IETF Logo Mail Archive

Re: [tcpm] TCP-AO: Text for New_Key Process

Brian Weis <bew@cisco.com> Fri, 30 January 2009 00:17 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B9A383A68DC; Thu, 29 Jan 2009 16:17:27 -0800 (PST)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE89228C185 for <tcpm@core3.amsl.com>; Thu, 29 Jan 2009 16:17:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.037
X-Spam-Level:
X-Spam-Status: No, score=-6.037 tagged_above=-999 required=5 tests=[AWL=-0.562, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SORTED_RECIPS=1.125]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gPeWgKE7cioy for <tcpm@core3.amsl.com>; Thu, 29 Jan 2009 16:17:25 -0800 (PST)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id C0A1C3A69B6 for <tcpm@ietf.org>; Thu, 29 Jan 2009 16:17:25 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.37,347,1231113600"; d="scan'208";a="135424793"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 30 Jan 2009 00:17:07 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n0U0H7I3017651; Thu, 29 Jan 2009 16:17:07 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n0U0H4YM004862; Fri, 30 Jan 2009 00:17:07 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 29 Jan 2009 16:17:07 -0800
Received: from [128.107.163.184] ([128.107.163.184]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 29 Jan 2009 16:17:07 -0800
In-Reply-To: <20090128162756.3799450822@romeo.rtfm.com>
References: <7.1.0.9.2.20081219010400.02bfd3d8@gmail.com> <496d9941.18038e0a.5558.ffffd3a6@mx.google.com> <497F7DDC.70309@isi.edu> <20090128162756.3799450822@romeo.rtfm.com>
Mime-Version: 1.0 (Apple Message framework v753.1)
Message-Id: <B33C7F84-66B7-4F2C-9B04-2BC1716C7994@cisco.com>
From: Brian Weis <bew@cisco.com>
Date: Thu, 29 Jan 2009 16:18:26 -0800
To: Eric Rescorla <ekr@networkresonance.com>
X-Mailer: Apple Mail (2.753.1)
X-OriginalArrivalTime: 30 Jan 2009 00:17:07.0115 (UTC) FILETIME=[15D74FB0:01C98270]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5770; t=1233274627; x=1234138627; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20<bew@cisco.com> |Subject:=20Re=3A=20TCP-AO=3A=20Text=20for=20New_Key=20Proc ess |Sender:=20; bh=LdJ69LZ5KswC/VEWMyH3Q2VEnjZquDmIYHcOk/oqBHg=; b=IJeOFapkTeI4X5sWBxeHfv+8BtWpIvYO87ULmSBO/LyuTVaXvl90++NcCD YOw+7C9QprVVl0BS4GFfErcvoUhYW1I6V1N5Yt9O6EBWnbJUORYtOBT5U1rf 1VS+ZnPxG0;
Authentication-Results: sj-dkim-3; header.From=bew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: tcpm@ietf.org, Allison Mankin <mankin@psg.com>, Joe Touch <touch@ISI.EDU>, skonduru@juniper.net
Subject: Re: [tcpm] TCP-AO: Text for New_Key Process
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

The message below summarizes the problem nicely.

On Jan 28, 2009, at 8:27 AM, Eric Rescorla wrote:

> At Tue, 27 Jan 2009 13:34:20 -0800,
> Joe Touch wrote:
>> I'll kick off discussion on this point on the list.
>>
>> IMO, this mechanism is not viable for TCP-AO; it requires generating
>> (and consuming) TCP segments that a native TCP would not generate.  
>> I was
>> under the assumption that our design space was as close to TCP MD5 as
>> possible, i.e., augment existing segments with a new option, but  
>> neither
>> generate nor consume new segments.
>
> I think it's important to separate two issues:
>
> 1. How can an implementation decide when it's safe to use a newly  
> installed
>    key?
> 2. How can an implementation help a peer implementation make that  
> decision.
>
> I think it's pretty clear that the most natural way to answer question
> (1) is "when you see a segment protected with that key".  
> Unfortunately,
> this creates a deadlock problem since both sides are waiting for the
> other side to use the key. Thus, we need a combination of two
> methods:
>
> 1. If a node has two keys, OLD and NEW, as soon as it sees a segment
>    from the peer protected with NEW, it starts sending with NEW.
> 2. If a node has two keys, OLD and NEW, and it's still using OLD
>    it occasionally experimentally sends a segment with NEW (probing).
>
> Taken together, these rules allow a clean transition, since both
> nodes are in probing state until one node receives a packet with
> NEW, at which point it switches over and the peer soon follows.
>
> The question then becomes how the probing mechanism works. At a
> high level, there are two options:
>
> 1. Probe with packets that the TCP stack would already send.
> 2. Generate new segments to use explicitly as probes.
>
> The advantage of (1) is obviously minimal impact on the stack,
> but may mean that segments are lost and could unless cere is taken,
> exert false congestion feedback. The advantage of (2) is that it
> is less likely to create false congestion feedback, but it requires
> more changes to the stack and of course creates additional traffic
> on the wire. Greg's mechanism is of course of type (2).
>
> -Ekr


Probing implies "using a key optimistically", whereby the sender is  
taking a substantial risk that the peer does not yet have knowledge  
of that key. I don't particularly like either option above since they  
are both highly likely to result in significant change to the  
operation of the TCP session.

Joe mentioned a third approach. Summarizing the discussion, rather  
than "probe" with segments that the TCP stack would already send, his  
approach would add a signal to TCP segments noting that a new master  
key was available. This helps a peer implementation make the decision  
to move to a new key (i.e., the problem we're trying to solve)  
without actually using the new key. This can break the deadlock  
without the actual use of the new key.

I favor this approach, but not the mechanism. Joe's idea consumes one  
extra KeyID value for each real KeyID. The example given was to  
allocate both KeyID 5 and KeyID 6 when using KeyID 5. Signaling the  
presence of a new key comes by moving to KeyID 6. But overloading  
KeyIDs is not ideal -- in particular, recall that KeyID values are  
chosen by some external entity (e.g., a human or some automated key  
management system). I'm really not confident that a human will always  
appreciate that they can only configure "odd" KeyID values, for  
example. Furthermore, in order to guarantee interoperability I  
believe that this would have to be described in TCP-AO. We would want  
to avoid different implementations have different conventions, and  
not be able to set the same KeyIDs! This could be a fair amount of  
addition to TCP-AO.

A better approach is to steal a bit from the KeyID field, and give it  
the meaning "I have a new KeyID". This is an explicit marking with a  
clear meaning. There's no reason the KeyID has to consume 8 bits --  
KeyIDs should be associated with a single peer, and even 7 bits worth  
of simultaneous KeyIDs should be more than enough. A system  
configured with a new KeyID for that peer sets the "new KeyID bit"; a  
system which also has a new KeyID begins use of it when it sees that  
bit set. As far as I can tell, stealing this bit has a negligible  
effect on the current definition of TCP-AO.

Some further comments addressing other discussion in this thread:

- No external entity has to be present in this approach.

- It's true that the two systems could have made an error in stalling  
a new set of policy, and automatically switching to a new KeyID could  
result in peers that cannot communicate. It is a plausible situation  
when the values are manually configured. I'm personally willing to  
make that tradeoff for a simpler TCP stack. This error should rarely  
occur in the presence of a future automated key management method.

One more thought ... it seems to me that with probe-based approaches  
a man-in-the-middle can prevent the session ever moving to the new  
key. This would be done by dropping frames containing a new KeyID,  
forcing the TCP session continue with an old key. Continued use of  
the old key indefinitely may not be detected by operations staff. On  
the other hand, the presences of a "new KeyID bit" would requires a  
man-in-the-middle to disrupt the TCP session entirely, which is not a  
new attack on TCP, and also immediately visible to operations staff.

Brian

-- 
Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email