Re: [tcpm] TCP-AO: Text for New_Key Process
Brian Weis <bew@cisco.com> Fri, 30 January 2009 00:17 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B9A383A68DC; Thu, 29 Jan 2009 16:17:27 -0800 (PST)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE89228C185 for <tcpm@core3.amsl.com>; Thu, 29 Jan 2009 16:17:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.037
X-Spam-Level:
X-Spam-Status: No, score=-6.037 tagged_above=-999 required=5 tests=[AWL=-0.562, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SORTED_RECIPS=1.125]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gPeWgKE7cioy for <tcpm@core3.amsl.com>; Thu, 29 Jan 2009 16:17:25 -0800 (PST)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id C0A1C3A69B6 for <tcpm@ietf.org>; Thu, 29 Jan 2009 16:17:25 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.37,347,1231113600"; d="scan'208";a="135424793"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 30 Jan 2009 00:17:07 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n0U0H7I3017651; Thu, 29 Jan 2009 16:17:07 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n0U0H4YM004862; Fri, 30 Jan 2009 00:17:07 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 29 Jan 2009 16:17:07 -0800
Received: from [128.107.163.184] ([128.107.163.184]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 29 Jan 2009 16:17:07 -0800
In-Reply-To: <20090128162756.3799450822@romeo.rtfm.com>
References: <7.1.0.9.2.20081219010400.02bfd3d8@gmail.com> <496d9941.18038e0a.5558.ffffd3a6@mx.google.com> <497F7DDC.70309@isi.edu> <20090128162756.3799450822@romeo.rtfm.com>
Mime-Version: 1.0 (Apple Message framework v753.1)
Message-Id: <B33C7F84-66B7-4F2C-9B04-2BC1716C7994@cisco.com>
From: Brian Weis <bew@cisco.com>
Date: Thu, 29 Jan 2009 16:18:26 -0800
To: Eric Rescorla <ekr@networkresonance.com>
X-Mailer: Apple Mail (2.753.1)
X-OriginalArrivalTime: 30 Jan 2009 00:17:07.0115 (UTC) FILETIME=[15D74FB0:01C98270]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5770; t=1233274627; x=1234138627; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20<bew@cisco.com> |Subject:=20Re=3A=20TCP-AO=3A=20Text=20for=20New_Key=20Proc ess |Sender:=20; bh=LdJ69LZ5KswC/VEWMyH3Q2VEnjZquDmIYHcOk/oqBHg=; b=IJeOFapkTeI4X5sWBxeHfv+8BtWpIvYO87ULmSBO/LyuTVaXvl90++NcCD YOw+7C9QprVVl0BS4GFfErcvoUhYW1I6V1N5Yt9O6EBWnbJUORYtOBT5U1rf 1VS+ZnPxG0;
Authentication-Results: sj-dkim-3; header.From=bew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: tcpm@ietf.org, Allison Mankin <mankin@psg.com>, Joe Touch <touch@ISI.EDU>, skonduru@juniper.net
Subject: Re: [tcpm] TCP-AO: Text for New_Key Process
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
The message below summarizes the problem nicely. On Jan 28, 2009, at 8:27 AM, Eric Rescorla wrote: > At Tue, 27 Jan 2009 13:34:20 -0800, > Joe Touch wrote: >> I'll kick off discussion on this point on the list. >> >> IMO, this mechanism is not viable for TCP-AO; it requires generating >> (and consuming) TCP segments that a native TCP would not generate. >> I was >> under the assumption that our design space was as close to TCP MD5 as >> possible, i.e., augment existing segments with a new option, but >> neither >> generate nor consume new segments. > > I think it's important to separate two issues: > > 1. How can an implementation decide when it's safe to use a newly > installed > key? > 2. How can an implementation help a peer implementation make that > decision. > > I think it's pretty clear that the most natural way to answer question > (1) is "when you see a segment protected with that key". > Unfortunately, > this creates a deadlock problem since both sides are waiting for the > other side to use the key. Thus, we need a combination of two > methods: > > 1. If a node has two keys, OLD and NEW, as soon as it sees a segment > from the peer protected with NEW, it starts sending with NEW. > 2. If a node has two keys, OLD and NEW, and it's still using OLD > it occasionally experimentally sends a segment with NEW (probing). > > Taken together, these rules allow a clean transition, since both > nodes are in probing state until one node receives a packet with > NEW, at which point it switches over and the peer soon follows. > > The question then becomes how the probing mechanism works. At a > high level, there are two options: > > 1. Probe with packets that