: <199611270145.UAA06847@amaterasu.sandelman.ottawa.on.ca>
To: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-reply-to: Your message of "Tue, 26 Nov 1996 18:02:47 EST."
<199611262302.SAA01876@thunk.orchard.medford.ma.us>
Date: Tue, 26 Nov 1996 20:44:51 -0500
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
>>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes:
Bill> Let's consider the case where you're attempting to add
Bill> AH/ESP protection to an existing network which *currently
Bill> uses IP-address based access controls*. Naturally, you
Bill> don't want to create security holes while doing this.
Bill> Let's assume you have a network of cooperating but mutually
Bill> suspicious organizations, like the auto industry net which
Bill> Bob Moskowitz is building.
Let's not forget that Bob's problem is more complicated that you
actually describe :-) [Bob said he was going to write a requirements
document up in June. Did anyone see this from him?]
But it is a good problem.
Bill> What stops C from tunnelling a packet to A with a source
Bill> address on B's network? You need a policy check that the
Bill> packet emerging from the tunnel is from a source address
Bill> which is allowed to use that particular tunnel..
The way I like to do this is to consider all tunnels to be virtual
interfaces. You can make add routes, etc.. Alas, I still haven't had a
chance to investigate how close that aspect (the "route add -net x.y
tunnel q.r") of the NRL code is to this assumption.
IP spoof checks (which you say are already in place) can handle this
case without a problem.
Good IP spoof checks are essentially:
1. if1 = calculate route to take to reach ip->ip_src if
we had to reply.
2. if interface we received ip on == if1, then okay,
otherwise it is a spoof.
These checks would have to be done anyway for the leased line case
for your assumption (C can not impersonate A to B) to be true.
:!mcr!: | Network security consulting and
Michael Richardson | contract programming
WWW: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.
From owner-ipsec Tue Nov 26 20:46:39 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id UAA15516 for ipsec-outgoing; Tue, 26 Nov 1996 20:46:36 -0500 (EST)
Message-Id: <199611270148.UAA07307@amaterasu.sandelman.ottawa.on.ca>
To: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-reply-to: Your message of "Tue, 26 Nov 1996 18:02:47 EST."
<199611262302.SAA01876@thunk.orchard.medford.ma.us>
Date: Tue, 26 Nov 1996 20:48:27 -0500
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes:
Bill> Let's consider the case where you're attempting to add
Bill> AH/ESP protection to an existing network which *currently
Bill> uses IP-address based access controls*. Naturally, you
Bill> don't want to create security holes while doing this.
Bill> Let's assume you have a network of cooperating but mutually
Bill> suspicious organizations, like the auto industry net which
Bill> Bob Moskowitz is building.
Let's not forget that Bob's problem is more complicated that you
actually describe :-) [Bob said he was going to write a requirements
document up in June. Did anyone see this from him?]
But it is a good problem.
Bill> What stops C from tunnelling a packet to A with a source
Bill> address on B's network? You need a policy check that the
Bill> packet emerging from the tunnel is from a source address
Bill> which is allowed to use that particular tunnel..
The way I like to do this is to consider all tunnels to be virtual
interfaces. You can make add routes, etc.. Alas, I still haven't had a
chance to investigate how close that aspect (the "route add -net x.y
tunnel q.r") of the NRL code is to this assumption.
IP spoof checks (which you say are already in place) can handle this
case without a problem.
Good IP spoof checks are essentially:
1. if1 = calculate route to take to reach ip->ip_src if
we had to reply.
2. if interface we received ip on == if1, then okay,
otherwise it is a spoof.
These checks would have to be done anyway for the leased line case
for your assumption (C can not impersonate A to B) to be true.
