IETF Logo Mail Archive

Re: [karp] Karp Agenda 2: KeyStore?

"Polk, William T." <william.polk@nist.gov> Tue, 23 March 2010 16:52 UTC

Return-Path: <william.polk@nist.gov>
X-Original-To: karp@core3.amsl.com
Delivered-To: karp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE9893A6D37 for <karp@core3.amsl.com>; Tue, 23 Mar 2010 09:52:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.084
X-Spam-Level:
X-Spam-Status: No, score=-3.084 tagged_above=-999 required=5 tests=[AWL=1.145, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Z3Dea6GwY9F for <karp@core3.amsl.com>; Tue, 23 Mar 2010 09:52:02 -0700 (PDT)
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by core3.amsl.com (Postfix) with ESMTP id 741DE3A6D24 for <karp@ietf.org>; Tue, 23 Mar 2010 09:51:36 -0700 (PDT)
Received: from WSXGHUB2.xchange.nist.gov (wsxghub2.nist.gov [129.6.18.19]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id o2NGphfQ023805; Tue, 23 Mar 2010 12:51:43 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([2002:8106:1213::8106:1213]) with mapi; Tue, 23 Mar 2010 12:51:26 -0400
From: "Polk, William T." <william.polk@nist.gov>
To: Vishwas Manral <vishwas.ietf@gmail.com>, "Polk, William T." <william.polk@nist.gov>
Date: Tue, 23 Mar 2010 12:56:16 -0400
Thread-Topic: [karp] Karp Agenda 2: KeyStore?
Thread-Index: AcrKpS0NlgP/wnfsRuaYXrO3PYen/QABJNdt
Message-ID: <C7CE40C0.14BEB%tim.polk@nist.gov>
In-Reply-To: <77ead0ec1003230923t693f60f0p788d94edca6319e3@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: william.polk@nist.gov
Cc: Russ Housley <housley@vigilsec.com>, "karp@ietf.org" <karp@ietf.org>
Subject: Re: [karp] Karp Agenda 2: KeyStore?
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Mar 2010 16:52:05 -0000

On 3/23/10 9:23 AM, "Vishwas Manral" <vishwas.ietf@gmail.com> wrote:

> Hi Tim,
> 
> I guess we are in near unision now.
>> I'm not sure I buy this.  I don't believe it matters whether the key
>> is derived by an automated key management system, or shared
>> through an out of band mechanism.  If the key is in the table, that
>> means it is appropriate for use.
>> 
>> Perhaps I am missing something, though.  What security
>> aspects were you thinking of?
> Well if the long term key is not a secure, the short term keys would
> not be either. So it does matter how secure the Long term keys are.
> 

We are in absolute agreement.

>>> May be there is a generic set of functions required for all routing
>>> and signalling protocols (let us not preclude LDP, RSVP-TE,
>>> CR-LDP, LMP and others from the discussion) which is
>>> independent of the Routing protocol itself is how it finally will be.
>>> 
>> Perhaps, but are they really functions of the keytable?
> A routing protocol expects a certain set of functionality. The Key
> table provides another. We could either incorporate the same in the
> KeyTable or have it in some "Glue functions" which can be defined
> seperately.
> 
I would appreciate any insight into the expected functionality.  I don't
have the routing clue to compile this list myself.

I suspect I will personally be more comfortable handling this in "glue
functions", but will reserve judgment until I see the list.

>> Pretty close... The keytable draft could support protocols that
>> routinely use different session keys in different directions, or
>> protocols that use a single session key for traffic in both
>> directions.  If the protocol demands a single uni-directional
>> traffic key, and two keys have been simultaneously derived
>> during simultaneous open, you either have to discard one key
>> *or* discard both and start over.
>> 
>> I can see that we need more text in this area...
> Sounds correct.

