IETF Logo Mail Archive

Re: [karp] Karp Agenda 2: KeyStore?

Vishwas Manral <vishwas.ietf@gmail.com> Tue, 23 March 2010 16:24 UTC

Return-Path: <vishwas.ietf@gmail.com>
X-Original-To: karp@core3.amsl.com
Delivered-To: karp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F6453A6C57 for <karp@core3.amsl.com>; Tue, 23 Mar 2010 09:24:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.235
X-Spam-Level: ***
X-Spam-Status: No, score=3.235 tagged_above=-999 required=5 tests=[AWL=3.464, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B7mAjflahNq0 for <karp@core3.amsl.com>; Tue, 23 Mar 2010 09:24:00 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id 47C283A6C45 for <karp@ietf.org>; Tue, 23 Mar 2010 09:22:57 -0700 (PDT)
Received: by gyh4 with SMTP id 4so3402326gyh.31 for <karp@ietf.org>; Tue, 23 Mar 2010 09:23:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=9gS2Bo+IW/hFF44k61zRlpzjsApEzX8/3cTwLSys3Jg=; b=WIFlkTeczxgbkosmDo+Sk6oh0aqOspoekyvZlojGUlrLiaUxxPTTNpQ6Pts/MAdLfq /GoipTwJ1aVoiGZYeXYsmFKy9EmRlAxhZUF+cUJ6NzVtfi+4505IRDr9NncD4DWWwHIu kwqUtHZGIUvPsjzZlks3C9FvhKTLQgE8UK+Jc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=XgM8SVC7YxzmPTzQWOSHxqI51gPCVv+tRCqz+OUcP0eV41czRRm6LdIMAXMfQjPvXd a07K0HAekSz1SO8/kgTxlaX/496RKRzruCmDHbcCbPhOjUsjwZhh5ZyK2HWksaA1nyhZ YSFGOWa99KWO1gck0jqCsV64f9SoMCBd+rKv4=
MIME-Version: 1.0
Received: by 10.150.119.37 with SMTP id r37mr4611798ybc.17.1269361393050; Tue, 23 Mar 2010 09:23:13 -0700 (PDT)
In-Reply-To: <C7CE346A.14BD4%tim.polk@nist.gov>
References: <77ead0ec1003222230o4bcc3151qec58639c39efb377@mail.gmail.com> <C7CE346A.14BD4%tim.polk@nist.gov>
Date: Tue, 23 Mar 2010 09:23:13 -0700
Message-ID: <77ead0ec1003230923t693f60f0p788d94edca6319e3@mail.gmail.com>
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: "Polk, William T." <william.polk@nist.gov>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Russ Housley <housley@vigilsec.com>, "karp@ietf.org" <karp@ietf.org>
Subject: Re: [karp] Karp Agenda 2: KeyStore?
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Mar 2010 16:24:02 -0000

Hi Tim,

I guess we are in near unision now.
> I'm not sure I buy this.  I don't believe it matters whether the key
> is derived by an automated key management system, or shared
> through an out of band mechanism.  If the key is in the table, that
> means it is appropriate for use.
>
> Perhaps I am missing something, though.  What security
> aspects were you thinking of?
Well if the long term key is not a secure, the short term keys would
not be either. So it does matter how secure the Long term keys are.

>> May be there is a generic set of functions required for all routing
>> and signalling protocols (let us not preclude LDP, RSVP-TE,
>> CR-LDP, LMP and others from the discussion) which is
>> independent of the Routing protocol itself is how it finally will be.
>>
> Perhaps, but are they really functions of the keytable?
A routing protocol expects a certain set of functionality. The Key
table provides another. We could either incorporate the same in the
KeyTable or have it in some "Glue functions" which can be defined
seperately.

> Pretty close... The keytable draft could support protocols that
> routinely use different session keys in different directions, or
> protocols that use a single session key for traffic in both
> directions.  If the protocol demands a single uni-directional
> traffic key, and two keys have been simultaneously derived
> during simultaneous open, you either have to discard one key
> *or* discard both and start over.
>
> I can see that we need more text in this area...
Sounds correct.