:!mcr!: | Network security consulting and
Michael Richardson | contract programming
WWW: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
iQBVAwUBMpudONTTll4efmtZAQHP2wIAlMI3CxpmJQAJJjGO6L7M3HhsLgudhr3L
i8x4jUusxwi52NOKYvOlANCxknTLrLtxuV6N58UFFBl29v7Z9btUCQ==
=bQB3
-----END PGP SIGNATURE-----
From owner-ipsec Tue Nov 26 21:35:52 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id VAA15576 for ipsec-outgoing; Tue, 26 Nov 1996 21:35:20 -0500 (EST)
Message-Id: <9611270235.AA11031@sol.hq.tis.com>
To: cat-ietf@MIT.EDU, e-payment@bellcore.com, firewalls@greatcircle.com,
ids@uow.edu.au, ietf-otp@bellcore.com, ietf-pkix@tandem.com,
ietf-tls@w3.org, ietf@cnri.reston.va.us, ipsec@ans.net,
pem-dev@tis.com, psrg@isi.edu, sndss-authors@isi.edu,
sndss-chairs@tis.com, spki@c2.net, virus-l@lehigh.edu,
www-buyinfo@allegra.att.com, www-security@ns2.rutgers.edu
Subject: ANNOUNCEMENT: ISOC 1997 SYMPOSIUM NETWORK & DISTRIBUTED SYSTEM SECURITY
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Id: <11027.849062106.1@tis.com>
Date: Tue, 26 Nov 1996 21:35:11 -0500
From: "David M. Balenson" <balenson@tis.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
---------------------------------------------------------------------------
THE INTERNET SOCIETY 1997 SYMPOSIUM ON
NETWORK AND DISTRIBUTED SYSTEM SECURITY
(NDSS '97)
10-11 FEBRUARY 1997
SAN DIEGO PRINCESS RESORT, SAN DIEGO, CALIFORNIA
This fourth annual symposium will bring together researchers,
implementors, and users of network and distributed system security
technologies to discuss today's important security issues and
challenges. It will provide a mix of technical papers and panel
presentations that describe promising new approaches to security
problems that are practical, and to the extent possible, have
been implemented. We hope to foster the exchange of technical
information and encourage the Internet community to deploy
available security technologies and develop new solutions to
unsolved problems.
WHY YOU SHOULD ATTEND
The use of the Internet is rapidly growing and expanding into
all aspects of our society. Commercial organizations are coming
under increasing pressure to make their services available on-line.
This in turn is increasing the need for rapid and widespread
deployment of usable and effective network and distributed system
security technologies. High visibility attacks on the Internet
underscore the vulnerabilities of the Internet and the need to
solve its security problems. There is growing concern for securing
the network infrastructure itself. Recent trends in software
distribution (such as Java and ActiveX technologies) have made
certain attacks easier to carry out. Privacy has become an
important issue for the Internet.
NDSS '97 will bring together researchers, implementors, and users
of network and distributed system technologies to discuss today's
important security issues and challenges. We have selected the
technical papers and panel presentations that describe promising
new approaches to security problems that are practical, and to
the extent possible, have been implemented. Topics to be addressed
include Internet infrastructure and routing security, security
for the World Wide Web, Java and ActiveX security, cryptographic
protocols, public key management, and protection of privacy.
The symposium will have a positive impact on the state of Internet
security. You will have the opportunity to actively participate
in the dialog. Ask questions of the speakers, raise your important
issues during the panel sessions, and let other participants know
of your requirements, observations, and experience in this
important area. We hope to encourage the wide-scale deployment
of security technologies and to promote new research that can
address the currently unmet security needs of the Internet
community.
CONTENTS
Preliminary Program
Organizing Committee
San Diego Princess Resort
Registration Information
Registration Form
---------------------------------------------------------------------------
P R E L I M I N A R Y P R O G R A M
SUNDAY, FEBRUARY 9
6:00 P.M. - 8:00 P.M.
RECEPTION
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MONDAY, FEBRUARY 10
7:30 A.M.
CONTINENTAL BREAKFAST
8:30 A.M.
OPENING REMARKS
9:00 A.M.
SESSION 1: THINGS THAT GO BUMP IN THE NET
Chair: Stephen T. Kent (BBN Corporation, USA)
Experimental Results of Covert Channel Elimination in One-Way
Communication Systems, Nick Ogurtsov, Hilarie Orman, Richard
Schroeppel, Sean O'Malley, and Oliver Spatscheck (University
of Arizona, USA)
Blocking Java Applets at the Firewall, David M. Martin Jr.,
Sivaramakrishnan Rajagopalan and Aviel D. Rubin (Bellcore, USA)
Continuous Assessment of a Unix Configuration: Integrating
Intrusion Detection & Configuration Analysis, Abdelaziz Mounji
and Baudouin Le Charlier (Institut D'Informatique, Namur,
BELGIUM)
10:30 A.M.
BREAK
11:00 A.M.
SESSION 2: PANEL: SECURITY OF DOWNLOADABLE EXECUTABLE CONTENT
Chair: Aviel Rubin (Bellcore, USA)
12:30 NOON
LUNCH
2:00 P.M.
