Re: Slicing and dicing

Daniel Harkins <dharkins@cisco.com> Fri, 12 September 1997 22:40 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA10827 for ipsec-outgoing; Fri, 12 Sep 1997 18:40:40 -0400 (EDT)
Message-Id: <199709122250.PAA28343@dharkins-ss20>
X-Authentication-Warning: dharkins-ss20.cisco.com: Host localhost.cisco.com didn't use HELO protocol
To: Stephen Kent <kent@bbn.com>
Cc: Cheryl Madson <cmadson@cisco.com>, ipsec@tis.com
Subject: Re: Slicing and dicing
In-Reply-To: Your message of "Fri, 12 Sep 1997 16:31:27 EDT." <v03102816b03f554fed0a@[128.89.0.110]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 12 Sep 1997 15:50:31 -0700
From: Daniel Harkins <dharkins@cisco.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

  Steve,

  If a negotiated algorithm has a weak key and the check is not done then
there will be no rejection and hence no need for ISAKMP to support this
sort of notification. If the check is done then both sides will arrive at
the same conclusion and throw the thing away. Again, no need for such a
notification. If we decide to make things really ugly and allow a side to 
just decide to do a weak key check (did someone say "replay"?) then it can 
use a DELETE message to inform the other party that it didn't really like 
that SA and not to use it. (This can be used for other generic and probably 
more likely situations such as a malloc failing that results in the inability 
of KM to add the SA).

  Hence, there is no need for this. Of course, ISAKMP is sufficiently 
general that you can do this sort of thing in your implementation by using 
a private use notify number. That's the whole point. 

  It is possible, though, to add a new notify type and it's even possible 
to add a new negotiable attribute to say whether you do weak key checks and
also to add another payload in which you can specify the weak keys you 
check (with an algorithm field and a number of keys field). That way each 
side will have all the information on hand in case a weak key is found. But 
that is featureitis, a form of protocol cancer. 

  This whole discussion is evident of the problem of the IPSec WG. A question
is raised about confusing language in a draft-- do you check bytes 1-8 or
8-15 if bytes 0-7 are weak-- which then morphs into a discussion about whether
a popular book is wrong which morphs into statistical analysis of how often
weak keys are found which morphs into adding another feature into a protocol!

  We should all be ashamed. (And that's not neither the royal, medical, nor
law enfocement "we". I'm taking a heaping helping of blame).

  Dan.

> 	That defers the question of what to do for DES in CBC mode to the
> algorithm document itself.  Based on the current discussion, it looks like
> people are willing to just punt on this case, but I would likle to see a
> requirement in ISAKMP to support the generic rejection facility.  Is it
> reasonable to provide an error indication to the other end indicating the
> reason for the rejection, just in case implementations don't agree on the
> rejection (or at least for audit trail purposes)?