Re: [secdir] review of draft-ietf-tcpm-tcp-auth-opt-10
Joe Touch <touch@ISI.EDU> Sun, 07 March 2010 19:46 UTC
Return-Path: <touch@ISI.EDU>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0A1228C1E9; Sun, 7 Mar 2010 11:46:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 39Tos+2Ie7xD; Sun, 7 Mar 2010 11:46:56 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 87C1628C17E; Sun, 7 Mar 2010 11:46:56 -0800 (PST)
Received: from [192.168.1.95] (pool-71-106-88-10.lsanca.dsl-w.verizon.net [71.106.88.10]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id o27JiDOI029107 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 7 Mar 2010 11:44:15 -0800 (PST)
Message-ID: <4B94020D.8090209@isi.edu>
Date: Sun, 07 Mar 2010 11:44:13 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Radia Perlman <radiaperlman@gmail.com>
References: <c09b97ef1003062130y5c83f334x796ee9243d61fed2@mail.gmail.com> <4B93F955.3000002@isi.edu> <c09b97ef1003071128t3c8c99d9tfdf7829237c7e318@mail.gmail.com>
In-Reply-To: <c09b97ef1003071128t3c8c99d9tfdf7829237c7e318@mail.gmail.com>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="------------enigD6E40A591AF966B3039D9FDC"
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: rbonica@juniper.net, mankin@psg.com, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] review of draft-ietf-tcpm-tcp-auth-opt-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2010 19:46:58 -0000
Hi, Radia (et al.), I expect that this will be 'documented' not only as an RFC, but as a published paper elsewhere; that paper might provide the context, but it won't be citable in the RFC (not ready yet). I don't see the need for that as an RFC per se - it's more useful as advertisement to the community at large, IMO, so I'd like to seek a wider venue for that. Joe Radia Perlman wrote: > re: all the opportunities for clarification: I certainly like > documenting clarifications and motivations, whether it be in the base > document, or a companion "tutorial/motivation" document. > > Radia > > On Sun, Mar 7, 2010 at 11:07 AM, Joe Touch <touch@isi.edu > <mailto:touch@isi.edu>> wrote: > > Hi, Radia, > > Thanks for your comments. Some clarifications below. > > It would be useful to determine how to proceed on these issues. > > Joe > > Radia Perlman wrote: > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > > IESG. These comments were written primarily for the benefit of the > > security area directors. Document editors and WG chairs should treat > > these comments just like any other last call comments. > > This protocol is essentially a lightweight special purpose version of > > the Authentication Header (AH) protocol (RFC 4302). It is intended > as a > > generalization, improvement, and replacement of the TCP-MD5 protocol > > documented in RFC2385. RFC2385 only proposed using TCP-MD5 for BGP, > > which had certain unique requirements (like keeping a TCP > connection up > > through crashes of one or both endpoints). The proposal does not > > explicitly limit the applicability. > > > > One question that leaps to mind is why there is both this and AH > (not to > > mention ESP). > > > > The primary differences between TCP-AO and AH are: > > > > TCP-AO can only be used to protect TCP connections (because the > > integrity checksum is included in a TCP extension header). > > > > TCP-AO only increases the packet length by 16 bytes with default > crypto > > (AH adds 24 bytes with default crypto). > > The document contains a list of the differences. One other notable > difference is that TCP-AO rekeys on each new TCP connection even when > used with manual master keys, without requiring an in-band or > out-of-band key negotation protocol. > > > While both are technically independent of any particular keying > > mechanism, AH was designed to be keyed using IKE (RFC 4306) while > TCP-AO > > was designed for manual keying. In particular, TCP-AO includes an > > in-band protocol for signally when a new key is available so that when > > new keys are configured at the two ends of a connection, both ends > will > > start using the new key only when it is available at both ends. > > > > Review of the document: > > > > Section 4.2 under KeyID (and repeated in section 5.1 under IDs), the > > document says that KeyID values are arbitrary. This is not quite true. > > The same KeyID value cannot be used for two different valid keys. > (So an > > implementation must assure that all nodes have deconfigured or expired > > keys with a particular KeyID value before assigning that KeyID > value to > > a new key. > > The same keyID can be used for different valid (master) keys, so long as > they otherwise do not apply to the same TCP socket pair (connection), as > noted in the following requirement in 5.1: > > >> The IDs of MKTs MUST NOT overlap where their TCP connection > identifiers overlap. > > The primary reason for calling them "arbitrary" is to note that the > values are not monotonically increasing, have no reserved values, and > are otherwise not meaningful. > > Would it help to clarify that in the doc? > > > Section 4.2 also implies that the KeyID for the same master key > used to > > generate different encryption keys for the two different directions of > > TCP can have different KeyIDs in the two different directions. That > > seems like a useless generality. > > It specifically allows for at least two capabilities: > > 1) master keys can be installed on a set of devices without coordinating > their keyIDs in advance > > 2) master keys can be installed on a set of devices, and new devices > added to the set of keys later without requiring renumbering of keyIDs > > These two capabilities are particularly important when used with > wildcards in the TCP socket pair of the master key tuple, i.e., when a > key is used among a set of devices specified by a pattern. > > Would it be useful to add as motivation in the doc? > > > Section 8.1 specifies how to choose the key to use in a next packet > > based on the RNextKeyID in the last received packet. It does not > specify > > how to choose the key when starting a new connection (i.e. sending a > > SYN). > > 8.1 talks about how to use new keys in established connections. > > 9.4 addresses how to start a connection as follows: > > 1. Find the per-connection parameters for the segment: > > a. If the segment is a SYN, then this is the first segment of a > new connection. Find the matching MKT for this segment based > on the segment's socket pair. > > i. If there is no matching MKT, omit the TCP-AO option. > Proceed with transmitting the segment. > > ii. If there is a matching MKT, then set the per-connection > parameters as needed (see Section 6). Proceed with the > step 2. > > This is enabled by the requirement that: > > >> An outgoing TCP segment MUST match at most one desired MKT, > indicated by the segment's socket pair. The segment MAY match > multiple MKTs, provided that exactly one MKT is indicated as desired. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > Other information in the segment MAY be used to determine the desired > MKT when multiple MKTs match; such information MUST NOT include > values in any TCP option fields. > > > > I would assume that there is some non-connection state saved on > > the node (and preserved across crashes) that remembers the last > > RNextKeyID received on any connection, and this is used to open new > > connections. > > There is no such state. New connections are opened by using the > "desired" MKT for a socket pair (this is like setting one of the MKTs > for a set of overlapping MKTs as "use first"). > > >The first time a connection is opened to a node that has > > never successfully been connected to, the sender would cycle > through all > > valid keys until finding one the other end will accept. In any > case, the > > spec should say. > > Would it be useful, given the above already in the doc, to be more clear > about the idea of "desired" MKTs, and how MKTs are selected when a > connection is opened? > > > Section 8.2 paragraph 5 says the implementation of SNEs (extended > > sequence numbers) is not specified in this document. This seems > entirely > > unacceptable, since the two ends must implement them identically > for the > > protocol to work and they aren't specified anywhere else. Further, it > > appears that they *are* specified in the paragraphs that follow > (though > > stated as an example rather than a spec). > > The implementation is not specified. The code is one way to implement > them, but not the only way. SNE properties are described throughout that > section. > > We meant that to say more like "the requirements are specified in this > section, but the implementation is up to the user". > > Does that address your concerns, or would it be useful to either update > the text to require the algorithm indicated, or to be more clear about > what is being required and what is offered as an example? > > > Sections 9.3-9.5 appear to be dealing with the case where one end > of the > > connection has been configured to use TCP-AO but the other has not. > > Section 9 as a whole describes how TCP-AO interacts with RFC 793. It > deals with sent and received segments separately, because they are > specified separately in 793, and typically implemented separately. > > None of this is specific to asymmetric use. > > > This > > should probably be modeled as having a special "no authentication" key > > configured as a valid key for the connection. > > In TCP-AO, the default is that all packets are allowed as having no > authentication unless there is a key required. This differs from IPsec, > in which all packets would be blocked until a "default pass" rule were > installed. > > > The initiator would not > > use that key when sending a SYN, but would switch to that key if > he got > > an unsigned ACK from the other end or he got an unsigned SYN from the > > other end. There is an implication that existing implementations will > > ignore the TCP-AO extension if they don't support TCP-AO. Is that > true? > > Yes. This is consistent with RFC 793. > > > (When in this mode, there is no security, but it is a way to add > initial > > keys to the two endpoints without breaking connectivity during the > > period when one end has been keyed and the other has not. Once > both ends > > have received a correctly signed message from the other end, they > should > > stop accepting unsigned ones. > > TCP-AO is not intended to 'startup' mid-connection. That would make the > use of SNE impossible, among other things. > > > Section 10 says "TCP implementations MUST support TCP-AO". What does > > this mean? Implementations of this spec MUST implement this spec. > It is > > not reasonable to expect *all* TCP implementations to support TCP-AO. > > I'll let the TSV ADs speak to this issue. I had thought we were > intending this to be a MUST for all TCP implementations, to encourage > its use. This would be in the spirit of IPsec being a MUST for IPv6 - > even though there are IPv6 implementations that don't support IPsec. > > > Section 11.2 suggests use of IPsec NAT traversal instead of TCP-AO if > > NATs are present, but does not suggest how that would be > negotiated. Or > > is this saying that IPsec NAT traversal is preferred in any scenario > > where NAT traversal *might* be needed? > > We're trying to offer a path for NAT traversal; another path is the > TCP-AO-nat extension, currently under ongoing discussion in the WG. The > point is more "do NAT traversal *like* IPsec", not to use "IPsec NAT > traversal" - i.e., traversal by UDP encapsulation. > > We can update the doc to make that more clear. > > The updates below would be useful to include, and the ADs can indicate > when they should be done (e.g., now, or during AUTH48). > > > > Typos: > > > > Page 4 2nd to last paragraph: There is a badly structured sentence > that > > could be fixed in multiple ways. One way would be: "This document > > obsoletes the TCP MD5 option with a more general TCP Authentication > > Option (TCP-AO). The new design supports the use of other (stronger) > > hash functions, provides replay protection for long-lived connections > > and across repeated instances of a single connection, coordinates key > > changes between endpoints, and provides a more structured > recommendation > > for external key management." > > > > Section 3 paragraph 3: "proceeding -> preceding" > > > > Page 13 3rd to last line: "match at exactly" -> "match exactly" > > > > Page 21 3rd to last line: "when is" -> "when it is" > > > >
- [secdir] review of draft-ietf-tcpm-tcp-auth-opt-10 Radia Perlman
- Re: [secdir] review of draft-ietf-tcpm-tcp-auth-o… Joe Touch
- Re: [secdir] review of draft-ietf-tcpm-tcp-auth-o… Radia Perlman
- Re: [secdir] review of draft-ietf-tcpm-tcp-auth-o… Joe Touch