SESSION 3: PROTOCOL IMPLEMENTATION AND ANALYSIS
Chair: Christoph Schuba (Purdue University, USA)
An Interface Specification Language for Automatically Analyzing
Cryptographic Protocols, Stephen H. Brackin (Arca Systems, USA)
Probable Plaintext Cryptanalysis of the IP Security Protocols,
Steven M. Bellovin (AT&T Research, USA)
Misplaced Trust: Kerberos Version 4 Session Keys, Bryn Dole (Sun
Microsystems), Steve Lodin (Delco Electronics), and Eugene Spafford
(Purdue University, USA)
3:30 P.M.
BREAK
4:00 P.M.
SESSION 4: PANEL: SECURITY OF THE INTERNET INFRASTRUCTURE
Chair: Russ Mundy (Trusted Information Systems, USA)
7:00 P.M.
DINNER BANQUET
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TUESDAY, FEBRUARY 11
7:30 A.M.
CONTINENTAL BREAKFAST
8:30 A.M.
SESSION 5: ROUTING SECURITY
Chair: Hilarie Orman (DARPA, USA)
Securing the Nimrod Routing Architecture, Karen E. Sirois and
Stephen T. Kent (BBN Corporation, USA)
Securing Distance-Vector Routing Protocols, Bradley R. Smith,
Shree Murthy and J.J. Garcia-Luna-Aceves (University of California
Santa Cruz, USA)
Reducing the Cost of Security in Link-State Routing, R. Hauser,
A. Przygienda and G. Tsudik (IBM and USC/ISI, USA)
10:00 A.M.
BREAK
10:30 A.M.
SESSION 6: SECURITY FOR THE WORLD WIDE WEB
Chair: Win Treese (OpenMarket, USA)
Securing Web Access with DCE, Brian C. Schimpf (Gradient
Technologies, USA)
PANEL: SECURITY FOR THE WORLD WIDE WEB
Chair: Win Treese (OpenMarket, USA)
12:00 A.M.
LUNCH
1:30 P.M.
SESSION 7: PUBLIC KEY MANAGEMENT
Chair: Jonathan Trostle (CyberSafe, USA)
Hierarchical Organization of Certification Authorities for
Secure Environments, Lourdes Lopez (Universidad Politecnica de
Madrid, SPAIN)
Trust Models in ICE-TEL, Andrew Young and Nada Kapidzic Cicovic
(Univeristy of Salford, UNITED KINGDOM)
Distributed Authentication in Kerberos Using Public Key
Cryptography, Marvin Sirbu and John Chung-I Chuang (Carnegie
Mellon University, USA)
3:00 P.M.
BREAK
3:30 P.M.
SESSION 8: PANEL: WEB PRIVACY AND ANONYMITY
Chair: (To Be Determined)
---------------------------------------------------------------------------
O R G A N I Z I N G C O M M I T T E E
GENERAL CHAIR
David Balenson, Trusted Information Systems
PROGRAM CHAIRS
Clifford Neuman, USC Information Sciences Institute
Matt Bishop, University of California at Davis
PROGRAM COMMITTEE
Steve Bellovin, AT&T Research
Tom Berson, Anagram Laboratories
Doug Engert, Argonne National Laboratory
Warwick Ford, Verisign
Richard Graveman, Bellcore
Li Gong, JavaSoft
Burt Kaliski, RSA Laboratories
Steve Kent, BBN Corporation
Tom Longstaff, CERT
Doug Maughan, National Security Agency
Dan Nessett, 3Com Corporation
Hilarie Orman, DARPA/ITO
Michael Roe, University of Cambridge
Christoph Schuba, Purdue University
Jonathan Trostle, CyberSafe
Theodore Ts'o, Massachusetts Institute of Technology
Doug Tygar, Carnegie Mellon University
Vijay Varadharajan, University of W. Sydney
Roberto Zamparo, Telia Research
PUBLICATIONS CHAIR
Steve Welke, Institute for Defense Analyses
LOCAL ARRANGEMENTS CHAIR
Thomas Hutton, San Diego Supercomputer Center
REGISTRATIONS CHAIR
Torryn Brazell, Internet Society
STEERING GROUP
Internet Research Task Force, Privacy and Security Research Group
SPONSORED BY THE INTERNET SOCIETY
Donald M. Heath, President & CEO
Martin Burack, Executive Director
---------------------------------------------------------------------------
S A N D I E G O P R I N C E S S R E S O R T
LOCATION
The Symposium venue is the San Diego Princess Resort, a tropical
paradise on a forty-four acre island in Mission Bay, ten minutes
from the international airport. Lush gardens landscaped with
hundreds of species of tropical and subtropical plants are
always ablaze with color and perfect for themed group events.
Charming pathways wander among sparkling waterfalls, across
quaint footbridges and sleepy lagoons filled with water lilies
and waterfowl. A white sand beach curves around the island
for over a mile, and the award-winning grounds encompass five
swimming pools and six lighted tennis courts.
