Re: [tcpm] question about TCP-AO and rekeying

Eric Rescorla <ekr@networkresonance.com> Wed, 17 June 2009 05:45 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 17DC83A6C16 for <tcpm@core3.amsl.com>; Tue, 16 Jun 2009 22:45:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.018
X-Spam-Level:
X-Spam-Status: No, score=0.018 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vn5mvoKyHcB4 for <tcpm@core3.amsl.com>; Tue, 16 Jun 2009 22:45:25 -0700 (PDT)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id 201133A6BA6 for <tcpm@ietf.org>; Tue, 16 Jun 2009 22:45:25 -0700 (PDT)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id A4E0C1BCA23; Tue, 16 Jun 2009 22:45:51 -0700 (PDT)
Date: Tue, 16 Jun 2009 22:45:51 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Joe Touch <touch@ISI.EDU>
In-Reply-To: <4A37A202.9020500@isi.edu>
References: <4A2AB973.3030203@isi.edu> <20090616131807.75C481BC6EB@kilo.networkresonance.com> <4A37A202.9020500@isi.edu>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20090617054551.A4E0C1BCA23@kilo.networkresonance.com>
Cc: tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] question about TCP-AO and rekeying
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2009 05:45:26 -0000

At Tue, 16 Jun 2009 06:45:38 -0700,
Joe Touch wrote:
> Eric Rescorla wrote:
> > At Sat, 06 Jun 2009 11:46:11 -0700,
> > Joe Touch wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Hi, all,
> >>
> >> One open issue remaining is how to express what was formerly a database
> >> with a particular structure (TAPD, previously TSAD) in ways that impact
> >> rekeying and possibly future master key management protocols. We decided
> >> at the last meeting in SFO to do as follows:
> >>
> >> 	- require that each segment match only one key
> >> 		- segments for established connections must match
> >> 		only one connection key
> >> 		- segments for new connections (SYNs) must match
> >> 		only one master key
> >>
> >> Connection keys never overlap; there would never be two connection keys
> >> with the same keyID and socket pair. The open issue focuses on master
> >> keys, which would more likely be specified with wildcards, masks, or
> >> ranges, esp. for remote port numbers, but also potentially for addresses
> >> or local port numbers. This issue is particularly relevant for rekeying
> >> - - adding new master keys that would result in new connection keys being
> >> derived for existing connections - and how an endpoint would be able to
> >> ensure uniqueness as above.
> >>
> >> Do we need additional constraints to ensure that master key descriptions
> >> never overlap?
> >>
> >> As review, the previous description of keys as a database also implied,
> >> by its structure, constraints on wildcards/masks/ranges. Each TAPD entry
> >> was:
> >>
> >>     a socket pair descriptor
> >>         which may include wildcards or masks
> >>
> >>     one or more MKTs, each of which includes:
> >>         sendID
> >>         recvID
> >>         crypto info:
> >>             master key
> >>             MAC info
> >>             KDF info
> >>
> >> The TAPD was defined so that a segment matched at most one socket pair
> >> descriptor, and that MKTs within that descriptor had distinct sendIDs
> >> and recvIDs.
> >>
> >> If we remove that data structure, it would most obviously be replaced
> >> with MKTs with their own socket descriptors, i.e.:
> >>
> >>     MKT
> >>         socket pair descriptor (may include wildcards/masks)
> >>         sendID
> >>         recvID
> >>         crypto info
> >>
> >> The question that remains is whether MKTs that match a segment all have
> >> identical socket pair descriptors, even down to their
> >> wildcards/ranges/masks (which was previously required). If
> >> not, then how do we ensure that MKTs don't interfere?
> > 
> > I don't understand why this is a problem. The invariant that
> > the system needs to enforce is that for any given packet 
> > there be at most one valid MKT with a given key-id, right?
> 
> KeyID doesn't come into play for outgoing packets, so we can ignore that.
> 
> However, the invariant is twofold:
> 
> 	a) for a given packet, only one MKT applies
> 
> 	b) for two endpoints with multiple MKTs,
> 	the *same* MKT applies.

I don't see that this is true. As I understand the current design
there's no reason that both sides can't use different MKTs
indefinitely.


> >> If we throw our hands up and say this is "implementation detail", then
> >> IMO we could be hobbling any KMP, since there would be no common data
> >> for the KMP to coordinate.
> > 
> > I don't see this. Obviously, any KMP will need some model for
> > how it thinks about keys and any particular implementation of
> > a KMP will need to interact with the system on which it is
> > implemented in order to match that model to the system's
> > implementation, but I don't see how that's a problem. It's
> > not like we're defining a C API for the KMP implementations
> > to call.
> 
> If we don't specify some level of commonality, we can't expect to ever
> define such an API.

I don't consider the design of such an API in IETF 
either necessary or desirable.

-Ekr