Re: [tcpm] question about TCP-AO and rekeying

[Eric Rescorla <ekr@networkresonance.com>]

At Tue, 16 Jun 2009 06:45:38 -0700,
Joe Touch wrote:
> Eric Rescorla wrote:
> > At Sat, 06 Jun 2009 11:46:11 -0700,
> > Joe Touch wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Hi, all,
> >>
> >> One open issue remaining is how to express what was formerly a database
> >> with a particular structure (TAPD, previously TSAD) in ways that impact
> >> rekeying and possibly future master key management protocols. We decided
> >> at the last meeting in SFO to do as follows:
> >>
> >> 	- require that each segment match only one key
> >> 		- segments for established connections must match
> >> 		only one connection key
> >> 		- segments for new connections (SYNs) must match
> >> 		only one master key
> >>
> >> Connection keys never overlap; there would never be two connection keys
> >> with the same keyID and socket pair. The open issue focuses on master
> >> keys, which would more likely be specified with wildcards, masks, or
> >> ranges, esp. for remote port numbers, but also potentially for addresses
> >> or local port numbers. This issue is particularly relevant for rekeying
> >> - - adding new master keys that would result in new connection keys being
> >> derived for existing connections - and how an endpoint would be able to
> >> ensure uniqueness as above.
> >>
> >> Do we need additional constraints to ensure that master key descriptions
> >> never overlap?
> >>
> >> As review, the previous description of keys as a database also implied,
> >> by its structure, constraints on wildcards/masks/ranges. Each TAPD entry
> >> was:
> >>
> >>     a socket pair descriptor
> >>         which may include wildcards or masks
> >>
> >>     one or more MKTs, each of which includes:
> >>         sendID
> >>         recvID
> >>         crypto info:
> >>             master key
> >>             MAC info
> >>             KDF info
> >>
> >> The TAPD was defined so that a segment matched at most one socket pair
> >> descriptor, and that MKTs within that descriptor had distinct sendIDs
> >> and recvIDs.
> >>
> >> If we remove that data structure, it would most obviously be replaced
> >> with MKTs with their own socket descriptors, i.e.:
> >>
> >>     MKT
> >>         socket pair descriptor (may include wildcards/masks)
> >>         sendID
> >>         recvID
> >>         crypto info
> >>
> >> The question that remains is whether MKTs that match a segment all have
> >> identical socket pair descriptors, even down to their
> >> wildcards/ranges/masks (which was previously required). If
> >> not, then how do we ensure that MKTs don't interfere?
> > 
> > I don't understand why this is a problem. The invariant that
> > the system needs to enforce is that for any given packet 
> > there be at most one valid MKT with a given key-id, right?
> 
> KeyID doesn't come into play for outgoing packets, so we can ignore that.
> 
> However, the invariant is twofold:
> 
> 	a) for a given packet, only one MKT applies
> 
> 	b) for two endpoints with multiple MKTs,
> 	the *same* MKT applies.

I don't see that this is true. As I understand the current design
there's no reason that both sides can't use different MKTs
indefinitely.


> >> If we throw our hands up and say this is "implementation detail", then
> >> IMO we could be hobbling any KMP, since there would be no common data
> >> for the KMP to coordinate.
> > 
> > I don't see this. Obviously, any KMP will need some model for
> > how it thinks about keys and any particular implementation of
> > a KMP will need to interact with the system on which it is
> > implemented in order to match that model to the system's
> > implementation, but I don't see how that's a problem. It's
> > not like we're defining a C API for the KMP implementations
> > to call.
> 
> If we don't specify some level of commonality, we can't expect to ever
> define such an API.

I don't consider the design of such an API in IETF 
either necessary or desirable.

-Ekr