Spouses and family members can catch a convenient Harbor Hopper
for a quick trip to Sea World. Plan to visit La Jolla, the world
famous San Diego Zoo or Mexico, only 30 minutes by car or Trolley.
HOUSING INFORMATION
We have reserved a special block of sleeping rooms at the San Diego
Princess Resort at the following rates:
Lanai Patio Rooms $ 81*
Lanai Garden Rooms $114
* This represents the Government Rate for San Diego. A limited
number of rooms are available at this rate. Reservations must
be made no later than January 13, 1997. You must present a
valid government id upon check-in.
Based on room type and space availability, the special group
rates are applicable two days prior to and two days after the
symposium. Current Room Tax is 10.5%.
Check-in availability cannot be committed prior to 4:00 p.m.
Check-out time is 12:00 noon. The San Diego Princess Resort
will make every effort to accommodate any early arrivals, so
make sure you give them your arrival time when you make your
reservation.
TO MAKE A RESERVATION
Contact the San Diego Princess Resort at +1-800-344-2626
(+1-619-274-4630 if outside the United States). To receive
the special group rates, reservations must be made no later
than January 20, 1997. To receive the special goverment
rate, you must make your reservation by January 13, 1997.
CLIMATE
February weather in San Diego is normally very pleasant. Early
morning temperatures average 55 degrees while afternoon
temperatures average 67 degrees. Generally, a light jacket or
sweater is adequate, although, occasionally it rains.
---------------------------------------------------------------------------
R E G I S T R A T I O N I N F O R M A T I O N
FEES ISOC Non-
Members Member*
Early registration
(postmarked on/before Jan. 22) $305 $345
Late registration $375 $415
REGISTRATION INCLUDES
- Attendance - Symposium Proceedings - Two luncheons
- Reception - Banquet - Coffee Breaks
* Non-Member fee includes one year Internet Society membership.
FOR MORE INFORMATION
Contact Carol Gray at the Internet Society at +1-703-648-9888
or send E-mail to Ndss97reg@isoc.org.
WEB PAGE
Additional information about the symposium and San Diego, plus
on-line registration, are available via the Web at:
http://www.isoc.org/conferences/ndss97
SPONSORSHIP OPPORTUNITIES AVAILABLE!
Contact Torryn Brazell at the Internet Society at +1-703-648-9888
or send E-mail to Ndss97reg@isoc.org.
---------------------------------------------------------------------------
R E G I S T R A T I O N F O R M
INTERNET SOCIETY SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY
10-11 FEBRUARY, 1997 SAN DIEGO, CALIFORNIA, USA
Fill out this form and FAX it to NDSS'97 Registration at +1-703-648-9887,
send it via E-mail to Ndss97reg@isoc.org, or mail it to NDSS97,
12020 Sunrise Valley Drive, Suite 210, Reston, VA, 20191, USA
PERSONAL INFORMATION
__Mr __Ms __Mrs __Dr __Prof __M __Prof Dr __Dip Ing __Ing __Miss __Mlle
First Name: ________________________________ MI: ____________________
Family Name: ___________________________________ __Sr __Jr __II __III
Badge Name: __________________________________________________________
Please enter your name as you would like it to appear on your name tag.
CONTACT INFORMATION
Title: _______________________________________________________________
Organization: ________________________________________________________
Street address: ______________________________________________________
______________________________________________________________________
City: ________________________________________________________________
State/Province: ___________________________ Postal Code: ____________
Country: _____________________________________________________________
Telephone Number (work): _____________________________________________
Telephone Number (home): _____________________________________________
Fax Number: __________________________________________________________
E-mail address: ______________________________________________________
SPECIAL NEEDS? (Vegetarian meals, wheelchair access, etc?)
______________________________________________________________________
______________________________________________________________________
APPEAR ON REGISTRANTS LIST?
___ Please check here if you would NOT like your name included
in the list of registrants.
PAYMENT INFORMATION
All Payments must be in United States Dollars.
Conference Fee
--------------
If you are an Internet Society member, you are eligible for a
reduced conference registration fee. Non-member symposium
attendees will receive a one year Internet Society membership
as part of the non-member registration fees.
Check one: On/Before After
January 22 January 22
---------- ----------
___ Internet Society Member Fee US$ 305.00 US$ 375.00
___ Non-Member Fee US$ 345.00 US$ 415.00
Method of Payment
-----------------
Payment must be received on/before February 7, 1997 or we will
be unable to pre-register you.
