IETF Logo Mail Archive

Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01

Joe Touch <touch@ISI.EDU> Mon, 28 July 2008 14:26 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 660D83A6895; Mon, 28 Jul 2008 07:26:05 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 339DF3A69EB for <tcpm@core3.amsl.com>; Mon, 28 Jul 2008 07:26:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.403
X-Spam-Level:
X-Spam-Status: No, score=-2.403 tagged_above=-999 required=5 tests=[AWL=0.196, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZjSVqK6C55Ke for <tcpm@core3.amsl.com>; Mon, 28 Jul 2008 07:25:57 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id E4CDB3A6895 for <tcpm@ietf.org>; Mon, 28 Jul 2008 07:25:56 -0700 (PDT)
Received: from [130.129.20.69] ([130.129.20.69]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m6SEPdiw004717 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 28 Jul 2008 07:25:42 -0700 (PDT)
Message-ID: <488DD6C4.8070709@isi.edu>
Date: Mon, 28 Jul 2008 07:25:08 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Eric Rescorla <ekr@networkresonance.com>
References: <20080728042451.C7A174B7AD3@kilo.rtfm.com> <488D6968.9010102@isi.edu> <20080728130532.AB1A94B8883@kilo.rtfm.com>
In-Reply-To: <20080728130532.AB1A94B8883@kilo.rtfm.com>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, Eric,

Eric Rescorla wrote:
| At Sun, 27 Jul 2008 23:38:32 -0700,
| Joe Touch wrote:
|> -----BEGIN PGP SIGNED MESSAGE-----
|> Hash: SHA1
|>
|> Hi, Eric (et al.),
|>
|> We'll have time to discuss these issues in detail later today at the
|> TCPM meeting. Here is some potential context for that...
|
| I'm not in Dublin.

We can continue on the list in that case...

|> Eric Rescorla wrote:
|> | $Id: draft-ietf-tcpm-tcp-auth-01-rev.txt,v 1.1 2008/07/28 03:06:22 ekr
|> Exp $
|> |
|> | I've reviewed the latest version of this document and while it
|> | seems to incorporate some improvements over the -00 version,
|> | I still have a number of concerns:
|> |
|> | - The document seems to assume an (unspecified) external key management
|> | mechanism. That seems less than maximally useful
|>
|> The split of this work into separate key management and TCP extension
|> documents was a prerequisite to the design team's output. The WG chairs
|> and/or ADs can speak to it more directly.
|
| That may be so, but it seems to me that it's unwise regardless.  As I
| indicated in PHL, this protocol as it stands isn't really useful in
| the absence of a key management protocol.  Since no such protocol
| appears to be on the horizon... With that in mind, I've elided the
| detailed comments below relative to that.

My understanding is that this document will not move forward without a
companion keying document. Let's assume that and press on...

|> | S 1.1.
|> | I don't see a lot of value in pre-specifying two MAC algorithms
|> | as MTI. There's no reason to believe one isn't plenty, as used
|> | in other protocols.
|>
|> The need for two required algorithms mirrors the intent of RFC4305's
|> "SHOULD+", which requires one, but suggests that two algs may be
|> required in the future. The design team suggested that requiring two
|> algorithms now would be prudent, notably so that if one were compromised
|> (either entirely, or effectively weakened due to computational
|> exploits), the other would be pre-deployed. The two could also trade
|> strength for performance, depending on which algorithms are recommended
|> by SAAG.
|
| Yes, as I've now said several times, this strikes me as massive
| overkill. If SHA-1 is ever weakened to the point where HMAC-SHA1
| is implicated, we'll have problems far, far, more serious than
| the occasional attack on TCP AO.

It's trivial to resolve this via WG feedback and SAAG input. If one is
sufficient, so be it.

|> | S 2.2.
|> | Figure 2 is kind of hard to read since the length of the kind
|> | field is 16 bits, but kinds are 8 bits, rigth?
|>
|> The length of the field is wide due to the text; that will be fixed to
|> be proportional to the bit width (8 bits, as you note).
|>
|> | S 3.
|> |                >> At least one direction (inbound/outbound) SHOULD have
|> |                a non-NONE MAC in practice, but this MUST NOT be
strictly
|> |                required by an implementation.
|> |
|> | 1. This seems like a bad idea. It's very hard to analyze the security
|> | properties of a connection when only one side is protected. To take
|> | one case that is obviously bad, if you're worried about DoS attacks
|> | and you use TCP-AO, then forging packets in either direction can
|> | bring it down. I would reverse this and require MACs in both
directions.
|> |
|> | 2. Even if we stipulate that this might be an OK idea, it's not
|> | appropriate to require implementations to support it.
|>
|> We discussed the utility of asymmetry in Philadelphia last March. The
|> point is to require implementations to allow the user to request
|> connections configured this way; we can add that connections MUST
|> default to using a real MAC in both directions by default. Does that
|> address your concern?
|
| Well, as I recall, you asserted it the value of it and I disagreed.

I asserted the value of keeping it in for potential future use.

| As I recall, the example you offered was the one-way authentication in
| TLS, which is really not that apropos, since it only applies to the
| key management protocol, not to the data, which is authenticated in
| both directions.

We discussed that in Phila. I recall that we agreed that this wasn't
exactly like TLS. However, I preferred leaving it in for future use.

| Perhaps you could restate your rationale for this?

About 10 minutes into that future ;-), we were discussing (as I recall)
channel binding and connection latching, at which point someone (?)
suggested TCP-AO could start in NULL in one direction, and escalate via
enabling a new KeyID (and thus configuration) via in-band exchange. I
recall your noting that this was a good reason for asymmetry.

We could update the doc to include that rationale...

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiN1sQACgkQE5f5cImnZrs1EwCgn+BB/umHsrKOWGDI9fJi2/zL
LBYAn3tPQq57MNV+kIZV87gT9dGEIhWq
=K5o/
-----END PGP SIGNATURE-----
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email