Thanks,
Vishwas

On Tue, Mar 23, 2010 at 9:03 AM, Polk, William T. <william.polk@nist.gov> wrote:
>
> On 3/22/10 10:30 PM, "Vishwas Manral" <vishwas.ietf@gmail.com> wrote:
>
>> Hi Tim/ Greg,
>>
>> I mostly agree with Greg.
>>
>> On Mon, Mar 22, 2010 at 10:13 PM, Gregory Lebovitz
>> <gregory.ietf@gmail.com> wrote:
>>> inline...
>>>
>>> On Mon, Mar 22, 2010 at 7:31 PM, Polk, William T. <william.polk@nist.gov>
>>> wrote:
>>>>
>>>> Hi Vishwas,
>>>>
>>>> Comments inline...
>>>>
>>>> On 3/22/10 4:12 PM, "Vishwas Manral" <vishwas.ietf@gmail.com> wrote:
>>>>
>>>>> Gregory/ Tim,
>>>>>
>>>>> I agree with Gregory regarding having the presentation at the KARP
>>>>> meeting.
>>>>>
>>>>> I scanned through the Polk draft. One comment is that the Long lived
>>>>> Crypto Keys stillneed to be changed manually.
>>>>
>>>> Glad to have a reader!
>>>>
>>>> Actually, the Long Lived Keys can be established manually *or* through an
>>>> Automated Key Management Protocol.  (See Figure 1 in
>>>> draft-polk-saag-rtg-auth-keytable-02).  This is a key concept for our
>>>> draft
>>>> - the routing protocol need not know (or care) how long lived keys were
>>>> established.  This allows incremental introduction of automated key
>>>> management techniques seamlessly.
>>>
>>> I agree with this design "feature", that the RPD (routing protocol daemon)
>>> need not know or care how the keys were established.
>> RPD never does bother. However based on how the Key is derived we can
>> determite the security aspects of the protocol authentication
>> mechanism.
>
> I'm not sure I buy this.  I don't believe it matters whether the key is
> derived by an automated key management system, or shared through an out of
> band mechanism.  If the key is in the table, that means it is appropriate
> for use.
>
> Perhaps I am missing something, though.  What security aspects were you
> thinking of?
>
>>
>>>> Removing keys from the document isn't covered, though.  Should it be
>>>> added?
>>>
>>> I think so. For purposes of quick response when a key has been compromised,
>>> an admin is terminated, a business relationship terminates, etc.
>> I agree.
>>
>>>> Expiration of entries is covered in
>>>> draft-housley-saag-crypto-key-table-00,
>>>> but perhaps we need to discuss removal for other circumstances.  (I'm
>>>> thinking of severing a business relationship, or deciding a long lived key
>>>> has been compromised before its expiration date.)  I suspect that would be
>>>> a
>>>> manual process...
>>>
>>> Agreed that we need this. The process could be manual to start (given the
>>> goal of incremental deployability), but I could envision an end state when a
>>> simple execution command at the router's command line interface kicks-off a
>>> fully automated process of generating, distributing and employing new keys.
>> Agree again, though I still need to look at the Housely draft.
>>
>>>>> Another comment is Session Acceptance diagram has a Key Id while the
>>>>> Session Initiation does not.
>>>>
>>>> In our model, a session initiator is not concerned which long-lived key
>>>> they
>>>> get, only that the key is shared with the right peer(s) and intended for
>>>> use
>>>> with the right protocol.  So, the initiator's request for a key does not
>>>> contain a KeyID.
>>>
>>> Might this leave us vulnerable to MitM run step-down attacks, i.e. to an old
>>> key (assuming said key was not properly discarded in a timely fashion)?
>> I did not understand how MITM would be an issue here? Could you explain?
>>
>
> I am with you on this one.  As I said above, if the key is in the table, it
> is acceptable for use.  If the key was not properly discarded (by *either*
> peer), that is a operational failure that is not going to be overcome by
> asserting KeyIDs.  It would also mean that the routing protocol had to
> maintain a list of all the keys it can use (by ID).  This is a nightmare,
> since we need to keep the keytable and the routing protocol's keyid table
> synchronized.  Let's not go there.
>
>>>> When a peer accepts a session, the initiator has already selected a
>>>> long-lived key.  The KeyID is essential in this case, or the peer will not
>>>> derive the right session key.
>>>>
>>>>>
>>>>> Some things to think of are what needs to be done when both sides
>>>>> initiate the connection at the same time.
>>>>
>>>> Won't different protocols handle this differently?  I could envision
>>>> ending
>>>> up with two parallel (but authenticated) sessions, or the protocol could
>>>> attempt to resolve this into a single connection by selecting one peer as
>>>> the "initiator" and discard the session key material from the aborted
>>>> session.
>>>>
>>>>>                                           The document also does not
>>>>> talk about how the short term keys are changed.
>>>>
>>>> The keytable does not force any key changes - it just lies there.
>>>> Generation of short term keys is entirely under the routing protocol's
>>>> control.
>>>
>>> Could be so. Or it could be a function of a KMP, one that is keeping the key
>>> life times and thus knowing when it's time to kick off the negotiation of a
>>> new security association, then install it for use.
