IETF Logo Mail Archive

Re: [tcpm] TCP-AO: Text for New_Key Process

Joe Touch <touch@ISI.EDU> Sun, 01 February 2009 21:49 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9DCE328C0DE; Sun, 1 Feb 2009 13:49:57 -0800 (PST)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9B1FD3A67E4 for <tcpm@core3.amsl.com>; Sun, 1 Feb 2009 13:49:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.946
X-Spam-Level:
X-Spam-Status: No, score=-1.946 tagged_above=-999 required=5 tests=[AWL=-0.472, BAYES_00=-2.599, SORTED_RECIPS=1.125]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f3xoShPDW6N9 for <tcpm@core3.amsl.com>; Sun, 1 Feb 2009 13:49:55 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 9654E3A6A44 for <tcpm@ietf.org>; Sun, 1 Feb 2009 13:49:55 -0800 (PST)
Received: from [192.168.1.44] (pool-71-106-119-240.lsanca.dsl-w.verizon.net [71.106.119.240]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n11LnEDa007016; Sun, 1 Feb 2009 13:49:16 -0800 (PST)
Message-ID: <498618DA.1070308@isi.edu>
Date: Sun, 01 Feb 2009 13:49:14 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: Brian Weis <bew@cisco.com>
References: <7.1.0.9.2.20081219010400.02bfd3d8@gmail.com> <496d9941.18038e0a.5558.ffffd3a6@mx.google.com> <497F7DDC.70309@isi.edu> <20090128162756.3799450822@romeo.rtfm.com> <B33C7F84-66B7-4F2C-9B04-2BC1716C7994@cisco.com>
In-Reply-To: <B33C7F84-66B7-4F2C-9B04-2BC1716C7994@cisco.com>
X-Enigmail-Version: 0.95.7
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org, Allison Mankin <mankin@psg.com>, skonduru@juniper.net
Subject: Re: [tcpm] TCP-AO: Text for New_Key Process
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI - there's an important reason not to use a separate flag bit. Doing
so requires parsing the bits of the incoming packet, i.e., this adds
extra processing. It also indicates to everyone on the wire that a key
change is pending; when using only the KeyID, no extra parsing is needed
and the meaning of a changing key is opaque to those on the wire.

Using a key flag means that one side can only ever tell the other end
"ready to use the new key", not which key (if there could be more than
one). That means that if you try it once and it fails and you want to
try it again, you might have to wait MSL (a few minutes) to try it
again, otherwise an old packet might indicate 'ready to receive the new
key" for the wrong key.

Overall, using just the keyID value as the indicator seems much more
flexible to and simple to me.

