[Sidr] Transport security
Iljitsch van Beijnum <iljitsch@muada.com> Tue, 04 July 2006 09:10 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FxgvI-0007k4-UB; Tue, 04 Jul 2006 05:10:24 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FxgvG-0007iw-P7 for sidr@ietf.org; Tue, 04 Jul 2006 05:10:22 -0400
Received: from [2001:1af8:2:5::2] (helo=sequoia.muada.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FxgtS-0005wX-2n for sidr@ietf.org; Tue, 04 Jul 2006 05:08:30 -0400
Received: from [IPv6:2001:1af8:6::20a:95ff:fef5:246e] (alumange.muada.com [IPv6:2001:1af8:6:0:20a:95ff:fef5:246e]) (authenticated bits=0) by sequoia.muada.com (8.13.3/8.13.3) with ESMTP id k6498DVl078428 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO) for <sidr@ietf.org>; Tue, 4 Jul 2006 11:08:13 +0200 (CEST) (envelope-from iljitsch@muada.com)
Mime-Version: 1.0 (Apple Message framework v752.2)
In-Reply-To: <6.2.0.14.2.20060704073602.02dbf8e8@kahuna.telstra.net>
References: <6.2.0.14.2.20060704073602.02dbf8e8@kahuna.telstra.net>
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <0A31F26E-0E5F-48C3-9B4F-4CDD9E5E3043@muada.com>
Content-Transfer-Encoding: 7bit
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Tue, 04 Jul 2006 11:08:15 +0200
To: sidr@ietf.org
X-Mailer: Apple Mail (2.752.2)
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.2
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on sequoia.muada.com
X-Spam-Score: -2.8 (--)
X-Scan-Signature: 8fbbaa16f9fd29df280814cb95ae2290
Subject: [Sidr] Transport security
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
Errors-To: sidr-bounces@ietf.org
On 3-jul-2006, at 23:56, Geoff Huston wrote: > 3) Transport Security > Rekeying the TCP MD5 Option (Steve Bellovin) 20 minutes > "Key Change Strategies for TCP-MD5" > draft-bellovin-keyroll2385-00.txt > http://www.ietf.org/internet-drafts/draft-bellovin- > keyroll2385-00.txt > A New TCP Authentication Option (Ron Bonica) 20 minutes > "Authentication for TCP-based Routing and Management Protocols" > draft-bonica-tcp-auth-04.txt > http://www.ietf.org/internet-drafts/draft-bonica-tcp-auth-04.txt > Key Selection for TCP Authentication (Brian Weiss) 20 minutes > "Automated key selection extension for the TCP Authentication > Option" > draft-weis-tcp-auth-auto-ks-01.txt > http://www.ietf.org/internet-drafts/draft-weis-tcp-auth-auto- > ks-01.txt Three new drafts trying to improve on RFC 2385! There are some good ideas in there, but I see major problems. draft-bonica-tcp-auth-04.txt: However, TCP implementations MAY omit TCP Options from the MAC calculation. When implementation do so, they MUST set the T-bit in the TCP Enhanced Authentication Option. See Section 9 of this document for details. Huh? Why would this be necessary or useful? Seems to me this only adds unnecessary complexity. Using identifiers to identify MAC keys seems like a good idea, but it doesn't preclude two sides from entering different keys, and it only adds more stuff that must be agreed upon. To avoid these problems, I suggest using a hash of the key as the key id. Such a hash would be too long to include in a TCP option, but I don't think this is too much of a problem: rather than include the key id in every segment, implementations can agree on the key that's used in-band. draft-weis-tcp-auth-auto-ks-01.txt: This draft can use some more spelling and grammar checking. I also find the draft hard to follow. I'm not sure whether this is because of my relative unfamiliarity with the matters discussed, the frequent references to things defined elsewhere or because of poor organization. Using an additional four TCP option bytes for a sequence number dedicated to the MAC option is required in order to satisfy the cryptographic requirement of unique nonces. No other value in a TCP packet is guaranteed to be unique. At first glance, the TCP Sequence Number would appear to be suitable. However, the TCP Sequence Number can wrap, after which it increments back through the same sequence number space. Yes, after transmitting 4 GB worth of data... TCP already has a window system that makes sure only part of the sequence space is acceptable at any given time so it would be relatively simple to look at the TCP sequence number as a 64 bit or even longer value and keep the upper bits in sync with the other side when the lower 32 bits wrap with no need to actually transmit the upper bits. Is it worth all this complexity to avoid having to use the same actual MAC key for prolonged periods but rather use different MAC keys based on the same underlying key? In my not cryptographically trained opinion this is only the case when the MAC algorithm is significantly weaker than the encryption algorithm used to exchange new MAC keys. And _that_ should only be necessary when the encryption algorithm can't be used to generate a MAC or uses too much processing time. draft-bellovin-keyroll2385-00.txt: I have a big problem the notion of blindly switching to a new key at a predetermined time. If one side is unable to enter the key before that time, or one side enters the key incorrectly, the session will break at the moment that the switch to the new key happens. Since this happens some time _after_ both sides (are supposed to) have entered the new key, operators aren't actively monitoring the session at that moment, so there will be a delay before the problem can be corrected. I suggedsted this alternative approach on the north american network operators mailinglist: If you want benefits when only one end is upgraded, your mechanism for concurrent keys could be used like this: - the upgraded side installs the new key - the upgraded side keeps using the old key - the non-upgraded side installs the new key - the upgraded side detects that the other side uses the new key and switches over itself - the old key is removed from the upgraded side This way, it all goes down when the non-upgraded side installs the key: they can immediately see the problem if there is some kind of issue with the key (for instance someone entered it incorrectly). It still makes sense to add stuff that allows both ends to manage the key rollover when they're both upgraded (by adding a new BGP message to coordinate all of this in-band), since in that case something like the above won't work. I think something like this would work well: - announce key rollover capability at session connect - when a new key is configured, send a hash of it to the other side - other side doesn't have the key yet so says "reject" - other side is also configured with the new key, sends a hash - first side sees hashes match, starts sending with the new key and says "accept" Finally, as someone who works with BGP with MD5 passwords in practice, I can tell you that operators in general don't even think about changing keys. Yes, coordinating changing a key on both sides at the same time is a pain, but coordinating changing a key PERIOD is almost as big a pain because even ASes that aren't very big can easily have 100 peers or more and only the middle sized ones are easy to work with, the smaller ones barely have a clue and the larger ones have huge bureaucratic NOCs where it's hard to find the right person. And of course everything stretches across timezones and there are often language barriers. Exchanging the key securely is also a big problem. Making key rollover easier isn't going to change all that much here, and there is no perception of immediacy anyway. _______________________________________________ Sidr mailing list Sidr@ietf.org https://www1.ietf.org/mailman/listinfo/sidr
- [Sidr] Agenda for SIDR WG meeting at IETF 66 Geoff Huston
- [Sidr] Transport security Iljitsch van Beijnum
- Re: [Sidr] Transport security Pekka Savola
- Re: [Sidr] Transport security Tom Petch
- Re: [Sidr] Transport security Iljitsch van Beijnum
- Re: [Sidr] Transport security Tom Petch
- Re: [Sidr] Transport security Iljitsch van Beijnum
- Re: [Sidr] Transport security Tom Petch
- [Sidr] Minutes for SIDR WG meeting at IETF 66 Geoff Huston