Re: [karp] Karp Agenda 2: KeyStore?
"Polk, William T." <william.polk@nist.gov> Tue, 23 March 2010 16:52 UTC
Return-Path: <william.polk@nist.gov>
X-Original-To: karp@core3.amsl.com
Delivered-To: karp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE9893A6D37 for <karp@core3.amsl.com>; Tue, 23 Mar 2010 09:52:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.084
X-Spam-Level:
X-Spam-Status: No, score=-3.084 tagged_above=-999 required=5 tests=[AWL=1.145, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Z3Dea6GwY9F for <karp@core3.amsl.com>; Tue, 23 Mar 2010 09:52:02 -0700 (PDT)
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by core3.amsl.com (Postfix) with ESMTP id 741DE3A6D24 for <karp@ietf.org>; Tue, 23 Mar 2010 09:51:36 -0700 (PDT)
Received: from WSXGHUB2.xchange.nist.gov (wsxghub2.nist.gov [129.6.18.19]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id o2NGphfQ023805; Tue, 23 Mar 2010 12:51:43 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([2002:8106:1213::8106:1213]) with mapi; Tue, 23 Mar 2010 12:51:26 -0400
From: "Polk, William T." <william.polk@nist.gov>
To: Vishwas Manral <vishwas.ietf@gmail.com>, "Polk, William T." <william.polk@nist.gov>
Date: Tue, 23 Mar 2010 12:56:16 -0400
Thread-Topic: [karp] Karp Agenda 2: KeyStore?
Thread-Index: AcrKpS0NlgP/wnfsRuaYXrO3PYen/QABJNdt
Message-ID: <C7CE40C0.14BEB%tim.polk@nist.gov>
In-Reply-To: <77ead0ec1003230923t693f60f0p788d94edca6319e3@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: william.polk@nist.gov
Cc: Russ Housley <housley@vigilsec.com>, "karp@ietf.org" <karp@ietf.org>
Subject: Re: [karp] Karp Agenda 2: KeyStore?
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Mar 2010 16:52:05 -0000
On 3/23/10 9:23 AM, "Vishwas Manral" <vishwas.ietf@gmail.com> wrote: > Hi Tim, > > I guess we are in near unision now. >> I'm not sure I buy this. I don't believe it matters whether the key >> is derived by an automated key management system, or shared >> through an out of band mechanism. If the key is in the table, that >> means it is appropriate for use. >> >> Perhaps I am missing something, though. What security >> aspects were you thinking of? > Well if the long term key is not a secure, the short term keys would > not be either. So it does matter how secure the Long term keys are. > We are in absolute agreement. >>> May be there is a generic set of functions required for all routing >>> and signalling protocols (let us not preclude LDP, RSVP-TE, >>> CR-LDP, LMP and others from the discussion) which is >>> independent of the Routing protocol itself is how it finally will be. >>> >> Perhaps, but are they really functions of the keytable? > A routing protocol expects a certain set of functionality. The Key > table provides another. We could either incorporate the same in the > KeyTable or have it in some "Glue functions" which can be defined > seperately. > I would appreciate any insight into the expected functionality. I don't have the routing clue to compile this list myself. I suspect I will personally be more comfortable handling this in "glue functions", but will reserve judgment until I see the list. >> Pretty close... The keytable draft could support protocols that >> routinely use different session keys in different directions, or >> protocols that use a single session key for traffic in both >> directions. If the protocol demands a single uni-directional >> traffic key, and two keys have been simultaneously derived >> during simultaneous open, you either have to discard one key >> *or* discard both and start over. >> >> I can see that we need more text in this area... > Sounds correct. OK > > Thanks, > Vishwas > > On Tue, Mar 23, 2010 at 9:03 AM, Polk, William T. <william.polk@nist.gov> > wrote: >> >> On 3/22/10 10:30 PM, "Vishwas Manral" <vishwas.ietf@gmail.com> wrote: >> >>> Hi Tim/ Greg, >>> >>> I mostly agree with Greg. >>> >>> On Mon, Mar 22, 2010 at 10:13 PM, Gregory Lebovitz >>> <gregory.ietf@gmail.com> wrote: >>>> inline... >>>> >>>> On Mon, Mar 22, 2010 at 7:31 PM, Polk, William T. <william.polk@nist.gov> >>>> wrote: >>>>> >>>>> Hi Vishwas, >>>>> >>>>> Comments inline... >>>>> >>>>> On 3/22/10 4:12 PM, "Vishwas Manral" <vishwas.ietf@gmail.com> wrote: >>>>> >>>>>> Gregory/ Tim, >>>>>> >>>>>> I agree with Gregory regarding having the presentation at the KARP >>>>>> meeting. >>>>>> >>>>>> I scanned through the Polk draft. One comment is that the Long lived >>>>>> Crypto Keys stillneed to be changed manually. >>>>> >>>>> Glad to have a reader! >>>>> >>>>> Actually, the Long Lived Keys can be established manually *or* through an >>>>> Automated Key Management Protocol. (See Figure 1 in >>>>> draft-polk-saag-rtg-auth-keytable-02). This is a key concept for our >>>>> draft >>>>> - the routing protocol need not know (or care) how long lived keys were >>>>> established. This allows incremental introduction of automated key >>>>> management techniques seamlessly. >>>> >>>> I