Re: [tcpm] TCP-AO: Text for New_Key Process
Joe Touch <touch@ISI.EDU> Sun, 01 February 2009 21:49 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9DCE328C0DE; Sun, 1 Feb 2009 13:49:57 -0800 (PST)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9B1FD3A67E4 for <tcpm@core3.amsl.com>; Sun, 1 Feb 2009 13:49:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.946
X-Spam-Level:
X-Spam-Status: No, score=-1.946 tagged_above=-999 required=5 tests=[AWL=-0.472, BAYES_00=-2.599, SORTED_RECIPS=1.125]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f3xoShPDW6N9 for <tcpm@core3.amsl.com>; Sun, 1 Feb 2009 13:49:55 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 9654E3A6A44 for <tcpm@ietf.org>; Sun, 1 Feb 2009 13:49:55 -0800 (PST)
Received: from [192.168.1.44] (pool-71-106-119-240.lsanca.dsl-w.verizon.net [71.106.119.240]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n11LnEDa007016; Sun, 1 Feb 2009 13:49:16 -0800 (PST)
Message-ID: <498618DA.1070308@isi.edu>
Date: Sun, 01 Feb 2009 13:49:14 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: Brian Weis <bew@cisco.com>
References: <7.1.0.9.2.20081219010400.02bfd3d8@gmail.com> <496d9941.18038e0a.5558.ffffd3a6@mx.google.com> <497F7DDC.70309@isi.edu> <20090128162756.3799450822@romeo.rtfm.com> <B33C7F84-66B7-4F2C-9B04-2BC1716C7994@cisco.com>
In-Reply-To: <B33C7F84-66B7-4F2C-9B04-2BC1716C7994@cisco.com>
X-Enigmail-Version: 0.95.7
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org, Allison Mankin <mankin@psg.com>, skonduru@juniper.net
Subject: Re: [tcpm] TCP-AO: Text for New_Key Process
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 FYI - there's an important reason not to use a separate flag bit. Doing so requires parsing the bits of the incoming packet, i.e., this adds extra processing. It also indicates to everyone on the wire that a key change is pending; when using only the KeyID, no extra parsing is needed and the meaning of a changing key is opaque to those on the wire. Using a key flag means that one side can only ever tell the other end "ready to use the new key", not which key (if there could be more than one). That means that if you try it once and it fails and you want to try it again, you might have to wait MSL (a few minutes) to try it again, otherwise an old packet might indicate 'ready to receive the new key" for the wrong key. Overall, using just the keyID value as the indicator seems much more flexible to and simple to me. Joe Brian Weis wrote: > The message below summarizes the problem nicely. > > On Jan 28, 2009, at 8:27 AM, Eric Rescorla wrote: > >> At Tue, 27 Jan 2009 13:34:20 -0800, >> Joe Touch wrote: >>> I'll kick off discussion on this point on the list. >>> >>> IMO, this mechanism is not viable for TCP-AO; it requires generating >>> (and consuming) TCP segments that a native TCP would not generate. I was >>> under the assumption that our design space was as close to TCP MD5 as >>> possible, i.e., augment existing segments with a new option, but neither >>> generate nor consume new segments. >> >> I think it's important to separate two issues: >> >> 1. How can an implementation decide when it's safe to use a newly >> installed >> key? >> 2. How can an implementation help a peer implementation make that >> decision. >> >> I think it's pretty clear that the most natural way to answer question >> (1) is "when you see a segment protected with that key". Unfortunately, >> this creates a deadlock problem since both sides are waiting for the >> other side to use the key. Thus, we need a combination of two >> methods: >> >> 1. If a node has two keys, OLD and NEW, as soon as it sees a segment >> from the peer protected with NEW, it starts sending with NEW. >> 2. If a node has two keys, OLD and NEW, and it's still using OLD >> it occasionally experimentally sends a segment with NEW (probing). >> >> Taken together, these rules allow a clean transition, since both >> nodes are in probing state until one node receives a packet with >> NEW, at which point it switches over and the peer soon follows. >> >> The question then becomes how the probing mechanism works. At a >> high level, there are two options: >> >> 1. Probe with packets that the TCP stack would already send. >> 2. Generate new segments to use explicitly as probes. >> >> The advantage of (1) is obviously minimal impact on the stack, >> but may mean that segments are lost and could unless cere is taken, >> exert false congestion