Re: [tcpm] question about TCP-AO and rekeying

Joe Touch <touch@ISI.EDU> Thu, 18 June 2009 04:52 UTC

Message-ID: <4A39C800.2030901@isi.edu>
Date: Wed, 17 Jun 2009 21:52:16 -0700
From: Joe Touch <touch@ISI.EDU>
To: Eric Rescorla <ekr@networkresonance.com>
References: <4A2AB973.3030203@isi.edu> <20090616131807.75C481BC6EB@kilo.networkresonance.com> <4A37A202.9020500@isi.edu> <20090617054551.A4E0C1BCA23@kilo.networkresonance.com> <4A388C37.3030703@isi.edu> <20090617140939.A3AB61BCC72@kilo.networkresonance.com> <4A390EC0.6070003@isi.edu> <20090617161518.5276C50822@romeo.rtfm.com> <4A3917B7.20301@isi.edu> <20090617232813.1C49D50822@romeo.rtfm.com>
In-Reply-To: <20090617232813.1C49D50822@romeo.rtfm.com>
Cc: tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] question about TCP-AO and rekeying

>>> If so, the entry fails. If that's what
>>> you mean by "prohibit overlaps", yes, I think we should
>>> prohibit overlaps. 
>>>
>>> If what you mean is that two MKTs with different key-ids can't overlap
>>> the same socket pair space, I don't see a problem with that.
>> That is a problem for outgoing SYNs. For those, either the connection
>> has to know a-priori which ID to use, or we need to make sure MKTs can't
>> overlap at all (ignoring keyIDs).
> 
> I'm sorry, but I don't see why. 

So let's consider outgoing SYNs.

Consider a system with two MKTs:

	MKT alpha	from ANY:ANY to JOE:80	KEYID=4

	MKT beta	from ANY:ANY to ANY:ANY	KEYID=5


So my web client wants to connect to JOE:80. The web client has not been
modified to indicate a desired KEYID; I doubt many apps will be so
modified. So I'll need to ensure that the socket pair of the SYN matches
only one MKT.

That means I can't have default keys, like beta.

So what I'm wondering is whether we:

	a) require MKTs to be unique per {socketpair,ID} tuple

	b) require MKTs to be unique per socketpair

We either need (b), or we need something else that says "first match"
and establishes an ordering to MKTs, or "best match", etc.

Joe
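The outgoing-SYN problem above, modelled as an added example that is not part of the original message or of any TCP-AO implementation: a toy MKT table in Python holding the alpha and beta MKTs from the message, with the two uniqueness rules (a) and (b) and a "best match" rule as selectable policies. The class and function names, the policy strings and the sample socket pair are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard for one field of an MKT's socket-pair pattern

@dataclass(frozen=True)
class MKT:
    """Master Key Tuple as used in the thread: a socket-pair pattern plus a KeyID."""
    name: str
    pattern: Tuple  # (src_addr, src_port, dst_addr, dst_port); ANY wildcards a field
    key_id: int

    def matches(self, socket_pair: Tuple) -> bool:
        return all(f is ANY or f == v for f, v in zip(self.pattern, socket_pair))

    def specificity(self) -> int:
        return sum(f is not ANY for f in self.pattern)

def overlaps(a: MKT, b: MKT) -> bool:
    """True when some socket pair could match both MKTs (KeyID ignored)."""
    return all(x is ANY or y is ANY or x == y for x, y in zip(a.pattern, b.pattern))

class MKTTable:
    """policy 'a': unique per {socketpair, KeyID}; 'b': unique per socketpair;
    'best': overlaps allowed and the most specific matching MKT wins."""
    def __init__(self, policy: str):
        self.policy = policy
        self.mkts: List[MKT] = []

    def add(self, mkt: MKT) -> None:
        for existing in self.mkts:
            if overlaps(existing, mkt) and (self.policy == "b" or existing.key_id == mkt.key_id):
                raise ValueError(f"{mkt.name} overlaps {existing.name} under policy {self.policy}")
        self.mkts.append(mkt)

    def select_for_syn(self, socket_pair: Tuple, key_id: Optional[int] = None) -> Optional[MKT]:
        """Choose the MKT for an outgoing SYN; key_id is None for an unmodified application."""
        cands = [m for m in self.mkts
                 if m.matches(socket_pair) and (key_id is None or m.key_id == key_id)]
        if self.policy == "best" and cands:
            top = max(m.specificity() for m in cands)
            cands = [m for m in cands if m.specificity() == top]
        if len(cands) > 1:  # policy 'a' with no KeyID from the app ends up here
            raise LookupError("ambiguous: " + ", ".join(m.name for m in cands))
        return cands[0] if cands else None

# The two MKTs from the message (constructed; "JOE" stands in for a host address)
ALPHA = MKT("alpha", (ANY, ANY, "JOE", 80), key_id=4)
BETA = MKT("beta", (ANY, ANY, ANY, ANY), key_id=5)
```

Under policy 'a' the web client's SYN to JOE:80 matches both alpha and beta and the lookup fails unless the application supplies a KeyID; under 'b' beta is rejected when it is installed; under 'best' alpha wins for JOE:80 and beta covers everything else.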