I-D ACTION:draft-ietf-ipsec-isakmp-oakley-02.txt
Internet-Drafts@ietf.org Thu, 21 November 1996 14:41 UTC
To: IETF-Announce@ietf.org
cc: ipsec@tis.com
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-ipsec-isakmp-oakley-02.txt
Date: Thu, 21 Nov 1996 09:41:08 -0500
Sender: cclark@ietf.org
Message-ID: <9611210941.aa04456@ietf.org>
--NextPart A Revised Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Protocol Working Group of the IETF. Title : The resolution of ISAKMP with Oakley Author(s) : D. Harkins, D. Carrel Filename : draft-ietf-ipsec-isakmp-oakley-02.txt Pages : 27 Date : 11/20/1996 [MSST96] (ISAKMP) provides a framework for authentication and key exchange but does not define them. ISAKMP is designed to be key exchange independant; that is, it is designed to support many different key exchanges. [Orm96] (Oakley) describes a series of key exchanges-- called "modes"-- and details the services provided by each (e.g. perfect forward secrecy for keys, identity protection, and authentication). This document describes a proposal for using the Oakley Key Exchange Protocol in conjunction with ISAKMP to obtain authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IETF IPsec DOI. Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsec-isakmp-oakley-02.txt". A URL for the Internet-Draft is: ftp://ds.internic.net/internet-drafts/draft-ietf-ipsec-isakmp-oakley-02.txt Internet-Drafts directories are located at: o Africa: ftp.is.co.za o Europe: nic.nordu.net ftp.nis.garr.it o Pacific Rim: munnari.oz.au o US East Coast: ds.internic.net o US West Coast: ftp.isi.edu Internet-Drafts are also available by mail. Send a message to: mailserv@ds.internic.net. In the body type: "FILE /internet-drafts/draft-ietf-ipsec-isakmp-oakley-02.txt". NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ds.internic.net" Content-Type: text/plain Content-ID: <19961121090052.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ipsec-isakmp-oakley-02.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ipsec-isakmp-oakley-02.txt"; site="ds.internic.net"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <19961121090052.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec Thu Nov 21 14:47:08 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA07165 for ipsec-outgoing; Thu, 21 Nov 1996 14:38:43 -0500 (EST) Message-Id: <3.0.32.19961121114020.00979840@earthlink.net> X-Sender: rmonsour@earthlink.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 21 Nov 1996 11:40:27 -0800 To: ipsec@tis.com From: Bob Monsour <rmonsour@earthlink.net> Subject: Packet-by-packet compression within IPSec Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ipsec@ex.tis.com Precedence: bulk Here's a recap of recent history on this topic and a specific proposal to bring the discussion to closure. In recent weeks there has been some good debate regarding the use of lossless data compression within the context of the IP security framework. Having reviewed the wg list comments, here's an extremely brief recap. [For those new to the list, please see the list archives for details.] 1. concept was initially embraced by a few 2. suggestion was made to add fields to ESP to support stateful compression (i.e., compression history retained across multiple IP datagrams) 3. some suggested the use of a separate compression header to support it (as opposed to fields within ESP) 4. stateful nature of compression raised some concerns 5. issue of a sequence counter, redundant with the replay ctr raised concerns 6. issue of the lossyness of the IP media raised concerns 7. need for negotiating SA parameters to support statefulness was stated 8. analysis of packet loss raised serious concerns over stateful compression 9. comments that stateless compression had benefit were stated 10. packet loss concerns seemed to depart in the face of stateless compression 11. proposal made to allow for stateless compression within ESP Since that time, there has been little or no additional comment on the subject. I would like to clarify my most recent proposal and provide specific language to support its implementation. I fully understand that the working group is moving full steam ahead to get the IPSec documents ready for the San Jose meeting and to move toward wide-spread interoperable deployments during the coming year. I do not believe that this proposal or its implementation will hinder those efforts and am willing to provide any support needed to assist. Before going into the specifics of my proposal, I would like to point out a subtlety involving the use of compression with encryption. The reduced payload resulting from compression also reduces the amount of work (i.e., CPU cycles) required for subsequent encryption operations. Clearly, the CPU cost of compression must be low enough to realize a net gain, but in our tests, this bears out in enough cases to make it interesting. This speaks directly to second paragraph of section 1.1 of the ESP draft regarding the increased communications latency expected due to the encryption and decryption operations. MY PROPOSAL The essence of my proposal is to add simple, straightforward language (provided below) to the ESP draft which allows compression to be performed on a packet-by-packet basis (keeping *NO* history or state information across packets). The use of compression would be negotiated as an security association parameter along with the algorithm to be employed. The ESP payload data would simply be either compressed or uncompressed and *NO* additional fields (in the header *OR* in the payload) would be required to support it. This is the simplest form of compression support. I would further suggest that, at some later time, the working group undertake the effort to examine methods for supporting stateful compression. Nothing in the proposed language is intended to preclude such efforts. SPECIFIC LANGUAGE The proposed changes are relative to draft-ietf-ipsec-payload-00.txt, dated June 6, 1996 by Ran Atkinson. I understand that a revisoion of the draft is in progress am confident that, given the nature of the changes specified below, they could be easily be mapped into the new draft. Section 1.1 (Overview) Add the following sentence to the end of the first paragraph: The encrypted user data portion of the payload may be compressed prior to encryption. Security association parameters, negotiated by the key management mechanism, are used to determine whether or not compression is used and which compression algorithm will be used. Section 3. (ENCAPSULATING SECURITY PAYLOAD SYNTAX) Add the following sentence to first paragraph, making it the second to the last sentence in the section (prior to "A high-level..."). The protected user data portion of the payload may be compressed prior to encryption. Immediately following the second ESP header diagram, change the sentence to read: Encryption, authentication and optional compression algorithms, and the precise... Section 4.1 (ESP in Tunnel-mode) Change the first sentence of the second paragraph to read: ...to locate the corect Security Association, optionally applies the appropriate compression transform, and then applies the appropriate encryption transform. Change the first sentence of the fifth paragraph to read: If decryption succeeds, optional decompression is performed as necessary, and the original IP datagram... Section 4.2 (ESP in Transport-mode) Change the first sentence of the second paragraph to read: ...to locate the corect Security Association, optionally applies the appropriate compression transform, and then applies the appropriate encryption transform. Change the first sentence of the fifth paragraph to read: If decryption succeeds, optional decompression is performed as necessary, and the original transport layer... We will be producing a draft compression transform which adheres to the proposed "new model" for transforms. It will contain no fields, but will simply specify how to transform a variabble sized data block from an uncompressed block to a compressed block. I would very much like to hear comments from those interested in the subject and from the authors and/or co-chairs of the group regarding their suggestions and guidance. Bob Monsour rmonsour@earthlink.net From owner-ipsec Thu Nov 21 15:26:01 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA07278 for ipsec-outgoing; Thu, 21 Nov 1996 15:25:13 -0500 (EST) Message-Id: <199611212023.PAA03158@raptor.research.att.com> To: Bob Monsour <rmonsour@earthlink.net> cc: ipsec@tis.com Subject: Re: Packet-by-packet compression within IPSec Date: Thu, 21 Nov 1996 15:23:00 -0500 From: Steven Bellovin <smb@research.att.com> Sender: owner-ipsec@ex.tis.com Precedence: bulk I think your proposal is quite acceptable. I'm willing to go a step further -- the key management protocol should allow for negotiation of currently-unspecified parameters for some future compression scheme. From owner-ipsec Thu Nov 21 16:36:58 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA07348 for ipsec-outgoing; Thu, 21 Nov 1996 16:35:14 -0500 (EST) Message-Id: <3.0b36.32.19961121163033.0093be20@pop3hub.is.chrysler.com> Reply-To: rgm3@chrysler.com X-Sender: rgm3@pop3hub.is.chrysler.com X-Mailer: Windows Eudora Pro Version 3.0b36 (32) Date: Thu, 21 Nov 1996 16:35:41 -0500 To: ipsec@tis.com From: Robert Moskowitz <rgm3@chrysler.com> Subject: IPsec Interoperability Week #1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by portal.ex.tis.com id QAA07345 Sender: owner-ipsec@ex.tis.com Precedence: bulk The following is a proposal from the AIAG to all IPSec implementors. We are very serious about getting product. To the extent that we will supply resources to get interoperablity. Below is the general plan for an interoperability week. Please discuss it here, amongst yourselves and with us. We are open to fleshing out (ie nailing down) what ever details are appropriate. Of course, I will be at IETF to take what ever blooding deemed appropriate, just remember that I have to leave on friday ;) IPsec Interoperability Week #1 TO: All implementers of the Ipsec protocols From: The Automotive Industry Action Group ANX Security work group What: 1st working session for IPsec interoperability Where: MCIs Richardson Texas test facilities When: January 6th - 10th, 1997 Participation Contact: fbowdon@mcimail.com (810 351-5124), cwinter@mcimail.com (810 351-5257) RSVP by: Dec 10th, 1997 Document Questions/Issues: rgm3@chrysler.com by Dec 6th, 1996 GOALS: Determine the current state of deployablity of IPsec components for the Auto industry. At this time, demonstration of Key management via Oakley/ISAKMP is very important to the ANX work group. The intention is to create as close to a real world inter-company environment for vendor testing. Multiple scenario testing will be desired. Work on the basis that firewalls, split DNS, and private addressing is common. Subsets of these situations will be documented. Participants minimally need to have product that uses RFCs 1825-9, Oakley aggressive or main mode with authentication with pre-shared keys Border-to-border via tunneling Consider access to trade zones or entire company network. Remote-to-border Remote-to-interior Interior-to-foreign border Through local border Interior-to-interior Technology to demonstrate interoperability: Basic IPsec protocols, emphasis on ESP-HMAC (add draft name here) Keying material for IPsec setup with Key Management exchange via Oakley/ISAKMP (Choice of ANX wg) (all three drafts) Proxy modes Please provide Oakley modes demonstrable at this time. Public key format of X.509v3 Keys can be cached X.509 key retrieval via LDAP CA will be provided for testing Subsets of these will be documented by product. A more compete testing matrix and success criteria will be developed between now and Dec 8th. Policy issues will be sorted out as well is operational: Unintended routing through multiple tunnels Access control granularity Oakley and ESP options as X.509 extensions Des vs 3Des, Compression supported, others The test facility will be connected to the Internet, so vendors unable to attend are encouraged to contact the MCI coordination team (TBN) to work out arrangements for remote participation. Follow up testing will be planned for 2Q97. Robert Moskowitz Chrysler Corporation (810) 758-8212 From owner-ipsec Thu Nov 21 17:25:25 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id RAA07423 for ipsec-outgoing; Thu, 21 Nov 1996 17:24:44 -0500 (EST) Message-Id: <2.2.16.19961121222412.2f57500c@pop3.pn.com> X-Sender: rodney@pop3.pn.com X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 21 Nov 1996 17:24:12 -0500 To: ipsec@tis.com From: Rodney Thayer <rodney@sabletech.com> Subject: compression transform conclusions Sender: owner-ipsec@ex.tis.com Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- [response to Bob Monsour's proposal] I believe his charactarization of the discussion so far is accurate. I believe it is the rough consensus of the group that compression should be part of the ESP transform, one way or the other, with or without statefulness, parameter negotiation, sequence numbers, etc. I myself think the ESP transform is excessively complex as it is, regardless of the compression features. I think this will interfere with deployment and will increase the risk of security problems due to buggy implementations. But, I do think Bob's proposal represents the view of the group, so I think that's what we should go with. -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition Comment: PGP by ViaCrypt iQCVAgUBMpTWPMKmlvJNktGxAQGoywQAgAhOO/aGTYhZsqfZvspaGq9Azcgrr+F6 ZeWZf08n157opre07UTVr98wujdJs+PFo0/1IWApGioQUwV4tV9tbN062SSu3+F1 x29e954kB5C801pA1IG1MwXa1vtdQsA8El4D5igRg4ug1iHCMaYags8frCgLP9co xxSXdN8qhFg= =Uq+S -----END PGP SIGNATURE----- Rodney Thayer <rodney@sabletech.com> +1 617 332 7292 Sable Technology Corp, 246 Walnut St., Newton MA 02160 USA Fax: +1 617 332 7970 http://www.shore.net/~sable Communications Software Development From owner-ipsec Thu Nov 21 18:11:33 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA07449 for ipsec-outgoing; Thu, 21 Nov 1996 18:10:48 -0500 (EST) Message-ID: <3294E1E1.ABD@cs.umass.edu> Date: Thu, 21 Nov 1996 18:12:33 -0500 From: Lewis McCarthy <lmccarth@cs.umass.edu> Organization: Theoretical Computer Science Group, UMass-Amherst, <URL:http://www.cs.umass.edu/~thtml/> X-Mailer: Mozilla 3.0 (X11; I; OSF1 V3.2 alpha) MIME-Version: 1.0 To: Luis Saiz Gimeno <saiz@gc.ssr.upm.es> CC: ipsec@tis.com Subject: Re: Any work in IPsec multicast key management? References: <199611210942.AA25881@orfeo.gc.ssr.upm.es> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ipsec@ex.tis.com Precedence: bulk LUIS SAIZ GIMENO writes: > I would like to know if there is some work in progress in > multicast/anycast key management in this WG. Any idea about which > kind of cryptographic protocol is suitable to be adopted? The most recent mail I've seen about this on the list was from Ran on Sept.9 ("Subject: FYI: Multicast Key Management documents") -- check the archives. He mentions GKMP [Harney et al.] and RFC 1949 [Ballardie]. Ran Atkinson wrote on Sept. 9: >>> I'm told that work is underway at several places (e.g. ORNL) on a >>> PF_KEY-based freely distributable implementation of GKMP technology >>> inside the ISAKMP framework. The survey essay Secure Multicast [Pessi], <http://www.nixu.fi/~pnr/netsec-lopulliset/3-0-multicast.html>, is already rather out of date, but you might find the discussion of an old version of SKIP (draft-...