1. ___ Check. Make payable to the Internet Society.
2. ___ Credit Card. ___ American Express ___ Visa ___ Mastercard
Name on Credit Card: ____________________________________
Credit Card Number: _____________________________________
Expiration Date: ________________________________________
3. ___ CyberCash. Account Number: _____________________________
4. ___ First Virtual. Account Number: _________________________
5. ___ Wire Transfer*
Bank ABA Number: 054000030
Account Number: Internet Society 148 387 10
Riggs National Bank of Virginia
950 Herndon Parkway
Herndon, VA 20171 USA
Wire Transfer Confirmation Number: ______________________
* Please process wire transfer before sending registration
form.
6. ___ U.S. Government Purchase Order*
P.O. Number: ____________________________________________
* Please fax or mail a copy of your purchase order along
with your registration form.
Cancellation Policy
-------------------
Refunds (less a $25 processing fee) will be issued for cancellations
received on/before February 7, 1997. No refunds will be issued
after February 7, 1997.
------------------------------------------------------------------------
From owner-ipsec Wed Nov 27 07:25:54 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id HAA15967 for ipsec-outgoing; Wed, 27 Nov 1996 07:20:51 -0500 (EST)
To: IETF-Announce:;
Cc: RFC Editor <rfc-editor@isi.edu>
Cc: Internet Architecture Board <iab@isi.edu>
Cc: ipsec@tis.com
From: The IESG <iesg-secretary@ietf.org>
Subject: Document Action: HMAC-MD5: Keyed-MD5 for Message Authentication to
Informational
Date: Tue, 26 Nov 1996 13:13:51 -0500
Message-ID: <9611261313.aa11926@ietf.org>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
The IESG has reviewed the Internet-Draft "HMAC: Keyed-Hashing for
Message Authentication" <draft-ietf-ipsec-hmac-md5-01.txt> and
recommends that it be published by the RFC Editor as an Informational
RFC. This document is the product of the IP Security Protocol Working
Group. The IESG contact person is Jeffrey Schiller.
--
John C. Kelley
System Administrator (301) 854-6889
Trusted Information Systems, Inc. (301) 854-5363 FAX
3060 Washington Road johnk@tis.com (work)
Glenwood, MD 21738 johnk@radix.net (play)
From owner-ipsec Wed Nov 27 11:29:19 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA17029 for ipsec-outgoing; Wed, 27 Nov 1996 11:23:12 -0500 (EST)
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce:;;;;@tis.com@tis.com;;;
cc: ipsec@tis.com
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-ipsec-inline-isakmp-00.txt
Date: Wed, 27 Nov 1996 10:17:08 -0500
Message-ID: <9611271017.aa24153@ietf.org>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the IP Security Protocol Working
Group of the IETF.
Title : Inline Keying within the ISAKMP Framework.
Author(s) : B. Sommerfeld
Filename : draft-ietf-ipsec-inline-isakmp-00.txt
Pages : 9
Date : 11/26/1996
The current proposal for IP-layer key management [ISAKMP, OAKLEY, ISAOAK]
has fairly high overhead. Before a security association can be
established, at least one pair of messages need to be exchanged between the
communicating peers. For efficiency, this suggests that ISAKMP setup
should be infrequent. However, general principles of key management
suggest that individual keys should be used as little as practical and
changed as frequently as possible. Steve Bellovin has suggested that,
ideally, different security associations should be used for each different
transport-level connection[BADESP].
This document discusses different ways of structuring a protocol to
permit this to happen with minimal overhead, both in round-trip delay
at connection setup, and in bandwidth once the connection is established.
Portions of this protocol have been inspired by SKIP, which is
fundamentally built around the concept of inline keying[SKIP].
SKIP's approach is burdened by the addition of an extra intermediate
header of perhaps 20 to 28 bytes to every protected packet, essentially
doubling the overhead of protected traffic compared with ESP
with manual keying.
Ideally, an inline keying header would be used only until the desired
security association is established, at which point the peers will
fall back to pure ESP/AH.
Internet-Drafts are available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-ietf-ipsec-inline-isakmp-00.txt".
A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-ietf-ipsec-inline-isakmp-00.txt
Internet-Drafts directories are located at:
o Africa: ftp.is.co.za
o Europe: nic.nordu.net
ftp.nis.garr.it
o Pacific Rim: munnari.oz.au
o US East Coast: ds.internic.net
o US West Coast: ftp.isi.edu
Internet-Drafts are also available by mail.
Send a message to: mailserv@ds.internic.net. In the body type:
"FILE /internet-drafts/draft-ietf-ipsec-inline-isakmp-00.txt".