agree with this design "feature", that the RPD (routing protocol daemon) >>>> need not know or care how the keys were established. >>> RPD never does bother. However based on how the Key is derived we can >>> determite the security aspects of the protocol authentication >>> mechanism. >> >> I'm not sure I buy this. I don't believe it matters whether the key is >> derived by an automated key management system, or shared through an out of >> band mechanism. If the key is in the table, that means it is appropriate >> for use. >> >> Perhaps I am missing something, though. What security aspects were you >> thinking of? >> >>> >>>>> Removing keys from the document isn't covered, though. Should it be >>>>> added? >>>> >>>> I think so. For purposes of quick response when a key has been compromised, >>>> an admin is terminated, a business relationship terminates, etc. >>> I agree. >>> >>>>> Expiration of entries is covered in >>>>> draft-housley-saag-crypto-key-table-00, >>>>> but perhaps we need to discuss removal for other circumstances. (I'm >>>>> thinking of severing a business relationship, or deciding a long lived key >>>>> has been compromised before its expiration date.) I suspect that would be >>>>> a >>>>> manual process... >>>> >>>> Agreed that we need this. The process could be manual to start (given the >>>> goal of incremental deployability), but I could envision an end state when >>>> a >>>> simple execution command at the router's command line interface kicks-off a >>>> fully automated process of generating, distributing and employing new keys. >>> Agree again, though I still need to look at the Housely draft. >>> >>>>>> Another comment is Session Acceptance diagram has a Key Id while the >>>>>> Session Initiation does not. >>>>> >>>>> In our model, a session initiator is not concerned which long-lived key >>>>> they >>>>> get, only that the key is shared with the right peer(s) and intended for >>>>> use >>>>> with the right protocol. So, the initiator's request for a key does not >>>>> contain a KeyID. >>>> >>>> Might this leave us vulnerable to MitM run step-down attacks, i.e. to an >>>> old >>>> key (assuming said key was not properly discarded in a timely fashion)? >>> I did not understand how MITM would be an issue here? Could you explain? >>> >> >> I am with you on this one. As I said above, if the key is in the table, it >> is acceptable for use. If the key was not properly discarded (by *either* >> peer), that is a operational failure that is not going to be overcome by >> asserting KeyIDs. It would also mean that the routing protocol had to >> maintain a list of all the keys it can use (by ID). This is a nightmare, >> since we need to keep the keytable and the routing protocol's keyid table >> synchronized. Let's not go there. >> >>>>> When a peer accepts a session, the initiator has already selected a >>>>> long-lived key. The KeyID is essential in this case, or the peer will not >>>>> derive the right session key. >>>>> >>>>>> >>>>>> Some things to think of are what needs to be done when both sides >>>>>> initiate the connection at the same time. >>>>> >>>>> Won't different protocols handle this differently? I could envision >>>>> ending >>>>> up with two parallel (but authenticated) sessions, or the protocol could >>>>> attempt to resolve this into a single connection by selecting one peer as >>>>> the "initiator" and discard the session key material from the aborted >>>>> session. >>>>> >>>>>> The document also does not >>>>>> talk about how the short term keys are changed. >>>>> >>>>> The keytable does not force any key changes - it just lies there. >>>>> Generation of short term keys is entirely under the routing protocol's >>>>> control. >>>> >>>> Could be so. Or it could be a function of a KMP, one that is keeping the >>>> key >>>> life times and thus knowing when it's time to kick off the negotiation of a >>>> new security association, then install it for use. >>> May be there is a generic set of functions required for all routing >>> and signalling protocols (let us not preclude LDP, RSVP-TE, CR-LDP, >>> LMP and others from the discussion) which is independent of the >>> Routing protocol itself is how it finally will be. >>> >> >> Perhaps, but are they really functions of the keytable? >> >>>>> Some things to think of are what needs to be done when both sides >>>>> initiate the connection at the same time. >>>> Won't different protocols handle this differently? I could envision >>>> ending up with two parallel (but authenticated) sessions, or the >>>> protocol could attempt to resolve this into a single connection by >>>> selecting one peer as the "initiator" and discard the session key >>>> material from the aborted session. >>> That is interesting. So the assumption from your draft is the sender >>> and receiver keys can be seperate and if the protocol wants the same >>> in case I have mentioned they can probably