-skip-03) w.r.t. multicast to be worth reading. -- Lewis http://www.cs.umass.edu/~lmccarth/lmkey.asc From owner-ipsec Thu Nov 21 18:23:55 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA07485 for ipsec-outgoing; Thu, 21 Nov 1996 18:23:51 -0500 (EST) X-Sender: kent@po1.bbn.com Message-Id: <v03007811aeba9476da70@[128.89.0.110]> In-Reply-To: <3.0.32.19961121114020.00979840@earthlink.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 21 Nov 1996 18:25:28 -0500 To: Bob Monsour <rmonsour@earthlink.net> From: Stephen Kent <kent@bbn.com> Subject: Re: Packet-by-packet compression within IPSec Cc: ipsec@tis.com Sender: owner-ipsec@ex.tis.com Precedence: bulk Bob, I have no objections to your proposal, and it certainly can be easily integrated into the newly revised ESP spec. We also can allow for an optional, variable length field in front of the payload, that contains any per-packet data needed for a specific algorithm. This is easy to include in the ESP spec, with SA negotiation determining the presence or absence of the field and its size. The only issue,is how we deal with the possible requirement to support any specific compression protocols. From an interoperability perspective, we need to address this aspect of the standards, and that, I believe, is the basis for concern in terms of delaying deployment of this technology. Steve From owner-ipsec Thu Nov 21 19:00:35 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA07513 for ipsec-outgoing; Thu, 21 Nov 1996 19:00:19 -0500 (EST) Message-Id: <199611211956.TAA15713@whydos.lkg.dec.com> X-Authentication-Warning: whydos.lkg.dec.com: Host localhost.lkg.dec.com didn't use HELO protocol X-Mailer: exmh version 1.6.5 12/11/95 To: rgm3@chrysler.com Cc: ipsec@tis.com Subject: Re: IPsec Interoperability Week #1 In-Reply-To: Your message of "Thu, 21 Nov 1996 16:35:41 EST." <3.0b36.32.19961121163033.0093be20@pop3hub.is.chrysler.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 21 Nov 1996 19:56:21 +0000 From: Matt Thomas <matt@lkg.dec.com> Sender: owner-ipsec@ex.tis.com Precedence: bulk I don't about others but Jan 6th is effectively the week after next for me. Nov 25th Thanksgiving week Dec 2st UNH IPv6 testing Dec 9th the IETF in San Jose Dec 16th nothing Dec 23rd Christmas Dec 30th New Years Jan 6th IPsec testing To get travel, systems, etc. ready by Jan 6th is going to be difficult at best. I think you should really consider moving the testing date out 2 week if you can. -- Matt Thomas Internet: matt@lkg.dec.com IPv6 Kernel Grunt WWW URL: http://ftp.dec.com/%7Ethomas/ Digital Equipment Corporation Disclaimer: This message reflects my Littleton, MA own warped views, etc. From owner-ipsec Thu Nov 21 19:22:46 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA07538 for ipsec-outgoing; Thu, 21 Nov 1996 19:21:50 -0500 (EST) Message-Id: <3.0.32.19961121162316.00939ea0@earthlink.net> X-Sender: rmonsour@earthlink.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 21 Nov 1996 16:23:35 -0800 To: Stephen Kent <kent@bbn.com> From: Bob Monsour <rmonsour@earthlink.net> Subject: Re: Packet-by-packet compression within IPSec Cc: Bob Monsour <rmonsour@earthlink.net>, ipsec@tis.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ipsec@ex.tis.com Precedence: bulk At 06:25 PM 11/21/96 -0500, Stephen Kent wrote: >Bob, > > I have no objections to your proposal, and it certainly can be >easily integrated into the newly revised ESP spec. We also can allow for >an optional, variable length field in front of the payload, that contains >any per-packet data needed for a specific algorithm. This is easy to >include in the ESP spec, with SA negotiation determining the presence or >absence of the field and its size. Thanks. FYI, the only per-packet data I am imagining for our particular proposal would be a single byte to contain a compressed/uncompressed bit. This is needed to handle the case where the source data expands and you want to instead send the original uncompressed data. In this case, you would set the bit saying that the particular packet is uncompressed, even though the SPI specifies that compression is an active function for this channel. >The only issue,is how we deal with the >possible requirement to support any specific compression protocols. When you say, "...possible requirement to support any specific compression protocols.", I'm not sure I understand the issue. Do you mean the minimum or mandatory support levels for compression in IPSec/ESP? If so, I would expect that its optional nature precludes any such requirement. If you mean support for specific compression algorithms, I would suggest that we treat that issue in a similar manner as was done with PPP, where any number algorithms can be supported as long as there is a draft/standard document to describe how it is done in the context of IPSec/ESP. Since the specific compression algorithm that we will be proposing will be based on the LZS algorithm, it will ultimately result in an informational RFC (which is what happened in the PPP case for LZS as well). >From an interoperability perspective, we need to address this aspect of the >standards, and that, I believe, is the basis for concern in terms of >delaying deployment of this technology. Are you refering to the requirement for two interoperable implementations of compressed ESP before the document can be moved to the Draft Standard stage? Having done some recent homework on the IETF standards process, I'm guessing this is the concern. If that is indeed the case, I believe that we could easily achieve such a goal. -Bob From owner-ipsec Fri Nov 22 13:04:19 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA08702 for ipsec-outgoing; Fri, 22 Nov 1996 13:00:43 -0500 (EST) Message-Id: <2.2.32.19961122180014.00cab134@netcom8.netcom.com> X-Sender: dpalma@netcom8.netcom.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 22 Nov 1996 10:00:14 -0800 To: ipsec@neptune.hq.tis.com From: Derek Palma <dpalma@netcom.com> Subject: Unexpected silence (Test posting) Sender: owner-ipsec@ex.tis.com Precedence: bulk Either I am now longer receiving messages for this list or there is very little discussion before an IETF. This is a test! From owner-ipsec Fri Nov 22 16:06:41 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA09104 for ipsec-outgoing; Fri, 22 Nov 1996 16:01:10 -0500 (EST) Message-Id: <3.0.32.19961122125905.00e47f40@netcom8.netcom.com> X-Sender: dpalma@netcom8.netcom.com (Unverified) X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 22 Nov 1996 12:59:54 -0800 To: ipsec@tis.com From: Derek Palma <dpalma@netcom.com> Subject: Decoupling compression and security Cc: dpalma@netcom.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ipsec@ex.tis.com Precedence: bulk Some recent IPSEC implementation experiences and the current discussion has caused me to consider the virtues of coupling compression transforms with security. No doubt use of compression has benefits, even if only applied to a single packet. I see no problem with having compression be part of an SA. But I think it lacks some generality. The output of a compression algorithm can be larger than the input, the sender will no doubt like to selectively compress. This means the receiver must be able to receive compressed and uncompressed data. This seems independent from the SA. Howeverm, the SA setup can be used to select the compression algorithm. Generic (probably PPP like) compression transforms which stand on their own (apart from IPSEC) seemslike a more general solution. However, IPSEC is the only group who can justify using compression on a per packet basis. Would a set of IP-COMP transforms (vs IPSEC) be more appropriate? Derek From owner-ipsec Fri Nov 22 23:57:15 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id XAA09490 for ipsec-outgoing; Fri, 22 Nov 1996 23:54:51 -0500 (EST) Message-Id: <3.0.32.19961122205654.0099c100@earthlink.net> X-Sender: rmonsour@earthlink.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 22 Nov 1996 20:57:01 -0800 To: Derek Palma <dpalma@netcom.com> From: Bob Monsour <rmonsour@earthlink.net> Subject: Re: Decoupling compression and security Cc: ipsec@tis.com, dpalma@netcom.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ipsec@ex.tis.com Precedence: bulk At 12:59 PM 11/22/96 -0800, Derek Palma wrote: >Some recent IPSEC implementation experiences and the current discussion >has caused me to consider the virtues of coupling compression >transforms with security. No doubt use of compression has >benefits, even if only applied to a single packet. > >I see no problem with having compression be part of an SA. >But I think it lacks some generality. The output of a compression >algorithm can be larger than the input, the sender will no >doubt like to selectively compress. This means the receiver >must be able to receive compressed and uncompressed data. >This seems independent from the SA. Howeverm, the SA setup >can be used to select the compression algorithm. When using packet-by-packet compression within IPSec, while an SA parameter will exist to define the compression algorithm and whether or not compression is enabled for a particular sender to receiver, the sender (as you suggest) will not want to send data when it expands. We have suggested that each compressed payload include a bit (within a one-byte field) which indicates whether or not the IP datagram is compressed or not. So, in effect, the sender operates as follows: compress the packet if it gets smaller compressed = true send it compressed else compressed = false send the packet in uncompressed form On the reciever side, it just checks the compressed/uncompressed bit to decide whether or not to attempt decompression. >Generic (probably PPP like) compression transforms which stand >on their own (apart from IPSEC) seemslike a more general solution. >However, IPSEC is the only group who can justify using compression >on a per packet basis. Would a set of IP-COMP transforms (vs IPSEC) >be more appropriate? The attractive part of PPP-like compression solutions is that operate over a connection-oriented protocol and therefore can compress across multiple packets, realizing greater efficiencies than by doing it a packet at a time. Unfortunately, we don't have that luxury in IP. At an even higher layer, say SSL, there again is a connection-oriented protocol and compression can indeed be done over a series of transmitted packets. Once equipped with the packet-by-packet mode of compression, I would suspect that if there is sufficient interest and energy in the working group, some effort could be put forth to figure out how to reliably compress across multiple IP datagrams. How would you see an IP-COMP transform operating? Bob Monsour rmonsour@earthlink.net From owner-ipsec Sat Nov 23 16:25:14 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA09748 for ipsec-outgoing; Sat, 23 Nov 1996 16:18:53 -0500 (EST) Message-Id: <2.2.16.19961123211820.2e271408@pop3.pn.com> X-Sender: rodney@pop3.pn.com X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 23 Nov 1996 16:18:20 -0500 To: dpalma@netcom.com From: Rodney Thayer <rodney@sabletech.com> Subject: Re: Decoupling compression and security Cc: ipsec@tis.com Sender: owner-ipsec@ex.tis.com Precedence: bulk Have you looked at the draft I did in July? What you're talking about sounds like the direction I was headed. How would you add/change what I proposed? >X-Sender: rmonsour@earthlink.net >Date: Fri, 22 Nov 1996 20:57:01 -0800 >To: Derek Palma <dpalma@netcom.com> >From: Bob Monsour <rmonsour@earthlink.net> >Subject: Re: Decoupling compression and security >Cc: ipsec@tis.com, dpalma@netcom.com >Sender: owner-ipsec@ex.tis.com > >At 12:59 PM 11/22/96 -0800, Derek Palma wrote: >>Some recent IPSEC implementation experiences and the current discussion >>has caused me to consider the virtues of coupling compression >>transforms with security. No doubt use of compression has >>benefits, even if only applied to a single packet. >> >>I see no problem with having compression be part of an SA. >>But I think it lacks some generality. The output of a compression >>algorithm can be larger than the input, the sender will no >>doubt like to selectively compress. This means the receiver >>must be able to receive compressed and uncompressed data. >>This seems independent from the SA. Howeverm, the SA setup >>can be used to select the compression algorithm. > >When using