the TCP stack would already send. > 2. Generate new segments to use explicitly as probes. > > The advantage of (1) is obviously minimal impact on the stack, > but may mean that segments are lost and could unless cere is taken, > exert false congestion feedback. The advantage of (2) is that it > is less likely to create false congestion feedback, but it requires > more changes to the stack and of course creates additional traffic > on the wire. Greg's mechanism is of course of type (2). > > -Ekr Probing implies "using a key optimistically", whereby the sender is taking a substantial risk that the peer does not yet have knowledge of that key. I don't particularly like either option above since they are both highly likely to result in significant change to the operation of the TCP session. Joe mentioned a third approach. Summarizing the discussion, rather than "probe" with segments that the TCP stack would already send, his approach would add a signal to TCP segments noting that a new master key was available. This helps a peer implementation make the decision to move to a new key (i.e., the problem we're trying to solve) without actually using the new key. This can break the deadlock without the actual use of the new key. I favor this approach, but not the mechanism. Joe's idea consumes one extra KeyID value for each real KeyID. The example given was to allocate both KeyID 5 and KeyID 6 when using KeyID 5. Signaling the presence of a new key comes by moving to KeyID 6. But overloading KeyIDs is not ideal -- in particular, recall that KeyID values are chosen by some external entity (e.g., a human or some automated key management system). I'm really not confident that a human will always appreciate that they can only configure "odd" KeyID values, for example. Furthermore, in order to guarantee interoperability I believe that this would have to be described in TCP-AO. We would want to avoid different implementations have different conventions, and not be able to set the same KeyIDs! This could be a fair amount of addition to TCP-AO. A better approach is to steal a bit from the KeyID field, and give it the meaning "I have a new KeyID". This is an explicit marking with a clear meaning. There's no reason the KeyID has to consume 8 bits -- KeyIDs should be associated with a single peer, and even 7 bits worth of simultaneous KeyIDs should be more than enough. A system configured with a new KeyID for that peer sets the "new KeyID bit"; a system which also has a new KeyID begins use of it when it sees that bit set. As far as I can tell, stealing this bit has a negligible effect on the current definition of TCP-AO. Some further comments addressing other discussion in this thread: - No external entity has to be present in this approach. - It's true that the two systems could have made an error in stalling a new set of policy, and automatically switching to a new KeyID could result in peers that cannot communicate. It is a plausible situation when the values are manually configured. I'm personally willing to make that tradeoff for a simpler TCP stack. This error should rarely occur in the presence of a future automated key management method. One more thought ... it seems to me that with probe-based approaches a man-in-the-middle can prevent the session ever moving to the new key. This would be done by dropping frames containing a new KeyID, forcing the TCP session continue with an old key. Continued use of the old key indefinitely may not be detected by operations staff. On the other hand, the presences of a "new KeyID bit" would requires a man-in-the-middle to disrupt the TCP session entirely, which is not a new attack on TCP, and also immediately visible to operations staff. Brian -- Brian Weis Router/Switch Security Group, ARTG, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- Re: [tcpm] TCP-AO: Text for New_Key Process Gregory M. Lebovitz
- Re: [tcpm] TCP-AO: Text for New_Key Process Alfred Hönes
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Lars Eggert
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Brian Weis
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Brian Weis
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Caitlin Bestler
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Ron Bonica
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla