[tcpm] [Repost] Review of the various TCP MACing proposals
EKR <ekr@networkresonance.com> Mon, 10 July 2006 16:11 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FzyMJ-000575-Md; Mon, 10 Jul 2006 12:11:43 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FzyMI-00056o-5I for tcpm@ietf.org; Mon, 10 Jul 2006 12:11:42 -0400
Received: from [132.219.15.238] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FzyMG-0001AZ-Nt for tcpm@ietf.org; Mon, 10 Jul 2006 12:11:42 -0400
Received: from networkresonance.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 1259C1CC22 for <tcpm@ietf.org>; Mon, 10 Jul 2006 09:10:48 -0700 (PDT)
To: tcpm@ietf.org
X-Mailer: MH-E 7.4.3; nmh 1.2; XEmacs 21.4 (patch 19)
Date: Mon, 10 Jul 2006 09:10:48 -0700
From: EKR <ekr@networkresonance.com>
Message-Id: <20060710161048.1259C1CC22@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 2a76bcd37b1c8a21336eb0a1ea6bbf48
Subject: [tcpm] [Repost] Review of the various TCP MACing proposals
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
I originally sent this to bts, but it should probably be posted here.... -Ekr BACKGROUND ---------- There's growing discomfort about the security of TCP MD5 [RFC 2385]. This discomfort comes from a variety of factors: 1. TCP MD5 is an old-style H(Data || Key) design rather than a more modern HMAC-style construction. 2. Recent work by Wang et al. has cast doubt on the security of MD5 in general and it may be applicable to this construction. 3. TCP MD5 doesn't support key rollover, which means that rekeying requires tearing down existing connections which is a problem for BGP. There has been a lot of discussion about what to do to correct these failings. One obvious strategy (though by far not the only one) is to produce an improved version of RFC 2385. This memo discusses three such proposals. draft-bellovin-keyroll2385-00 [Be06] draft-bonica-tcp-auth-04 [BWVLW06] draft-touch-tcpm-tcp-simple-auth-01 [TA06] Note that there are other architectural options, such as running everything over IPsec that are not discussed here. The intent is to discuss merely the proposals which have a lot of commonality. COMMON ISSUES ------------- A number of common issues come up here: - Use of key identifiers: One natural way to support key rollover is to incorporate a key (or association) identifier. This allows the receiving party to determine which key was used to protect the received segment. It also provides a potential hook for external key management, e.g., via IKE. - Trial Authentication: If multiple parallel keys are used for rollover and a key identifier is not used, then the receiver potentially needs to try all the available keys. Concerns have been raised about the potential for computation-based DoS in such systems. - Replacement of MAC algorithm: One way to address issues (1) and (2) above is to replace the current construction with a more modern one such as HMAC. There are actually two issues here, the construction and the underlying digest. draft-bellovin-keyroll2385-00 ----------------------------- This draft is only intended to address the key rollover problem. It is bits on the wire compatible with RFC 2385 and simply provides algorithms on the receiver and sender side for use and detection of new keys. No key identifier, so there is a potential for DoS as indicated above. The MAC algorithm is not replaced. Not replacing the MAC algorithm makes me fairly uncomfortable. The construction in RFC 2385 is almost certainly weak and is getting weaker as time goes on. If we're going to go to the trouble of doing anything I believe that we should replace the MAC algorithm with a more modern one. I'm also not sure I think that the receiver-side algorithm proposed here is the best choice, since it seems designed to allow the use of multiple keys more or less indefinitely (until the old one is expired) rather than having a clean cutover after which the old key is no longer accepted. ISTM that you could use TCP sequence numbers to determine a low-water mark after which the old key could no longer be used. draft-bonica-tcp-auth-04 ------------------------ This draft addresses both the key rollover issue and the MAC