feedback. The advantage of (2) is that it >> is less likely to create false congestion feedback, but it requires >> more changes to the stack and of course creates additional traffic >> on the wire. Greg's mechanism is of course of type (2). >> >> -Ekr > > > Probing implies "using a key optimistically", whereby the sender is > taking a substantial risk that the peer does not yet have knowledge of > that key. I don't particularly like either option above since they are > both highly likely to result in significant change to the operation of > the TCP session. > > Joe mentioned a third approach. Summarizing the discussion, rather than > "probe" with segments that the TCP stack would already send, his > approach would add a signal to TCP segments noting that a new master key > was available. This helps a peer implementation make the decision to > move to a new key (i.e., the problem we're trying to solve) without > actually using the new key. This can break the deadlock without the > actual use of the new key. > > I favor this approach, but not the mechanism. Joe's idea consumes one > extra KeyID value for each real KeyID. The example given was to allocate > both KeyID 5 and KeyID 6 when using KeyID 5. Signaling the presence of a > new key comes by moving to KeyID 6. But overloading KeyIDs is not ideal > -- in particular, recall that KeyID values are chosen by some external > entity (e.g., a human or some automated key management system). I'm > really not confident that a human will always appreciate that they can > only configure "odd" KeyID values, for example. Furthermore, in order to > guarantee interoperability I believe that this would have to be > described in TCP-AO. We would want to avoid different implementations > have different conventions, and not be able to set the same KeyIDs! This > could be a fair amount of addition to TCP-AO. > > A better approach is to steal a bit from the KeyID field, and give it > the meaning "I have a new KeyID". This is an explicit marking with a > clear meaning. There's no reason the KeyID has to consume 8 bits -- > KeyIDs should be associated with a single peer, and even 7 bits worth of > simultaneous KeyIDs should be more than enough. A system configured with > a new KeyID for that peer sets the "new KeyID bit"; a system which also > has a new KeyID begins use of it when it sees that bit set. As far as I > can tell, stealing this bit has a negligible effect on the current > definition of TCP-AO. > > Some further comments addressing other discussion in this thread: > > - No external entity has to be present in this approach. > > - It's true that the two systems could have made an error in stalling a > new set of policy, and automatically switching to a new KeyID could > result in peers that cannot communicate. It is a plausible situation > when the values are manually configured. I'm personally willing to make > that tradeoff for a simpler TCP stack. This error should rarely occur in > the presence of a future automated key management method. > > One more thought ... it seems to me that with probe-based approaches a > man-in-the-middle can prevent the session ever moving to the new key. > This would be done by dropping frames containing a new KeyID, forcing > the TCP session continue with an old key. Continued use of the old key > indefinitely may not be detected by operations staff. On the other hand, > the presences of a "new KeyID bit" would requires a man-in-the-middle to > disrupt the TCP session entirely, which is not a new attack on TCP, and > also immediately visible to operations staff. > > Brian > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmGGNAACgkQE5f5cImnZrsbbQCfTVkugXLOyh4n0BPEpPBwiHgT NRsAoMmHYFOT7gt0FukxM45NnNsfk4jb =99A4 -----END PGP SIGNATURE----- _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- Re: [tcpm] TCP-AO: Text for New_Key Process Gregory M. Lebovitz
- Re: [tcpm] TCP-AO: Text for New_Key Process Alfred Hönes
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Lars Eggert
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Brian Weis
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Brian Weis
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Caitlin Bestler
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Ron Bonica
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla
- Re: [tcpm] TCP-AO: Text for New_Key Process Joe Touch
- Re: [tcpm] TCP-AO: Text for New_Key Process Eric Rescorla