[tcpm] regarding the TCP/MD5 updates
Joe Touch <touch@ISI.EDU> Fri, 17 March 2006 22:25 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FKNO5-000847-0k; Fri, 17 Mar 2006 17:25:37 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FKNO3-000842-IJ for tcpm@ietf.org; Fri, 17 Mar 2006 17:25:35 -0500
Received: from boreas.isi.edu ([128.9.160.161]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FKNO2-00082q-4t for tcpm@ietf.org; Fri, 17 Mar 2006 17:25:35 -0500
Received: from [128.9.168.55] (upn.isi.edu [128.9.168.55]) by boreas.isi.edu (8.11.6p2+0917/8.11.2) with ESMTP id k2HMOEG26568; Fri, 17 Mar 2006 14:24:14 -0800 (PST)
Message-ID: <441B3696.3040103@isi.edu>
Date: Fri, 17 Mar 2006 14:22:14 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 1.5 (Windows/20051201)
MIME-Version: 1.0
To: tcpm@ietf.org
References: <4419DDF9.2010006@cisco.com>
In-Reply-To: <4419DDF9.2010006@cisco.com>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 93e7fb8fef2e780414389440f367c879
Subject: [tcpm] regarding the TCP/MD5 updates
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, all, There are three documents that currently propose changes to TCP/MD5: draft-weis-tcp-auth-auto-ks draft-weis-tcp-mac-option draft-bonica-tcp-auth Due to some extraordinary scheduling, I will not be able to participate in TCPM when these are discussed, so I figured I'd post my comments in advance. I've read the three, and my general impression (intended to be simplistic) is that all three extend TCP/MD5 (RFC2385) as follows: draft-weis-tcp-mac-option provides for 4 other MACs, all HMACs (superset of draft-bonica) provides for in-band *rekeying* uses the key as 'direct input' to the HMAC, rather than as part of the digest draft-weis-tcp-auth-auto-ks describes the specific mechanism for inband rekeying as spected in weis-tcp-mac draft-bonica-tcp-auth provides for two other MACs, both HMACs provides for time-based key rollover this seems like a bad idea, and appears to be based on the need to rekey I sincerely hope that the authors of these documents can get together and document a single, coherent solution. MY requirements for that would be: - clear delineation between these and 2385 I would prefer reuse of option 19 (2385) with use of a different length (where 18 refers to the depricated 2385 version); this would ensure that the new TCP auth could not be used where TCP/MD5 is used, and would avoid unncessary waste of TCP option space - initial session key establishment needs to be addressed - algorithm/parameter establishment/agreement needs to be addressed - I prefer the Weis' IKE-style rekeying to Bonica's time-based keys, since the former maps better to TCP semantics and would be simpler and more secure to implement (see below) I would be glad to work with the authors to help accomplish the following (which I would be glad for them to author, but I have a lot of interest in making this happen cleanly): a) set out a reasonable list of reqiurements b) help determine the best way to merge the best parts of the existing work to make this happen c) help determine how to factor the documents out usefully (rather than issuing a single, monolithic doc) I would prefer this course to having either (or, gasp, both) of these proposals moving forward independently. I will be glad to meet with the authors and/or WG chairs interested to help this happen, anytime EXCEPT during TCPM/INT/BTNS ;-( and TRILL. Joe - --------------------------------------- My specific concerns are as follows: - - weis-tcp-mac 'direct input' issue I'm not a cryptographer, but if there's a difference between direct input and using the key as part of the data to be digested I'd highly suspect the MAC; this is a subtle issue that is only recently published and I'd like to understand if there's consensus in the security community. It seems like this is more like defining a new HMAC (KMAC?), at which point it should be defined in a separate document. - - both docs use both key IDs and alg IDs in the option header It seems a bad idea to expose the algorithm in the clear, and it seems unnecessary since a sufficiently large key ID space could be used instead, where the key ID indicates both the key value and the key algorithm (i.e., like an SPI does). - - time-based keying is not a good idea, because TCP has no notion of absolute time shared between the endpoints, so this needs to rely on NTP or somesuch as well as TCP, which presents a separate vulnerability, as well as substantially complicating the TCP implementation. - - neither document discusses initial keying - - neither document discusses agreement on algorithm Perhaps this is because the alg is indicated in the option; it would be preferable to negotiate this during the connection establishment - preferably securely (i.e., not in the clear). I see no reason to change the algorithm during a connection; that could be included in the rekey exchange without too much extra effort if desired. - - neither document discusses the initial key exchange In particular neither document addresses the use of DH for the initial exchange. There may be concerns about the overhead of DH and the resulting opportunity for SYN attack, but this should be overcome by allowing DH to be optional, rather than by ignoring it. I would also suggest that the initial key exchange allow BTNS-style unauthenticated DH, i.e.: - master-keyed (2385-mode) - DH based on master key (authenticated DH) - DH without authentication (BTNS mode) - - both documents discuss 'unused' fields in the proposed option, but need to be more specific about how that field is handled - under the proposed specs, senders MUST set them to zero - under the proposed specs, receivers MUST ignore them - - I would prefer/hope that some of the signalling information between the endpoints was ALWAYS encrypted, e.g., indicating whether a new key is enclosed. I don't like the fact that this info is passed in the clear. - ----------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEGzaVE5f5cImnZrsRAudhAJ41nIIZNphLH8owPevoU8WkHQOq9gCguzAr LJTjNc3lNuSrk2sN49p6tzc= =Ow64 -----END PGP SIGNATURE----- _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] draft-weis-tcp-auth-auto-ks-00 Brian Weis
- [tcpm] regarding the TCP/MD5 updates Joe Touch