packet-by-packet compression within IPSec, while an SA parameter >will exist to define the compression algorithm and whether or not >compression is enabled for a particular sender to receiver, the sender (as >you suggest) will not want to send data when it expands. We have suggested >that each compressed payload include a bit (within a one-byte field) which >indicates whether or not the IP datagram is compressed or not. So, in >effect, the sender operates as follows: > > compress the packet > if it gets smaller > compressed = true > send it compressed > else > compressed = false > send the packet in uncompressed form > >On the reciever side, it just checks the compressed/uncompressed bit to >decide whether or not to attempt decompression. > >>Generic (probably PPP like) compression transforms which stand >>on their own (apart from IPSEC) seemslike a more general solution. >>However, IPSEC is the only group who can justify using compression >>on a per packet basis. Would a set of IP-COMP transforms (vs IPSEC) >>be more appropriate? > >The attractive part of PPP-like compression solutions is that operate over >a connection-oriented protocol and therefore can compress across multiple >packets, realizing greater efficiencies than by doing it a packet at a >time. Unfortunately, we don't have that luxury in IP. At an even higher >layer, say SSL, there again is a connection-oriented protocol and >compression can indeed be done over a series of transmitted packets. Once >equipped with the packet-by-packet mode of compression, I would suspect >that if there is sufficient interest and energy in the working group, some >effort could be put forth to figure out how to reliably compress across >multiple IP datagrams. > >How would you see an IP-COMP transform operating? > > >Bob Monsour >rmonsour@earthlink.net > > Rodney Thayer <rodney@sabletech.com> +1 617 332 7292 Sable Technology Corp, 246 Walnut St., Newton MA 02160 USA Fax: +1 617 332 7970 http://www.shore.net/~sable Communications Software Development From owner-ipsec Mon Nov 25 03:40:13 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id DAA10369 for ipsec-outgoing; Mon, 25 Nov 1996 03:32:24 -0500 (EST) Date: Mon, 25 Nov 1996 10:34:24 +0200 (EET) From: Santeri Paavolainen <santtu@cs.hut.fi> X-Sender: santtu@hutcs To: ipsec@tis.com Subject: Re: Decoupling compression and security In-Reply-To: <3.0.32.19961122205654.0099c100@earthlink.net> Message-ID: <Pine.GSO.3.94.961125100351.29183A-100000@hutcs> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ipsec@ex.tis.com Precedence: bulk > When using packet-by-packet compression within IPSec, while an SA parameter > will exist to define the compression algorithm and whether or not > compression is enabled for a particular sender to receiver, the sender (as > you suggest) will not want to send data when it expands. We have suggested > that each compressed payload include a bit (within a one-byte field) which > indicates whether or not the IP datagram is compressed or not. So, in > effect, the sender operates as follows: > > compress the packet > if it gets smaller > compressed = true > send it compressed > else > compressed = false > send the packet in uncompressed form > > On the reciever side, it just checks the compressed/uncompressed bit to > decide whether or not to attempt decompression. If the compression was another IPSEC transformation there would be no need for such a "bit" in the actual _security_ transformation data. Have everybody forgotten that applying transformations on a packet is still optional? If I want an option of not applying a packet compression transformation I can just not apply it -- no need for any information bits in the packet. As an example, there is two transformations defined, COMP for compression and CRYPT for some crypto. If I get a acceptable compression ratio for a packet, I leave the compression transformation on and pass the packet to the rest of the transformation chain, finally giving a packet like CRYPT(COMP(packet)) OTOH, if the compression ratio is unacceptable, just leave the compression layer off: CRYPT(packet) Because the receiver sees only SPIs of the various layers, it will first decrypt and either get a regular (not compressed) packet, or a compressed packet which will then have to be uncompressed to gain the final packet. Of course, this would mean there is overhead of SPI vs. "bit", but I think the generality is a clear plus. What if you later find out the cryptographic transformation you have embedded the compression layer is not secure? Also, there is no clear way how to interoperate between different transformations which have the same compression engine (you must remember that each transformation should be self-contained from the coding point of view). Also, some persons might want compression, and only that. I imagine there would be plenty of situations (two computers connected by a secure network/line) where getting "compression" out of IPSEC layer could not be justified because of the extra costs because the compression would imply (cpu-intensive) cryptographic methods. Of course, it is another matter whether compression should be included in the IPSEC layer at all. PS. In the IP Authentication Header draft (4 June 1996, are there newer versions?) at chapter 3, the combination of AH(AH(...)) is said to be invalid at all times. Why? Take the following situation as an example where AH(AH(...)) could be used: A VPN network, eg. an intranet created by establishing a secure tunnel between two separate networks. Typically, the VPN routers apply some IPSEC AH+ESP transformation on a packet before sending it through the internet network. But, there can be a case when the VPN router does not want to encrypt a packet, but still requires authentication. If there are IPSEC-capable hosts within these two parts of the intranet talking to each other with some AH+ESP transformations the VPN routers will get packets in the form of AH(ESP(...)). If the VPN routers have knowledge about the used ESP (by acting as a middlemen in key management routine, for example) an deem it as "secure enough" they might not want to apply a second layer of ESP, because it would be unnecessary. Still they want to apply an AH, so that the other VPN router can confirm the authenticity of the packet coming from the internet (that it really is coming from the other VPN router). This leads to a situation where the packet would look like AH(AH(ESP(...))) when send to the internet. But this seems not to be allowed by the draft! -- sjpaavol@cc.Helsinki.FI I have become death, destroyer of the worlds. From owner-ipsec Mon Nov 25 07:20:22 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id HAA10567 for ipsec-outgoing; Mon, 25 Nov 1996 07:18:20 -0500 (EST) Date: 25 Nov 96 09:27:26 +0300 From: "RIITTINEN HEIKKI" <heikki.riittinen@fin1401.icl.fi> Subject: RE:Packet-by-packet compression within IPSec Reply-To: heikki.riittinen@icl.fi In-Reply-To: Packet-by-packet compression within IPSec Message-Id: <9611250927.aa26@fin1401.icl.fi> To: ipsec@tis.com, rmonsour@earthlink.net Content-Type: text/plain; charset=US-ASCII Sender: owner-ipsec@ex.tis.com Precedence: bulk Bob Monsour: >MY PROPOSAL > >The essence of my proposal is to add simple, straightforward language >(provided below) to the ESP draft which allows compression to be performed >on a packet-by-packet basis (keeping *NO* history or state information >across packets). The use of compression would be negotiated as an security >association parameter along with the algorithm to be employed. The ESP >payload data would simply be either compressed or uncompressed and *NO* >additional fields (in the header *OR* in the payload) would be required to >support it. This is the simplest form of compression support. >Bob Monsour >rmonsour@earthlink.net I fully support the proposal. We have implemented a prototype of a proprietary "encryption" (stateless compression and standard encryption) that fulfills all the requirements set by the proposal. Heikki.Riittinen@teamw.com from Europe From owner-ipsec Mon Nov 25 10:06:21 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA11013 for ipsec-outgoing; Mon, 25 Nov 1996 10:02:53 -0500 (EST) Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce:;;;;@tis.com@tis.com;;; From: Internet-Drafts@ietf.org cc: ipsec@tis.com Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-mcdonald-simple-ipsec-api-00.txt Date: Mon, 25 Nov 1996 09:38:09 -0500 Message-ID: <9611250938.aa05672@ietf.org> Sender: owner-ipsec@ex.tis.com Precedence: bulk --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : A Simple IP Security API Extension to BSD Sockets Author(s) : D. McDonald Filename : draft-mcdonald-simple-ipsec-api-00.txt Pages : 9 Date : 11/22/1996 In order to take advantage of the IP Security Architecture [Atk95], an application should be able to tell the system what IP-layer security services it needs to function with some degree of confidence. A simple API that also allows simple security association policy to be set is presented here. This document descends from earlier work performed in the U. S. Naval Research Laboratory's IPv6 and IP security implementation [AMPMC96]. Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-mcdonald-simple-ipsec-api-00.txt". A URL for the Internet-Draft is: ftp://ds.internic.net/internet-drafts/draft-mcdonald-simple-ipsec-api-00.txt Internet-Drafts directories are located at: o Africa: ftp.is.co.za o Europe: nic.nordu.net ftp.nis.garr.it o Pacific Rim: munnari.oz.au o US East Coast: ds.internic.net o US West Coast: ftp.isi.edu Internet-Drafts are also available by mail. Send a message to: mailserv@ds.internic.net. In the body type: "FILE /internet-drafts/draft-mcdonald-simple-ipsec-api-00.txt". NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ds.internic.net" Content-Type: text/plain Content-ID: <19961122151515.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-mcdonald-simple-ipsec-api-00.txt --OtherAccess Content-Type: Message/External-body; name="draft-mcdonald-simple-ipsec-api-00.txt"; site="ds.internic.net"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <19961122151515.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec Mon Nov 25 15:38:13 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA11709 for ipsec-outgoing; Mon, 25 Nov 1996 15:35:58 -0500 (EST) Message-ID: <329A0357.15FB@mit.edu> Date: Mon, 25 Nov 1996 15:36:39 -0500 From: "Jeffrey I. Schiller" <jis@MIT.EDU> Organization: Massachusetts Institute of Technology X-Mailer: Mozilla 3.0 (X11; U; IRIX 5.2 IP22) MIME-Version: 1.0 To: ipsec@tis.com Subject: Documents Approved at last IESG Telechat Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ipsec@ex.tis.com Precedence: bulk >From the IESG (as yet unpublished) minutes. This is an *unofficial* announcement: o The IESG approved publication of HMAC-MD5 IP Authentication with Replay Prevention <draft-ietf-ipsec-ah-hmac-md5-04.txt> as a Proposed Standard. Steve to send announcement. o The IESG approved publication of HMAC-SHA IP Authentication with Replay Prevention <draft-ietf-ipsec-ah-hmac-sha-04.txt> as a Proposed Standard. Steve to send announcement. o The IESG approved the reclassification of RFC1828, IP Authentication using Keyed MD5, from Proposed Standard to Historic status. o The IESG approved publication of HMAC: Keyed-Hashing for Message Authentication <draft-ietf-ipsec-hmac-md5-01.txt> as an Informational RFC. Steve to send announcement. -Jeff From owner-ipsec Tue Nov 26 07:24:44 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id HAA12729 for ipsec-outgoing; Tue, 26 Nov 1996 07:18:40 -0500 (EST) Date: Mon, 25 Nov 96 18:59:16 EST From: "Whelan, Bill" <bwhelan@nei.com> Message-Id: <9610258489.AA848977264@netx.nei.com> To: ipsec@tis.com Subject: AH (without ESP) on a secure gateway Sender: owner-ipsec@ex.tis.com Precedence: bulk Last month there was a question regarding ESP and AH on a secure gateway as in the following model. secure (untrusted) secure hostA gatewayA---------------------------gatewayB hostB | | | | ---------- ----------- (trusted subnet) (trusted subnet) My question is whether AH on a secure gateway even makes sense at all if ESP is not being performed. Consider hostA sending a packet to hostB. If gatewayA places an AH on the packet, it would appear as if it was authenticated by hostA, not a good idea in my mind. How do other secure gateway implementations handle this situation? Bill Whelan From owner-ipsec Tue Nov 26 10:23:32 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA13855 for ipsec-outgoing; Tue, 26 Nov 1996 10:21:01 -0500 (EST) Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce:;;;;@tis.com@tis.com;;; cc: ipsec@tis.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ipsec-isakmp-06.txt, .ps Date: Tue, 26 Nov 1996 09:19:21 -0500 Message-ID: <9611260919.aa19100@ietf.org> Sender: owner-ipsec@ex.tis.com Precedence: bulk --NextPart A Revised Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Protocol Working Group of the IETF. Title : Internet Security Association and Key Management Protocol (ISAKMP) Author(s) : D. Maughan, M. Schertler, M. Schneider, J. Turner Filename : draft-ietf-ipsec-isakmp-06.txt, .ps Pages : 78 Date : 11/25/1996 This memo describes a protocol utilizing security concepts necessary for establishing Security Associations (SA) and cryptographic keys in an Internet environment. A Security Association protocol that negotiates, establishes, modifies and deletes Security Associations and their attributes is required for an evolving Internet, where there will be numerous security mechanisms and several options for each security mechanism. The key management protocol must be robust in order to handle public key generation for the Internet community at large and private key requirements for those private networks with that requirement. The Internet Security Association and Key Management Protocol (ISAKMP) defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation (e.g. denial of service and replay attacks). All of these are necessary to establish and maintain secure communications (via IP Security Service or any other security protocol) in an Internet environment. Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsec-isakmp-06.txt". Or "get draft-ietf-ipsec-isakmp-06.ps". A URL for the Internet-Draft is: ftp://ds.internic.net/internet-drafts/draft-ietf-ipsec-isakmp-06.txt Internet-Drafts directories are located at: o Africa: ftp.is.co.za o Europe: nic.nordu.net ftp.nis.garr.it o Pacific Rim: munnari.oz.au o US East Coast: ds.internic.net o US West Coast: ftp.isi.edu Internet-Drafts are also available by mail. Send a message to: mailserv@ds.internic.net. In the body type: "FILE /internet-drafts/draft-ietf-ipsec-isakmp-06.txt". Or "FILE /internet-drafts/draft-ietf-ipsec-isakmp-06.ps". NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ds.internic.net" Content-Type: text/plain Content-ID: <19961125101043.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ipsec-isakmp-06.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ipsec-isakmp-06.txt"; site="ds.internic.net"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <19961125101043.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec Tue Nov 26 10:28:38 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA13886 for ipsec-outgoing; Tue, 26 Nov 1996 10:28:30 -0500 (EST) Message-Id: <199611261528.KAA13886@portal.ex.tis.com> From: Greg Carter <carterg@entrust.com> To: "'ipsec@tis.com'" <ipsec@tis.com> Cc: "'isakmp-oakley@cisco.com'" <isakmp-oakley@cisco.com> Subject: PF_KEY Date: Tue, 26 Nov 1996 10:12:49 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24 Sender: owner-ipsec@ex.tis.com Precedence: bulk Hi All, Can anyone give me an idea of the exceptance of PF_KEY and the platforms it is/will be supported on. Thanks. ---- Greg Carter Nortel Secure Networks - Entrust carterg@entrust.com From owner-ipsec Tue Nov 26 11:11:22 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA14141 for ipsec-outgoing; Tue, 26 Nov 1996 11:11:02 -0500 (EST) Message-Id: <199611261611.LAA14141@portal.ex.tis.com> From: Greg Carter <carterg@entrust.com> To: "'ipsec@tis.com'" <ipsec@tis.com> Cc: "'isakmp-oakley@cisco.com'" <isakmp-oakley@cisco.com> Subject: sorry, spelling... Date: Tue, 26 Nov 1996 11:01:09 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24 Sender: owner-ipsec@ex.tis.com Precedence: bulk Obviously I can't spell and I should really reread before I hit send, I meant "acceptance" of PF_KEY. Bye. ---- Greg Carter Nortel Secure Networks - Entrust carterg@entrust.com From owner-ipsec Tue Nov 26 11:20:13 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA14229 for ipsec-outgoing; Tue, 26 Nov 1996 11:20:09 -0500 (EST) Message-Id: <96Nov26.112218est.30786-1@janus.border.com> To: ipsec@tis.com Subject: Re: I-D ACTION:draft-ipsec-ipsec-doi-01.txt References: <9611200956.aa14139@ietf.org> In-reply-to: Internet-Drafts's message of "Wed, 20 Nov 1996 09:56:50 -0500". <9611200956.aa14139@ietf.org> From: "C. Harald Koch" <chk@border.com> Organization: Secure Computing Canada Ltd. Phone: +1 416 368 7157 X-uri: <URL:http://www.eng.border.com/homes/chk/> X-Face: )@F:jK?*}hv!eJ}*r*0DD"k8x1.d#i>7`ETe2;hSD2T!:Fh#wu`0pW7lO|Dfe'AbyNy[\Pw z'.bAtgTM!+iq2$yXiv4gf<:D*rZ-|f$\YQi7"D"=CG!JB?[^_7v>8Mm;z:NJ7pss)l__Cw+.>xUJ) did@Pr9 Date: Tue, 26 Nov 1996 11:22:20 -0500 Sender: owner-ipsec@ex.tis.com Precedence: bulk Some quibbles regarding the IPsec DOI definitions, that I just tripped over while trying to define a text-based SA exchange format. Basically, if we're going to a) name and b) number protocol entities, we need to ensure that the list is both intelligible and complete. 4.4.3 IPSEC AH Transform Values Transform Value --------- ----- RESERVED 0 AH_1828 1 AH_HMAC_MD5_REPLAY 2 AH_MHAC_SHA_REPLAY 3 I object to the use of RFC numbers in the name of the transform; it's either meaningless or obscure, depending on who you ask. AH_MD5 would be better than AH_1828. The "AH_HMAC_MD5" transform is missing from the list. While this transform never became an RFC, it is in use by several vendors, and so needs an identifier for proper interoperability. (Yes, it's a proper subset of AH_HMAC_MD5_REPLAY, But to support historical implementations, I think it needs to be kept separate. I'm willing to negotiate on this one :-) 4.4.4 IPSEC ESP Transform Identifiers Transform ID Value ------------ ----- RESERVED 0 ESP_1829_TRANSPORT 1 ESP_1829_TUNNEL 2 ESP_DES_CBC_HMAC_REPLAY 3 Again, I object to the use of RFC numbers in the name; IMHO, these should be "ESP_DES_CBC_TRANSPORT" and "ESP_DES_CBC_TUNNEL". (And I though the "transport" v.s. "tunnel" distinction was an RFC 1827 thing; if so, shouldn't we be consistent here?) ESP_3DES_CBC is missing (RFC 1851). Again, there are vendors using this already; an ID and number are required for interoperability. </soapbox> :-) -- C. Harald Koch | Senior System Developer, Secure Computing Canada Ltd. chk@border.com | 20 Toronto Street, Suite 400, Toronto ON M5C 2B8 +1 416 368 7157 (voice) | "Madness takes its toll. Please have exact change." +1 416 368 7789 (fax) | -Karen Murphy <karenm@descartes.com> From owner-ipsec Tue Nov 26 12:56:36 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id MAA14512 for ipsec-outgoing; Tue, 26 Nov 1996 12:54:00 -0500 (EST) Date: Tue, 26 Nov 1996 11:24:51 -0600 (CST) From: Tom Markham <markham@sctc.com> Message-Id: <199611261724.LAA29519@jasmin.sctc.com> To: bwhelan@nei.com CC: ipsec@tis.com Subject: RE: AH (without ESP) on a secure gateway Sender: owner-ipsec@ex.tis.com Precedence: bulk Bill BW> Last month there was a question regarding ESP and AH on a secure gateway as in the following model. secure (untrusted) secure hostA gatewayA---------------------------gatewayB hostB | | | | ---------- ----------- (trusted subnet) (trusted subnet) BW> My question is whether AH on a secure gateway even makes sense at all if ESP is not being performed. Consider the case where one gateway is in a country like France which does not allow encryption. An organization could still use AH to authenticate that the source of the packets was another secure gateway belonging to the organization. BW> Consider hostA sending a packet to hostB. If gatewayA places an AH on the packet, it would appear as if it was authenticated by hostA, not a good idea in my mind. The receiving gateway/host knows (should know) that the AH keying material is held by Gateway A and not Host A. If the receiving gateway/host does not know which devices it shares keying material with, you have a key management problem. Tom Markham From owner-ipsec Tue Nov 26 13:01:17 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA14528 for ipsec-outgoing; Tue, 26 Nov 1996 13:01:00 -0500 (EST) Message-Id: <3.0.32.19961126100305.00987ae0@earthlink.net> X-Sender: rmonsour@earthlink.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 26 Nov 1996 10:03:12 -0800 To: Santeri Paavolainen <santtu@cs.hut.fi> From: Bob Monsour <rmonsour@earthlink.net> Subject: Re: Decoupling compression and security Cc: ipsec@tis.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ipsec@ex.tis.com Precedence: bulk At 10:34 AM 11/25/96 +0200, Santeri Paavolainen wrote: ... >If the compression was another IPSEC transformation there would be no >need for such a "bit" in the actual _security_ transformation >data. Have everybody forgotten that applying transformations on a >packet is still optional? If I want an option of not applying a packet >compression transformation I can just not apply it -- no need for any >information bits in the packet. As an example, > >there is two transformations defined, COMP for compression and CRYPT >for some crypto. If I get a acceptable compression ratio for a packet, >I leave the compression transformation on and pass the packet to the >rest of the transformation chain, finally giving a packet like > > CRYPT(COMP(packet)) > >OTOH, if the compression ratio is unacceptable, just leave the >compression layer off: > > CRYPT(packet) > >Because the receiver sees only SPIs of the various layers, it will >first decrypt and either get a regular (not compressed) packet, or a >compressed packet which will then have to be uncompressed to gain the >final packet. > >Of course, this would mean there is overhead of SPI vs. "bit", but I >think the generality is a clear plus. What if you later find out the >cryptographic transformation you have embedded the compression layer >is not secure? Also, there is no clear way how to interoperate between >different transformations which have the same compression engine (you >must remember that each transformation should be self-contained from >the coding point of view). ... This is more than just an issue of the overhead of an SPI vs. a "bit". Let me explain by way of example. Let's say that a security association has been set up for traffic traveling from a sender to a receiver. Thus the SPI for traffic in that direction is specified. Let's also say that the SPI specifies the use of a particular set of compression, encryption and authentication algorithms. Then, let's say that the sender wants to send a datagram to the receiver. Suppose the data expands. The sender would then want to send the original uncompressed form of the data. Under our proposal, all the sender would have to do is to change a bit at the start of the payload. Under what you propose, the SPI is no longer valid since the reciever will erroneously attempt to decompress raw data. Your method would thus require that a new SPI be used which would likely require some renegotiation between the sender and receiver as to which algorithms and modes are to be used for the connection. Bob Monsour rmonsour@earthlink.net From owner-ipsec Tue Nov 26 14:29:18 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA14778 for ipsec-outgoing; Tue, 26 Nov 1996 14:28:06 -0500 (EST) Message-Id: <199611261929.OAA01715@thunk.orchard.medford.ma.us> X-Authentication-Warning: thunk.orchard.medford.ma.us: sommerfeld owned process doing -bs To: "Whelan, Bill" <bwhelan@nei.com> Cc: ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway In-Reply-To: bwhelan's message of Mon, 25 Nov 1996 18:59:16 -0500. <9610258489.AA848977264@netx.nei.com> Date: Tue, 26 Nov 1996 14:28:31 -0500 From: Bill Sommerfeld <sommerfeld@apollo.hp.com> Sender: owner-ipsec@ex.tis.com Precedence: bulk > My question is whether AH on a secure gateway even makes sense at all > if ESP is not being performed. > > Consider hostA sending a packet to hostB. If gatewayA places an AH on > the packet, it would appear as if it was authenticated by hostA, not a > good idea in my mind. If a router places an AH on the packet, it must do so using an outbound SPI to some other host/router. The corresponding inbound SPI on that host should specify that the sender is a gateway, not a host. The "policy engines" on each end need to be sophisticated enough to deal with things like this. In particular, if ip-address based access controls are in use, then the policy engine should probably do consistency checks between the SPI and the source address.. - Bill From owner-ipsec Tue Nov 26 15:27:52 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA15076 for ipsec-outgoing; Tue, 26 Nov 1996 15:27:03 -0500 (EST) To: IETF-Announce:;;;;@tis.com@tis.com;;; Cc: RFC Editor <rfc-editor@isi.edu> Cc: Internet Architecture Board <iab@isi.edu> Cc: ipsec@tis.com From: The IESG <iesg-secretary@ietf.org> Subject: Protocol Action: HMAC-MD5 IP Authentication with Replay Prevention to Proposed Standard Date: Tue, 26 Nov 1996 13:09:54 -0500 Message-ID: <9611261309.aa11679@ietf.org> Sender: owner-ipsec@ex.tis.com Precedence: bulk The IESG has approved the Internet-Drafts 1. HMAC-MD5 IP Authentication with Replay Prevention <draft-ietf-ipsec-ah-hmac-md5-04.txt> and 2. HMAC-SHA IP Authentication with Replay Prevention <draft-ietf-ipsec-ah-hmac-sha-04.txt> as Proposed Standards. The IESG also approved the reclassification of RFC1828, IP Authentication using Keyed MD5, from Proposed Standard to Historic. These documents are the product of the IP Security Protocol Working Group. The IESG contact person is Jeffrey Schiller. Technical Summary These documents describe two similar Keyed Hashes (one based on MD5 and the other based on SHA) for use in IP Security's Authentication Header (both IPv4 and IPv6). Hashes such as MD5 and SHA were designed to be used as "keyless" hashes which can be used in digital signature systems such as the RSA system and the U.S. Digital Signature Standard (DSS). An obvious approach to using them as "keyed" hashes has involved either prepending the data to be hashed with a secret value (key) or appending the secret value after the data to be hashed (or both). However recently significant analysis work has been carried out by cryptographers as to security of keyed modes of these hashes. The keyed hash mechanism described in these documents benefits from this analytical experience and is therefore believed to be much stronger than the simplistic approaches taken to date in the Internet community (both in AH and SNMP). Working Group Summary These documents are the work product of the IP Security Working Group. The group has come to consensus that these hashes are good approaches to the keyed hash function required by the Authentication Header. Protocol Quality This protocol has been reviewed by Jeffrey I. Schiller, Security Area Director. From owner-ipsec Tue Nov 26 16:35:03 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA15139 for ipsec-outgoing; Tue, 26 Nov 1996 16:31:38 -0500 (EST) Message-Id: <9611262133.AA20640@hpcc103.corp.hp.com> To: Tom Markham <markham@sctc.com> Cc: ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway In-Reply-To: Your message of Tue, 26 Nov 1996 11:24:51 -0600. <199611261724.LAA29519@jasmin.sctc.com> Date: Tue, 26 Nov 1996 13:33:49 -0800 From: "\"\"Yan-Fa LI <yanfali@corp.hp.com>\"\"" <yanfali@hpcc103.corp.hp.com> Sender: owner-ipsec@ex.tis.com Precedence: bulk Hi Bill and Tom, > > Bill > > BW> Last month there was a question regarding ESP and AH on a secure > gateway as in the following model. > > > secure (untrusted) secure > hostA gatewayA---------------------------gatewayB hostB > | | | | > ---------- ----------- > (trusted subnet) (trusted subnet) > > > BW> My question is whether AH on a secure gateway even makes sense at all > if ESP is not being performed. > > > Consider the case where one gateway is in a country like France which > does not allow encryption. An organization could still use AH to > authenticate that the source of the packets was another secure gateway > belonging to the organization. This is exactly what I would like AH only support for. It would give us the extra capabilities of Anti-Spoofing and Integrity checking which would be a big win over today's infrastructure. There are some instances where privacy is not a big deal, or where export/import usage restrictions forbid the use of strong cryptography. > > BW> Consider hostA sending a packet to hostB. If gatewayA places an AH on > the packet, it would appear as if it was authenticated by hostA, not a > good idea in my mind. > > The receiving gateway/host knows (should know) that the AH keying material > is held by Gateway A and not Host A. If the receiving gateway/host > does not know which devices it shares keying material with, you have a > key management problem. > > Tom Markham I don't believe this is the case in some of the gateway products which are available today. Some of the gateway products transparently proxy for hosts in the trusted network. This is the fundamental weak spot in gateway solutions. They assume: - your trusted network is secure - you do not have users spoofing the addresses of other users within the trusted network. The strength of this approach is you can support legacy devices without making any changes to them. Gateways are a compromise between security and medium-term implementation realities. Does anyone know if there are specific set up messages in the ISAKMP-OAKLEY protocol to identify which architectural case a pair of communicating peers is in ? i.e. Host-to-Host, Host-to-Gateway, and Gateway-to-Gateway. For example, if one knew the conversation was between two gateways, one could accept the risks of this architectural model and just negotiate a pair of SAs for the communication with all traffic between the networks being multiplexed over a single TCP/IP connection. Much more efficient for the gateways. However if we do this are we making it easier for an attacker to perform cryptanalysis on our connection ? If you implement the reverse situation, where a new SA pair is negotiated for every IP pair that attempts communication between the networks, this could quickly bog down the gateways while they authenticate public keys exchanges, context switch between secret session keys and encrypt and decrypt packets. One could argue that this will happen anyway in the Host-to-Gateway scenario, and one needs to engineer for this case, so why not make it the general one ? Right now, with gateway solutions, I think that Host-to-Host is how they operated. I would interested in finding out if there is a way to identify which model is in use. Also, if I have made any gross conceptual mistakes in this text, I would appreciate being helped to understand why. Thanks for your time. Sincerely, Yan ___________________________________________________________________ My views do not necessarily represent those of the Hewlett Packard Company and should be taken with a large dose of salt or whatever passes for sodium in your neck of the woods/universe/continuum/etc... ___________________________________________________________________ From owner-ipsec Tue Nov 26 16:53:00 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA15168 for ipsec-outgoing; Tue, 26 Nov 1996 16:51:34 -0500 (EST) Date: Tue, 26 Nov 96 13:44:00 PST From: John H Wilson <John_H_Wilson@ccm.jf.intel.com> Message-ID: <Tue, 26 Nov 96 13:53:21 PST_2@ccm.hf.intel.com> To: ipsec@tis.com Subject: ipsec implementations Sender: owner-ipsec@ex.tis.com Precedence: bulk I would like to get an idea of what Win95 or NT implementations of IPSEC are either planned or are available already..... ......Company, availability date, content, API, If any implementers would be willing to provide this type of information, I'd apreciate it. john_h_wilson@ccm.jf.intel.com From owner-ipsec Tue Nov 26 17:29:50 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id RAA15215 for ipsec-outgoing; Tue, 26 Nov 1996 17:28:04 -0500 (EST) Date: Tue, 26 Nov 1996 17:30:19 -0500 (EST) Message-Id: <199611262230.RAA27739@carp.morningstar.com> From: Ben Rogers <ben@morningstar.com> To: Bill Sommerfeld <sommerfeld@apollo.hp.com> Cc: "Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway In-Reply-To: <199611261929.OAA01715@thunk.orchard.medford.ma.us> References: <9610258489.AA848977264@netx.nei.com> <199611261929.OAA01715@thunk.orchard.medford.ma.us> Reply-To: ben@ascend.com (Ben Rogers) Sender: owner-ipsec@ex.tis.com Precedence: bulk Bill Sommerfeld writes: > > My question is whether AH on a secure gateway even makes sense at all > > if ESP is not being performed. > > > > Consider hostA sending a packet to hostB. If gatewayA places an AH on > > the packet, it would appear as if it was authenticated by hostA, not a > > good idea in my mind. > It seems to me that gatewayA should never try to place an AH, nor do an ESP encapsulation on the packet using transport mode (assuming that gatewayA did not originate the packet). A gateway that put IPSEC headers on packets in transport mode would not only cause confusing problems like this, but would have severe problems dealing with fragmented packets. > The "policy engines" on each end need to be sophisticated enough to > deal with things like this. In particular, if ip-address based access > controls are in use, then the policy engine should probably do > consistency checks between the SPI and the source address.. Why? I believe the RFC states that the Security Association(SA) is chosen using only the destination address and the SPI. It doesn't seem to be illegal for several hosts to send us packets using the same Security Association (SPI). It makes sense to only check the headers on packets that are destined for the local machine. Otherwise, we would be intercepting (and probably modifying) packets not destined to that machine, and violating many of the ideas that make IP work. Thus, I don't see any reason that a gateway could use transport mode to tack on an AH to a packet from hostA to hostB. To address the original question, using the following scenario: > secure (untrusted) secure > hostA gatewayA---------------------------gatewayB hostB > | | | | > ---------- ----------- > (trusted subnet) (trusted subnet) the packets should look like (on the untrusted segment) hostA -> hostB : IP_HEADER(gateA->gateB) AH(gateA->gateB) IP_HEADER(hostA->gateB) AH(hostA->gateB) IP_HEADER(hostA->hostB) PACKET hostA -> gateB : IP_HEADER(gateA->gateB) AH(gateA->gateB) IP_HEADER(hostA->gateB) AH(hostA->gateB) PACKET or IP_HEADER(gateA->gateB) AH(gateA->gateB) IP_HEADER(hostA->gateB) AH(hostA->gateB) IP_HEADER(hostA->gateB) PACKET gateA -> gateB : IP_HEADER(gateA->gateB) AH(gateA->gateB) PACKET or IP_HEADER(gateA->gateB) AH(gateA->gateB) IP_HEADER(gateA->gateB) PACKET gateA -> hostB IP_HEADER(gateA->gateB) AH(gateA->gateB) IP_HEADER(gateA->hostB) PACKET to avoid any ambiguity. Note that this never allows AH, AH and assumes that no machine will attempt to de-encapsulate a packet whose destination address is not assigned to that machine. As a result, none of the machines ever has to make any complicated policy decisions (on whether to look at the AH, or how to handle the assignment of SPI's). I feel that this is the best way to handle all such multiple encapsulations. ben From owner-ipsec Tue Nov 26 18:02:29 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA15279 for ipsec-outgoing; Tue, 26 Nov 1996 18:00:36 -0500 (EST) Message-Id: <199611262302.SAA01876@thunk.orchard.medford.ma.us> X-Authentication-Warning: thunk.orchard.medford.ma.us: sommerfeld owned process doing -bs To: ben@ascend.com (Ben Rogers) Cc: "Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway In-Reply-To: ben's message of Tue, 26 Nov 1996 17:30:19 -0500. <199611262230.RAA27739@carp.morningstar.com> Date: Tue, 26 Nov 1996 18:02:47 -0500 From: Bill Sommerfeld <sommerfeld@apollo.hp.com> Sender: owner-ipsec@ex.tis.com Precedence: bulk > > The "policy engines" on each end need to be sophisticated enough to > > deal with things like this. In particular, if ip-address based access > > controls are in use, then the policy engine should probably do > > consistency checks between the SPI and the source address.. > > Why? I believe the RFC states that the Security Association(SA) is > chosen using only the destination address and the SPI. It doesn't seem > to be illegal for several hosts to send us packets using the same > Security Association (SPI). All things which aren't illegal aren't necessarily also good ideas. > It makes sense to only check the headers on packets that are destined > for the local machine. Otherwise, we would be intercepting (and > probably modifying) packets not destined to that machine, and violating > many of the ideas that make IP work. Thus, I don't see any reason that > a gateway could use transport mode to tack on an AH to a packet from > hostA to hostB. Let's consider the case where you're attempting to add AH/ESP protection to an existing network which *currently uses IP-address based access controls*. Naturally, you don't want to create security holes while doing this. Let's assume you have a network of cooperating but mutually suspicious organizations, like the auto industry net which Bob Moskowitz is building. For simplicity, let's assume orgs A, B, and C, connected in a "full mesh" of leased lines (A-B, A-C, and B-C). Assume filtering routers on each leased line, so that C can't impersonate B when communicating with A. We now want to migrate to IPSEC without causing a flag day. Let's start by replacing the leased line between C and A with a tunnel over an untrusted network protected with AH or ESP. What stops C from tunnelling a packet to A with a source address on B's network? You need a policy check that the packet emerging from the tunnel is from a source address which is allowed to use that particular tunnel.. For a particularly extreme example, assume that A and B are divisions of the same company, and that C is a division of a different company which is simultaneously a supplier and a competitor of the first company. - Bill From owner-ipsec Tue Nov 26 18:19:11 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA15305 for ipsec-outgoing; Tue, 26 Nov 1996 18:19:05 -0500 (EST) Date: Tue, 26 Nov 1996 18:19:34 -0500 (EST) Message-Id: <199611262319.SAA27893@carp.morningstar.com> From: Ben Rogers <ben@morningstar.com> To: Bill Sommerfeld <sommerfeld@apollo.hp.com> Cc: ben@ascend.com (Ben Rogers), "Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway In-Reply-To: <199611262302.SAA01876@thunk.orchard.medford.ma.us> References: <199611262230.RAA27739@carp.morningstar.com> <199611262302.SAA01876@thunk.orchard.medford.ma.us> Reply-To: ben@ascend.com (Ben Rogers) Sender: owner-ipsec@ex.tis.com Precedence: bulk Bill Sommerfeld writes: > > Why? I believe the RFC states that the Security Association(SA) is > > chosen using only the destination address and the SPI. It doesn't seem > > to be illegal for several hosts to send us packets using the same > > Security Association (SPI). > > All things which aren't illegal aren't necessarily also good ideas. Well... It seems to me that it might be a good idea to allow IPSEC to be used over multicast packets. Then, your destination address (that of the multicast group) would be constant, but there would be many source addresses. You would need to use an AH, but that should be sufficient to verify the sender. I don't see what security a check on source address of authenticated packets adds. Of course this all changes if you are talking about the packet after it has been extracted from the tunnel. > Let's consider the case where you're attempting to add AH/ESP > protection to an existing network which *currently uses IP-address > based access controls*. Naturally, you don't want to create security > holes while doing this. > > Let's assume you have a network of cooperating but mutually suspicious > organizations, like the auto industry net which Bob Moskowitz is > building. > > For simplicity, let's assume orgs A, B, and C, connected in a "full > mesh" of leased lines (A-B, A-C, and B-C). Assume filtering routers > on each leased line, so that C can't impersonate B when communicating > with A. We now want to migrate to IPSEC without causing a flag day. > > Let's start by replacing the leased line between C and A with a tunnel > over an untrusted network protected with AH or ESP. > > What stops C from tunnelling a packet to A with a source address on > B's network? You need a policy check that the packet emerging from > the tunnel is from a source address which is allowed to use that > particular tunnel.. Unfortunately, I misinterpreted this the first time it came around. I'll diagram several "packets" to illustrate : original packet : IP_HEADER(gateC->gateA) AH(gateC->gateA) IP_HEADER(hostB->hostA) PACKET de-encapsulated packet : IP_HEADER(hostB->hostA) PACKET There are no checks that we want to do on the original packet. I was assuming that you wanted to check the source address on the original packet, which is made immaterial by checking the AH. The policy decision you are talking about is on the source address of the de-encapsulated packet, which I agree is necessary. In most cases it wouldn't be necessary because you share the tunnel with a *trusted* gateway. But in this case, there is certainly need for additional machinery to do the policy work. ben From owner-ipsec Tue Nov 26 18:28:40 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA15319 for ipsec-outgoing; Tue, 26 Nov 1996 18:28:36 -0500 (EST) Date: Tue, 26 Nov 1996 15:29:12 -0800 Message-Id: <199611262329.PAA21941@spud.ascend.com> From: Karl Fox <karl@ascend.com> To: Bill Sommerfeld <sommerfeld@apollo.hp.com> Cc: ben@ascend.com (Ben Rogers), "Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway In-Reply-To: <199611262302.SAA01876@thunk.orchard.medford.ma.us> References: <199611262230.RAA27739@carp.morningstar.com> <199611262302.SAA01876@thunk.orchard.medford.ma.us> Reply-To: Karl Fox <karl@ascend.com> Organization: Ascend Communications Sender: owner-ipsec@ex.tis.com Precedence: bulk Bill Sommerfeld writes: > For simplicity, let's assume orgs A, B, and C, connected in a "full > mesh" of leased lines (A-B, A-C, and B-C). Assume filtering routers > on each leased line, so that C can't impersonate B when communicating > with A. We now want to migrate to IPSEC without causing a flag day. > > Let's start by replacing the leased line between C and A with a tunnel > over an untrusted network protected with AH or ESP. > > What stops C from tunnelling a packet to A with a source address on > B's network? You need a policy check that the packet emerging from > the tunnel is from a source address which is allowed to use that > particular tunnel.. Yes, that's indeed what we do. Any encrypting gateway that didn't would have a huge hole in it. I assume we're not alone in anticipating this. -- Karl Fox, servant of God, employee of Ascend Communications 3518 Riverside Drive, Suite 101, Columbus, Ohio 43221 +1 614 326 6841 From owner-ipsec Tue Nov 26 19:11:04 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA15395 for ipsec-outgoing; Tue, 26 Nov 1996 19:10:35 -0500 (EST) Message-Id: <96Nov26.191251est.30786-1@janus.border.com> To: ben@ascend.com (Ben Rogers) cc: Bill Sommerfeld <sommerfeld@apollo.hp.com>, "Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway References: <9610258489.AA848977264@netx.nei.com> <199611261929.OAA01715@thunk.orchard.medford.ma.us> <199611262230.RAA27739@carp.morningstar.com> In-reply-to: ben's message of "Tue, 26 Nov 1996 17:30:19 -0500". <199611262230.RAA27739@carp.morningstar.com> From: "C. Harald Koch" <chk@border.com> Organization: Secure Computing Canada Ltd. Phone: +1 416 368 7157 X-uri: <URL:http://www.eng.border.com/homes/chk/> X-Face: )@F:jK?*}hv!eJ}*r*0DD"k8x1.d#i>7`ETe2;hSD2T!:Fh#wu`0pW7lO|Dfe'AbyNy[\Pw z'.bAtgTM!+iq2$yXiv4gf<:D*rZ-|f$\YQi7"D"=CG!JB?[^_7v>8Mm;z:NJ7pss)l__Cw+.>xUJ) did@Pr9 Date: Tue, 26 Nov 1996 19:12:50 -0500 Sender: owner-ipsec@ex.tis.com Precedence: bulk In message <199611262230.RAA27739@carp.morningstar.com>, Ben Rogers writes: > > It seems to me that gatewayA should never try to place an AH, nor do an > ESP encapsulation on the packet using transport mode (assuming that > gatewayA did not originate the packet). A gateway that put IPSEC > headers on packets in transport mode would not only cause confusing > problems like this, but would have severe problems dealing with > fragmented packets. and > It makes sense to only check the headers on packets that are destined > for the local machine. Otherwise, we would be intercepting (and > probably modifying) packets not destined to that machine, and violating > many of the ideas that make IP work. Thus, I don't see any reason that > a gateway could use transport mode to tack on an AH to a packet from > hostA to hostB. I disagree. The counter example: firewalls (or John Gilmore's "cryptowalls"). I see an incredible advantage for firewalls to add IPsec information to packets, acting as proxies for the machines they're protecting. Keeps all your Security Association information in one place, where it can be easily configured and monitored. People aren't going to start ripping out their firewalls just because they have IPsec support on their hosts; firewalls allow much more security control than IPsec does. (Analogy: you don't unlock the front door just because everyone can lock their own filing cabinets). You also write: > Why? I believe the RFC states that the Security Association(SA) is > chosen using only the destination address and the SPI. It doesn't seem > to be illegal for several hosts to send us packets using the same > Security Association (SPI). A security association is *indexed* by destination address and SPI. However, It can include information about the source, including strong authentication checks, and instructions to reject packets from an invalid IP address. It's not illegal for several hosts to using the same SPI, but it's also not secure (it would allow all hosts with the same keying information to spoof each other, for example). I think it's much more likely that a host would enforce the use of different SPIs (and different keys) for each different source host. -- C. Harald Koch | Senior System Developer, Secure Computing Canada Ltd. chk@border.com | 20 Toronto Street, Suite 400, Toronto ON M5C 2B8 +1 416 368 7157 (voice) | "Madness takes its toll. Please have exact change." +1 416 368 7789 (fax) | -Karen Murphy <karenm@descartes.com> From owner-ipsec Tue Nov 26 20:45:13 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id UAA15500 for ipsec-outgoing; Tue, 26 Nov 1996 20:43:37 -0500 (EST) Message-Id: <199611270145.UAA06847@amaterasu.sandelman.ottawa.on.ca> To: ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway In-reply-to: Your message of "Tue, 26 Nov 1996 18:02:47 EST." <199611262302.SAA01876@thunk.orchard.medford.ma.us> Date: Tue, 26 Nov 1996 20:44:51 -0500 From: Michael Richardson <mcr@sandelman.ottawa.on.ca> Sender: owner-ipsec@ex.tis.com Precedence: bulk >>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes: Bill> Let's consider the case where you're attempting to add Bill> AH/ESP protection to an existing network which *currently Bill> uses IP-address based access controls*. Naturally, you Bill> don't want to create security holes while doing this. Bill> Let's assume you have a network of cooperating but mutually Bill> suspicious organizations, like the auto industry net which Bill> Bob Moskowitz is building. Let's not forget that Bob's problem is more complicated that you actually describe :-) [Bob said he was going to write a requirements document up in June. Did anyone see this from him?] But it is a good problem. Bill> What stops C from tunnelling a packet to A with a source Bill> address on B's network? You need a policy check that the Bill> packet emerging from the tunnel is from a source address Bill> which is allowed to use that particular tunnel.. The way I like to do this is to consider all tunnels to be virtual interfaces. You can make add routes, etc.. Alas, I still haven't had a chance to investigate how close that aspect (the "route add -net x.y tunnel q.r") of the NRL code is to this assumption. IP spoof checks (which you say are already in place) can handle this case without a problem. Good IP spoof checks are essentially: 1. if1 = calculate route to take to reach ip->ip_src if we had to reply. 2. if interface we received ip on == if1, then okay, otherwise it is a spoof. These checks would have to be done anyway for the leased line case for your assumption (C can not impersonate A to B) to be true. :!mcr!: | Network security consulting and Michael Richardson | contract programming WWW: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available. From owner-ipsec Tue Nov 26 20:46:39 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id UAA15516 for ipsec-outgoing; Tue, 26 Nov 1996 20:46:36 -0500 (EST) Message-Id: <199611270148.UAA07307@amaterasu.sandelman.ottawa.on.ca> To: ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway In-reply-to: Your message of "Tue, 26 Nov 1996 18:02:47 EST." <199611262302.SAA01876@thunk.orchard.medford.ma.us> Date: Tue, 26 Nov 1996 20:48:27 -0500 From: Michael Richardson <mcr@sandelman.ottawa.on.ca> Sender: owner-ipsec@ex.tis.com Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- >>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes: Bill> Let's consider the case where you're attempting to add Bill> AH/ESP protection to an existing network which *currently Bill> uses IP-address based access controls*. Naturally, you Bill> don't want to create security holes while doing this. Bill> Let's assume you have a network of cooperating but mutually Bill> suspicious organizations, like the auto industry net which Bill> Bob Moskowitz is building. Let's not forget that Bob's problem is more complicated that you actually describe :-) [Bob said he was going to write a requirements document up in June. Did anyone see this from him?] But it is a good problem. Bill> What stops C from tunnelling a packet to A with a source Bill> address on B's network? You need a policy check that the Bill> packet emerging from the tunnel is from a source address Bill> which is allowed to use that particular tunnel.. The way I like to do this is to consider all tunnels to be virtual interfaces. You can make add routes, etc.. Alas, I still haven't had a chance to investigate how close that aspect (the "route add -net x.y tunnel q.r") of the NRL code is to this assumption. IP spoof checks (which you say are already in place) can handle this case without a problem. Good IP spoof checks are essentially: 1. if1 = calculate route to take to reach ip->ip_src if we had to reply. 2. if interface we received ip on == if1, then okay, otherwise it is a spoof. These checks would have to be done anyway for the leased line case for your assumption (C can not impersonate A to B) to be true. :!mcr!: | Network security consulting and Michael Richardson | contract programming WWW: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQBVAwUBMpudONTTll4efmtZAQHP2wIAlMI3CxpmJQAJJjGO6L7M3HhsLgudhr3L i8x4jUusxwi52NOKYvOlANCxknTLrLtxuV6N58UFFBl29v7Z9btUCQ== =bQB3 -----END PGP SIGNATURE----- From owner-ipsec Tue Nov 26 21:35:52 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id VAA15576 for ipsec-outgoing; Tue, 26 Nov 1996 21:35:20 -0500 (EST) Message-Id: <9611270235.AA11031@sol.hq.tis.com> To: cat-ietf@MIT.EDU, e-payment@bellcore.com, firewalls@greatcircle.com, ids@uow.edu.au, ietf-otp@bellcore.com, ietf-pkix@tandem.com, ietf-tls@w3.org, ietf@cnri.reston.va.us, ipsec@ans.net, pem-dev@tis.com, psrg@isi.edu, sndss-authors@isi.edu, sndss-chairs@tis.com, spki@c2.net, virus-l@lehigh.edu, www-buyinfo@allegra.att.com, www-security@ns2.rutgers.edu Subject: ANNOUNCEMENT: ISOC 1997 SYMPOSIUM NETWORK & DISTRIBUTED SYSTEM SECURITY Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Id: <11027.849062106.1@tis.com> Date: Tue, 26 Nov 1996 21:35:11 -0500 From: "David M. Balenson" <balenson@tis.com> Sender: owner-ipsec@ex.tis.com Precedence: bulk --------------------------------------------------------------------------- THE INTERNET SOCIETY 1997 SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY (NDSS '97) 10-11 FEBRUARY 1997 SAN DIEGO PRINCESS RESORT, SAN DIEGO, CALIFORNIA This fourth annual symposium will bring together researchers, implementors, and users of network and distributed system security technologies to discuss today's important security issues and challenges. It will provide a mix of technical papers and panel presentations that describe promising new approaches to security problems that are practical, and to the extent possible, have been implemented. We hope to foster the exchange of technical information and encourage the Internet community to deploy available security technologies and develop new solutions to unsolved problems. WHY YOU SHOULD ATTEND The use of the Internet is rapidly growing and expanding into all aspects of our society. Commercial organizations are coming under increasing pressure to make their services available on-line. This in turn is increasing the need for rapid and widespread deployment of usable and effective network and distributed system security technologies. High visibility attacks on the Internet underscore the vulnerabilities of the Internet and the need to solve its security problems. There is growing concern for securing the network infrastructure itself. Recent trends in software distribution (such as Java and ActiveX technologies) have made certain attacks easier to carry out. Privacy has become an important issue for the Internet. NDSS '97 will bring together researchers, implementors, and users of network and distributed system technologies to discuss today's important security issues and challenges. We have selected the technical papers and panel presentations that describe promising new approaches to security problems that are practical, and to the extent possible, have been implemented. Topics to be addressed include Internet infrastructure and routing security, security for the World Wide Web, Java and ActiveX security, cryptographic protocols, public key management, and protection of privacy. The symposium will have a positive impact on the state of Internet security. You will have the opportunity to actively participate in the dialog. Ask questions of the speakers, raise your important issues during the panel sessions, and let other participants know of your requirements, observations, and experience in this important area. We hope to encourage the wide-scale deployment of security technologies and to promote new research that can address the currently unmet security needs of the Internet community. CONTENTS Preliminary Program Organizing Committee San Diego Princess Resort Registration Information Registration Form --------------------------------------------------------------------------- P R E L I M I N A R Y P R O G R A M SUNDAY, FEBRUARY 9 6:00 P.M. - 8:00 P.M. RECEPTION - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - MONDAY, FEBRUARY 10 7:30 A.M. CONTINENTAL BREAKFAST 8:30 A.M. OPENING REMARKS 9:00 A.M. SESSION 1: THINGS THAT GO BUMP IN THE NET Chair: Stephen T. Kent (BBN Corporation, USA) Experimental Results of Covert Channel Elimination in One-Way Communication Systems, Nick Ogurtsov, Hilarie Orman, Richard Schroeppel, Sean O'Malley, and Oliver Spatscheck (University of Arizona, USA) Blocking Java Applets at the Firewall, David M. Martin Jr., Sivaramakrishnan Rajagopalan and Aviel D. Rubin (Bellcore, USA) Continuous Assessment of a Unix Configuration: Integrating Intrusion Detection & Configuration Analysis, Abdelaziz Mounji and Baudouin Le Charlier (Institut D'Informatique, Namur, BELGIUM) 10:30 A.M. BREAK 11:00 A.M. SESSION 2: PANEL: SECURITY OF DOWNLOADABLE EXECUTABLE CONTENT Chair: Aviel Rubin (Bellcore, USA) 12:30 NOON LUNCH 2:00 P.M. SESSION 3: PROTOCOL IMPLEMENTATION AND ANALYSIS Chair: Christoph Schuba (Purdue University, USA) An Interface Specification Language for Automatically Analyzing Cryptographic Protocols, Stephen H. Brackin (Arca Systems, USA) Probable Plaintext Cryptanalysis of the IP Security Protocols, Steven M. Bellovin (AT&T Research, USA) Misplaced Trust: Kerberos Version 4 Session Keys, Bryn Dole (Sun Microsystems), Steve Lodin (Delco Electronics), and Eugene Spafford (Purdue University, USA) 3:30 P.M. BREAK 4:00 P.M. SESSION 4: PANEL: SECURITY OF THE INTERNET INFRASTRUCTURE Chair: Russ Mundy (Trusted Information Systems, USA) 7:00 P.M. DINNER BANQUET - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - TUESDAY, FEBRUARY 11 7:30 A.M. CONTINENTAL BREAKFAST 8:30 A.M. SESSION 5: ROUTING SECURITY Chair: Hilarie Orman (DARPA, USA) Securing the Nimrod Routing Architecture, Karen E. Sirois and Stephen T. Kent (BBN Corporation, USA) Securing Distance-Vector Routing Protocols, Bradley R. Smith, Shree Murthy and J.J. Garcia-Luna-Aceves (University of California Santa Cruz, USA) Reducing the Cost of Security in Link-State Routing, R. Hauser, A. Przygienda and G. Tsudik (IBM and USC/ISI, USA) 10:00 A.M. BREAK 10:30 A.M. SESSION 6: SECURITY FOR THE WORLD WIDE WEB Chair: Win Treese (OpenMarket, USA) Securing Web Access with DCE, Brian C. Schimpf (Gradient Technologies, USA) PANEL: SECURITY FOR THE WORLD WIDE WEB Chair: Win Treese (OpenMarket, USA) 12:00 A.M. LUNCH 1:30 P.M. SESSION 7: PUBLIC KEY MANAGEMENT Chair: Jonathan Trostle (CyberSafe, USA) Hierarchical Organization of Certification Authorities for Secure Environments, Lourdes Lopez (Universidad Politecnica de Madrid, SPAIN) Trust Models in ICE-TEL, Andrew Young and Nada Kapidzic Cicovic (Univeristy of Salford, UNITED KINGDOM) Distributed Authentication in Kerberos Using Public Key Cryptography, Marvin Sirbu and John Chung-I Chuang (Carnegie Mellon University, USA) 3:00 P.M. BREAK 3:30 P.M. SESSION 8: PANEL: WEB PRIVACY AND ANONYMITY Chair: (To Be Determined) --------------------------------------------------------------------------- O R G A N I Z I N G C O M M I T T E E GENERAL CHAIR David Balenson, Trusted Information Systems PROGRAM CHAIRS Clifford Neuman, USC Information Sciences Institute Matt Bishop, University of California at Davis PROGRAM COMMITTEE Steve Bellovin, AT&T Research Tom Berson, Anagram Laboratories Doug Engert, Argonne National Laboratory Warwick Ford, Verisign Richard Graveman, Bellcore Li Gong, JavaSoft Burt Kaliski, RSA Laboratories Steve Kent, BBN Corporation Tom Longstaff, CERT Doug Maughan, National Security Agency Dan Nessett, 3Com Corporation Hilarie Orman, DARPA/ITO Michael Roe, University of Cambridge Christoph Schuba, Purdue University Jonathan Trostle, CyberSafe Theodore Ts'o, Massachusetts Institute of Technology Doug Tygar, Carnegie Mellon University Vijay Varadharajan, University of W. Sydney Roberto Zamparo, Telia Research PUBLICATIONS CHAIR Steve Welke, Institute for Defense Analyses LOCAL ARRANGEMENTS CHAIR Thomas Hutton, San Diego Supercomputer Center REGISTRATIONS CHAIR Torryn Brazell, Internet Society STEERING GROUP Internet Research Task Force, Privacy and Security Research Group SPONSORED BY THE INTERNET SOCIETY Donald M. Heath, President & CEO Martin Burack, Executive Director --------------------------------------------------------------------------- S A N D I E G O P R I N C E S S R E S O R T LOCATION The Symposium venue is the San Diego Princess Resort, a tropical paradise on a forty-four acre island in Mission Bay, ten minutes from the international airport. Lush gardens landscaped with hundreds of species of tropical and subtropical plants are always ablaze with color and perfect for themed group events. Charming pathways wander among sparkling waterfalls, across quaint footbridges and sleepy lagoons filled with water lilies and waterfowl. A white sand beach curves around the island for over a mile, and the award-winning grounds encompass five swimming pools and six lighted tennis courts. Spouses and family members can catch a convenient Harbor Hopper for a quick trip to Sea World. Plan to visit La Jolla, the world famous San Diego Zoo or Mexico, only 30 minutes by car or Trolley. HOUSING INFORMATION We have reserved a special block of sleeping rooms at the San Diego Princess Resort at the following rates: Lanai Patio Rooms $ 81* Lanai Garden Rooms $114 * This represents the Government Rate for San Diego. A limited number of rooms are available at this rate. Reservations must be made no later than January 13, 1997. You must present a valid government id upon check-in. Based on room type and space availability, the special group rates are applicable two days prior to and two days after the symposium. Current Room Tax is 10.5%. Check-in availability cannot be committed prior to 4:00 p.m. Check-out time is 12:00 noon. The San Diego Princess Resort will make every effort to accommodate any early arrivals, so make sure you give them your arrival time when you make your reservation. TO MAKE A RESERVATION Contact the San Diego Princess Resort at +1-800-344-2626 (+1-619-274-4630 if outside the United States). To receive the special group rates, reservations must be made no later than January 20, 1997. To receive the special goverment rate, you must make your reservation by January 13, 1997. CLIMATE February weather in San Diego is normally very pleasant. Early morning temperatures average 55 degrees while afternoon temperatures average 67 degrees. Generally, a light jacket or sweater is adequate, although, occasionally it rains. --------------------------------------------------------------------------- R E G I S T R A T I O N I N F O R M A T I O N FEES ISOC Non- Members Member* Early registration (postmarked on/before Jan. 22) $305 $345 Late registration $375 $415 REGISTRATION INCLUDES - Attendance - Symposium Proceedings - Two luncheons - Reception - Banquet - Coffee Breaks * Non-Member fee includes one year Internet Society membership. FOR MORE INFORMATION Contact Carol Gray at the Internet Society at +1-703-648-9888 or send E-mail to Ndss97reg@isoc.org. WEB PAGE Additional information about the symposium and San Diego, plus on-line registration, are available via the Web at: http://www.isoc.org/conferences/ndss97 SPONSORSHIP OPPORTUNITIES AVAILABLE! Contact Torryn Brazell at the Internet Society at +1-703-648-9888 or send E-mail to Ndss97reg@isoc.org. --------------------------------------------------------------------------- R E G I S T R A T I O N F O R M INTERNET SOCIETY SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY 10-11 FEBRUARY, 1997 SAN DIEGO, CALIFORNIA, USA Fill out this form and FAX it to NDSS'97 Registration at +1-703-648-9887, send it via E-mail to Ndss97reg@isoc.org, or mail it to NDSS97, 12020 Sunrise Valley Drive, Suite 210, Reston, VA, 20191, USA PERSONAL INFORMATION __Mr __Ms __Mrs __Dr __Prof __M __Prof Dr __Dip Ing __Ing __Miss __Mlle First Name: ________________________________ MI: ____________________ Family Name: ___________________________________ __Sr __Jr __II __III Badge Name: __________________________________________________________ Please enter your name as you would like it to appear on your name tag. CONTACT INFORMATION Title: _______________________________________________________________ Organization: ________________________________________________________ Street address: ______________________________________________________ ______________________________________________________________________ City: ________________________________________________________________ State/Province: ___________________________ Postal Code: ____________ Country: _____________________________________________________________ Telephone Number (work): _____________________________________________ Telephone Number (home): _____________________________________________ Fax Number: __________________________________________________________ E-mail address: ______________________________________________________ SPECIAL NEEDS? (Vegetarian meals, wheelchair access, etc?) ______________________________________________________________________ ______________________________________________________________________ APPEAR ON REGISTRANTS LIST? ___ Please check here if you would NOT like your name included in the list of registrants. PAYMENT INFORMATION All Payments must be in United States Dollars. Conference Fee -------------- If you are an Internet Society member, you are eligible for a reduced conference registration fee. Non-member symposium attendees will receive a one year Internet Society membership as part of the non-member registration fees. Check one: On/Before After January 22 January 22 ---------- ---------- ___ Internet Society Member Fee US$ 305.00 US$ 375.00 ___ Non-Member Fee US$ 345.00 US$ 415.00 Method of Payment ----------------- Payment must be received on/before February 7, 1997 or we will be unable to pre-register you. 1. ___ Check. Make payable to the Internet Society. 2. ___ Credit Card. ___ American Express ___ Visa ___ Mastercard Name on Credit Card: ____________________________________ Credit Card Number: _____________________________________ Expiration Date: ________________________________________ 3. ___ CyberCash. Account Number: _____________________________ 4. ___ First Virtual. Account Number: _________________________ 5. ___ Wire Transfer* Bank ABA Number: 054000030 Account Number: Internet Society 148 387 10 Riggs National Bank of Virginia 950 Herndon Parkway Herndon, VA 20171 USA Wire Transfer Confirmation Number: ______________________ * Please process wire transfer before sending registration form. 6. ___ U.S. Government Purchase Order* P.O. Number: ____________________________________________ * Please fax or mail a copy of your purchase order along with your registration form. Cancellation Policy ------------------- Refunds (less a $25 processing fee) will be issued for cancellations received on/before February 7, 1997. No refunds will be issued after February 7, 1997. ------------------------------------------------------------------------ From owner-ipsec Wed Nov 27 07:25:54 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id HAA15967 for ipsec-outgoing; Wed, 27 Nov 1996 07:20:51 -0500 (EST) To: IETF-Announce:; Cc: RFC Editor <rfc-editor@isi.edu> Cc: Internet Architecture Board <iab@isi.edu> Cc: ipsec@tis.com From: The IESG <iesg-secretary@ietf.org> Subject: Document Action: HMAC-MD5: Keyed-MD5 for Message Authentication to Informational Date: Tue, 26 Nov 1996 13:13:51 -0500 Message-ID: <9611261313.aa11926@ietf.org> Sender: owner-ipsec@ex.tis.com Precedence: bulk The IESG has reviewed the Internet-Draft "HMAC: Keyed-Hashing for Message Authentication" <draft-ietf-ipsec-hmac-md5-01.txt> and recommends that it be published by the RFC Editor as an Informational RFC. This document is the product of the IP Security Protocol Working Group. The IESG contact person is Jeffrey Schiller. -- John C. Kelley System Administrator (301) 854-6889 Trusted Information Systems, Inc. (301) 854-5363 FAX 3060 Washington Road johnk@tis.com (work) Glenwood, MD 21738 johnk@radix.net (play) From owner-ipsec Wed Nov 27 11:29:19 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA17029 for ipsec-outgoing; Wed, 27 Nov 1996 11:23:12 -0500 (EST) Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce:;;;;@tis.com@tis.com;;; cc: ipsec@tis.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ipsec-inline-isakmp-00.txt Date: Wed, 27 Nov 1996 10:17:08 -0500 Message-ID: <9611271017.aa24153@ietf.org> Sender: owner-ipsec@ex.tis.com Precedence: bulk --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Protocol Working Group of the IETF. Title : Inline Keying within the ISAKMP Framework. Author(s) : B. Sommerfeld Filename : draft-ietf-ipsec-inline-isakmp-00.txt Pages : 9 Date : 11/26/1996 The current proposal for IP-layer key management [ISAKMP, OAKLEY, ISAOAK] has fairly high overhead. Before a security association can be established, at least one pair of messages need to be exchanged between the communicating peers. For efficiency, this suggests that ISAKMP setup should be infrequent. However, general principles of key management suggest that individual keys should be used as little as practical and changed as frequently as possible. Steve Bellovin has suggested that, ideally, different security associations should be used for each different transport-level connection[BADESP]. This document discusses different ways of structuring a protocol to permit this to happen with minimal overhead, both in round-trip delay at connection setup, and in bandwidth once the connection is established. Portions of this protocol have been inspired by SKIP, which is fundamentally built around the concept of inline keying[SKIP]. SKIP's approach is burdened by the addition of an extra intermediate header of perhaps 20 to 28 bytes to every protected packet, essentially doubling the overhead of protected traffic compared with ESP with manual keying. Ideally, an inline keying header would be used only until the desired security association is established, at which point the peers will fall back to pure ESP/AH. Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsec-inline-isakmp-00.txt". A URL for the Internet-Draft is: ftp://ds.internic.net/internet-drafts/draft-ietf-ipsec-inline-isakmp-00.txt Internet-Drafts directories are located at: o Africa: ftp.is.co.za o Europe: nic.nordu.net ftp.nis.garr.it o Pacific Rim: munnari.oz.au o US East Coast: ds.internic.net o US West Coast: ftp.isi.edu Internet-Drafts are also available by mail. Send a message to: mailserv@ds.internic.net. In the body type: "FILE /internet-drafts/draft-ietf-ipsec-inline-isakmp-00.txt". NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ds.internic.net" Content-Type: text/plain Content-ID: <19961126110919.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ipsec-inline-isakmp-00.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ipsec-inline-isakmp-00.txt"; site="ds.internic.net"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <19961126110919.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec Wed Nov 27 13:07:01 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA17200 for ipsec-outgoing; Wed, 27 Nov 1996 13:02:25 -0500 (EST) Date: Wed, 27 Nov 1996 13:02:52 -0500 (EST) Message-Id: <199611271802.NAA29680@carp.morningstar.com> From: Ben Rogers <ben@morningstar.com> To: "C. Harald Koch" <chk@border.com> Cc: Bill Sommerfeld <sommerfeld@apollo.hp.com>, "Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway In-Reply-To: <96Nov26.191251est.30786-1@janus.border.com> References: <9610258489.AA848977264@netx.nei.com> <199611261929.OAA01715@thunk.orchard.medford.ma.us> <199611262230.RAA27739@carp.morningstar.com> <96Nov26.191251est.30786-1@janus.border.com> Reply-To: ben@ascend.com (Ben Rogers) Sender: owner-ipsec@ex.tis.com Precedence: bulk C. Harald Koch writes: > In message <199611262230.RAA27739@carp.morningstar.com>, Ben Rogers writes: > > > > It seems to me that gatewayA should never try to place an AH, nor do an > > ESP encapsulation on the packet using transport mode (assuming that > > gatewayA did not originate the packet). A gateway that put IPSEC > > headers on packets in transport mode would not only cause confusing > > problems like this, but would have severe problems dealing with > > fragmented packets. > > and > > > It makes sense to only check the headers on packets that are destined > > for the local machine. Otherwise, we would be intercepting (and > > probably modifying) packets not destined to that machine, and violating > > many of the ideas that make IP work. Thus, I don't see any reason that > > a gateway could use transport mode to tack on an AH to a packet from > > hostA to hostB. > > I disagree. The counter example: firewalls (or John Gilmore's "cryptowalls"). > > I see an incredible advantage for firewalls to add IPsec information to > packets, acting as proxies for the machines they're protecting. Keeps all > your Security Association information in one place, where it can be easily > configured and monitored. > > People aren't going to start ripping out their firewalls just because they > have IPsec support on their hosts; firewalls allow much more security > control than IPsec does. (Analogy: you don't unlock the front door just > because everyone can lock their own filing cabinets). Hmmm.... This statement doesn't seem to disagree with my original statement. I said that the gateway should never do encapsulation in *transport* mode. Tunnel mode is still acceptable, and would be the perfect thing to use in this case -- the "cryptowall" would ben one of the tunnel endpoints. The problem in using transport mode on a gateway lies mainly in the fragmentation of packets. Imagine that the "cryptowall" receives a 1500 byte fragment, and adds a header to it. The authenticated packet is then again too big to send out on ether, and so it must be fragmented again. The problem is that we changed the size of the total packet by adding the AH to it. You *cannot* calculate fragment offsets in an unambiguous manner without keeping the enough state to calculate new offsets for all the other fragments. > You also write: > > > Why? I believe the RFC states that the Security Association(SA) is > > chosen using only the destination address and the SPI. It doesn't seem > > to be illegal for several hosts to send us packets using the same > > Security Association (SPI). > > A security association is *indexed* by destination address and SPI. However, > It can include information about the source, including strong authentication > checks, and instructions to reject packets from an invalid IP address. It's > not illegal for several hosts to using the same SPI, but it's also not > secure (it would allow all hosts with the same keying information to spoof > each other, for example). > > I think it's much more likely that a host would enforce the use of different > SPIs (and different keys) for each different source host. This is definitely the more secure method, and should be used when you are dealing with untrustworthy peers. However, if you trust your peers, there is no reason to disallow a priori several "source" hosts sending you packets on the same security association. If all you want to do is to authenticate that someone sending to the multicast address is allowed to, and not to authenticate their individual identity, then this should be sufficient, and should save space (in not having to have seperate security associations for a large number of "identical" peers). You can still check on source address if you want (for example, in a "cryptowall"), but it seems that this should be a policy decision, and should be separated from plain vanilla IP security. ben From owner-ipsec Wed Nov 27 15:14:07 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA17538 for ipsec-outgoing; Wed, 27 Nov 1996 15:10:28 -0500 (EST) Message-Id: <s29c3023.082@novell.com> X-Mailer: Novell GroupWise 4.1 Date: Wed, 27 Nov 1996 12:11:44 -0800 From: CJ Lee <CJ_LEE@novell.com> To: ipsec@tis.com Subject: Re: replay counter size Sender: owner-ipsec@ex.tis.com Precedence: bulk Derrell Piper wrote sometime back: > The latest HMAC AH draft (the one following Montreal) specifies a 64-bit > replay field. The latest Combined ESP draft uses only a 32-bit field. > > Jim, was it your intention for these specs to diverge like this? I > would like to understand why these fields need to be different for AH > and ESP. I would rather see them be the same. I personally believe that > 2^32 packets is too much data to encrypt under one key anyway, so I > think 32-bits is the right number. But I'm more concerned that AH and > ESP be equally protected. > > I recall some discussion in Montreal about the performance of replay > window checks being dependent on the underlying hardware register size, > which supports our desire to make this implementation dependent. I do > not recall discussing changing the replay counter from 32 to 64 bits, > though I confess to being a bit late for the first working group meeting, > due to not being able to get into the room due to overcrowding. I don't remember that I saw an explanation about the question on the mailing list. To me, different replay counter size for different AH/ESP transforms would definitely complicate an IPsec implementation in terms of storing and using the per session (SA) replay checking state - the largest counter seen so far. I'd appreciate that someone could enlighten me on this. CJ Lee (cj_lee@novell.com) From owner-ipsec Wed Nov 27 15:48:50 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA17619 for ipsec-outgoing; Wed, 27 Nov 1996 15:48:21 -0500 (EST) From: pau@watson.ibm.com Date: Wed, 27 Nov 1996 15:53:29 -0500 Message-Id: <9611272053.AA22380@secpwr.watson.ibm.com> To: ipsec@tis.com Subject: Re: AH (without ESP) on a secure gateway Cc: isakmp-oakley@cisco.com Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Md5: b4Ny6eHOqoEJQTvjvj0zEA== Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by portal.ex.tis.com id PAA17616 Sender: owner-ipsec@ex.tis.com Precedence: bulk I have a question triggered by the discussion : If two firewalls (gateways), IDii and IDir, did a successful ISAKMP phase-II proxy negotiation for IDui and IDur. Then, which one is the right usage of the SA resulting from the negotiation : 1. The SA is shared between IDii and IDir (the gateways), and IDii IDir are performing IPSEC protection on traffic between IDui and IDur. In this case, IDui and IDur are unware of the IPSEC protection. 2. The SA is shared between IDui and IDur and IDui and IDur perform IPSEC by themselves. IDii and IDir (the gateways) become more or less (IPSEC) transparent. Pau-Chen From owner-ipsec Wed Nov 27 16:20:30 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA17662 for ipsec-outgoing; Wed, 27 Nov 1996 16:18:18 -0500 (EST) Message-Id: <199611272118.QAA17662@portal.ex.tis.com> From: Greg Carter <carterg@entrust.com> To: "'ipsec@tis.com'" <ipsec@tis.com> Cc: "'isakmp-oakley@cisco.com'" <isakmp-oakley@cisco.com> Subject: ISAKMP & IPSEC DOI Drafts - Notify Payload - Certificate Authorities Date: Wed, 27 Nov 1996 15:50:35 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24 Sender: owner-ipsec@ex.tis.com Precedence: bulk Questions on ISAKMP draft: Can Notify Payloads be sent in any exchange or are they valid only in Informational Exchanges? What action should be taken when a Notify Payload is received and the Message Type is not known. i.e. My ISAKMP server is using some of the private Message Types to exchange Environment information, but the peer ISAKMP server has no concept of this info (and hence the private message types). Section 3.10 Certificate Request Payload of ISAKMP - draft 6 For the Certificate Authorities field it references the IPSEC DOI document, however I couldn't find any reference to 'Distinguished Name Attribute Type' value in the IPSEC DOI doc. Could someone expand on this? Thanks. ---- Greg Carter Nortel Secure Networks - Entrust carterg@entrust.com From owner-ipsec Fri Nov 29 11:37:15 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA19253 for ipsec-outgoing; Fri, 29 Nov 1996 11:24:00 -0500 (EST) Message-ID: <c=CA%a=_%p=NorTel_Secure_Ne%l=GRANNY-961129161634Z-9550@bwdldb.ott.bnr.ca> From: Greg Carter <carterg@entrust.com> To: "'ipsec@tis.com'" <ipsec@tis.com> Cc: "'isakmp-oakley@cisco.com'" <isakmp-oakley@cisco.com> Subject: Certificate Request Payload Date: Fri, 29 Nov 1996 11:16:34 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24 Sender: owner-ipsec@ex.tis.com Precedence: bulk >From draft 6 of ISAKMP 3.10 Certificate Request Payload ..."The responder to the Certificate Request payload MUST send its immediate certificate, if certificates are supported, and SHOULD send as much of its certificate chain as possible." As part of the certificate chain can we send Certificate Revocation Lists (CRL) and Authority Revocation Lists (ARL)? Or was it intended that the certificate chain only include the immediate certificates of the users/CAs in question? Thanks ---- Greg Carter Nortel Secure Networks - Entrust carterg@entrust.com From owner-ipsec Sat Nov 30 19:18:17 1996 Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA19768 for ipsec-outgoing; Sat, 30 Nov 1996 19:09:29 -0500 (EST) Message-Id: <3.0.32.19961130161135.0093ca00@earthlink.net> X-Sender: rmonsour@earthlink.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 30 Nov 1996 16:11:40 -0800 To: ipsec@tis.com From: Bob Monsour <rmonsour@earthlink.net> Subject: I-D ACTION:draft-sabin-lzs-payload-00.txt Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ipsec@ex.tis.com Precedence: bulk For those on the list who might not be on the "announce" list. -Bob >To: IETF-Announce: ; >Sender: ietf-announce-request@ietf.org >From: Internet-Drafts@ietf.org >Reply-to: Internet-Drafts@ietf.org >Subject: I-D ACTION:draft-sabin-lzs-payload-00.txt >Date: Wed, 27 Nov 1996 10:18:23 -0500 >X-Orig-Sender: cclark@ietf.org > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > Title : LZS Payload Compression Transform for ESP > Author(s) : M. Sabin, R. Monsour > Filename : draft-sabin-lzs-payload-00.txt > Pages : 7 > Date : 11/26/1996 > >This memo proposes a "payload compression transform" based on the LZS >compression algorithm. The transform can be used to compress the payload >field of an IP datagram that uses the Encapsulating Security Payload (ESP) >format. The compression transform proposed here is stateless, meaning that >a datagram can be decompressed independently of any other datagram. >Compression is performed prior to the encryption operation of ESP, which >has the side benefit of reducing the amount of data that must be encrypted. > >This memo anticipates a forthcoming draft of ESP that will supercede >[Atkins96]. The forthcoming draft will allow for ESP payloads to be >compressed via transforms such as the one described in this memo. > >Internet-Drafts are available by anonymous FTP. Login with the username >"anonymous" and a password of your e-mail address. After logging in, >type "cd internet-drafts" and then > "get draft-sabin-lzs-payload-00.txt". >A URL for the Internet-Draft is: >ftp://ds.internic.net/internet-drafts/draft-sabin-lzs-payload-00.txt > >Internet-Drafts directories are located at: > > o Africa: ftp.is.co.za > > o Europe: nic.nordu.net > ftp.nis.garr.it > > o Pacific Rim: munnari.oz.au > > o US East Coast: ds.internic.net > > o US West Coast: ftp.isi.edu > >Internet-Drafts are also available by mail. > >Send a message to: mailserv@ds.internic.net. In the body type: > "FILE /internet-drafts/draft-sabin-lzs-payload-00.txt". > >NOTE: The mail server at ds.internic.net can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e., documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > >Below is the data which will enable a MIME compliant mail reader >implementation to automatically retrieve the ASCII version >of the Internet-Draft. > ><ftp://ds.internic.net/internet-drafts/draft-sabin-lzs-payload-00.txt> >
- I-D ACTION:draft-ietf-ipsec-isakmp-oakley-02.txt Internet-Drafts