NOTE: The mail server at ds.internic.net can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e., documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version
of the Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"
--OtherAccess
Content-Type: Message/External-body;
access-type="mail-server";
server="mailserv@ds.internic.net"
Content-Type: text/plain
Content-ID: <19961126110919.I-D@ietf.org>
ENCODING mime
FILE /internet-drafts/draft-ietf-ipsec-inline-isakmp-00.txt
--OtherAccess
Content-Type: Message/External-body;
name="draft-ietf-ipsec-inline-isakmp-00.txt";
site="ds.internic.net";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <19961126110919.I-D@ietf.org>
--OtherAccess--
--NextPart--
From owner-ipsec Wed Nov 27 13:07:01 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA17200 for ipsec-outgoing; Wed, 27 Nov 1996 13:02:25 -0500 (EST)
Date: Wed, 27 Nov 1996 13:02:52 -0500 (EST)
Message-Id: <199611271802.NAA29680@carp.morningstar.com>
From: Ben Rogers <ben@morningstar.com>
To: "C. Harald Koch" <chk@border.com>
Cc: Bill Sommerfeld <sommerfeld@apollo.hp.com>,
"Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-Reply-To: <96Nov26.191251est.30786-1@janus.border.com>
References: <9610258489.AA848977264@netx.nei.com>
<199611261929.OAA01715@thunk.orchard.medford.ma.us>
<199611262230.RAA27739@carp.morningstar.com>
<96Nov26.191251est.30786-1@janus.border.com>
Reply-To: ben@ascend.com (Ben Rogers)
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
C. Harald Koch writes:
> In message <199611262230.RAA27739@carp.morningstar.com>, Ben Rogers writes:
> >
> > It seems to me that gatewayA should never try to place an AH, nor do an
> > ESP encapsulation on the packet using transport mode (assuming that
> > gatewayA did not originate the packet). A gateway that put IPSEC
> > headers on packets in transport mode would not only cause confusing
> > problems like this, but would have severe problems dealing with
> > fragmented packets.
>
> and
>
> > It makes sense to only check the headers on packets that are destined
> > for the local machine. Otherwise, we would be intercepting (and
> > probably modifying) packets not destined to that machine, and violating
> > many of the ideas that make IP work. Thus, I don't see any reason that
> > a gateway could use transport mode to tack on an AH to a packet from
> > hostA to hostB.
>
> I disagree. The counter example: firewalls (or John Gilmore's "cryptowalls").
>
> I see an incredible advantage for firewalls to add IPsec information to
> packets, acting as proxies for the machines they're protecting. Keeps all
> your Security Association information in one place, where it can be easily
> configured and monitored.
>
> People aren't going to start ripping out their firewalls just because they
> have IPsec support on their hosts; firewalls allow much more security
> control than IPsec does. (Analogy: you don't unlock the front door just
> because everyone can lock their own filing cabinets).
Hmmm.... This statement doesn't seem to disagree with my original
statement. I said that the gateway should never do encapsulation in
*transport* mode. Tunnel mode is still acceptable, and would be the
perfect thing to use in this case -- the "cryptowall" would ben one of
the tunnel endpoints.
The problem in using transport mode on a gateway lies mainly in the
fragmentation of packets. Imagine that the "cryptowall" receives a 1500
byte fragment, and adds a header to it. The authenticated packet is
then again too big to send out on ether, and so it must be fragmented
again. The problem is that we changed the size of the total packet by
adding the AH to it. You *cannot* calculate fragment offsets in an
unambiguous manner without keeping the enough state to calculate new
offsets for all the other fragments.
> You also write:
>
> > Why? I believe the RFC states that the Security Association(SA) is
> > chosen using only the destination address and the SPI. It doesn't seem
> > to be illegal for several hosts to send us packets using the same
> > Security Association (SPI).
>
> A security association is *indexed* by destination address and SPI. However,
> It can include information about the source, including strong authentication
> checks, and instructions to reject packets from an invalid IP address. It's
> not illegal for several hosts to using the same SPI, but it's also not
> secure (it would allow all hosts with the same keying information to spoof
> each other, for example).
>
> I think it's much more likely that a host would enforce the use of different
> SPIs (and different keys) for each different source host.
This is definitely the more secure method, and should be used when you
are dealing with untrustworthy peers. However, if you trust your peers,
there is no reason to disallow a priori several "source" hosts sending
you packets on the same security association. If all you want to do is
to authenticate that someone sending to the multicast address is allowed
to, and not to authenticate their individual identity, then this should
be sufficient, and should save space (in not having to have seperate
security associations for a large number of "identical" peers).