OK
> 
> Thanks,
> Vishwas
> 
> On Tue, Mar 23, 2010 at 9:03 AM, Polk, William T. <william.polk@nist.gov>
> wrote:
>> 
>> On 3/22/10 10:30 PM, "Vishwas Manral" <vishwas.ietf@gmail.com> wrote:
>> 
>>> Hi Tim/ Greg,
>>> 
>>> I mostly agree with Greg.
>>> 
>>> On Mon, Mar 22, 2010 at 10:13 PM, Gregory Lebovitz
>>> <gregory.ietf@gmail.com> wrote:
>>>> inline...
>>>> 
>>>> On Mon, Mar 22, 2010 at 7:31 PM, Polk, William T. <william.polk@nist.gov>
>>>> wrote:
>>>>> 
>>>>> Hi Vishwas,
>>>>> 
>>>>> Comments inline...
>>>>> 
>>>>> On 3/22/10 4:12 PM, "Vishwas Manral" <vishwas.ietf@gmail.com> wrote:
>>>>> 
>>>>>> Gregory/ Tim,
>>>>>> 
>>>>>> I agree with Gregory regarding having the presentation at the KARP
>>>>>> meeting.
>>>>>> 
>>>>>> I scanned through the Polk draft. One comment is that the Long lived
>>>>>> Crypto Keys stillneed to be changed manually.
>>>>> 
>>>>> Glad to have a reader!
>>>>> 
>>>>> Actually, the Long Lived Keys can be established manually *or* through an
>>>>> Automated Key Management Protocol.  (See Figure 1 in
>>>>> draft-polk-saag-rtg-auth-keytable-02).  This is a key concept for our
>>>>> draft
>>>>> - the routing protocol need not know (or care) how long lived keys were
>>>>> established.  This allows incremental introduction of automated key
>>>>> management techniques seamlessly.
>>>> 
>>>> I agree with this design "feature", that the RPD (routing protocol daemon)
>>>> need not know or care how the keys were established.
>>> RPD never does bother. However based on how the Key is derived we can
>>> determite the security aspects of the protocol authentication
>>> mechanism.
>> 
>> I'm not sure I buy this.  I don't believe it matters whether the key is
>> derived by an automated key management system, or shared through an out of
>> band mechanism.  If the key is in the table, that means it is appropriate
>> for use.
>> 
>> Perhaps I am missing something, though.  What security aspects were you
>> thinking of?
>> 
>>> 
>>>>> Removing keys from the document isn't covered, though.  Should it be
>>>>> added?
>>>> 
>>>> I think so. For purposes of quick response when a key has been compromised,
>>>> an admin is terminated, a business relationship terminates, etc.
>>> I agree.
>>> 
>>>>> Expiration of entries is covered in
>>>>> draft-housley-saag-crypto-key-table-00,
>>>>> but perhaps we need to discuss removal for other circumstances.  (I'm
>>>>> thinking of severing a business relationship, or deciding a long lived key
>>>>> has been compromised before its expiration date.)  I suspect that would be
>>>>> a
>>>>> manual process...
>>>> 
>>>> Agreed that we need this. The process could be manual to start (given the
>>>> goal of incremental deployability), but I could envision an end state when
>>>> a
>>>> simple execution command at the router's command line interface kicks-off a
>>>> fully automated process of generating, distributing and employing new keys.
>>> Agree again, though I still need to look at the Housely draft.
>>> 
>>>>>> Another comment is Session Acceptance diagram has a Key Id while the
>>>>>> Session Initiation does not.
>>>>> 
>>>>> In our model, a session initiator is not concerned which long-lived key
>>>>> they
>>>>> get, only that the key is shared with the right peer(s) and intended for
>>>>> use
>>>>> with the right protocol.  So, the initiator's request for a key does not
>>>>> contain a KeyID.
>>>> 
>>>> Might this leave us vulnerable to MitM run step-down attacks, i.e. to an
>>>> old
>>>> key (assuming said key was not properly discarded in a timely fashion)?
>>> I did not understand how MITM would be an issue here? Could you explain?
>>> 
>> 
>> I am with you on this one.  As I said above, if the key is in the table, it
>> is acceptable for use.  If the key was not properly discarded (by *either*
>> peer), that is a operational failure that is not going to be overcome by
>> asserting KeyIDs.  It would also mean that the routing protocol had to
>> maintain a list of all the keys it can use (by ID).  This is a nightmare,
>> since we need to keep the keytable and the routing protocol's keyid table
>> synchronized.  Let's not go there.
>> 
>>>>> When a peer accepts a session, the initiator has already selected a
>>>>> long-lived key.  The KeyID is essential in this case, or the peer will not
>>>>> derive the right session key.
>>>>> 
>>>>>> 
>>>>>> Some things to think of are what needs to be done when both sides
>>>>>> initiate the connection at the same time.
>>>>> 
>>>>> Won't different protocols handle this differently?  I could envision
>>>>> ending
>>>>> up with two parallel (but authenticated) sessions, or the protocol could
>>>>> attempt to resolve this into a single connection by selecting one peer as
>>>>> the "initiator" and discard the session key material from the aborted
>>>>> session.
>>>>> 
>>>>>>                                           The document also does not
>>>>>> talk about how the short term keys are changed.
>>>>> 
>>>>> The keytable does not force any key changes - it just lies there.
>>>>> Generation of short term keys is entirely under the routing protocol's
>>>>> control.
>>>> 
>>>> Could be so. Or it could be a function of a KMP, one that is keeping the
>>>> key
>>>> life times and thus knowing when it's time to kick off the negotiation of a
>>>> new security association, then install it for use.
