IETF Logo Mail Archive

Re: [MSEC] weis-esp-group-counter, was MSEC status update (fwd)

Brian Weis <bew@cisco.com> Wed, 07 February 2007 05:44 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HEfbd-00066B-Md; Wed, 07 Feb 2007 00:44:33 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HEfbc-00063B-Qo for msec@ietf.org; Wed, 07 Feb 2007 00:44:32 -0500
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HEfbb-0007XA-86 for msec@ietf.org; Wed, 07 Feb 2007 00:44:32 -0500
Received: from sj-dkim-5.cisco.com ([171.68.10.79]) by sj-iport-1.cisco.com with ESMTP; 06 Feb 2007 21:44:31 -0800
X-IronPort-AV: i="4.13,292,1167638400"; d="scan'208"; a="762010605:sNHT50203872"
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-5.cisco.com (8.12.11/8.12.11) with ESMTP id l175iSX6016113; Tue, 6 Feb 2007 21:44:28 -0800
Received: from [10.32.244.213] (stealth-10-32-244-213.cisco.com [10.32.244.213]) by sj-core-4.cisco.com (8.12.10/8.12.6) with ESMTP id l175iSnF015571; Tue, 6 Feb 2007 21:44:28 -0800 (PST)
In-Reply-To: <S373524AbXBESa1/20070205183027Z+1280@ams004.ftl.affinity.com>
References: <S373524AbXBESa1/20070205183027Z+1280@ams004.ftl.affinity.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <EE8A84FC-F140-4BFE-956A-41DB215C8322@cisco.com>
Content-Transfer-Encoding: 7bit
From: Brian Weis <bew@cisco.com>
Subject: Re: [MSEC] weis-esp-group-counter, was MSEC status update (fwd)
Date: Tue, 06 Feb 2007 21:44:50 -0800
To: gmgietf@identaware.com
X-Mailer: Apple Mail (2.752.2)
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4973; t=1170827068; x=1171691068; c=relaxed/simple; s=sjdkim5002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20<bew@cisco.com> |Subject:=20Re=3A=20[MSEC]=20weis-esp-group-counter, =20was=20MSEC=20statu s=20update=20(fwd) |Sender:=20; bh=m2qHMnjwz5aWGPbDcBR/3DNN1dLWbMHjajuJz+SqYvM=; b=uImQOP9xtSaqHoaka9eJuVjY4AtxwxGBJn2cw1GFmbJKSLP4C7Y1e5NbzmCtOg7RNNpInPkj mi3XWSsgEwKX+eiOERxv9oA6tgVx+7WVAotE6NInVBgP82/KULk7Aonf;
Authentication-Results: sj-dkim-5; header.From=bew@cisco.com; dkim=pass (sig from cisco.com/sjdkim5002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8a20a483a84f747e56475e290ee868e
Cc: msec@ietf.org, George Gross <gmgross@identaware.com>
X-BeenThere: msec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multicast Security List <msec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/msec>
List-Post: <mailto:msec@ietf.org>
List-Help: <mailto:msec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
Errors-To: msec-bounces@ietf.org

Hi George,

Thanks for your review. Some comments are embedded below.

On Feb 5, 2007, at 10:30 AM, gmgietf@identaware.com wrote:

> Hi Brian and Lakshminath,
> <snip>
>> V.
>> New work (to be adopted after asking for group's opinion):
>
> <snip>
>> draft-weis-esp-group-counter-cipher-00: Ditto.
>
> I do not have a strong objection to this draft being adopted as a  
> MSEC working group item. However, there are several questions  
> (problems?) that I wondered about when I did a quick superficial  
> review of this draft.
> 1) A fundamental problem is nonce or IV re-use, as recently  
> discussed at length on CFRG. Wei Dai posted an good summary of  
> those discussions and what to do about this problem about a week  
> ago. I would suggest that this draft should include that guidance  
> in its security considerations. That said, I suspect the risk of  
> compromise is magnified in direct proportion to the size of the  
> group membership. Instead of two endpoints, there are "N" endpoints  
> that could accidently re-use a {SID, SSIV} pair, and this needs to  
> be emphasized by this draft. There were about two dozen CFRG e-mail  
> exchanges about random number generation, counter management,  
> virtual machine interactions, and re-boot scenarios. At the least,  
> the Sender-Specific IV (SSIV) field must be saved in a non-volatile  
> storage after each use to avoid the scenario where a re-boot causes  
> accidental {SID, SSIV} re-use. That way if a member re-boots then  
> re-joins the same group, then it MUST also restart its SSIV at the  
> last value used plus one. This is only one example. There are other  
> cases mentioned by CFRG that need documentation. Perhaps the SID  
> and SSIV must be qualified by a third field assigned by the GCKS, a  
> "registration instance" counter?

I'm aware of the CRFG thread, and will review it for additional  
security considerations text as you suggest. Regarding re-use of the  
SSIV, your suggestion may not be appropriate as there are some  
devices for which frequent writes to non-volatile storage (e.g.,  
NVRAM) are not appropriate. It was our intention that re-joins would  
be detected by the GCKS during re-registration, and that it would  
take appropriate action. I'll review Section 4 and clarify this.

> 2) A second problem is the inability to scale to large groups  
> because the per sender state that receivers must maintain to  
> enforce anti-replay services. The draft does not mention anti- 
> replay service or how it interacts in this multi-sender group  
> scenario. The draft must state that anti-replay service is not  
> recommended, or else explain how it is done such that it scales to  
> a large group.

Describing anti-replay services would make sense for a draft that is  
defining how multi-sender AH or ESP should be deployed. But his draft  
has a more modest goal of describing how multi-sender counter-mode  
ciphers can be deployed. The draft-ietf-msec-ipsec-extensions I-D  
gives the guidance you mention above. This guidance is certainly  
relevent to the esp-group-counter draft, but I don't think this  
document needs to do more than reference that I-D. I can add text  
pointing readers to that document for guidance on multi-sender SAs.

> 3) The draft as written assumes that there is only a single  
> cryptographic group and a single omnipotent GCKS. It seems to  
> preclude any easy extension or accommodation for composite groups  
> or distributed S-GCKS operations. In particular, the requirements  
> in section 4 could be a source of complexity. Is an endpoint always  
> required to interact with the same S-GCKS? Are all S-GCKS expected  
> to know the SID of every potential group member?

We didn't intend to make restrictions regarding composite groups or  
distributed S-GCKS operations. But this is hard to answer without  
knowing exactly how the distributed GCKS system in a particular  
deployment works.

> 4) The assertion made in section 6, the Security Considerations,  
> that the security is equivalent to that of a single sender is not  
> true and should be replaced with text along the lines described above.

The actual sentence is: "When [this document's] recommendations are  
followed, the security of the crypto algorithms is equivalent to the  
conventional case in which there is a single sender." We believe that  
this is a true statement as long as the IVs are not reused (i.e., the  
recommendations in this document). But we'll certainly add points  
made on the CFRG thread as well, as you suggest.

Thanks,
Brian

> hth,
>  George
>
> _______________________________________________
> MSEC mailing list
> MSEC@ietf.org
> https://www1.ietf.org/mailman/listinfo/msec

-- 
Brian Weis
Advanced Security Development, Security Technology Group, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com

_______________________________________________
MSEC mailing list
MSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/msec

v2.23.0 | Report a Bug | By Email