You can still check on source address if you want (for example, in a
"cryptowall"), but it seems that this should be a policy decision, and
should be separated from plain vanilla IP security.
ben
From owner-ipsec Wed Nov 27 15:14:07 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA17538 for ipsec-outgoing; Wed, 27 Nov 1996 15:10:28 -0500 (EST)
Message-Id: <s29c3023.082@novell.com>
X-Mailer: Novell GroupWise 4.1
Date: Wed, 27 Nov 1996 12:11:44 -0800
From: CJ Lee <CJ_LEE@novell.com>
To: ipsec@tis.com
Subject: Re: replay counter size
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Derrell Piper wrote sometime back:
> The latest HMAC AH draft (the one following
Montreal) specifies a 64-bit
> replay field. The latest Combined ESP draft uses
only a 32-bit field.
>
> Jim, was it your intention for these specs to diverge
like this? I
> would like to understand why these fields need to be
different for AH
> and ESP. I would rather see them be the same. I
personally believe that
> 2^32 packets is too much data to encrypt under one
key anyway, so I
> think 32-bits is the right number. But I'm more
concerned that AH and
> ESP be equally protected.
>
> I recall some discussion in Montreal about the
performance of replay
> window checks being dependent on the underlying
hardware register size,
> which supports our desire to make this
implementation dependent. I do
> not recall discussing changing the replay counter
from 32 to 64 bits,
> though I confess to being a bit late for the first
working group meeting,
> due to not being able to get into the room due to
overcrowding.
I don't remember that I saw an explanation about the
question on the
mailing list. To me, different replay counter size for
different AH/ESP
transforms would definitely complicate an IPsec
implementation in terms
of storing and using the per session (SA) replay
checking state - the
largest counter seen so far. I'd appreciate that
someone could enlighten
me on this.
CJ Lee (cj_lee@novell.com)
From owner-ipsec Wed Nov 27 15:48:50 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA17619 for ipsec-outgoing; Wed, 27 Nov 1996 15:48:21 -0500 (EST)
From: pau@watson.ibm.com
Date: Wed, 27 Nov 1996 15:53:29 -0500
Message-Id: <9611272053.AA22380@secpwr.watson.ibm.com>
To: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
Cc: isakmp-oakley@cisco.com
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Md5: b4Ny6eHOqoEJQTvjvj0zEA==
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by portal.ex.tis.com id PAA17616
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
I have a question triggered by the discussion :
If two firewalls (gateways), IDii and IDir, did a successful ISAKMP
phase-II proxy negotiation for IDui and IDur. Then, which one is the
right usage of the SA resulting from the negotiation :
1. The SA is shared between IDii and IDir (the gateways), and IDii
IDir are performing IPSEC protection on traffic between IDui and
IDur. In this case, IDui and IDur are unware of the IPSEC protection.
2. The SA is shared between IDui and IDur and IDui and IDur perform IPSEC
by themselves. IDii and IDir (the gateways) become more or less (IPSEC)
transparent.
Pau-Chen
From owner-ipsec Wed Nov 27 16:20:30 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA17662 for ipsec-outgoing; Wed, 27 Nov 1996 16:18:18 -0500 (EST)
Message-Id: <199611272118.QAA17662@portal.ex.tis.com>
From: Greg Carter <carterg@entrust.com>
To: "'ipsec@tis.com'" <ipsec@tis.com>
Cc: "'isakmp-oakley@cisco.com'" <isakmp-oakley@cisco.com>
Subject: ISAKMP & IPSEC DOI Drafts - Notify Payload - Certificate Authorities
Date: Wed, 27 Nov 1996 15:50:35 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Questions on ISAKMP draft:
Can Notify Payloads be sent in any exchange or are they valid only in
Informational Exchanges?
What action should be taken when a Notify Payload is received and the
Message Type is not known. i.e. My ISAKMP server is using some of the
private Message Types to exchange Environment information, but the peer
ISAKMP server has no concept of this info (and hence the private message
types).
Section 3.10 Certificate Request Payload of ISAKMP - draft 6
For the Certificate Authorities field it references the IPSEC DOI
document, however I couldn't find any reference to 'Distinguished Name
Attribute Type' value in the IPSEC DOI doc.
Could someone expand on this?
Thanks.