Joe

Brian Weis wrote:
> The message below summarizes the problem nicely.
> 
> On Jan 28, 2009, at 8:27 AM, Eric Rescorla wrote:
> 
>> At Tue, 27 Jan 2009 13:34:20 -0800,
>> Joe Touch wrote:
>>> I'll kick off discussion on this point on the list.
>>>
>>> IMO, this mechanism is not viable for TCP-AO; it requires generating
>>> (and consuming) TCP segments that a native TCP would not generate. I was
>>> under the assumption that our design space was as close to TCP MD5 as
>>> possible, i.e., augment existing segments with a new option, but neither
>>> generate nor consume new segments.
>>
>> I think it's important to separate two issues:
>>
>> 1. How can an implementation decide when it's safe to use a newly
>> installed
>>    key?
>> 2. How can an implementation help a peer implementation make that
>> decision.
>>
>> I think it's pretty clear that the most natural way to answer question
>> (1) is "when you see a segment protected with that key". Unfortunately,
>> this creates a deadlock problem since both sides are waiting for the
>> other side to use the key. Thus, we need a combination of two
>> methods:
>>
>> 1. If a node has two keys, OLD and NEW, as soon as it sees a segment
>>    from the peer protected with NEW, it starts sending with NEW.
>> 2. If a node has two keys, OLD and NEW, and it's still using OLD
>>    it occasionally experimentally sends a segment with NEW (probing).
>>
>> Taken together, these rules allow a clean transition, since both
>> nodes are in probing state until one node receives a packet with
>> NEW, at which point it switches over and the peer soon follows.
>>
>> The question then becomes how the probing mechanism works. At a
>> high level, there are two options:
>>
>> 1. Probe with packets that the TCP stack would already send.
>> 2. Generate new segments to use explicitly as probes.
>>
>> The advantage of (1) is obviously minimal impact on the stack,
>> but may mean that segments are lost and could unless cere is taken,
>> exert false congestion feedback. The advantage of (2) is that it
>> is less likely to create false congestion feedback, but it requires
>> more changes to the stack and of course creates additional traffic
>> on the wire. Greg's mechanism is of course of type (2).
>>
>> -Ekr
> 
> 
> Probing implies "using a key optimistically", whereby the sender is
> taking a substantial risk that the peer does not yet have knowledge of
> that key. I don't particularly like either option above since they are
> both highly likely to result in significant change to the operation of
> the TCP session.
> 
> Joe mentioned a third approach. Summarizing the discussion, rather than
> "probe" with segments that the TCP stack would already send, his
> approach would add a signal to TCP segments noting that a new master key
> was available. This helps a peer implementation make the decision to
> move to a new key (i.e., the problem we're trying to solve) without
> actually using the new key. This can break the deadlock without the
> actual use of the new key.
> 
> I favor this approach, but not the mechanism. Joe's idea consumes one
> extra KeyID value for each real KeyID. The example given was to allocate
> both KeyID 5 and KeyID 6 when using KeyID 5. Signaling the presence of a
> new key comes by moving to KeyID 6. But overloading KeyIDs is not ideal
> -- in particular, recall that KeyID values are chosen by some external
> entity (e.g., a human or some automated key management system). I'm
> really not confident that a human will always appreciate that they can
> only configure "odd" KeyID values, for example. Furthermore, in order to
> guarantee interoperability I believe that this would have to be
> described in TCP-AO. We would want to avoid different implementations
> have different conventions, and not be able to set the same KeyIDs! This
> could be a fair amount of addition to TCP-AO.
> 
> A better approach is to steal a bit from the KeyID field, and give it
> the meaning "I have a new KeyID". This is an explicit marking with a
> clear meaning. There's no reason the KeyID has to consume 8 bits --
> KeyIDs should be associated with a single peer, and even 7 bits worth of
> simultaneous KeyIDs should be more than enough. A system configured with
> a new KeyID for that peer sets the "new KeyID bit"; a system which also
> has a new KeyID begins use of it when it sees that bit set. As far as I
> can tell, stealing this bit has a negligible effect on the current
> definition of TCP-AO.
> 
> Some further comments addressing other discussion in this thread:
> 
> - No external entity has to be present in this approach.
> 
> - It's true that the two systems could have made an error in stalling a
> new set of policy, and automatically switching to a new KeyID could
> result in peers that cannot communicate. It is a plausible situation
> when the values are manually configured. I'm personally willing to make
> that tradeoff for a simpler TCP stack. This error should rarely occur in
> the presence of a future automated key management method.
> 
> One more thought ... it seems to me that with probe-based approaches a
> man-in-the-middle can prevent the session ever moving to the new key.
> This would be done by dropping frames containing a new KeyID, forcing
> the TCP session continue with an old key. Continued use of the old key
> indefinitely may not be detected by operations staff. On the other hand,
> the presences of a "new KeyID bit" would requires a man-in-the-middle to
> disrupt the TCP session entirely, which is not a new attack on TCP, and
> also immediately visible to operations staff.
> 
> Brian
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmGGNAACgkQE5f5cImnZrsbbQCfTVkugXLOyh4n0BPEpPBwiHgT
NRsAoMmHYFOT7gt0FukxM45NnNsfk4jb
=99A4
-----END PGP SIGNATURE-----
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email