IETF Logo Mail Archive

Re: [tcpm] question about TCP-AO and rekeying

Joe Touch <touch@ISI.EDU> Fri, 19 June 2009 17:06 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA6913A699C for <tcpm@core3.amsl.com>; Fri, 19 Jun 2009 10:06:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.524
X-Spam-Level:
X-Spam-Status: No, score=-2.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9eOKy+YEgd39 for <tcpm@core3.amsl.com>; Fri, 19 Jun 2009 10:06:41 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id E23C13A6837 for <tcpm@ietf.org>; Fri, 19 Jun 2009 10:06:40 -0700 (PDT)
Received: from [75.213.185.135] (135.sub-75-213-185.myvzw.com [75.213.185.135]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n5JH6c1e000689; Fri, 19 Jun 2009 10:06:42 -0700 (PDT)
Message-ID: <4A3BC59C.9090200@isi.edu>
Date: Fri, 19 Jun 2009 10:06:36 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Eric Rescorla <ekr@networkresonance.com>
References: <4A2AB973.3030203@isi.edu> <20090616131807.75C481BC6EB@kilo.networkresonance.com> <4A37A202.9020500@isi.edu> <20090617054551.A4E0C1BCA23@kilo.networkresonance.com> <4A388C37.3030703@isi.edu> <20090617140939.A3AB61BCC72@kilo.networkresonance.com> <4A390EC0.6070003@isi.edu> <20090617161518.5276C50822@romeo.rtfm.com> <4A3917B7.20301@isi.edu> <20090617232813.1C49D50822@romeo.rtfm.com> <4A39C800.2030901@isi.edu> <20090618051622.719361BDC6B@kilo.networkresonance.com> <4A39CE62.9050201@isi.edu> <20090618135721.164F31BDF06@kilo.networkresonance.com> <4A3A4A5D.2060504@isi.edu> <20090619043328.6C06E1BE12E@kilo.networkresonance.com> <4A3B3290.9020906@isi.edu> <20090619132135.0DF111BE198@kilo.networkresonance.com> <4A3BB16A.1000508@isi.edu> <20090619161614.EFC4850822@romeo.rtfm.com> <4A3BBC2E.9040100@isi.edu> <20090619164724.2353850822@romeo.rtfm.com>
In-Reply-To: <20090619164724.2353850822@romeo.rtfm.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] question about TCP-AO and rekeying
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2009 17:06:42 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Eric Rescorla wrote:
...
> OK, I fear we're talking past each other.
> 
> My claim is that the system must enforce the following invariant:
> 
> * There must be only one MKT defined that matches any given set
>   of parameters: (s-ip, d-ip, s-port, s-port, key-id).
> 
> This includes wildcards and ranges.

That one is a lot easier, since you're including the key-id. That's
available only for either established connections (e.g., bound to the
socket after connection establishment for outgoing, or indicated in the
segment for incoming).

For the initial outgoing SYNs from legacy applications, we need the MKT
match to be unique per:

	(s-ip, d-ip, s-port, d-port)

This is the case that's causing the problem for two cases:

a) overlapping MKT patterns, as would be used for catch-alls vs. more
specific patterns (which we could prohibit, but I would like to try not to)

b) identical MKT patterns, as would be used when a a primary and backups
are added

The TSAD/TAPD had a notion of grouping MKTs together when patterns
overlapped, so that (b) would allow selection of a 'currently designated
primary' to be used for outgoing SYNs. Getting rid of that structure -
which you claimed was an implementation issue - is omitting structure in
the key groupings that allows (b), and also enables (a).

If we omit the TSAD/TAPD, how do we express the notion that a given key
is preferred for outgoing SYNs?

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAko7xZsACgkQE5f5cImnZrscrQCfYfhimRCWFDvpoFXfBrjTwaK6
HiwAn1EQpeYdIPdd6f+SCXG9cUkfDfnl
=jdMC
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email