IETF Logo Mail Archive

Re: [karp] KARP-KMP for pair wise routing protocols (traffic selectors)

Uma Chunduri <uma.chunduri@ericsson.com> Mon, 26 September 2011 18:47 UTC

Return-Path: <uma.chunduri@ericsson.com>
X-Original-To: karp@ietfa.amsl.com
Delivered-To: karp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6208721F8D19 for <karp@ietfa.amsl.com>; Mon, 26 Sep 2011 11:47:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.321
X-Spam-Level:
X-Spam-Status: No, score=-6.321 tagged_above=-999 required=5 tests=[AWL=0.278, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJ96HOQV0OuX for <karp@ietfa.amsl.com>; Mon, 26 Sep 2011 11:47:37 -0700 (PDT)
Received: from imr4.ericy.com (imr4.ericy.com [198.24.6.9]) by ietfa.amsl.com (Postfix) with ESMTP id AFA2C21F8CDE for <karp@ietf.org>; Mon, 26 Sep 2011 11:47:37 -0700 (PDT)
Received: from eusaamw0706.eamcs.ericsson.se ([147.117.20.31]) by imr4.ericy.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id p8QInfxD017161; Mon, 26 Sep 2011 13:50:20 -0500
Received: from EUSAACMS0701.eamcs.ericsson.se ([169.254.1.158]) by eusaamw0706.eamcs.ericsson.se ([147.117.20.31]) with mapi; Mon, 26 Sep 2011 14:50:02 -0400
From: Uma Chunduri <uma.chunduri@ericsson.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
Date: Mon, 26 Sep 2011 14:50:00 -0400
Thread-Topic: [karp] KARP-KMP for pair wise routing protocols (traffic selectors)
Thread-Index: Acx8a1t/9kuDlzywSaOm6VmjbDZpOgADJcJg
Message-ID: <D1D8138DDF34B34B8BC68A11262D107912E88E9E5F@EUSAACMS0701.eamcs.ericsson.se>
References: <D1D8138DDF34B34B8BC68A11262D107912E8635F0C@EUSAACMS0701.eamcs.ericsson.se> <tslaa9rqmqa.fsf@mit.edu>
In-Reply-To: <tslaa9rqmqa.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "karp@ietf.org" <karp@ietf.org>
Subject: Re: [karp] KARP-KMP for pair wise routing protocols (traffic selectors)
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 18:47:38 -0000

    Uma> Apart from the protocol ID to differentiate multiple child SA's
    Uma> (BGP, LDP) between the same peers, it's possible there could be
    Uma> multiple TCP connections between the same peers for the same
    Uma> routing protocol.  Please refer IDR WG draft:
    Uma> http://datatracker.ietf.org/doc/
    Uma> draft-ietf-idr-bgp-multisession/ So all these BGP connections
    Uma> between same peers can be differentiated by source port, which
    Uma> is part of the traffic selectors.
 
    Uma> If it is not already considered, probably traffic selectors
    Uma> need to be considered in the next revision of the combined
    Uma> IKEv2 based KMP draft.

We agree there will be multiple TCP connections.  However, I've yet to see an argument for you need different outputs from the KDF in this instance. If all the TCP connections are between the same authenticated peers and have the same access control requirements, why do we need different SAs?  TCP-AO will give us different traffic keys in this instance even if it is the same SA.

Put another way, is the SA between BGP on peer A and BGP on peer B, or does the SA refer to BGP session x on peer A talking to BGP session y on peer B.
The second is more complex in terms of the interface between the KMP and routing protocol.
My opinion is that unless the second provides security value, we should take the simpler approach.
====
[Uma]
You raised an important point. I would say, the second solution is not necessarily complex but it's the opposite. 
Think of it- your KMP is capable and it's giving unique session keys to protect underlying session that 
could be multiple sessions between the same end points (our case of discussion) or different end points.
In this case TCP-AO which is the eventual user of the keys, need not do extra KDF to get the session keys 
(just directly use the KMP keys). 

The advantage os this approach:
	- Each underlying session has the capability to choose session parameter more granularly 
               - E.g.: Life time even AUTH algo (BGP may select one and LDP can select different) 
      - Limited damage in case of a key compromise (limited to the life time of one session)
      - and as I mentioned I  would argue integration with KMP is rather more easier
              - Remember, in your case what KMP is giving to TCP-AO is KMP's traffic key (CHILD_SA key)
                to generate multiple traffic keys to protect multiple sessions between same peers. 

If we think more, the reason for KDF and key derivation in TCP-AO is for inter-session replay protection and this
Is extremely relevant to manual keys but not keys generated with re-key capable KMP.

But, I recognize today TCP-AO can't consume direct traffic keys from KMP, but this can be changed if one see there 
is value in it. I will pause here and would listen on what do you think.

v2.23.0 | Report a Bug | By Email