Re: [MSEC] weis-esp-group-counter, was MSEC status update (fwd)
Brian Weis <bew@cisco.com> Wed, 07 February 2007 05:44 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HEfbd-00066B-Md; Wed, 07 Feb 2007 00:44:33 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HEfbc-00063B-Qo for msec@ietf.org; Wed, 07 Feb 2007 00:44:32 -0500
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HEfbb-0007XA-86 for msec@ietf.org; Wed, 07 Feb 2007 00:44:32 -0500
Received: from sj-dkim-5.cisco.com ([171.68.10.79]) by sj-iport-1.cisco.com with ESMTP; 06 Feb 2007 21:44:31 -0800
X-IronPort-AV: i="4.13,292,1167638400"; d="scan'208"; a="762010605:sNHT50203872"
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-5.cisco.com (8.12.11/8.12.11) with ESMTP id l175iSX6016113; Tue, 6 Feb 2007 21:44:28 -0800
Received: from [10.32.244.213] (stealth-10-32-244-213.cisco.com [10.32.244.213]) by sj-core-4.cisco.com (8.12.10/8.12.6) with ESMTP id l175iSnF015571; Tue, 6 Feb 2007 21:44:28 -0800 (PST)
In-Reply-To: <S373524AbXBESa1/20070205183027Z+1280@ams004.ftl.affinity.com>
References: <S373524AbXBESa1/20070205183027Z+1280@ams004.ftl.affinity.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <EE8A84FC-F140-4BFE-956A-41DB215C8322@cisco.com>
Content-Transfer-Encoding: 7bit
From: Brian Weis <bew@cisco.com>
Subject: Re: [MSEC] weis-esp-group-counter, was MSEC status update (fwd)
Date: Tue, 06 Feb 2007 21:44:50 -0800
To: gmgietf@identaware.com
X-Mailer: Apple Mail (2.752.2)
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4973; t=1170827068; x=1171691068; c=relaxed/simple; s=sjdkim5002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20<bew@cisco.com> |Subject:=20Re=3A=20[MSEC]=20weis-esp-group-counter, =20was=20MSEC=20statu s=20update=20(fwd) |Sender:=20; bh=m2qHMnjwz5aWGPbDcBR/3DNN1dLWbMHjajuJz+SqYvM=; b=uImQOP9xtSaqHoaka9eJuVjY4AtxwxGBJn2cw1GFmbJKSLP4C7Y1e5NbzmCtOg7RNNpInPkj mi3XWSsgEwKX+eiOERxv9oA6tgVx+7WVAotE6NInVBgP82/KULk7Aonf;
Authentication-Results: sj-dkim-5; header.From=bew@cisco.com; dkim=pass (sig from cisco.com/sjdkim5002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8a20a483a84f747e56475e290ee868e
Cc: msec@ietf.org, George Gross <gmgross@identaware.com>
X-BeenThere: msec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multicast Security List <msec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/msec>
List-Post: <mailto:msec@ietf.org>
List-Help: <mailto:msec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
Errors-To: msec-bounces@ietf.org
Hi George, Thanks for your review. Some comments are embedded below. On Feb 5, 2007, at 10:30 AM, gmgietf@identaware.com wrote: > Hi Brian and Lakshminath, > <snip> >> V. >> New work (to be adopted after asking for group's opinion): > > <snip> >> draft-weis-esp-group-counter-cipher-00: Ditto. > > I do not have a strong objection to this draft being adopted as a > MSEC working group item. However, there are several questions > (problems?) that I wondered about when I did a quick superficial > review of this draft. > 1) A fundamental problem is nonce or IV re-use, as recently > discussed at length on CFRG. Wei Dai posted an good summary of > those discussions and what to do about this problem about a week > ago. I would suggest that this draft should include that guidance > in its security considerations. That said, I suspect the risk of > compromise is magnified in direct proportion to the size of the > group membership. Instead of two endpoints, there are "N" endpoints > that could accidently re-use a {SID, SSIV} pair, and this needs to > be emphasized by this draft. There were about two dozen CFRG e-mail > exchanges about random number generation, counter management, > virtual machine interactions, and re-boot scenarios. At the least, > the Sender-Specific IV (SSIV) field must be saved in a non-volatile > storage after each use to avoid the scenario where a re-boot causes > accidental {SID, SSIV} re-use. That way if a member re-boots then > re-joins the same group, then it MUST also restart its SSIV at the > last value used plus one. This is only one example. There are other > cases mentioned by CFRG that need documentation. Perhaps the SID > and SSIV must be qualified by a third field assigned by the GCKS, a > "registration instance" counter? I'm aware of the CRFG thread, and will review it for additional security considerations text as you suggest. Regarding re-use of the SSIV, your suggestion may not be appropriate as there are some devices for which frequent writes to non-volatile storage (e.g., NVRAM) are not appropriate. It was our intention that re-joins would be detected by the GCKS during re-registration, and that it would take appropriate action. I'll review Section 4 and clarify this. > 2) A second problem is the inability to scale to large groups > because the per sender state that receivers must maintain to > enforce anti-replay services. The draft does not mention anti- > replay service or how it interacts in this multi-sender group > scenario. The draft must state that anti-replay service is not > recommended, or else explain how it is done such that it scales to > a large group. Describing anti-replay services would make sense for a draft that is defining how multi-sender AH or ESP should be deployed. But his draft has a more modest goal of describing how multi-sender counter-mode ciphers can be deployed. The draft-ietf-msec-ipsec-extensions I-D gives the guidance you mention above. This guidance is certainly relevent to the esp-group-counter draft, but I don't think this document needs to do more than reference that I-D. I can add text pointing readers to that document for guidance on multi-sender SAs. > 3) The draft as written assumes that there is only a single > cryptographic group and a single omnipotent GCKS. It seems to > preclude any easy extension or accommodation for composite groups > or distributed S-GCKS operations. In particular, the requirements > in section 4 could be a source of complexity. Is an endpoint always > required to interact with the same S-GCKS? Are all S-GCKS expected > to know the SID of every potential group member? We didn't intend to make restrictions regarding composite groups or distributed S-GCKS operations. But this is hard to answer without knowing exactly how the distributed GCKS system in a particular deployment works. > 4) The assertion made in section 6, the Security Considerations, > that the security is equivalent to that of a single sender is not > true and should be replaced with text along the lines described above. The actual sentence is: "When [this document's] recommendations are followed, the security of the crypto algorithms is equivalent to the conventional case in which there is a single sender." We believe that this is a true statement as long as the IVs are not reused (i.e., the recommendations in this document). But we'll certainly add points made on the CFRG thread as well, as you suggest. Thanks, Brian > hth, > George > > _______________________________________________ > MSEC mailing list > MSEC@ietf.org > https://www1.ietf.org/mailman/listinfo/msec -- Brian Weis Advanced Security Development, Security Technology Group, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com _______________________________________________ MSEC mailing list MSEC@ietf.org https://www1.ietf.org/mailman/listinfo/msec