[tcpm] Review of draft-duan-tcpm-tcp-ao-rekeying-00
Eric Rescorla <ekr@rtfm.com> Sun, 21 March 2010 00:28 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 26F963A6832 for <tcpm@core3.amsl.com>; Sat, 20 Mar 2010 17:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.852
X-Spam-Level: *
X-Spam-Status: No, score=1.852 tagged_above=-999 required=5 tests=[AWL=0.099, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6tVP38ut+CV for <tcpm@core3.amsl.com>; Sat, 20 Mar 2010 17:28:41 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id 179043A6767 for <tcpm@ietf.org>; Sat, 20 Mar 2010 17:28:41 -0700 (PDT)
Received: by gwaa11 with SMTP id a11so920837gwa.31 for <tcpm@ietf.org>; Sat, 20 Mar 2010 17:28:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.40.17 with SMTP id n17mr2528204agn.3.1269131332692; Sat, 20 Mar 2010 17:28:52 -0700 (PDT)
Date: Sat, 20 Mar 2010 17:28:52 -0700
Message-ID: <d3aa5d01003201728q17d18emd9fee70c59f17aea@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: tcpm@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [tcpm] Review of draft-duan-tcpm-tcp-ao-rekeying-00
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Mar 2010 00:28:42 -0000
$Id: draft-duan-tcpm-tcp-ao-rekeying-00-rev.txt 112 2010-03-21 00:28:12Z ekr $ In TCP-AO a receiver can signal that it is ready to receive authenticated packets using a new key, but it cannot signal that it wishes to send with a new key. This draft describes a mechanism to provide that signaling. It's unclear to me what benefit this draft provides. The basic principle behind TCP-AO is that key changes are coordinated between the sides: a new key cannot be used until it is known by both endpoints. At the time when that key is established, the establishment process (likely a phone call or email) can indicate that the new key is preferred, in which case both sides will start advertising the ability to receive it as soon as it is installed. Thus, this mechanism is unnecessary. The authors argue that: the RNextKeyID MKT when the RNextKeyID MKT is ready. It works well for changing the incoming key. However, if a sender finds its MKT which is used to authenticate outgoing segments has been attacked and should change into a new one, it can do nothing but has to wait for the receiver sending a segment which carries a different RNextKeyID. In this case, the communication becomes dangerous probably because the sender always authenticates outgoing segment by an attacked key before the receiver changes the incoming key. This paper proposes a method which the sender can trigger the other part to change the RNextKeyID when the sender finds the former outgoing key is not safe any longer. I don't find this convincing. If you know your key has been compromised you need to immediately notify your peers, who will want to promptly disable it. I don't see that any new protocol mechanisms are needed. Incidentally, the use of 0xff as a signal in the RNextKeyID field clearly violates S 4.2 of TCP-AO: o RNextKeyID: An unsigned 1-byte field indicating the MKT that the sender is ready use to receive authenticated segments, i.e., the desired 'receive next' keyID. It supports efficient key change coordination, to be discussed further in Section 8.1. Note that the RNextKeyID has no cryptographic properties - it need not be random, nor are there any reserved values. -Ekr
- [tcpm] Review of draft-duan-tcpm-tcp-ao-rekeying-… Eric Rescorla