drop one of the Keys. Is my >>> understanding correct? >>> >> >> Pretty close... The keytable draft could support protocols that routinely >> use different session keys in different directions, or protocols that use a >> single session key for traffic in both directions. If the protocol demands >> a single uni-directional traffic key, and two keys have been simultaneously >> derived during simultaneous open, you either have to discard one key *or* >> discard both and start over. >> >> I can see that we need more text in this area... >> >> Thanks, >> >> Tim >> >>> Thanks, >>> Vishwas >>> >>> ssion means a new short term key. That may be >>>>> enough for some protocols. For protocols with long-lived sessions, the >>>>> routing protocol can incorporate protocol specific mechanisms for changing >>>>> session keys during an existing session. >>> >>>>> >>>>> If these protocol specific mechanisms are designed such that the new >>>>> session >>>>> keys are derived from different long lived keys, the peer initiating the >>>>> transition requests new keys just as if it was initiating a new session. >>>>> The other peer would behave as if it was accepting a new session... >>>>> >>>>> We could add some text here if you would like. (I think a brief reference >>>>> to tcp-ao's mechanism for changing keys during sessions is all we have >>>>> now.) >>> >>> >>>>>> Thanks, >>>>>> Vishwas >>>>>> >>>>>> On Mon, Mar 22, 2010 at 2:38 PM, Gregory Lebovitz >>>>>> <gregory.ietf@gmail.com> wrote: >>>>>>> >>>>>>> >>>>>>> On Mon, Mar 22, 2010 at 2:35 PM, Polk, William T. >>>>>>> <william.polk@nist.gov> >>>>>>> wrote: >>>>>>>> >>>>>>>> Gregory, >>>>>>>> >>>>>>>> There has really been no change to those documents since Hiroshima, so >>>>>>>> I >>>>>>>> did not suggest a presentation. (We simply haven¹t received any >>>>>>>> suggestion >>>>>>>> to change them.) I do have karp on my schedule and will be in the >>>>>>>> room. >>>>>>> >>>>>>> I'll leave it to the chairs to decide. Since the last preso was a BoF, >>>>>>> it >>>>>>> may make sense to do it again, if only to push people to read and >>>>>>> review and >>>>>>> provide input. >>>>>>> >>>>>>>> >>>>>>>> I think that maintaining them as separate documents is advisable, >>>>>>>> given >>>>>>>> their simplicity... >>>>>>> >>>>>>> If there is applicability outside of karp-framework, then I agree. If >>>>>>> the >>>>>>> applicability is only w/in the karp-framework, then I'd suggest we suck >>>>>>> it >>>>>>> into the "KeyStore" section of that document. But I haven't thought too >>>>>>> much >>>>>>> about it until just now, sitting here with Bill Atwood, working on >>>>>>> slides >>>>>>> and open issues / open sections. >>>>>>> Bill will have this as an open question on his slides and we can >>>>>>> discuss in >>>>>>> WG. WFY? >>>>>>> Gregory >>>>>>> >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Tim >>>>>>>> >>>>>>>> >>>>>>>> On 3/22/10 2:11 PM, "Gregory M. Lebovitz" <gregory.ietf@gmail.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>> KARPies, Tim & Russ, >>>>>>>> I notice that the current agenda for KARP does NOT include a >>>>>>>> presentation >>>>>>>> by Tim/Russ on their documents that defines in more detail what >>>>>>>> draft-ietf-karp-framework calls the KeyStore. I'm thinking that would >>>>>>>> be a >>>>>>>> good thing to have presented again (it was presented at the BoF >>>>>>>> already >>>>>>>> once), because we need to decide if these become WG documents, or how >>>>>>>> to >>>>>>>> proceed them. >>>>>>>> >>>>>>>> Those documents are: >>>>>>>> draft-housley-saag-crypto-key-table-01 >>>>>>>> draft-polk-saag-rtg-auth-keytable-02 >>>>>>>> >>>>>>>> Another question is: "Do these documents serve better as stand-alone, >>>>>>>> or >>>>>>>> ought they be incorporated into the karp-framework document" >>>>>>>> >>>>>>>> Thoughts? >>>>>>>> >>>>>>>> Gregory. >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> ---- >>>>>>> IETF related email from >>>>>>> Gregory M. Lebovitz >>>>>>> Juniper Networks >>>>>>> >>>>>>> _______________________________________________ >>>>>>> karp mailing list >>>>>>> karp@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/karp >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>>> >>>> >>>> -- >>>> ---- >>>> IETF related email from >>>> Gregory M. Lebovitz >>>> Juniper Networks >>>> >>> >> >> >
- [karp] Karp Agenda 2: KeyStore? Gregory Lebovitz
- Re: [karp] Karp Agenda 2: KeyStore? Gregory Lebovitz
- Re: [karp] Karp Agenda 2: KeyStore? Polk, William T.
- Re: [karp] Karp Agenda 2: KeyStore? Vishwas Manral
- Re: [karp] Karp Agenda 2: KeyStore? Sean Turner
- Re: [karp] Karp Agenda 2: KeyStore? Gregory Lebovitz
- Re: [karp] Karp Agenda 2: KeyStore? Polk, William T.
- Re: [karp] Karp Agenda 2: KeyStore? Polk, William T.
- Re: [karp] Karp Agenda 2: KeyStore? Polk, William T.
- Re: [karp] Karp Agenda 2: KeyStore? Vishwas Manral
- Re: [karp] Karp Agenda 2: KeyStore? Polk, William T.