Re: [MSEC] Regarding GDOI GM rekey "receive window"

Brian Weis <bew@cisco.com> Wed, 27 April 2011 18:36 UTC

From: Brian Weis <bew@cisco.com>
In-Reply-To: <4BC25C77619B1F4C870E08C2D78B475B0D3467E8@xmb-sjc-234.amer.cisco.com>
Date: Wed, 27 Apr 2011 11:36:24 -0700
Message-Id: <EC0A255B-2BB7-4DE6-9A4D-F135E0DCAC1A@cisco.com>
References: <4BC25C77619B1F4C870E08C2D78B475B0D3467E8@xmb-sjc-234.amer.cisco.com>
To: Lewis Chen <lewisc@cisco.com>
Cc: msec@ietf.org
Subject: Re: [MSEC] Regarding GDOI GM rekey "receive window"

Hi Lewis,

Thanks for pointing this out ... in the absence of any objections we'll plan to fix this in the next version of the I-D.

Brian

On Apr 22, 2011, at 10:26 AM, Lewis Chen (lewisc) wrote:

> http://tools.ietf.org/html/draft-ietf-msec-gdoi-update-08
>  
> In Section 5.7 (Sequence Number Payload), it mentions the following:
> 
> “The current value of the sequence number
>    must be transmitted to group members as a part of the Registration SA
>    payload.  A group member must keep a sliding receive window.  The
>    window must be treated as in the ESP protocol [RFC4303] Section
>    3.4.3.”
> 
> In GDOI, implementing a sliding receive window for a group member (GM) is risky because the rekey message contains relative SA lifetimes in it. Thus, a GM accepting an old rekey (due to the sliding receive window) may install SAs that are no longer part of the group policy, or that will be used by the group member after the group policy changes. Therefore, a group member should only accept a rekey message with a sequence number value larger than any previously received sequence number.
> 
> In fact, Section 7.3.4 (Replay/Reflection Attack Protection) describes the correct rekey acceptance criteria as below.
> 
>   “The GROUPKEY-PUSH message includes a monotonically increasing
>    sequence number to protect against replay and reflection attacks.  A
>    group member will discard sequence numbers associated with the
>    current KEK SPI that have the same or lower value as the most
>    recently received replay number.”
> 
> Thanks,
> Lewis


-- 
Brian Weis
Security Standards and Technology, SRTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
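The two acceptance rules contrasted in the thread, an RFC 4303 style sliding receive window versus the strict "larger than the last accepted sequence number" rule of Section 7.3.4, as an added example (not code from the draft or from either author). The rekey stream, the policy labels and the window size are constructed: a delayed or replayed rekey with sequence number 3 arrives after 4 and 5 have been processed, and the sliding window still installs it.

```python
"""Replay acceptance for GDOI GROUPKEY-PUSH sequence numbers:
ESP-style sliding window vs. strict monotonic rule (constructed example)."""

from dataclasses import dataclass


@dataclass
class Rekey:
    seq: int      # value of the Sequence Number payload
    policy: str   # constructed label for the SAs/policy this rekey installs


class SlidingWindow:
    """Anti-replay window in the style of RFC 4303 Section 3.4.3: a bitmap of
    the last `size` sequence numbers below the highest one seen."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        if seq > self.top:                      # advance the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                   # left of the window: too old
            return False
        if self.bitmap & (1 << diff):           # already received: replay
            return False
        self.bitmap |= 1 << diff                # out of order but inside window
        return True


class StrictMonotonic:
    """Section 7.3.4 rule: discard anything equal to or lower than the last
    accepted sequence number for the current KEK SPI."""

    def __init__(self):
        self.last = 0

    def accept(self, seq):
        if seq <= self.last:
            return False
        self.last = seq
        return True


def install(stream, checker):
    """Return (seq, policy) for every rekey the checker lets through."""
    return [(m.seq, m.policy) for m in stream if checker.accept(m.seq)]


# Constructed stream: rekey 3 shows up late, then rekey 5 is replayed.
STREAM = [Rekey(1, "P1"), Rekey(2, "P2"), Rekey(4, "P4"), Rekey(5, "P5"),
          Rekey(3, "P3-stale"), Rekey(5, "P5")]
```

Both checkers reject the pure replay of 5; only the sliding window installs the stale rekey 3 after policy has moved on, which is the hazard described above since its relative lifetimes would start counting from the time of acceptance.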