----
Greg Carter
Nortel Secure Networks - Entrust
carterg@entrust.com
From owner-ipsec Fri Nov 29 11:37:15 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA19253 for ipsec-outgoing; Fri, 29 Nov 1996 11:24:00 -0500 (EST)
Message-ID: <c=CA%a=_%p=NorTel_Secure_Ne%l=GRANNY-961129161634Z-9550@bwdldb.ott.bnr.ca>
From: Greg Carter <carterg@entrust.com>
To: "'ipsec@tis.com'" <ipsec@tis.com>
Cc: "'isakmp-oakley@cisco.com'" <isakmp-oakley@cisco.com>
Subject: Certificate Request Payload
Date: Fri, 29 Nov 1996 11:16:34 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
>From draft 6 of ISAKMP
3.10 Certificate Request Payload
..."The responder to the Certificate Request payload MUST send its
immediate certificate,
if certificates are supported, and SHOULD send as much of its
certificate chain as possible."
As part of the certificate chain can we send Certificate Revocation
Lists (CRL) and Authority Revocation
Lists (ARL)?
Or was it intended that the certificate chain only include the immediate
certificates of the users/CAs in
question?
Thanks
----
Greg Carter
Nortel Secure Networks - Entrust
carterg@entrust.com
From owner-ipsec Sat Nov 30 19:18:17 1996
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA19768 for ipsec-outgoing; Sat, 30 Nov 1996 19:09:29 -0500 (EST)
Message-Id: <3.0.32.19961130161135.0093ca00@earthlink.net>
X-Sender: rmonsour@earthlink.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 30 Nov 1996 16:11:40 -0800
To: ipsec@tis.com
From: Bob Monsour <rmonsour@earthlink.net>
Subject: I-D ACTION:draft-sabin-lzs-payload-00.txt
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
For those on the list who might not be on the "announce" list.
-Bob
>To: IETF-Announce: ;
>Sender: ietf-announce-request@ietf.org
>From: Internet-Drafts@ietf.org
>Reply-to: Internet-Drafts@ietf.org
>Subject: I-D ACTION:draft-sabin-lzs-payload-00.txt
>Date: Wed, 27 Nov 1996 10:18:23 -0500
>X-Orig-Sender: cclark@ietf.org
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
> Title : LZS Payload Compression Transform for ESP
> Author(s) : M. Sabin, R. Monsour
> Filename : draft-sabin-lzs-payload-00.txt
> Pages : 7
> Date : 11/26/1996
>
>This memo proposes a "payload compression transform" based on the LZS
>compression algorithm. The transform can be used to compress the payload
>field of an IP datagram that uses the Encapsulating Security Payload (ESP)
>format. The compression transform proposed here is stateless, meaning that
>a datagram can be decompressed independently of any other datagram.
>Compression is performed prior to the encryption operation of ESP, which
>has the side benefit of reducing the amount of data that must be encrypted.
>
>This memo anticipates a forthcoming draft of ESP that will supercede
>[Atkins96]. The forthcoming draft will allow for ESP payloads to be
>compressed via transforms such as the one described in this memo.
>
>Internet-Drafts are available by anonymous FTP. Login with the username
>"anonymous" and a password of your e-mail address. After logging in,
>type "cd internet-drafts" and then
> "get draft-sabin-lzs-payload-00.txt".
>A URL for the Internet-Draft is:
>ftp://ds.internic.net/internet-drafts/draft-sabin-lzs-payload-00.txt
>
>Internet-Drafts directories are located at:
>
> o Africa: ftp.is.co.za
>
> o Europe: nic.nordu.net
> ftp.nis.garr.it
>
> o Pacific Rim: munnari.oz.au
>
> o US East Coast: ds.internic.net
>
> o US West Coast: ftp.isi.edu
>
>Internet-Drafts are also available by mail.
>
>Send a message to: mailserv@ds.internic.net. In the body type:
> "FILE /internet-drafts/draft-sabin-lzs-payload-00.txt".
>
>NOTE: The mail server at ds.internic.net can return the document in
> MIME-encoded form by using the "mpack" utility. To use this
> feature, insert the command "ENCODING mime" before the "FILE"
> command. To decode the response(s), you will need "munpack" or
> a MIME-compliant mail reader. Different MIME-compliant mail readers
> exhibit different behavior, especially when dealing with
> "multipart" MIME messages (i.e., documents which have been split
> up into multiple messages), so check your local documentation on
> how to manipulate these messages.
>
>
>
>Below is the data which will enable a MIME compliant mail reader
>implementation to automatically retrieve the ASCII version
>of the Internet-Draft.
>
><ftp://ds.internic.net/internet-drafts/draft-sabin-lzs-payload-00.txt>
>
- I-D ACTION:draft-ietf-ipsec-isakmp-oakley-02.txt Internet-Drafts