[MSEC] Regarding GDOI GM rekey "receive window"

"Lewis Chen (lewisc)" <lewisc@cisco.com> Fri, 22 April 2011 17:26 UTC

From: "Lewis Chen (lewisc)" <lewisc@cisco.com>
To: msec@ietf.org
Date: Fri, 22 Apr 2011 10:26:05 -0700
Message-ID: <4BC25C77619B1F4C870E08C2D78B475B0D3467E8@xmb-sjc-234.amer.cisco.com>
Subject: [MSEC] Regarding GDOI GM rekey "receive window"

http://tools.ietf.org/html/draft-ietf-msec-gdoi-update-08

In Section 5.7 (Sequence Number Payload), it mentions the following:

   "The current value of the sequence number
   must be transmitted to group members as a part of the Registration SA
   payload.  A group member must keep a sliding receive window.  The
   window must be treated as in the ESP protocol [RFC4303
   <http://tools.ietf.org/html/rfc4303>] Section 3.4.3."

In GDOI, implementing a sliding receive window for a group member (GM) is
risky because the rekey message contains relative SA lifetimes in it.
Thus, a GM accepting an old rekey (due to the sliding receive window) may
install SAs that are no longer part of the group policy, or that will be
used by the group member after the group policy changes.  Therefore, a
group member should only accept a rekey message with a sequence number
value larger than any previously received sequence number.


In fact, Section 7.3.4 (Replay/Reflection Attack Protection) describes
the correct rekey acceptance criteria as below.


   "The GROUPKEY-PUSH message includes a monotonically increasing
   sequence number to protect against replay and reflection attacks.  A
   group member will discard sequence numbers associated with the
   current KEK SPI that have the same or lower value as the most
   recently received replay number."

Thanks,
Lewis
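As an added example (not from the draft or from Lewis's mail), here is a small Python comparison of the two acceptance rules the mail contrasts: an ESP-style sliding receive window as in RFC 4303 section 3.4.3, and the strict "greater than the last accepted value" rule of section 7.3.4. The class and function names are hypothetical, and the rekey arrival order is constructed to show a late or replayed older rekey.

```python
# Added example: two ways a GM could decide whether to accept a
# GROUPKEY-PUSH sequence number under one KEK SPI. Names are hypothetical.

class SlidingWindow:
    """ESP-style anti-replay window (RFC 4303 3.4.3): accepts any unseen
    number within `size` of the highest accepted one."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted numbers still inside the window

    def accept(self, seq):
        if seq > self.highest:                       # window advances
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size or seq in self.seen:
            return False                             # too old, or a replay
        self.seen.add(seq)                           # late but inside window
        return True


class StrictMonotonic:
    """Section 7.3.4 rule: discard anything at or below the most recently
    accepted sequence number for the current KEK SPI."""

    def __init__(self):
        self.last = 0

    def accept(self, seq):
        if seq <= self.last:
            return False
        self.last = seq
        return True


def replay_rekeys(checker, seqs):
    """Feed an arrival order of rekey sequence numbers to a checker and
    return the numbers it accepted, in order."""
    return [s for s in seqs if checker.accept(s)]


# Constructed arrival order: rekey 7 carries policy that supersedes 5 and
# 6; an older rekey 6 then arrives late, and 7 is seen again (a replay).
ARRIVALS = [5, 7, 6, 7, 8]

if __name__ == "__main__":
    print(replay_rekeys(SlidingWindow(), ARRIVALS))    # [5, 7, 6, 8]
    print(replay_rekeys(StrictMonotonic(), ARRIVALS))  # [5, 7, 8]
```

The window rejects the exact duplicate but still installs the stale rekey 6 after 7 has already replaced it, which is the policy-drift risk the mail describes; the strict rule installs only 5, 7 and 8.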