algorithm issue. It creates a new TCP option which includes a key identifier and has a new MAC algorithm (the mandatory to implement is AES-128-CMAC-96). The key management system is a fairly complicated list of static keys with overlapping usable time windows. The new option also includes optional protection for TCP options (RFC 2385 had none) and a few other minder features. My detailed comments can be found on my post about this to SAAG [Re06]. For the purposes of the discussion here, my major comment is that I think time-based windows and large keyrings are a bad idea and not needed. Key-Ids are quite sufficient. draft-touch-tcpm-tcp-simple-auth-01 ----------------------------------- This draft is a replacement for RFC 2385 which allows pluggable MAC algorithms, integrity for the TCP options, and some support for rekeying (see below). It also provides for more explicit detail about the interface of the option with TCP. Otherwise, it is very similar to RFC 2385. I have two major comments about this draft: 1. Although the MAC algorithms are pluggable, the default is HMAC-MD5-96. Given the current status of MD5, I don't believe that the IETF should be standardizing any MD5-based algorithms. 2. I'm not convinced that the rekeying strategy described here is OK. Note that TCP-SA's support for rekeying is designed to be minimal. As with the IPsec suite, segments carry only enough context to identify the security association [RFC4301][RFC4306]. In TCP-SA, this context is provided by the socket pair (IP addresses and ports for source and destination). The key is identified only in the LSAD, and coordinated by a separate mechanism not specified in TCP-SA. This differs from recent approaches that assume an additional key ID field and require support for multiple concurrently active keys on a single association [Be06][Bo06][We05][We06]. Such complexity is not necessary in TCP-SA because TCP is already robust to segment loss. ISTM that this only works properly if the key changes are more or less synchronized. Consider what happens in the following sequence of events: 0s A and B are using K1 10s A changes to K2 60s A sends data packet <retries....> 600s A gives up and aborts the connection (assume a total timeout of 9 minutes) 601s B changes to K2 So, the maximum time difference between A and B rekeying has to be less than the total timeout. This is plausible with automatic rekeying, but in cases where it's manual seems difficult. What happens when A calls B and says "rekey now" but then B decides to go get a cup of coffee before rekeying? Obviously, it can be made to work, but it seems undesirable. In order to allow longer gaps between rekeying on the two sides, you need to support multiple parallel keys. SUMMARY OF PROPOSALS -------------------- Be06 BWLVW06 TA06 -------------------------------- Key Identifiers No Yes No Trial Authentication Yes No No New MAC No Yes Yes [Be06] S. Bellovin, "Key Change Strategies for TCP-MD5", draft-bellovin-keyroll2385-00.txt, June 2006. [BWVLW06] R. Bonica, B. Weis, S. Viswanathan, A. Lange, O. Wheeler, "Authentication for TCP-based Routing and Management Protocols", draft-bonica-tcp-auth-04, February, 2006. [Re06] E. Rescorla, Message to SAAG Mailing List http://mailman.mit.edu/pipermail/saag/2006q2/001583.html [RFC2385] A. Heffernan, "Protection of BGP Sessions via the TCP MD5 Signature Option", RFC 2385, August 1998. [TA06] J. Touch, A. Mankin, "The TCP Simple Authentication Option", draft-touch-tcpm-tcp-simple-auth-01.txt, June 2006. _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- Re: [tcpm] [Repost] Review of the various TCP MAC… Joe Touch
- [tcpm] [Repost] Review of the various TCP MACing … EKR
- Re: [tcpm] [Repost] Review of the various TCP MAC… Joe Touch
- Re: [tcpm] [Repost] Review of the various TCP MAC… EKR
- RE: [tcpm] [Repost] Review of the various TCP MAC… Anantha Ramaiah (ananth)
- RE: [tcpm] [Repost] Review of the various TCP MAC… Sriram Viswanathan (sriram_v)
- Re: [tcpm] [Repost] Review of the various TCP MAC… Joe Touch
- RE: [tcpm] [Repost] Review of the various TCP MAC… Sriram Viswanathan (sriram_v)
- Re: [tcpm] [Repost] Review of the various TCP MAC… Joe Touch