[tcpm] Review of draft-duan-tcpm-tcp-ao-rekeying-00
Eric Rescorla <ekr@rtfm.com> Sun, 21 March 2010 00:28 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 26F963A6832 for <tcpm@core3.amsl.com>; Sat, 20 Mar 2010 17:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.852
X-Spam-Level: *
X-Spam-Status: No, score=1.852 tagged_above=-999 required=5 tests=[AWL=0.099, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6tVP38ut+CV for <tcpm@core3.amsl.com>; Sat, 20 Mar 2010 17:28:41 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id 179043A6767 for <tcpm@ietf.org>; Sat, 20 Mar 2010 17:28:41 -0700 (PDT)
Received: by gwaa11 with SMTP id a11so920837gwa.31 for <tcpm@ietf.org>; Sat, 20 Mar 2010 17:28:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.40.17 with SMTP id n17mr2528204agn.3.1269131332692; Sat, 20 Mar 2010 17:28:52 -0700 (PDT)
Date: Sat, 20 Mar 2010 17:28:52 -0700
Message-ID: <d3aa5d01003201728q17d18emd9fee70c59f17aea@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: tcpm@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [tcpm] Review of draft-duan-tcpm-tcp-ao-rekeying-00
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Mar 2010 00:28:42 -0000
$Id: draft-duan-tcpm-tcp-ao-rekeying-00-rev.txt 112 2010-03-21 00:28:12Z ekr $
In TCP-AO a receiver can signal that it is ready to receive authenticated
packets using a new key, but it cannot signal that it wishes to send
with a new key. This draft describes a mechanism to provide that
signaling.
It's unclear to me what benefit this draft provides. The basic principle
behind TCP-AO is that key changes are coordinated between the sides:
a new key cannot be used until it is known by both endpoints. At the
time when that key is established, the establishment process (likely
a phone call or email) can indicate that the new key is preferred,
in which case both sides will start advertising the ability to
receive it as soon as it is installed. Thus, this mechanism is
unnecessary. The authors argue that:
the RNextKeyID MKT when the RNextKeyID MKT is ready. It works well
for changing the incoming key. However, if a sender finds its MKT
which is used to authenticate outgoing segments has been attacked and
should change into a new one, it can do nothing but has to wait for
the receiver sending a segment which carries a different RNextKeyID.
In this case, the communication becomes dangerous probably because
the sender always authenticates outgoing segment by an attacked key
before the receiver changes the incoming key. This paper proposes a
method which the sender can trigger the other part to change the
RNextKeyID when the sender finds the former outgoing key is not safe
any longer.
I don't find this convincing. If you know your key has been compromised
you need to immediately notify your peers, who will want to promptly
disable it. I don't see that any new protocol mechanisms are needed.
Incidentally, the use of 0xff as a signal in the RNextKeyID field
clearly violates S 4.2 of TCP-AO:
o RNextKeyID: An unsigned 1-byte field indicating the MKT that the
sender is ready use to receive authenticated segments, i.e., the
desired 'receive next' keyID.
It supports efficient key change coordination, to be discussed
further in Section 8.1. Note that the RNextKeyID has no
cryptographic properties - it need not be random, nor are there
any reserved values.
-Ekr
- [tcpm] Review of draft-duan-tcpm-tcp-ao-rekeying-… Eric Rescorla