Re: [secdir] review of draft-ietf-tcpm-tcp-auth-opt-10

Radia Perlman <> Sun, 07 March 2010 19:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 098C228C1CD; Sun, 7 Mar 2010 11:28:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ynRXhKB-FxCC; Sun, 7 Mar 2010 11:28:54 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D17593A8312; Sun, 7 Mar 2010 11:28:54 -0800 (PST)
Received: by pzk33 with SMTP id 33so392753pzk.5 for <multiple recipients>; Sun, 07 Mar 2010 11:28:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=wjHSQ3Q0l8T597RkwSsWXF1+IpY3jMWihU98Nl9XFSU=; b=BGmr/LzZtUlldjycUIZ3diakCZSVvtb7XiJ1/mOmFkdVj7U5dJNW/KEuCGAIBM/ufv nipo3jUNZS4pjbk2rcFkJ++4HX/NgAXToT34Pk1Ggwi0y0jI1Bb6j2er9An28Zr9z9W1 7zkxQ+EryD2sGqO81mQ6eutr2WprNvm9tDet0=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=gQ9X4n9Z/L2gFUQzta/80mrc36fKqBQLmEdVISoMIKA/lW7ZsY1X9m8GLRjy/enT41 STZ+4ymLWaHoaf3MerBNWprTGByyrlveh8ufOcvMcsHXMIsJ6XaBHdhxqhjh8ObPbuUd a5XvkA+GWNdR7OTWWOVIRfTyUIYbfHgEU4Ulo=
MIME-Version: 1.0
Received: by with SMTP id 19mr2562584wff.131.1267990135647; Sun, 07 Mar 2010 11:28:55 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Sun, 7 Mar 2010 11:28:55 -0800
Message-ID: <>
From: Radia Perlman <>
To: Joe Touch <>
Content-Type: multipart/alternative; boundary=00504502bc1f9d2f3304813af515
X-Mailman-Approved-At: Sun, 07 Mar 2010 11:39:13 -0800
Subject: Re: [secdir] review of draft-ietf-tcpm-tcp-auth-opt-10
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 07 Mar 2010 19:28:57 -0000

re: all the opportunities for clarification: I certainly like documenting
clarifications and motivations, whether it be in the base document, or a
companion "tutorial/motivation" document.


On Sun, Mar 7, 2010 at 11:07 AM, Joe Touch <> wrote:

> Hi, Radia,
> Thanks for your comments. Some clarifications below.
> It would be useful to determine how to proceed on these issues.
> Joe
> Radia Perlman wrote:
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the
> > IESG.  These comments were written primarily for the benefit of the
> > security area directors.  Document editors and WG chairs should treat
> > these comments just like any other last call comments.
> > This protocol is essentially a lightweight special purpose version of
> > the Authentication Header (AH) protocol (RFC 4302). It is intended as a
> > generalization, improvement, and replacement of the TCP-MD5 protocol
> > documented in RFC2385. RFC2385 only proposed using TCP-MD5 for BGP,
> > which had certain unique requirements (like keeping a TCP connection up
> > through crashes of one or both endpoints). The proposal does not
> > explicitly limit the applicability.
> >
> > One question that leaps to mind is why there is both this and AH (not to
> > mention ESP).
> >
> > The primary differences between TCP-AO and AH are:
> >
> > TCP-AO can only be used to protect TCP connections (because the
> > integrity checksum is included in a TCP extension header).
> >
> > TCP-AO only increases the packet length by 16 bytes with default crypto
> > (AH adds 24 bytes with default crypto).
> The document contains a list of the differences. One other notable
> difference is that TCP-AO rekeys on each new TCP connection even when
> used with manual master keys, without requiring an in-band or
> out-of-band key negotation protocol.
> > While both are technically independent of any particular keying
> > mechanism, AH was designed to be keyed using IKE (RFC 4306) while TCP-AO
> > was designed for manual keying. In particular, TCP-AO includes an
> > in-band protocol for signally when a new key is available so that when
> > new keys are configured at the two ends of a connection, both ends will
> > start using the new key only when it is available at both ends.
> >
> > Review of the document:
> >
> > Section 4.2 under KeyID (and repeated in section 5.1 under IDs), the
> > document says that KeyID values are arbitrary. This is not quite true.
> > The same KeyID value cannot be used for two different valid keys. (So an
> > implementation must assure that all nodes have deconfigured or expired
> > keys with a particular KeyID value before assigning that KeyID value to
> > a new key.
> The same keyID can be used for different valid (master) keys, so long as
> they otherwise do not apply to the same TCP socket pair (connection), as
> noted in the following requirement in 5.1:
>   >> The IDs of MKTs MUST NOT overlap where their TCP connection
>   identifiers overlap.
> The primary reason for calling them "arbitrary" is to note that the
> values are not monotonically increasing, have no reserved values, and
> are otherwise not meaningful.
> Would it help to clarify that in the doc?
> > Section 4.2 also implies that the KeyID for the same master key used to
> > generate different encryption keys for the two different directions of
> > TCP can have different KeyIDs in the two different directions. That
> > seems like a useless generality.
> It specifically allows for at least two capabilities:
> 1) master keys can be installed on a set of devices without coordinating
> their keyIDs in advance
> 2) master keys can be installed on a set of devices, and new devices
> added to the set of keys later without requiring renumbering of keyIDs
> These two capabilities are particularly important when used with
> wildcards in the TCP socket pair of the master key tuple, i.e., when a
> key is used among a set of devices specified by a pattern.
> Would it be useful to add as motivation in the doc?
> > Section 8.1 specifies how to choose the key to use in a next packet
> > based on the RNextKeyID in the last received packet. It does not specify
> > how to choose the key when starting a new connection (i.e. sending a
> > SYN).
> 8.1 talks about how to use new keys in established connections.
> 9.4 addresses how to start a connection as follows:
>   1. Find the per-connection parameters for the segment:
>       a. If the segment is a SYN, then this is the first segment of a
>          new connection. Find the matching MKT for this segment based
>          on the segment's socket pair.
>           i. If there is no matching MKT, omit the TCP-AO option.
>               Proceed with transmitting the segment.
>          ii. If there is a matching MKT, then set the per-connection
>               parameters as needed (see Section 6). Proceed with the
>               step 2.
> This is enabled by the requirement that:
>   >> An outgoing TCP segment MUST match at most one desired MKT,
>   indicated by the segment's socket pair. The segment MAY match
>   multiple MKTs, provided that exactly one MKT is indicated as desired.
>                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   Other information in the segment MAY be used to determine the desired
>   MKT when multiple MKTs match; such information MUST NOT include
>   values in any TCP option fields.
> > I would assume that there is some non-connection state saved on
> > the node (and preserved across crashes) that remembers the last
> > RNextKeyID received on any connection, and this is used to open new
> > connections.
> There is no such state. New connections are opened by using the
> "desired" MKT for a socket pair (this is like setting one of the MKTs
> for a set of overlapping MKTs as "use first").
>  >The first time a connection is opened to a node that has
> > never successfully been connected to, the sender would cycle through all
> > valid keys until finding one the other end will accept. In any case, the
> > spec should say.
> Would it be useful, given the above already in the doc, to be more clear
> about the idea of "desired" MKTs, and how MKTs are selected when a
> connection is opened?
> > Section 8.2 paragraph 5 says the implementation of SNEs (extended
> > sequence numbers) is not specified in this document. This seems entirely
> > unacceptable, since the two ends must implement them identically for the
> > protocol to work and they aren't specified anywhere else. Further, it
> > appears that they *are* specified in the paragraphs that follow (though
> > stated as an example rather than a spec).
> The implementation is not specified. The code is one way to implement
> them, but not the only way. SNE properties are described throughout that
> section.
> We meant that to say more like "the requirements are specified in this
> section, but the implementation is up to the user".
> Does that address your concerns, or would it be useful to either update
> the text to require the algorithm indicated, or to be more clear about
> what is being required and what is offered as an example?
> > Sections 9.3-9.5 appear to be dealing with the case where one end of the
> > connection has been configured to use TCP-AO but the other has not.
> Section 9 as a whole describes how TCP-AO interacts with RFC 793. It
> deals with sent and received segments separately, because they are
> specified separately in 793, and typically implemented separately.
> None of this is specific to asymmetric use.
> > This
> > should probably be modeled as having a special "no authentication" key
> > configured as a valid key for the connection.
> In TCP-AO, the default is that all packets are allowed as having no
> authentication unless there is a key required. This differs from IPsec,
> in which all packets would be blocked until a "default pass" rule were
> installed.
> > The initiator would not
> > use that key when sending a SYN, but would switch to that key if he got
> > an unsigned ACK from the other end or he got an unsigned SYN from the
> > other end. There is an implication that existing implementations will
> > ignore the TCP-AO extension if they don't support TCP-AO. Is that true?
> Yes. This is consistent with RFC 793.
> > (When in this mode, there is no security, but it is a way to add initial
> > keys to the two endpoints without breaking connectivity during the
> > period when one end has been keyed and the other has not. Once both ends
> > have received a correctly signed message from the other end, they should
> > stop accepting unsigned ones.
> TCP-AO is not intended to 'startup' mid-connection. That would make the
> use of SNE impossible, among other things.
> > Section 10 says "TCP implementations MUST support TCP-AO". What does
> > this mean? Implementations of this spec MUST implement this spec. It is
> > not reasonable to expect *all* TCP implementations to support TCP-AO.
> I'll let the TSV ADs speak to this issue. I had thought we were
> intending this to be a MUST for all TCP implementations, to encourage
> its use. This would be in the spirit of IPsec being a MUST for IPv6 -
> even though there are IPv6 implementations that don't support IPsec.
> > Section 11.2 suggests use of IPsec NAT traversal instead of TCP-AO if
> > NATs are present, but does not suggest how that would be negotiated. Or
> > is this saying that IPsec NAT traversal is preferred in any scenario
> > where NAT traversal *might* be needed?
> We're trying to offer a path for NAT traversal; another path is the
> TCP-AO-nat extension, currently under ongoing discussion in the WG. The
> point is more "do NAT traversal *like* IPsec", not to use "IPsec NAT
> traversal" - i.e., traversal by UDP encapsulation.
> We can update the doc to make that more clear.
> The updates below would be useful to include, and the ADs can indicate
> when they should be done (e.g., now, or during AUTH48).
> > Typos:
> >
> > Page 4 2nd to last paragraph: There is a badly structured sentence that
> > could be fixed in multiple ways. One way would be: "This document
> > obsoletes the TCP MD5 option with a more general TCP Authentication
> > Option (TCP-AO). The new design supports the use of other (stronger)
> > hash functions, provides replay protection for long-lived connections
> > and across repeated instances of a single connection, coordinates key
> > changes between endpoints, and provides a more structured recommendation
> > for external key management."
> >
> > Section 3 paragraph 3: "proceeding -> preceding"
> >
> > Page 13 3rd to last line: "match at exactly" -> "match exactly"
> >
> > Page 21 3rd to last line: "when is" -> "when it is"
> >