>> May be there is a generic set of functions required for all routing
>> and signalling protocols (let us not preclude LDP, RSVP-TE, CR-LDP,
>> LMP and others from the discussion) which is independent of the
>> Routing protocol itself is how it finally will be.
>>
>
> Perhaps, but are they really functions of the keytable?
>
>>>> Some things to think of are what needs to be done when both sides
>>>> initiate the connection at the same time.
>>> Won't different protocols handle this differently?  I could envision
>>> ending up with two parallel (but authenticated) sessions, or the
>>> protocol could attempt to resolve this into a single connection by
>>> selecting one peer as the "initiator" and discard the session key
>>> material from the aborted session.
>> That is interesting. So the assumption from your draft is the sender
>> and receiver keys can be seperate and if the protocol wants the same
>> in case I have mentioned they can probably drop one of the Keys. Is my
>> understanding correct?
>>
>
> Pretty close... The keytable draft could support protocols that routinely
> use different session keys in different directions, or protocols that use a
> single session key for traffic in both directions.  If the protocol demands
> a single uni-directional traffic key, and two keys have been simultaneously
> derived during simultaneous open, you either have to discard one key *or*
> discard both and start over.
>
> I can see that we need more text in this area...
>
> Thanks,
>
> Tim
>
>> Thanks,
>> Vishwas
>>
>> ssion means a new short term key. That may be
>>>> enough for some protocols.  For protocols with long-lived sessions, the
>>>> routing protocol can incorporate protocol specific mechanisms for changing
>>>> session keys during an existing session.
>>
>>>>
>>>> If these protocol specific mechanisms are designed such that the new
>>>> session
>>>> keys are derived from different long lived keys, the peer initiating the
>>>> transition requests new keys just as if it was initiating a new session.
>>>> The other peer would behave as if it was accepting a new session...
>>>>
>>>> We could add some text here if you would like.  (I think a brief reference
>>>> to tcp-ao's mechanism for changing keys during sessions is all we have
>>>> now.)
>>
>>
>>>>> Thanks,
>>>>> Vishwas
>>>>>
>>>>> On Mon, Mar 22, 2010 at 2:38 PM, Gregory Lebovitz
>>>>> <gregory.ietf@gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>> On Mon, Mar 22, 2010 at 2:35 PM, Polk, William T.
>>>>>> <william.polk@nist.gov>
>>>>>> wrote:
>>>>>>>
>>>>>>> Gregory,
>>>>>>>
>>>>>>> There has really been no change to those documents since Hiroshima, so
>>>>>>> I
>>>>>>> did not suggest a presentation.  (We simply haven¹t received any
>>>>>>> suggestion
>>>>>>> to change them.)  I do have karp on my schedule and will be in the
>>>>>>> room.
>>>>>>
>>>>>> I'll leave it to the chairs to decide. Since the last preso was a BoF,
>>>>>> it
>>>>>> may make sense to do it again, if only to push people to read and
>>>>>> review and
>>>>>> provide input.
>>>>>>
>>>>>>>
>>>>>>> I think that maintaining them as separate documents is advisable,
>>>>>>> given
>>>>>>> their simplicity...
>>>>>>
>>>>>> If there is applicability outside of karp-framework, then I agree. If
>>>>>> the
>>>>>> applicability is only w/in the karp-framework, then I'd suggest we suck
>>>>>> it
>>>>>> into the "KeyStore" section of that document. But I haven't thought too
>>>>>> much
>>>>>> about it until just now, sitting here with Bill Atwood, working on
>>>>>> slides
>>>>>> and open issues / open sections.
>>>>>> Bill will have this as an open question on his slides and we can
>>>>>> discuss in
>>>>>> WG. WFY?
>>>>>> Gregory
>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Tim
>>>>>>>
>>>>>>>
>>>>>>> On 3/22/10 2:11 PM, "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> KARPies, Tim & Russ,
>>>>>>> I notice that the current agenda for KARP does NOT include a
>>>>>>> presentation
>>>>>>> by Tim/Russ on their documents that defines in more detail what
>>>>>>> draft-ietf-karp-framework calls the KeyStore. I'm thinking that would
>>>>>>> be a
>>>>>>> good thing to have presented again (it was presented at the BoF
>>>>>>> already
>>>>>>> once), because we need to decide if these become WG documents, or how
>>>>>>> to
>>>>>>> proceed them.
>>>>>>>
>>>>>>> Those documents are:
>>>>>>> draft-housley-saag-crypto-key-table-01
>>>>>>> draft-polk-saag-rtg-auth-keytable-02
>>>>>>>
>>>>>>> Another question is:  "Do these documents serve better as stand-alone,
>>>>>>> or
>>>>>>> ought they be incorporated into the karp-framework document"
>>>>>>>
>>>>>>> Thoughts?
>>>>>>>
>>>>>>> Gregory.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> ----
>>>>>> IETF related email from
>>>>>> Gregory M. Lebovitz
>>>>>> Juniper Networks
>>>>>>
>>>>>> _______________________________________________
>>>>>> karp mailing list
>>>>>> karp@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/karp
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> ----
>>> IETF related email from
>>> Gregory M. Lebovitz
>>> Juniper Networks
>>>
>>
>
>

v2.23.0 | Report a Bug | By Email