>>> May be there is a generic set of functions required for all routing
>>> and signalling protocols (let us not preclude LDP, RSVP-TE, CR-LDP,
>>> LMP and others from the discussion) which is independent of the
>>> Routing protocol itself is how it finally will be.
>>> 
>> 
>> Perhaps, but are they really functions of the keytable?
>> 
>>>>> Some things to think of are what needs to be done when both sides
>>>>> initiate the connection at the same time.
>>>> Won't different protocols handle this differently?  I could envision
>>>> ending up with two parallel (but authenticated) sessions, or the
>>>> protocol could attempt to resolve this into a single connection by
>>>> selecting one peer as the "initiator" and discard the session key
>>>> material from the aborted session.
>>> That is interesting. So the assumption from your draft is the sender
>>> and receiver keys can be seperate and if the protocol wants the same
>>> in case I have mentioned they can probably drop one of the Keys. Is my
>>> understanding correct?
>>> 
>> 
>> Pretty close... The keytable draft could support protocols that routinely
>> use different session keys in different directions, or protocols that use a
>> single session key for traffic in both directions.  If the protocol demands
>> a single uni-directional traffic key, and two keys have been simultaneously
>> derived during simultaneous open, you either have to discard one key *or*
>> discard both and start over.
>> 
>> I can see that we need more text in this area...
>> 
>> Thanks,
>> 
>> Tim
>> 
>>> Thanks,
>>> Vishwas
>>> 
>>> ssion means a new short term key. That may be
>>>>> enough for some protocols.  For protocols with long-lived sessions, the
>>>>> routing protocol can incorporate protocol specific mechanisms for changing
>>>>> session keys during an existing session.
>>> 
>>>>> 
>>>>> If these protocol specific mechanisms are designed such that the new
>>>>> session
>>>>> keys are derived from different long lived keys, the peer initiating the
>>>>> transition requests new keys just as if it was initiating a new session.
>>>>> The other peer would behave as if it was accepting a new session...
>>>>> 
>>>>> We could add some text here if you would like.  (I think a brief reference
>>>>> to tcp-ao's mechanism for changing keys during sessions is all we have
>>>>> now.)
>>> 
>>> 
>>>>>> Thanks,
>>>>>> Vishwas
>>>>>> 
>>>>>> On Mon, Mar 22, 2010 at 2:38 PM, Gregory Lebovitz
>>>>>> <gregory.ietf@gmail.com> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> On Mon, Mar 22, 2010 at 2:35 PM, Polk, William T.
>>>>>>> <william.polk@nist.gov>
>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> Gregory,
>>>>>>>> 
>>>>>>>> There has really been no change to those documents since Hiroshima, so
>>>>>>>> I
>>>>>>>> did not suggest a presentation.  (We simply haven¹t received any
>>>>>>>> suggestion
>>>>>>>> to change them.)  I do have karp on my schedule and will be in the
>>>>>>>> room.
>>>>>>> 
>>>>>>> I'll leave it to the chairs to decide. Since the last preso was a BoF,
>>>>>>> it
>>>>>>> may make sense to do it again, if only to push people to read and
>>>>>>> review and
>>>>>>> provide input.
>>>>>>> 
>>>>>>>> 
>>>>>>>> I think that maintaining them as separate documents is advisable,
>>>>>>>> given
>>>>>>>> their simplicity...
>>>>>>> 
>>>>>>> If there is applicability outside of karp-framework, then I agree. If
>>>>>>> the
>>>>>>> applicability is only w/in the karp-framework, then I'd suggest we suck
>>>>>>> it
>>>>>>> into the "KeyStore" section of that document. But I haven't thought too
>>>>>>> much
>>>>>>> about it until just now, sitting here with Bill Atwood, working on
>>>>>>> slides
>>>>>>> and open issues / open sections.
>>>>>>> Bill will have this as an open question on his slides and we can
>>>>>>> discuss in
>>>>>>> WG. WFY?
>>>>>>> Gregory
>>>>>>> 
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> 
>>>>>>>> Tim
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 3/22/10 2:11 PM, "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> KARPies, Tim & Russ,
>>>>>>>> I notice that the current agenda for KARP does NOT include a
>>>>>>>> presentation
>>>>>>>> by Tim/Russ on their documents that defines in more detail what
>>>>>>>> draft-ietf-karp-framework calls the KeyStore. I'm thinking that would
>>>>>>>> be a
>>>>>>>> good thing to have presented again (it was presented at the BoF
>>>>>>>> already
>>>>>>>> once), because we need to decide if these become WG documents, or how
>>>>>>>> to
>>>>>>>> proceed them.
>>>>>>>> 
>>>>>>>> Those documents are:
>>>>>>>> draft-housley-saag-crypto-key-table-01
>>>>>>>> draft-polk-saag-rtg-auth-keytable-02
>>>>>>>> 
>>>>>>>> Another question is:  "Do these documents serve better as stand-alone,
>>>>>>>> or
>>>>>>>> ought they be incorporated into the karp-framework document"
>>>>>>>> 
>>>>>>>> Thoughts?
>>>>>>>> 
>>>>>>>> Gregory.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> ----
>>>>>>> IETF related email from
>>>>>>> Gregory M. Lebovitz
>>>>>>> Juniper Networks
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> karp mailing list
>>>>>>> karp@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/karp
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> ----
>>>> IETF related email from
>>>> Gregory M. Lebovitz
>>>> Juniper Networks
>>>> 
>>> 
>> 
>> 
>

v2.23.0 | Report a Bug | By Email